Windows Hello for Business PIN not available for first time domain logon


Hi everyone,

We are facing an issue where we have enabled Windows Hello for Business in our organization. Users can set up the Windows Hello PIN after the GPO is applied.

Everything works according to the documentation, but when the user reboots the machine, on the first logon the PIN and every other Windows Hello for Business authentication method is disabled: there is no "sign-in option", so the user has to log in using the password.

Then, after the first login, if the user locks the computer, he can unlock it using the PIN or another authentication method.

Any ideas?


4 answers

  1. Daisy Zhou 20,301 Reputation points Microsoft Vendor

    Hello anonymous user,

    Thank you for posting here.

    Based on the following link, we can see user experience for Windows Hello for Business.

    What is the user experience for Windows Hello for Business?
    The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment.

    Windows Hello for Business Frequently Asked Questions (FAQ)

    Windows Hello for Business Videos

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  2. Anonymous

    Hi Daisy,

    The problem is that we have already deployed the GPO, and the user has successfully enrolled. The problem is that when users log in to their Windows profiles for the first time after a reboot or shutdown, the sign-in options for Windows Hello are not available, so the user has to log in using a password.

    After that first time, if the users lock their computers they can unlock them using the Windows Hello for Business PIN or face recognition.

    So the question is, why is it not available to use during the first login?

  3. Anonymous

    Yes, we do have an AAD environment, and the enrollment process is working fine; the problem is during the first sign-in. Please, I need help with this.


  4. The_Russeller_1 6 Reputation points


    The default behaviour for Windows Hello for Business provisioning is that once the user has completed the setup, at the next sign-in the public key will be added to the user's Azure AD attribute. Before the user can authenticate using the configured Windows Hello for Business PIN or biometrics, AAD Connect needs to sync back to the on-premises AD; in this sync the public key will be written back to the user's on-premises AD object, to the attribute msDS-KeyCredentialLink. Once this sync has occurred, the user will be able to authenticate with the configured Windows Hello for Business options.

    You can see the entire process for how this works if you look in Event Viewer under HelloForBusiness: each step is listed, from post-logon provisioning to creating the Windows Hello container, creating the public key, etc.

    Within AAD Connect you can then see the modification to the user attribute to be written back to the on-premises AD user object; see below:

    The above is the default behaviour... However, I did see an article a little while ago which explained how you can use ADFS to do the mapping of the user's public key rather than doing this within AAD first. This would mean you do not have to wait for the AAD Connect sync to take place (of course you could do a delta sync to do it immediately...). I've not been able to find the article I was reading, so I did a public forum post to see if anyone could point me in the right direction for what I thought I was reading. Not heard back yet; someone out there will know the ADFS configurations needed to bypass the AAD Connect sync time...
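An added check for the write-back step described in the answer above; this is example code and was not posted by anyone in this thread. It assumes the RSAT ActiveDirectory module on the machine running it, placeholder user and OU names, and the ADSync module on the AAD Connect server.

```powershell
# Added example (not from this thread): report whether the Windows Hello for
# Business public key has reached the on-premises AD user object, the
# prerequisite for PIN sign-in named in the answer above.
Import-Module ActiveDirectory

function Test-WhfbKeyWriteback {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # msDS-KeyCredentialLink is multi-valued: one entry per registered key.
    $user = Get-ADUser -Identity $SamAccountName -Properties 'msDS-KeyCredentialLink'
    $keys = @($user.'msDS-KeyCredentialLink')

    [pscustomobject]@{
        User        = $user.SamAccountName
        KeyCount    = $keys.Count
        WrittenBack = ($keys.Count -gt 0)
    }
}

# Single user (placeholder account name).
Test-WhfbKeyWriteback -SamAccountName 'jdoe'

# Whole OU (placeholder OU): any user who has enrolled but appears in this
# list is still waiting for the AAD Connect sync to write the key back.
Get-ADUser -Filter * -SearchBase 'OU=Staff,DC=example,DC=com' -Properties 'msDS-KeyCredentialLink' |
    Where-Object { -not $_.'msDS-KeyCredentialLink' } |
    Select-Object SamAccountName

# If the attribute is still empty, force a delta sync on the AAD Connect
# server instead of waiting for the scheduler (run there, ADSync module):
# Start-ADSyncSyncCycle -PolicyType Delta

# On the client, the provisioning steps the answer mentions are logged here
# (log name assumed; confirm it in Event Viewer on your build):
# Get-WinEvent -LogName 'Microsoft-Windows-HelloForBusiness/Operational' -MaxEvents 30 |
#     Select-Object TimeCreated, Id, Message | Format-List
```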