This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 31%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
Hello Team,
Here is my current setup :
Windows 2019 DC (OS Build 17763.2237) so it should include the update - KB4487044( OS Build - 17763.316)
Windows hello for business - Key Trust
Rolled out for two users :
User A and User B
User A - WHFB - PIN Setup Successful , PIN Login successful , I can verify from the Azure AD sign in logs that the authentication is windows hello for business.
User B - PIN Setup Successful, PIN Login Unsuccessful , getting the below errors ( I need assistance in resolve these errors or provide a direction , will be much appreciated.)
1) Your credentials could not be verified
2) Something went wrong and your PIN isn't available ( status:0xc000005e, substatus:(0x0) Click to set your PIN again.
I have below two GPO's configured :
GPO 1
1) User level - Enable Windows Hello for Business
User configuration under Policies > Administrative Templates > Windows Components > Windows Hello for Business
GPO 2:
2.1 Computer Configuration -> Policies -> Administrative Templates -> System -> PIN Complexity ===> To set the PIN complexity
2.2 ) Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Hello for Business -> Use a hardware security Device : Disabled ( so that both hardware TPM and software are used for fall back)
2.3) Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Hello for Business ->Use Biometrics ( To allow user to enroll biometrics)
I have not set Convenience PIN ( computer configuration -> Administrative Templates-> System -> Logon -> Turn on convenience PIN Sign in policy) as I dont think this is required .
Self - Resolved after following the below steps :
1) I deleted the NGC Folder ( C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft )
2) Deleted the enrolled WHFB authentication method
Asked the user to Re-enroll for Windows Hello for Business and it enrolled successfully.
Self - Resolved after following the below steps :
1) I deleted the NGC Folder ( C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft )
2) Deleted the enrolled WHFB authentication method
Asked the user to Re-enroll for Windows Hello for Business and it enrolled successfully.