Windows Hello For Business - Hybrid Cloud Trust Deployment

Nick R 6 Reputation points
2022-05-04T16:51:47.4+00:00

I have set up and deployed Windows Hello for Business using the instructions that are contained in this article: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust

For some users everything works perfectly fine; they are able to sign in with NFC cards without any issues. For other users, they get an error when trying to sign in. Some get "Your credentials couldn't be verified" and others get "No valid certificates were found on this smart card."

I tried removing and re-adding the NFC card to a user's account. Checked the Azure Kerberos setup. Shows it went in place on 4/28, which was the day I initially configured it.

I checked the Azure logs for people that have failed and it's saying success there as well. So I'm not sure where the error is actually occurring when the login fails.

All of the users computers are Hybrid Azure AD joined.


7 answers

Sort by: Most helpful
  1. Nagappan Veerappan 651 Reputation points Microsoft Employee
    2022-06-01T18:50:49.223+00:00

    Hi

    Another common scenario I have seen: it is not working for some users because they are in AD protected user groups (like Administrators, Backup Operators, etc.). You can see those users' group membership via whoami /groups if they log in with a password.
    Also, if you take a network trace during the login attempt of the user, you will see their cloud partial "Kerberos" TGT revoked by your on-prem writable DC, because they are part of a protected group.

    1 person found this answer helpful.
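The check described in the answer above (protected-group membership behind cloud Kerberos trust sign-in failures), as an added PowerShell example that is not part of the thread and not Microsoft's own tooling. It assumes the ActiveDirectory RSAT module is available in a domain-joined admin session; the group list is the well-known AdminSDHolder-protected set, `adminCount = 1` is the attribute AdminSDHolder stamps on protected accounts, and `$FailingUsers` is a constructed sample list of account names to replace with the accounts that fail to sign in.

```powershell
# Added example: correlate WHfB cloud Kerberos trust sign-in failures with
# AD protected-group membership. Not from the thread; assumes RSAT AD module.
Import-Module ActiveDirectory

# Default AdminSDHolder-protected groups (membership marks a user adminCount=1).
$ProtectedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators',
    'Replicator', 'Domain Controllers', 'Read-only Domain Controllers'
)

# Constructed sample: sAMAccountNames of users reporting the sign-in error.
$FailingUsers = @('jdoe', 'asmith')

function Get-ProtectedGroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount

    # Recursive membership so nested groups (e.g. a helpdesk group inside
    # Account Operators) are caught as well.
    $hits = foreach ($group in $ProtectedGroups) {
        try {
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
            if ($members.SamAccountName -contains $user.SamAccountName) { $group }
        } catch {
            # Group may not exist in this forest (e.g. no RODCs); skip it.
        }
    }

    [pscustomobject]@{
        User            = $user.SamAccountName
        AdminCount      = $user.adminCount
        ProtectedGroups = ($hits -join ', ')
        # Either indicator means the on-prem DC will not honour the partial TGT.
        LikelyBlocked   = ($user.adminCount -eq 1) -or (@($hits).Count -gt 0)
    }
}

$FailingUsers |
    ForEach-Object { Get-ProtectedGroupMembership -SamAccountName $_ } |
    Format-Table -AutoSize
```

A user that shows `LikelyBlocked = True` but no group hit usually has a stale `adminCount = 1` left behind from a past membership; AdminSDHolder does not clear that attribute when the user is removed from the group, so it needs to be reset by hand before the account is re-tested.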

  2. Nick R 6 Reputation points
    2022-05-04T18:04:53.42+00:00

    I just tried what this person did in this post: https://learn.microsoft.com/en-us/answers/questions/650889/windows-hello-for-business-after-setting-pin-unabl.html

    But it unfortunately didn't remedy the issue either.


  3. Limitless Technology 39,931 Reputation points
    2022-05-05T07:30:26.59+00:00

    Hi there,

    The fact that it works for some users might be due to differences in their Windows build.

    When you've enabled Windows Hello for Business on a Hybrid Azure AD Joined device, which is enabled for cloud trust, and the enrollment doesn't start, this is due to the fact you are hitting a bug in a specific build. Please make sure to upgrade your Windows 10 21H2 / Windows 11 21H2 device to the latest build.

    Also, as it seems the Azure logs show nothing about the login errors, I would suggest you use tools like Sysmon or Procmon to catch the error that is actually occurring when the login fails.

    Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. You can get the tool from here https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

    You can also do a quick check with the Known Deployment Issues and see if that matches any scenario of users and apply the respective resolution. Windows Hello for Business Known Deployment Issues: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-issues

    ------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer–


  4. Nick R 6 Reputation points
    2022-05-05T14:06:42.507+00:00

    Hi,

    That was actually a prerequisite to do it, so all of the computers are Windows 10 21H2 or Windows 11 and fully patched. Also made sure both of the 2019 DCs are patched up to where they needed to be.

    I did not try using Sysmon or Procmon to check for the error. I can try that when I get onsite again.

    I did look through that thread as well, as I was running into the issue, and hadn't found anything related to the issue I'm having.


  5. Siva-kumar-selvaraj 15,721 Reputation points
    2022-06-01T20:07:56.403+00:00

    In addition to what @Nagappan Veerappan mentioned, if none of these fix the issue, I would recommend calling Azure support because this would require a more extensive investigation. If you do not have a support plan but have an active Azure subscription, then please send an email with the subject line "Attn: SivaKumarS" to AzCommunity[at]Microsoft[dot]com referencing this article and your subscription id, and we will help you get one-time free technical support. Hope this helps.
