WHfB prompts opening documents from SharePoint on prem

Cheryl Scott 0 Reputation points
2026-03-09T08:10:10.9733333+00:00

Windows Hello for Business prompts when opening Office documents from internal SharePoint sites

Microsoft 365 and Office | SharePoint Server | For business

2 answers

  1. Kudos-Ng 15,050 Reputation points Microsoft External Staff Moderator
    2026-03-09T09:33:09.5066667+00:00

    Hi Cheryl Scott,

    Thank you for posting your question in the Microsoft Q&A forum.

    To help narrow down the cause of these Windows Hello for Business prompts, could you provide some additional details about your environment?

    1. Is your environment a pure on-premises Active Directory setup, or is it a Hybrid environment synchronized with Microsoft Entra ID (Azure AD)?
    2. WHfB Trust Model: Do you know which deployment model is currently in use (e.g., Key Trust, Certificate Trust, or Cloud Kerberos Trust)?
    3. Is this a new behavior that started recently for existing users, or is it a new deployment of Windows Hello for Business?
    4. Does this prompt occur every single time a document is opened, or just the first time after a user signs in or unlocks their device?
    5. Are these prompts exclusive to Office desktop apps (Word, Excel) when opening from SharePoint, or do they happen with other internal resources as well?

    Additionally, please consider reviewing the insights provided by the Q&A Assist in this thread, as it covers several documented legacy server-side configurations (such as WebClient and SharePoint 2016 auth headers) that might be relevant to your scenario.

    Looking forward to your update.


    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Q&A Assist
    2026-03-09T08:10:27.68+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Windows Hello for Business itself is not covered in the context, but the behavior described (being prompted when opening Office documents from on‑premises SharePoint) matches known authentication and client/SharePoint interaction issues.

    Use these checks and mitigations that are supported by the context:

    1. Confirm the issue is not due to WebClient being disabled
      • If opening from classic mapped paths (WebDAV, “Open with Explorer”, or similar) is slow, defaults to local folders, or shows connection errors, verify the WebClient service:
        1. Open Services on the client.
        2. Locate WebClient.
        3. Set Startup type to Manual and start the service if it is stopped.
      • On Windows Server 2008/2012 RDS or VDI hosts, ensure Desktop Experience (which includes WebClient) is installed first.
    2. Check for SharePoint 2016 bearer‑token behavior (if using SharePoint Server 2016)
      • When using MSI‑based Office 2016 with SharePoint Server 2016 and anonymous or alternate‑account access, Office sends an Authorization: Bearer header for compatibility with SharePoint Online.
      • SharePoint Server 2016 can respond with HTTP 401 and trigger additional authentication prompts because of how it handles Authorization: Bearer without the X-IDCRL_ACCEPTED: t header.
      • If this matches the environment (SharePoint 2016 on‑prem, MSI Office 2016, anonymous or alternate‑account access), treat the repeated prompts as a server‑side authentication behavior rather than a WHfB client problem and review SharePoint authentication configuration (disable anonymous where not needed, align auth methods with Office clients).
    3. Validate that prompts are not caused by UAG or reverse proxy
      • If SharePoint is published through Forefront UAG 2010 or a similar reverse proxy, multiple prompts can occur when opening Office documents directly (e.g., via bookmark) before visiting any SharePoint page.
      • In UAG 2010, this is caused by the SSO cookie not being created until core.js is requested. The documented fix is to install the appropriate UAG 2010 Service Pack (KB 2710791).
    4. General client‑side checks
      • If documents open but show outdated content or behave unexpectedly, verify AutoSave behavior with SharePoint on‑premises. SharePoint on‑prem does not support AutoSave/coauthoring the same way as SharePoint Online; Word/PowerPoint may show an Updates Available button and use cached copies.
      • If necessary, disable AutoSave by policy or per‑machine using the documented registry value autosavebydefaultadminchoice for Word and PowerPoint.
    5. Isolate whether WHfB is the trigger
      • Temporarily test with a non‑WHfB sign‑in (e.g., a test device or profile not enrolled in WHfB) to confirm whether prompts persist. If they do, the cause is likely one of the SharePoint/Office behaviors above rather than WHfB itself.

    If prompts occur only on SharePoint Server 2016 with MSI Office 2016 and specific auth modes, focus on the Authorization: Bearer handling and SharePoint authentication configuration. If they occur when accessing documents directly through a reverse proxy, apply the UAG fix. If they correlate with WebDAV/Explorer‑style access, ensure WebClient/Desktop Experience is correctly installed and running.
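
One way to triage check 2 from a client-side HTTP capture, added here as an example (not part of the Q&A Assist answer and not Microsoft tooling): it flags requests that carried `Authorization: Bearer` without `X-IDCRL_ACCEPTED: t` and received HTTP 401. The trace text, its layout and the function names are assumptions made for the illustration.

```python
# Added example: flags the "Authorization: Bearer" + 401 pattern in a captured trace.
# The trace below is constructed and says nothing about how a real farm responds.
# Assumed layout: ">>> " request line, "<<< " status line, blank line between exchanges.
SAMPLE_TRACE = """\
>>> GET /sites/team/Shared%20Documents/plan.docx HTTP/1.1
Authorization: Bearer
<<< HTTP/1.1 401 Unauthorized

>>> GET /sites/team/Shared%20Documents/plan.docx HTTP/1.1
Authorization: Bearer
X-IDCRL_ACCEPTED: t
<<< HTTP/1.1 200 OK

>>> GET /sites/team/Shared%20Documents/budget.xlsx HTTP/1.1
<<< HTTP/1.1 401 Unauthorized

>>> OPTIONS /sites/team/Shared%20Documents/ HTTP/1.1
authorization: bearer
<<< HTTP/1.1 401 Unauthorized
"""

def parse_trace(text):
    """Split the trace into exchanges: request line, request headers, response status."""
    exchanges = []
    for block in text.strip().split("\n\n"):
        ex = {"line": "", "headers": {}, "status": None}
        in_response = False
        for line in block.splitlines():
            if line.startswith(">>> "):
                ex["line"] = line[4:]
            elif line.startswith("<<< "):
                in_response = True
                ex["status"] = int(line[4:].split()[1])
            elif not in_response and ":" in line:
                name, value = line.split(":", 1)
                ex["headers"][name.strip().lower()] = value.strip()  # header names are case-insensitive
        exchanges.append(ex)
    return exchanges

def bearer_401_candidates(exchanges):
    """Request lines that sent Bearer without X-IDCRL_ACCEPTED: t and got a 401."""
    return [ex["line"] for ex in exchanges
            if ex["status"] == 401
            and ex["headers"].get("authorization", "").lower().startswith("bearer")
            and ex["headers"].get("x-idcrl_accepted", "").lower() != "t"]

if __name__ == "__main__":
    for request_line in bearer_401_candidates(parse_trace(SAMPLE_TRACE)):
        print("bearer-without-IDCRL 401:", request_line)
```

A 401 on a request with no `Authorization` header (the third exchange) is an ordinary authentication challenge and is deliberately not flagged.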

