Cannot sign in to Windows using Windows Hello for Business Cloud Trust credentials.

Woody Chiu at RASI
2023-12-28T17:40:49.41+00:00

This issue has been happening to certain users, including myself. Here is some background. We have implemented Windows Hello for Business Cloud Trust. All laptops, which are Hybrid Azure AD Joined, have been configured to be signed in with either PIN, fingerprint, or even face recognition, despite password sign-in still existing as a sign-in option.

Sometimes, somehow, certain users reported they could not sign in to their laptops and encountered the message "Windows couldn't sign you in. Your credentials could not be verified", no matter whether it was PIN, fingerprint, or face recognition we tried, particularly while those users were away from the office. I mean the laptop did not have a line-of-sight connection to the Domain Controller like when they were connected in the office, even when their VPN was established at that moment. (I have been assuming they should be able to while the VPN is connected, but that has not been true in our situation.)

What they had to do to work around it was to sign in using their password to temporarily get access to Windows and continue to work on whatever they could access. They would end up bringing the laptop back to the office and connecting to the local network first. Then they would still sign in temporarily using their passwords while the Windows Hello for Business credentials were still not working. Then they would go into Windows Sign-in Options, where they would remove their previous credentials for PIN, fingerprint, or face recognition and recreate a new set of Windows Hello credentials. After that they would sign in to Windows with them fine, even when not connected to the office's network.

This issue has been bothering us for quite some time, and we haven't been able to figure out the root cause.

We also have been planning to eventually completely get rid of the existence of all user passwords to implement a completely passwordless environment. That does not seem possible anytime soon as long as we still have this strange issue happening to users from time to time.

If you could advise on what I should help the users with whenever they encounter the issue I described above, so that we could safely transition into a completely passwordless environment in the future, that would be very much appreciated.

Good day.


1 answer

Anonymous
2023-12-29T07:25:23.2333333+00:00

    Hi Woody,

    Welcome to the Microsoft Q&A community.
    This issue occurs because the issuing Certificate Authority (CA) certificate is missing from the NTAuth store of the domain controller and the client machine.
    When you use WHFB, the domain controller needs to validate the certificate sent by the client machine. During the validation, the Key Distribution Center (KDC) service on the domain controller checks whether it can find the issuing CA certificate in the NTAuth registry key. The NTAuth registry key is located at HKLM\Software\Microsoft\EnterpriseCertificates\NTAuth\Certificates.
    Kindly follow the official troubleshooting guide to see if the issue persists:
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/your-credential-could-not-be-verified-error-when-logging-on-to-windows-by-using-whfb#resolution

    Best Regards,

    Ian Xue


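The following is an added check for the mechanism the answer describes; it is not code from the thread, from Microsoft, or from the troubleshooting guide. It reads the NTAuth registry key named in the answer and reports whether an expected issuing CA is present and unexpired. It assumes the documented layout of that key (one subkey per certificate, named by SHA-1 thumbprint, with a `Blob` value in the serialised store-element format of `[DWORD propId][DWORD reserved][DWORD length][bytes]` records, property 32 being the DER certificate); `$ExpectedIssuingCaThumbprint` is a placeholder.

```powershell
# Added example: enumerate the NTAuth store via the registry key named in the answer
# and check whether the expected issuing CA certificate is present and unexpired.
# $ExpectedIssuingCaThumbprint is a placeholder: replace it with your issuing CA's SHA-1 thumbprint.
param(
    [string]$ExpectedIssuingCaThumbprint = 'REPLACE_WITH_ISSUING_CA_SHA1_THUMBPRINT'
)
$ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'

function Get-NtAuthCertificates {
    if (-not (Test-Path $ntAuthKey)) {
        Write-Warning "NTAuth key not found: $ntAuthKey (no issuing CA is cached on this machine)"
        return @()
    }
    foreach ($sub in Get-ChildItem -Path $ntAuthKey) {
        # Each subkey is named by SHA-1 thumbprint and holds a 'Blob' value in the
        # serialised store-element format (assumed layout): repeated [DWORD propId]
        # [DWORD reserved][DWORD length][bytes] records; propId 32 carries the DER cert.
        $blob = (Get-ItemProperty -Path $sub.PSPath -Name Blob -ErrorAction SilentlyContinue).Blob
        if (-not $blob) { continue }
        $pos = 0
        while ($pos + 12 -le $blob.Length) {
            $propId = [BitConverter]::ToUInt32($blob, $pos)
            $len    = [BitConverter]::ToUInt32($blob, $pos + 8)
            if ($len -eq 0) { $pos += 12; continue }
            $data = $blob[($pos + 12)..($pos + 11 + $len)]
            if ($propId -eq 32) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$data)
                [pscustomobject]@{
                    Thumbprint = $cert.Thumbprint
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Expired    = ($cert.NotAfter -lt (Get-Date))
                }
            }
            $pos += 12 + $len
        }
    }
}

$certs = @(Get-NtAuthCertificates)
$certs | Format-Table Thumbprint, Subject, NotAfter, Expired -AutoSize
$match = $certs | Where-Object { $_.Thumbprint -eq $ExpectedIssuingCaThumbprint.ToUpper() }
if (-not $match) {
    Write-Warning "Issuing CA $ExpectedIssuingCaThumbprint is missing from NTAuth on this machine."
} elseif ($match.Expired) {
    Write-Warning "Issuing CA is present in NTAuth but expired on $($match.NotAfter)."
} else {
    Write-Output "Issuing CA $ExpectedIssuingCaThumbprint is present and valid in NTAuth."
}
```

Run it from an elevated PowerShell session on both an affected client and a domain controller, since the answer states the issuing CA must be present in the NTAuth store of each.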

