I've been experiencing issues with Windows Hello for Business (WHFB) since the May update for Windows 11, version 24H2. I'm working in a hybrid Active Directory environment with Cloud Kerberos Trust, and all our domain controllers are on 2022. The problem arises when a computer isn't line-of-sight (LOS) to the domain controller—using a fingerprint or PIN results in a message saying 'credentials could not be verified.' The only way to regain access is to either reconnect to the DC or use a password. Oddly enough, our 23H2 devices enrolled in WHFB aren't having this issue. Has anyone else encountered this? Is Microsoft aware of it? I checked the dsregcmd /status, and all fields seem correct. I'm unsure about the CloudKerberosTicketAcquisition status that ChatGPT mentioned. Also, I found some documentation suggesting this issue relates to key trust setups only; could I be missing something?
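As an added example (not from the original post), here is a PowerShell check for the parts of the question that can be verified on the client: it parses the `dsregcmd /status` fields that Cloud Kerberos Trust depends on (hybrid join, PRT, on-prem and cloud TGT) and reads the `CloudKerberosTicketRetrievalEnabled` Kerberos parameter. The constructed sample output, the field names treated as expected, and the registry path are assumptions to verify against your own deployment.

```powershell
# Added example, not from the original post: summarise the dsregcmd /status fields that
# matter for Cloud Kerberos Trust and read the Kerberos ticket-retrieval setting.
function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Each status line has the form "   Name : Value"; keep the first occurrence of a name.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$' -and -not $state.ContainsKey($Matches[1])) {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-CloudKerberosTrustState {
    param([Parameter(Mandatory)][hashtable]$State)
    # Values expected on a healthy hybrid-joined device using Cloud Kerberos Trust (assumption).
    $expected = [ordered]@{
        AzureAdJoined = 'YES'; DomainJoined = 'YES'; AzureAdPrt = 'YES'
        OnPremTgt     = 'YES'; CloudTgt     = 'YES'
    }
    foreach ($key in $expected.Keys) {
        $actual = if ($State.ContainsKey($key)) { $State[$key] } else { '<missing>' }
        [pscustomobject]@{ Field = $key; Expected = $expected[$key]; Actual = $actual; Ok = ($actual -eq $expected[$key]) }
    }
}

# Constructed sample of the relevant dsregcmd output; used when dsregcmd.exe is not available.
$sample = @'
              AzureAdJoined : YES
               DomainJoined : YES
                 AzureAdPrt : YES
                  OnPremTgt : YES
                   CloudTgt : NO
'@ -split "`r?`n"

$useLive = [bool](Get-Command dsregcmd.exe -ErrorAction SilentlyContinue)
$lines   = if ($useLive) { dsregcmd /status } else { $sample }
$state   = ConvertFrom-DsregcmdStatus -Lines $lines
Test-CloudKerberosTrustState -State $state | Format-Table -AutoSize

# Kerberos parameter that enables cloud TGT retrieval at logon (path assumed from the
# documented setting; missing or 0 means the client will not request a cloud TGT).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ticketRetrieval = (Get-ItemProperty -Path $regPath -Name CloudKerberosTicketRetrievalEnabled -ErrorAction SilentlyContinue).CloudKerberosTicketRetrievalEnabled
"CloudKerberosTicketRetrievalEnabled = $(if ($null -eq $ticketRetrieval) { '<not set>' } else { $ticketRetrieval })"
```

Run it once while the device has line of sight to a DC and once while it does not; a row where `CloudTgt` is NO in both cases points at the cloud side of the trust rather than at the DC connection.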
3 Answers
Does the failure only happen on the first logon after the upgrade, or are you running into issues after the initial login? It's worth seeing if you can at least log in normally with LOS after the first login, then see what happens when it's cut off from the DC.
I haven’t run into that specific issue, but I've had a related one with YubiKey errors. It’s frustrating because it sounds similar. I’ve opened a support case; I'll check back in a few months to see if they’ve resolved it.
Are all your devices hybrid joined? Sometimes that can help narrow down the cause since your setup is cloud-based. Just checking to see if that might factor into your problem.
The OS was already on 24H2 before WHFB enrollment. It works fine as long as LOS to the DC is maintained; if not, it never works. I’m curious if it could be linked to how I created my Windows media with Rufus, which might have disabled TPM checks.