Hi, I have a problem where two accounts cannot use Windows Hello correctly.

They can set it up and use it for things like unlocking password managers etc., but logging into Windows doesn’t work.

The error has been occurring since I set the option “Require multi-factor authentication to register or join devices to Microsoft Entra” to Yes. Everyone had to re-register their Hello registration with MFA.

The message “This sign-in option is temporarily unavailable” always appears.

When I unplug the network cable, I get an error message that the login server cannot be reached. Password login works normally.

It should be noted that the two accounts, as well as a third one, are domain admin accounts. However, login works perfectly with Hello for the third account. The third account also didn’t need to be re-registered and was immediately ready for use.

I’ve also come across this regarding privileged accounts: WHFB Cloud Trust Sign-in Failure | 0xc000006d - Ruian's Tech Troubleshooting Toolbox

However, I haven’t found an AzureADKerberos account in AD that I could edit.

Sync via AADC or Microsoft Entra Connect Sync works error-free according to the log. I’ve already deleted previous Windows Hello entries from the authentication methods for the users in Entra ID. I’ve also tried deleting the user profile and tested the login on a completely new PC.

I stripped one of those users completely of all their admin rights and it still tells me that it is temporarily unavailable.

Any clues for me?

4 Spice ups

I think I have found the reason: two fields are missing in the AD object attributes.

Namely msDS-ExternalDirectoryObjectID and msDS-KeyCredentialLink.

Both are filled in for all others. Only for these two accounts are they empty.

Does anyone have an idea how I can fix this?

2 Spice ups

Sounds like this setup is using the certificate trust model, and not the Kerberos cloud trust model?

Are you able to set it up again, or change the deployment model?

1 Spice up

I have CloudTgt: YES when executing dsregcmd /status.

As said, I think the issue is that those two accounts somehow have sync issues.

I found that the X500 entry is also missing. In the M365 Exchange admin center, under Manage email address types in the user object, there are two SPO entries and an X400 entry that came from the Exchange server we had 12 years ago.

In the local AD object, there is only an SMTP:Mail@adress.com entry under proxyAddresses in the AD attributes.

I think that’s the issue.

1 Spice up
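As an added example that is not part of the original thread: the checks discussed above (the empty msDS-ExternalDirectoryObjectID and msDS-KeyCredentialLink attributes, the proxyAddresses entries, and the AzureADKerberos object that the linked 0xc000006d article refers to) can be pulled together in one PowerShell script run on a domain-joined host with the RSAT ActiveDirectory module. The two sAMAccountNames are assumptions; everything else uses only standard AD cmdlets and attribute names. The script reads the AzureADKerberos object and reports whether the failing user is covered by its password replication policy; it does not change anything.

```powershell
# Added example, not from the original thread. Compares the on-prem AD attributes that
# Windows Hello for Business cloud Kerberos trust relies on between a working account and
# a failing one, and inspects the AzureADKerberos object. Requires the RSAT ActiveDirectory
# module on a domain-joined host. Both account names below are assumptions.
Import-Module ActiveDirectory

$workingAccount = 'admin.works'   # assumed: the third admin account where Hello sign-in works
$failingAccount = 'admin.broken'  # assumed: one of the two "temporarily unavailable" accounts

$attrs = @(
    'userPrincipalName',
    'msDS-ExternalDirectoryObjectID',  # written back by Entra Connect; links the object to Entra ID
    'msDS-KeyCredentialLink',          # Hello public keys, written back after registration
    'proxyAddresses'
)

function Get-WhfbAttributeReport {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties $attrs
    [pscustomobject]@{
        Account                   = $SamAccountName
        UPN                       = $u.userPrincipalName
        ExternalDirectoryObjectID = $u.'msDS-ExternalDirectoryObjectID'   # expected form: User_<guid>
        KeyCredentialCount        = @($u.'msDS-KeyCredentialLink').Count   # expected: 1 or more
        ProxyAddresses            = ($u.proxyAddresses -join '; ')
    }
}

# 1. Side-by-side view of the working and failing user objects.
$workingAccount, $failingAccount | ForEach-Object { Get-WhfbAttributeReport $_ } | Format-List

# 2. The Microsoft Entra Kerberos server object: a read-only DC computer object named
#    AzureADKerberos in the Domain Controllers OU (created by Set-AzureADKerberosServer),
#    plus the krbtgt_AzureAD account. Without it, CloudTgt in dsregcmd /status stays NO.
$domainDn = (Get-ADDomain).DistinguishedName
$aadKrb = Get-ADComputer -Filter "Name -eq 'AzureADKerberos'" `
            -SearchBase "OU=Domain Controllers,$domainDn" `
            -Properties 'msDS-NeverRevealGroup', 'msDS-RevealOnDemandGroup'
if (-not $aadKrb) {
    Write-Warning 'No AzureADKerberos object found in the Domain Controllers OU.'
    return
}
Get-ADUser -Filter "Name -eq 'krbtgt_AzureAD'" | Select-Object Name, Enabled, DistinguishedName

# 3. AzureADKerberos is an RODC object, so its password replication policy applies.
#    By default msDS-NeverRevealGroup includes the Denied RODC Password Replication Group,
#    which contains Domain Admins and similar privileged groups. Here we resolve those
#    groups to SIDs and test them against the failing user's effective (nested) membership,
#    taken from the constructed tokenGroups attribute.
$deniedSids = foreach ($dn in $aadKrb.'msDS-NeverRevealGroup') {
    (Get-ADGroup -Identity $dn).SID.Value
}
$failing = Get-ADUser -Identity $failingAccount -Properties tokenGroups
$hits = $failing.tokenGroups | Where-Object { $deniedSids -contains $_.Value }
if ($hits) {
    $names = ($hits | ForEach-Object { (Get-ADGroup -Identity $_).Name }) -join ', '
    "$failingAccount is covered by the AzureADKerberos deny list via: $names"
} else {
    "$failingAccount is not listed in msDS-NeverRevealGroup on $($aadKrb.Name)."
}
```

Run it once for a failing account and once with the working account substituted into $failingAccount; if the attribute report differs only in the two msDS-* attributes while both accounts land in the same groups, that points at write-back from Entra Connect for those objects rather than at the Kerberos server policy.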