This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 83%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
Windows Hello for Business is working for Azure AD joined devices but not on Hybrid AD joined devices.
Error when logging on to Windows with Windows Hello for Business.
"Your credentials could not be verified"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Manish Kumar, Hope the following suggestion can help. If there's any update, feel free to let us know.
Hello Manish
. Here are some steps to troubleshoot and resolve the issue:
1. Check Domain Trust Relationship:
o Ensure that there is a proper trust relationship established between the on-premises AD and the Azure AD.
o Verify that Hybrid Azure AD Join is configured correctly on your devices.
2. Check Hybrid AD Join Settings:
o Make sure that your devices are properly configured for Hybrid AD Join.
o Verify that group policies related to Hybrid AD Join are correctly applied.
3. Verify Azure AD Connect:
o Check the synchronization status of Azure AD Connect to ensure that user and device objects are syncing properly between on-premises AD and Azure AD.
4. Check Certificate Configuration:
o Verify that the required certificates for Windows Hello for Business are properly issued and installed on the devices and user objects.
o Ensure that the certificate templates in the on-premises AD are correctly configured for Windows Hello for Business.
5. Check Windows Hello for Business Policy:
o Review the Windows Hello for Business Group Policy settings applied to the Hybrid AD-joined devices to ensure they are configured correctly.
o Make sure that policies related to biometric authentication are not conflicting.
6. Check Event Viewer Logs:
o Look into the event logs on the devices and AD servers for any specific error messages or warnings related to Windows Hello for Business.
o Check if there are any authentication failures or issues with the trust relationship.
7. Restart Devices and Services:
o Try restarting the devices and domain controllers to see if it resolves the issue.
o Restart the Windows Hello for Business-related services on the devices.
@Manish Kumar, Thanks for posting in Q&A. For the error, it can occur because the issuing Certificate Authority (CA) certificate is missing in the NTAuth store of the domain controller and client machine. You can try the steps in the following link to see if the issue can be resolved.
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 92%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYL%3C/text%3E%3C/svg%3E)
Hello Manish Kumar,
Thank you for posting in Q&A forum.
When you sign in for the first time after provisioning Windows Hello for Business, if the device isn't connected from your on-premises network to an internal domain controller, this error appears on a hybrid Azure AD-joined device (key and certificate trust). You can try following this link: Set up Windows Hello for Business Hybrid Azure AD joined Devices - .matrixpost.net
You can also update Azure AD Connect to make sure you're running the latest version of Azure AD Connect.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Yanhong Liu
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hello Manish Kumar,
Thank you for posting in Q&A forum.
When you sign in for the first time after provisioning Windows Hello for Business, if the device isn't connected from your on-premises network to an internal domain controller, this error appears on a hybrid Azure AD-joined device (key and certificate trust). You can try following this link: Set up Windows Hello for Business Hybrid Azure AD joined Devices - .matrixpost.net
You can also update Azure AD Connect to make sure you're running the latest version of Azure AD Connect.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Yanhong Liu
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.