Windows Hello isn't available on this device - Windows VM

  • Question

  • Hello,

    I have Windows 10 1703 Enterprise edition, runs on VMware fusion.

    It seems like it doesn't support Windows Hello for Business - this sentence appears in Settings > Account: 'Hello isn't available on this device'.

    In addition, I can't set up a PIN for domain users, only for local users.

    I tried every solution I found on the web, including enabling biometrics, enabling the use of Windows Hello, etc. I went through probably every solution that is on the web. The only thing I didn't do is delete the NGC folder, which I don't have access to.

    I know that Windows Hello can work with a PIN only, and it works on Fusion.

    Is it related to the version or build? I can go and buy a new OS, but before doing so, I want to make sure it can work (if I know why it doesn't work, it will be helpful).

    Thanks.

    Saturday, December 8, 2018 4:02 PM

All replies

  • * I suggest you update Windows.

    * Update your fingerprint device driver.

    * Run the built-in Hardware and Devices Troubleshooter.

    * This Microsoft resource can throw more light on this subject.


    S.Sengupta, Microsoft MVP Windows and Devices for IT, Windows Insider MVP

    Sunday, December 9, 2018 12:00 AM
  • Hi,

    Thanks for your question.

    May I ask if you tried the following threads?

    Windows Hello isn’t available on this device; Fix Windows Hello problems

    Windows Hello isn’t available on this device on Windows 10 [Solved]

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    If you have any question or concern, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Monday, December 10, 2018 6:57 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Michael



    Tuesday, December 11, 2018 10:04 AM
    Moderator
  • Hi,

    Thanks for your reply.

    The problem is actually with Windows Hello for Business and is not related to Windows Hello - my bad with the header.

    The issue is probably around the certification of the DC, which is a certification created on the local AD CS. In addition, and it might relate to the cert issue as well, the device is not registered on AAD.

    Do you know if I need to install these 2 roles on the DC? And if I do, should I use the same account I used for AD FS, which is a gMSA service account?

    I installed them and used a different service account and added an SPN to it.

    Certificate Enrollment Web Services

    Certification Authority Web Enrollment

    Now I get this error under Windows Logs > System:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server adfs$. The target name used was HTTP/ADFS.<domain_name>. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (<domain_name>) is different from the client domain (<domain_name>), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    I'm trying to roll it back so at least I don't get this error.



    • Edited by IZPing Friday, December 14, 2018 3:44 PM
    Friday, December 14, 2018 3:40 PM
  • Hi,

    Sorry for my delay.

    For Windows Hello for Business, we first need to check whether your environment meets the deployment prerequisites. Please refer to the following docs, which explain the deployment of Windows Hello for Business.

    Windows Hello for Business

    Planning a Windows Hello for Business Deployment

    Besides, the above event error is not related to Windows Hello for Business. For this issue, we also consult the AD forum.

    https://social.technet.microsoft.com/Forums/windows/en-US/home?forum=winserverDS

    Highly appreciate your effort and time, if you have any question or concern, please feel free to let me know.

    Best regards,

    Michael



    Monday, December 17, 2018 10:28 AM
    Moderator
  • Hi,

    Thanks for your reply.

    My environment meets all requirements. I've fixed the above error by removing the SPN from the account I created.

    WHFB still doesn't work, and DRS with Azure doesn't work as well.

    One thing I see all the time is that for Kerberos authentication the SPN must be registered to the ADFS service account, but during the installation of ADFS it was registered with the server itself. When I tried to change that (setspn -S HOST/adfs_service_name adfssvc), the service didn't start. So again, I changed it back to the server.

    These are the errors I see in Event Viewer:

    On ADFS > Admin, after trying to verify federation through AAD Connect (federation does work through the browser when logging in to Office/Azure):

    "An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error. "

    On Device Registration Service > DRS/Admin:

    "No certificate could be found on the Device Registration Service object that can be used as the issuing certificate."

    On Windows > AAD:

    "AAD Cloud AP plugin call Plugin initialize returned error: 0xC00484B2"

    Not sure what else I need to do.

    This is a lab and I do not use a 3rd-party CA.

    Appreciate your help.

    Thanks,

    Itai 


    • Edited by IZPing Tuesday, December 18, 2018 6:52 PM
    Tuesday, December 18, 2018 6:38 PM
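
A way to check the condition that the KRB_AP_ERR_MODIFIED event text describes, and the SPN placement discussed in the post above: list every account that holds an HTTP/ or HOST/ SPN for the federation host name and flag any SPN held by more than one account. This is an added example, not part of the original thread; the host name adfs.lab.example is a placeholder, and the script assumes the RSAT ActiveDirectory module and that it runs on the AD FS server.

```powershell
# Added example. Assumptions: RSAT ActiveDirectory module is installed, the
# script runs on the AD FS server, and 'adfs.lab.example' is a placeholder name.
Import-Module ActiveDirectory

function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$HostName)

    $short = $HostName.Split('.')[0]
    # HOST/ implicitly covers HTTP/ (default sPNMappings), so check both classes,
    # in both fully qualified and short form.
    $spns = foreach ($class in 'HTTP', 'HOST') { "$class/$HostName"; "$class/$short" }
    $filter = '(|' + (($spns | ForEach-Object { "(servicePrincipalName=$_)" }) -join '') + ')'

    Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName, sAMAccountName |
        ForEach-Object {
            $obj = $_
            $obj.servicePrincipalName |
                Where-Object { $spns -contains $_ } |
                ForEach-Object {
                    [pscustomobject]@{
                        SPN         = $_
                        Account     = $obj.sAMAccountName
                        ObjectClass = $obj.ObjectClass
                    }
                }
        }
}

$owners = @(Get-SpnOwner -HostName 'adfs.lab.example')
$owners | Sort-Object SPN | Format-Table -AutoSize

# The same SPN on two accounts is the condition the event text warns about.
$owners | Group-Object SPN | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("Duplicate SPN {0} on: {1}" -f $_.Name, ($_.Group.Account -join ', '))
}

# Account the AD FS Windows service (adfssrv) actually runs as, for comparison
# with the Account column above.
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
"adfssrv runs as: $($svc.StartName)"
```

The built-in setspn -Q <SPN> and setspn -X commands give comparable information from a command prompt.
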
  • Hi,

    Thanks for your detailed update.

    Furthermore, I suggest contacting the AD Forum or Azure Forum for further help:

    AD Forum:

    https://social.technet.microsoft.com/Forums/windows/en-US/home?forum=winserverDS

    Azure AD Forum:

    https://social.technet.microsoft.com/Forums/windows/en-US/home?forum=windowsazureaditpro

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. 

    Thank you for your understanding and support. If you have any concern, please feel free to let me know.

    Best regards,

    Michael



    Friday, December 21, 2018 6:24 AM
    Moderator