Windows Hello Credentials could not be verified
Posted by Electrical_Arm7411@reddit | sysadmin | 6 comments
Anyone else running into WHfB issues recently? Seemingly after the latest May update for Windows 11 24H2?
Environment details:
- Cloud Kerberos Trust setup
- Hybrid AD environment
- Domain controllers all 2022
- PCs all Windows 24H2
The problem is if the computer isn’t LOS to the domain controller, when fingerprint or PIN is used we’re faced with “credentials could not be verified” and the only way to log back in is to either be LOS to the DC or use password instead.
The other kicker is we have a few 23H2 devices with WHfB enrolled that aren’t having this problem. Wondering if anyone else is in the same boat? Is this a known issue, and is MS aware?
Running a dsregcmd /status shows all the correct fields and NgcSet is Yes, CloudTgt is Yes, AzureADPrt is Yes, AzureAdJoined is Yes, DomainJoined is Yes. I ran it through ChatGPT and it’s telling me I’m missing this: CloudKerberosTicketAcquisition : YES
Not sure if that’s accurate.
Asleep_Spray274@reddit
Only on the first logon after the upgrade and hello works as normal with LOS to the DC?
Or after the first successful sign in with LOS to the DC then no LOS and it fails again?
Electrical_Arm7411@reddit (OP)
The OS is already on 24H2 prior to WHfB enrolment. Doesn’t matter how many times, always works when in LOS to the DC; never works when not in LOS of the DC.
I’m wondering, though I doubt this is the case, if it’s because I created my Windows 11 24H2 media using Rufus, which disables TPM checks. I’m not entirely sure, but I’m going to test again next week on a regular MS media manager image.
Asleep_Spray274@reddit
Oh dear, in that case I'm out 😜.
DaithiG@reddit
Are all your devices hybrid joined? I know you said that's your environment, but was just wondering about the devices themselves.
Electrical_Arm7411@reddit (OP)
They are
xxdcmast@reddit
I can’t say I’ve seen that, but recently we’ve run into a YubiKey issue where we get “we don’t recognize the security key. Please try another” on previously working WHfB with security key systems.
I have a case open with me. I’ll let you know how it turns out in 6 months or so. Or maybe not, depending on if I get any answers.