Windows Hello For Business in a Hybrid ADFS Environment Not Working Properly


  • When a user enrolls in Windows Hello For Business, there is a delay of around 30 minutes before the user is able to use the PIN.

    If they try to use the PIN before then, it fails with an error:

    "This option is temporarily unavailable.  For now, please use a different method to sign in."

    This issue was supposed to be fixed by installing KB4088889 on your Server 2016 federation servers.

    The following is the enrollment behavior prior to Windows Server 2016 update KB4088889 (14393.2155).

    The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory. Once synchronized, the user can authenticate and use on-premises resources. Read Azure AD Connect sync: Scheduler to view and adjust the synchronization cycle for your organization.

    Windows Server 2016 update KB4088889 (14393.2155) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers.

    I don't see that specific update installed on the servers in the list of installed updates; however, more current updates are installed and this update is not being offered to the servers by WSUS.

    I assume this is because KB4088889 must have been a cumulative update that has been replaced by newer cumulative updates.

    However, I'm still seeing the issue that KB4088889 is supposed to fix. Synchronous certificate enrollment to allow immediate sign in isn't working.

    How can I verify that the fix is indeed in more recent cumulative updates?

    Is there now a different fix for this issue?

    Friday, April 12, 2019 8:54 PM
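One way to answer the "is the fix actually in a later cumulative update" part of the question, as an added example that is not part of the original post: because Windows cumulative updates supersede each other, a Server 2016 federation server whose OS build is at or above 14393.2155 carries the KB4088889 change even though that KB never appears in the installed-update list. The server names in `$FederationServers` are placeholders; run it from a host with PowerShell remoting access to the AD FS farm.

```powershell
# Added example (not from the original post). Checks each federation server for
# KB4088889 directly, and otherwise compares the OS build (CurrentBuildNumber.UBR
# from the registry) against 14393.2155, the build that KB4088889 installs.
$FederationServers = @('ADFS01', 'ADFS02')   # placeholder hostnames, replace with your farm
$RequiredBuild = 14393
$RequiredUbr   = 2155

$check = {
    param($RequiredBuild, $RequiredUbr)
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    $kb    = Get-HotFix -Id 'KB4088889' -ErrorAction SilentlyContinue

    $hasFix = ($null -ne $kb) -or
              ($build -gt $RequiredBuild) -or
              ($build -eq $RequiredBuild -and $ubr -ge $RequiredUbr)

    [pscustomobject]@{
        Server      = $env:COMPUTERNAME
        OsBuild     = "$build.$ubr"
        KbListed    = ($null -ne $kb)     # true only if the KB itself is in Get-HotFix output
        FixPresent  = $hasFix             # true if the build supersedes 14393.2155
    }
}

Invoke-Command -ComputerName $FederationServers -ScriptBlock $check `
    -ArgumentList $RequiredBuild, $RequiredUbr |
    Select-Object Server, OsBuild, KbListed, FixPresent |
    Format-Table -AutoSize
```

A `FixPresent` of `True` only shows the code change is installed; whether synchronous enrollment is actually used still depends on the hybrid certificate trust configuration, which this check does not inspect.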