Windows Hello PIN login errors

Posted by colne-valley@reddit | sysadmin | View on Reddit | 5 comments

We have a bunch of users that were previously able to login to Windows with a PIN but are now getting ‘something went wrong and your PIN isn’t working - 0xc000a100 error’

Not all users are affected. We’re in a hybrid Entra environment.

I’ve Google and researched this and deleted the NGC folder, asked the user to reset their PIN but to no avail.

Anyone any ideas?

[-]

TechnicalDefense@reddit

Seen this myself recently, went through the process of deleting the NGC folder among other things but what fixed it in the end was re-registering the device with Entra.

[-]

SlaVKs@reddit

Hi — I can take a $5 first pass on this today. If you share the exact error/screenshot + the 1 result you want, I’ll point to the cause and either send the small fix or clear patch steps.

[-]

We have started to see this happen to a handful of machines, and it was roughly around the time we started to deploy the secureboot setting that lets Microsoft update it for us. The first machine this happened to was mine, and I have tried to fix it numerous times, getting it to work for the day then see it start to fail the next day. Everyone else though has benefited from my experience and once we do the NGC folder reset it works for them. As for my pc, I have given up on it. it is fubar now.

[-]

old_cypherpunk@reddit

Had this happen to a pair of machines, Intune managed, including my own. Seemed to work okay after re-signing into the Entra account using their password and MFA.

[-]

thesals@reddit

Have you enabled the Azure AD Cloud Kerberos provider? Are you pushing Hello via GPO or Intune? Our onprem GPO based Hello policy stopped working after patch Tuesday this week.

I then setup the AAD Kerberos provider, disabled my GPO and setup Hello for Business via Intune. Make sure to use the Cloud Trust for On Prem Auth and that you use the device targeting scope and not the user policies.

After the policy syncs, when a user reboots, they'll be prompted to setup Hello again.... They must have line of sight to the DC to enable Hello and stay within line of sight for about 30 minutes for the trust relationship to sync before Hello will work remotely.