Windows Hello for business is working for Azure AD joined devices but not on Hybrid AD joined devices.

Manish Kumar 0 Reputation points
2024-03-06T13:46:22.3133333+00:00

Windows Hello for Business is working for Azure AD joined devices but not on Hybrid AD joined devices.
Error when logging on to Windows with Windows Hello for Business.
"Your credentials could not be verified"


4 answers

  1. glebgreenspan 1,125 Reputation points
    2024-03-06T13:52:21.1933333+00:00

    Hello Manish. Here are some steps to troubleshoot and resolve the issue:

    1. Check Domain Trust Relationship:
       - Ensure that there is a proper trust relationship established between the on-premises AD and the Azure AD.
       - Verify that Hybrid Azure AD Join is configured correctly on your devices.
    2. Check Hybrid AD Join Settings:
       - Make sure that your devices are properly configured for Hybrid AD Join.
       - Verify that group policies related to Hybrid AD Join are correctly applied.
    3. Verify Azure AD Connect:
       - Check the synchronization status of Azure AD Connect to ensure that user and device objects are syncing properly between on-premises AD and Azure AD.
    4. Check Certificate Configuration:
       - Verify that the required certificates for Windows Hello for Business are properly issued and installed on the devices and user objects.
       - Ensure that the certificate templates in the on-premises AD are correctly configured for Windows Hello for Business.
    5. Check Windows Hello for Business Policy:
       - Review the Windows Hello for Business Group Policy settings applied to the Hybrid AD-joined devices to ensure they are configured correctly.
       - Make sure that policies related to biometric authentication are not conflicting.
    6. Check Event Viewer Logs:
       - Look into the event logs on the devices and AD servers for any specific error messages or warnings related to Windows Hello for Business.
       - Check if there are any authentication failures or issues with the trust relationship.
    7. Restart Devices and Services:
       - Try restarting the devices and domain controllers to see if it resolves the issue.
       - Restart the Windows Hello for Business-related services on the devices.


  2. Crystal-MSFT 42,716 Reputation points Microsoft Vendor
    2024-03-07T01:26:06.84+00:00

    @Manish Kumar, Thanks for posting in Q&A. For the error, it can occur because the issuing Certificate Authority (CA) certificate is missing in the NTAuth store of the domain controller and client machine. You can try the steps in the following link to see if the issue can be resolved.

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/your-credential-could-not-be-verified-error-when-logging-on-to-windows-by-using-whfb

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Yanhong Liu 1,550 Reputation points Microsoft Vendor
    2024-03-07T08:12:49.6633333+00:00

    Hello Manish Kumar,

    Thank you for posting in the Q&A forum.

    When you sign in for the first time after provisioning Windows Hello for Business, if the device isn't connected from your on-premises network to an internal domain controller, this error appears on a hybrid Azure AD-joined device (key and certificate trust). You can try following this link: Set up Windows Hello for Business Hybrid Azure AD joined Devices - .matrixpost.net

    You can also update Azure AD Connect to make sure you're running the latest version of Azure AD Connect.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

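The two causes raised in the answers above (the issuing CA certificate missing from the NTAuth store on the client or in AD, and no reachable domain controller at first sign-in) can be checked from the affected client in one pass. The script below is an added example, not code from this thread or from Microsoft's article; it assumes an elevated PowerShell session on the hybrid-joined client while it is on the corporate network, and `$IssuingCaThumbprint` is a placeholder you replace with the SHA-1 thumbprint of the CA that issues your domain controller certificates.

```powershell
# Added triage script (not from the thread): checks the NTAuth store on the client
# and in AD, domain controller reachability, and the device's registration state.
$IssuingCaThumbprint = 'REPLACE-WITH-ISSUING-CA-SHA1-THUMBPRINT'   # placeholder
$wanted = ($IssuingCaThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# 1. Enterprise NTAuth store on this client. certutil prints "Cert Hash(sha1): ..."
#    lines; older builds separate the bytes with spaces, so strip non-hex characters.
$localHashes = certutil -enterprise -store NTAuth 2>&1 | ForEach-Object {
    if ($_ -match 'Cert Hash\(sha1\):\s*(.+)$') {
        ($Matches[1] -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    }
}
$inClientNtAuth = $localHashes -contains $wanted

# 2. NTAuthCertificates object in the AD configuration partition, which is what
#    domain controllers and other clients trust for logon certificate issuers.
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$ntauthObj = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$adHashes  = foreach ($raw in $ntauthObj.Properties['cACertificate']) {
    ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)).Thumbprint
}
$inAdNtAuth = $adHashes -contains $wanted

# 3. Can this client locate a domain controller for its own domain right now?
nltest /dsgetdc: /force | Out-Null
$dcReachable = ($LASTEXITCODE -eq 0)

# 4. Join and Hello provisioning state as reported by dsregcmd.
$dsreg = dsregcmd /status | Out-String
$state = @{}
foreach ($k in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'NgcSet') {
    if ($dsreg -match "$k\s*:\s*(\S+)") { $state[$k] = $Matches[1] }
}

[pscustomobject]@{
    IssuingCaInClientNtAuth = $inClientNtAuth
    IssuingCaInAdNtAuth     = $inAdNtAuth
    DomainControllerReached = $dcReachable
    AzureAdJoined           = $state['AzureAdJoined']
    DomainJoined            = $state['DomainJoined']
    AzureAdPrt              = $state['AzureAdPrt']
    NgcSet                  = $state['NgcSet']
}

if (-not $inAdNtAuth) {
    Write-Warning 'Issuing CA is not in AD NTAuth: publish it with "certutil -dspublish -f <IssuingCA.cer> NTAuthCA".'
}
if (-not $inClientNtAuth) {
    Write-Warning 'Issuing CA is not in the client NTAuth store: refresh with "gpupdate /force" or "certutil -pulse" and re-run.'
}
if (-not $dcReachable) {
    Write-Warning 'No domain controller reachable: connect to the on-premises network (or VPN) before the first Hello sign-in.'
}
```

A `False` in either NTAuth column explains the "Your credentials could not be verified" error even when `NgcSet` is `YES`, because the domain controller cannot chain the Hello certificate to a trusted logon issuer.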
