Issue with Configuring Windows Hello for Business Using User Configuration on prem AD

Aoutilios Maroun 0 Reputation points
2025-05-05T09:39:55.6866667+00:00

I am attempting to configure Windows Hello for Business using the Computer Configuration in Group Policy on-premises. Despite enabling the necessary policies such as "Use Windows Hello for Business," and "Use certificate for on-premises authentication," the configuration does not seem to be working as expected. I have followed the steps outlined in the Microsoft documentation but the devices are not enrolling or using the certificates for authentication. I would appreciate any guidance or troubleshooting steps to resolve this issue.


1 answer

Chen Tran 80 Reputation points
    2025-05-09T08:16:25.3266667+00:00

    Hello,

    Thank you for posting the question on Microsoft Windows forum!

    Based on your query, the devices are configured for "Windows Hello for Business" but do not work as expected. You can check the following points as troubleshooting steps to help pinpoint the issue:

    1. Verify Group Policy Application: Ensure that the Group Policy settings are correctly applied to the affected devices. Run gpresult /h report.html on a client machine to check if the policies are being applied as expected.
    2. Check Event Logs: Navigate to Event Viewer (Eventvwr.msc) and check under Applications and Services Logs -> Microsoft -> Windows -> HelloForBusiness for any errors or warnings related to enrollment or authentication.
    3. Check Domain Connectivity: Windows Hello for Business requires proper Active Directory (AD) connectivity. Run dsregcmd.exe /status on the client device to confirm its domain binding.
    4. Verify TPM Status: If your deployment relies on a Trusted Platform Module (TPM), ensure that:
    • TPM is enabled in BIOS/UEFI.
    • The device is using TPM 2.0.
    • Run tpm.msc to check for any issues.
    5. Certificate Enrollment Issues: Make sure the clients can enroll for the necessary certificates:
    • Verify connectivity to the on-premises Certificate Authority (CA).
    • Confirm that the template for Windows Hello for Business is properly configured and published.
    • Ensure auto-enrollment is enabled via Group Policy (User Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Certificate Services Client – Auto-Enrollment).

    You can refer to the following Microsoft official article for more information about configuring Windows Hello for Business policy settings:
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll

    Hope the above information is helpful!
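The five checks in the answer above can be collected in one read-only pass on an affected client. The script below is an added example, not code from the question, the answer, or Microsoft; it assumes the registry values the "Use Windows Hello for Business" and "Use certificate for on-premises authentication" policies write (HKLM\SOFTWARE\Policies\Microsoft\PassportForWork), the user auto-enrollment value (HKCU\...\Cryptography\AutoEnrollment\AEPolicy), the HelloForBusiness operational log name, and the DomainJoined/NgcSet fields of dsregcmd /status, all as they appear on current Windows 10/11 clients. Run it in an elevated PowerShell session as the affected user on a domain-joined device.

```powershell
# Added example: read-only Windows Hello for Business client health check.
# Registry paths, log name and dsregcmd field names are assumptions about
# current Windows builds; confirm them against your own clients.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. Group Policy application: these values exist only when the WHfB policy applied.
$pfw = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$enabled  = (Get-ItemProperty -Path $pfw -Name Enabled -ErrorAction SilentlyContinue).Enabled
$certAuth = (Get-ItemProperty -Path $pfw -Name UseCertificateForOnPremAuth -ErrorAction SilentlyContinue).UseCertificateForOnPremAuth
Add-Check 'Policy: Use Windows Hello for Business' ($enabled -eq 1) "Enabled=$enabled"
Add-Check 'Policy: Use certificate for on-premises auth' ($certAuth -eq 1) "UseCertificateForOnPremAuth=$certAuth"

# 2. HelloForBusiness operational log: errors (2) and warnings (3) from the last 24 hours.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-HelloForBusiness/Operational'
    Level     = 2, 3
    StartTime = (Get-Date).AddDays(-1)
} -MaxEvents 20 -ErrorAction SilentlyContinue
$eventCount = @($events).Count
Add-Check 'HelloForBusiness log: no errors/warnings (24h)' ($eventCount -eq 0) "$eventCount event(s); inspect with Get-WinEvent if non-zero"

# 3. Domain connectivity and provisioning state as reported by dsregcmd.
$ds = (dsregcmd /status) -join "`n"
function Get-DsValue([string]$Key) {
    if ($ds -match "(?m)^\s*$Key\s*:\s*(\S+)") { return $Matches[1] }
    return 'N/A'
}
$domainJoined = Get-DsValue 'DomainJoined'
$ngcSet       = Get-DsValue 'NgcSet'
Add-Check 'dsregcmd: DomainJoined' ($domainJoined -eq 'YES') "DomainJoined=$domainJoined"
Add-Check 'dsregcmd: NgcSet (Hello key provisioned)' ($ngcSet -eq 'YES') "NgcSet=$ngcSet"

# 4. TPM present, ready, and version 2.0 (SpecVersion comes from the Win32_Tpm WMI class).
$tpm  = Get-Tpm -ErrorAction SilentlyContinue
$spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
$tpmReady = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
Add-Check 'TPM present and ready' $tpmReady "TpmPresent=$($tpm.TpmPresent) TpmReady=$($tpm.TpmReady)"
Add-Check 'TPM 2.0' ("$spec" -like '2.0*') "SpecVersion=$spec"

# 5. Certificate enrollment: user auto-enrollment policy and a Smart Card Logon certificate
#    in the user's personal store (the WHfB on-prem certificate carries that EKU).
$aePath = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = (Get-ItemProperty -Path $aePath -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
# Assumed bit layout: 0x1 = enroll, 0x2 = renew, 0x4 = update templates, 0x8000 = disabled.
$aeOn = ($null -ne $ae) -and (($ae -band 1) -eq 1) -and (($ae -band 0x8000) -eq 0)
Add-Check 'User certificate auto-enrollment policy' $aeOn "AEPolicy=$ae"
$scLogon = @(Get-ChildItem Cert:\CurrentUser\My -ErrorAction SilentlyContinue |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Smart Card Logon' })
Add-Check 'Smart Card Logon certificate in user store' ($scLogon.Count -gt 0) "$($scLogon.Count) certificate(s)"

$results | Format-Table -AutoSize
```

Read the table top to bottom: a failing policy check points back to step 1 (gpresult, scope, and whether the client has refreshed policy), a failing NgcSet with passing TPM and policy checks usually means provisioning has not been triggered yet or is failing and the HelloForBusiness log will say why, and a missing Smart Card Logon certificate with auto-enrollment on points at the CA template, its publication, or connectivity to the CA rather than at the client.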
