Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,205 questions
Windows Hello for Business and On-Premise: What do I try next?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 23%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETJ%3C/text%3E%3C/svg%3E)
Tom James
1
Reputation point
Hi All,
I hope you can possibly push me in the right direction. We want to implement Windows Hello for Business but not just on the AAD side but to access our Hybrid On-Premise setup.
So far, we've followed a dozen guides, a few more third party guides, YouTube videos and we're at a point where the PIN still does not work for On-Prem. Let me tell you what we have set up first:
- 2 weeks ago we removed all Windows Server 2012 R2 systems from our DCs, we are now running a minimum Schema of 2016.
- We have one CA server with both an enrollment and connection certificate published.
- We have a public facing server that hosts the CRL, IIS and NDES servers.
- CRLs are visible externally.
- The NDES server is working externally.
- The NDES server took time to configure but we eventually got it working.
- Intune is pushing out the CA Root Certificate.
- Intune is allocating the WhfB certificate via SCEP (to users with no direct line of site of a DC).
- Intune is pushing out Windows Hello settings as standard.
- AD Connect was refreshed and a full import / Sync run.
- NGC keys are showing for users / Kerberos tickets.
- All devices are showing as Hybrid Joined / AAD Joined.
- Device Registrations is being updated in On-Prem AD.
What we're seeing are users being prompted for the PIN over and over again until they use their password, WVD shows 'no certification authority available for smart card logon' and file shares fail unless their password has been used.
It's all rather frustrating as having followed the official MS documentation (as bad as it is) and then third party guides (including multiple rebuilds of servers until it worked) but still being without PIN functionality is starting to annoy me! Any ideas greatly appreciated.
Our users are all on the latest version of Windows 10 with full security and software updates.
Our DCs are (1x) 2016 and (2x) 2022 and running the latest versions / security updates.
Our MFA is provided by Office 365 (Azure).
We are running AD FS (2 x ADFS, 2 x WAP and 1 x ADC).
Regards
TJ
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Sandeep G-MSFT 14,806 Reputation points Microsoft Employee2022-07-12T05:52:02.807+00:00 Thank you for posting your query in Microsoft Q&A
As I understand users are being asked for PIN again and again.
I wanted to check if users are being asked to setup new PIN again and again or users PIN is not getting accepted.
Also, can you share the Windows version that users are using? -
Tom James 1 Reputation point
2022-07-12T06:05:39.943+00:00 Hi Sandeg,
They are being requested to authenticate by PIN, not set it up over and over. For example, authenticating to an On-Prem Fileserver just brings up the PIN request until they choose Other User and enter their password.
As per my post:
Our users are all on the latest version of Windows 10 with full security and software updates.
Our DCs are (1x) 2016 and (2x) 2022 and running the latest versions / security updates.
Our MFA is provided by Office 365 (Azure).
We are running AD FS (2 x ADFS, 2 x WAP and 1 x ADC).The minimum version of Windows 10 (approximately 20 users) is 20H2, the other users (450+) are on 21H2.
Sign in to comment