Windows Hello for Business for Hybrid Entra Joined devices

Ahmed Sh 100 Reputation points
2024-07-04T08:55:32.7066667+00:00

Environment:

- No UPN matching between on-prem AD and Azure, third-party federation and user provisioning.

- Hybrid Entra Joined devices

- Enrolled to Intune using device credentials as SCCM is set up with co-management (Cloud Attach).

Question:

Whether setting up Windows Hello for Business (which was working before enrollment) using GPO or Intune, an error is returned.

PIN:

"this sign in option is only available when connected to your organization's network"

Fingerprint and Face:

"The option is currently unavailable"

Multiple methods to set up WHfB were attempted and none worked so far.

- Devices -> Win 10 -> Enrollment -> "Configure Windows Hello for Business"

- Using custom settings as described here (CSP or GPO):

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/configure

- Biometric devices updated / Windows updates installed / all devices and users affected in the organization.

- What could be the issue? Any best effort to get Windows Hello for Business working again?


2 answers

  1. ZhoumingDuan-MSFT 13,965 Reputation points Microsoft Vendor
    2024-07-05T02:45:42.01+00:00

    @Ahmed Sh, Thanks for posting in Q&A.

    To clarify this issue, please share with us the following information.

    1. What kind of deployment do you use to configure Windows Hello for Business?

    2. Could you please share a screenshot of the returned error?

    3. Check whether there are any useful messages in Applications and Services logs\Microsoft\Windows\HelloforBusiness\Operational, Microsoft\Windows\User Device Registration\Admin and Microsoft\Windows\Security-Kerberos\Operational under Event Viewer.

    4. Please also check whether the device meets the requirements.

    Also, here is a link about the known deployment issues you can refer to.

    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-issues

    If there is any update, feel free to contact me.



  2. Givary-MSFT 33,391 Reputation points Microsoft Employee
    2024-07-08T09:34:42.29+00:00

    @Ahmed Sh Thank you for reaching out to us. To start troubleshooting, I would recommend reviewing the output of dsregcmd.exe /status - https://learn.microsoft.com/en-us/samples/azure-samples/dsregtool/dsregtool/

    Review the event logs below for more details and guidance.

    Application and Service Logs > Microsoft > Windows > HelloForBusiness

    Application and Service Logs > Microsoft > Windows > User Device Registration

    Application and Service Logs > Microsoft > Windows > AAD

    Is this a new setup? Was it working before?

    Let me know if you have any further questions; feel free to post back.
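
The checks both answers ask for (the `dsregcmd.exe /status` output and recent entries in the HelloForBusiness, User Device Registration, AAD and Security-Kerberos logs) can be collected in one pass on an affected device. The PowerShell script below is an added example, not part of either answer; the `/Operational` suffix for the AAD channel, the two-day look-back and the choice of `dsregcmd` fields are assumptions.

```powershell
# Added example (not from the thread). Run in the affected user's session,
# because the Ngc prerequisite fields are evaluated per user.

# Fields from dsregcmd /status that describe join state, PRT and WHfB prerequisites.
$fields = 'AzureAdJoined','DomainJoined','DeviceAuthStatus','AzureAdPrt','NgcSet',
          'IsDeviceJoined','IsUserAzureAD','PolicyEnabled','PostLogonEnabled',
          'DeviceEligible','SessionIsNotRemote','CertEnrollment','PreReqResult'

# Parse the "Name : Value" lines into an ordered table, keeping only those fields.
$state = [ordered]@{}
foreach ($line in (dsregcmd.exe /status)) {
    if ($line -match '^\s*(\w+)\s*:\s*(.*\S)\s*$' -and $fields -contains $Matches[1]) {
        $state[$Matches[1]] = $Matches[2]
    }
}
$state.GetEnumerator() | Format-Table Name, Value -AutoSize

# A field that is absent is itself a finding (for example, no Ngc section at all).
$fields | Where-Object { -not $state.Contains($_) } |
    ForEach-Object { Write-Warning "dsregcmd did not report: $_" }

# Event channels named in the answers (AAD channel suffix is an assumption).
$logs = 'Microsoft-Windows-HelloForBusiness/Operational',
        'Microsoft-Windows-User Device Registration/Admin',
        'Microsoft-Windows-AAD/Operational',
        'Microsoft-Windows-Security-Kerberos/Operational'

$since = (Get-Date).AddDays(-2)   # assumed look-back window
foreach ($log in $logs) {
    Write-Host "`n=== $log ==="
    # Level 1-3 = Critical, Error, Warning
    $events = Get-WinEvent -FilterHashtable @{
        LogName = $log; Level = 1,2,3; StartTime = $since
    } -MaxEvents 20 -ErrorAction SilentlyContinue

    if (-not $events) {
        # Empty can also mean the channel is not enabled on this device.
        Write-Host 'No warnings or errors found in the look-back window.'
        continue
    }
    # Show only the first line of each message to keep the table readable.
    $events | Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -Wrap
}
```

Reading the `dsregcmd` table alongside the log entries from the same time window makes it easier to tell whether a sign-in option is blocked by join or PRT state, by policy, or by a certificate or Kerberos dependency.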

