This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 9%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEK%3C/text%3E%3C/svg%3E)
We have an Azure AD Connect setup and have configured Windows Hello for Business with Cloud Kerberos trust. In initial testing with a half dozen users all but one have worked correctly. One specific user gets the following event on any computer we have tested with them so far:Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Not Tested
User has logged on with AAD credentials: No
Windows Hello for Business policy is enabled: Not Tested
Windows Hello for Business post-logon provisioning is enabled: Not Tested
Local computer meets Windows hello for business hardware requirements: Not Tested
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: Not Tested
Machine is governed by none policy.
Cloud trust for on premise auth policy is enabled: Not Tested
User account has Cloud TGT: Not Tested
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.
This user has the exact same setup as all the other users, the policy is showing as applied to their account through gpresult. They are correctly synced to their 365 environment and SSO works on computers they sign into. I have tried to find any details about this Event but basically all answers I have seen are about disabling WHfB to get rid of the error which is obviously not what I am going for here. Any assistance is much appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Hello @Elijah Karnes,
Thank you for posting your query on Microsoft Q&A.
Based on your description, I see from the event log that the user did not log into the device using their work or school credentials. I can confirm this by the entry "User has logged on with AAD credentials: No." Please ensure that users are logging into the device with their correct credentials.
I would also like to know how you have enabled Windows Hello for Business (WHFB) in your environment. Is it via Group Policy (GPO) or Intune?
Could you run dsregcmd /status on one of the affected devices and share the output related to SSO and NGC state?
Additionally, please ensure that you have followed all the prerequisites mentioned in the document linked below:
Deploy hybrid cloud Kerberos trust with Windows Hello for Business
Thanks,
Raja Pothuraju.
Hello @Elijah Karnes,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Hello @Elijah Karnes,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.