I had embarked on moving a deployment from Entra Hybrid to completely On-Premise AD (the other way around from the usual), and the road to get Windows Hello working again has been long (almost a month). Here are my discoveries on getting Windows Hello working again:
General knowledge:
- TPM: Windows Hello relies on a TPM to function properly. To the best of my knowledge, the credentials are actually cached on the TPM and rely on the PIN auth factor to be unlocked. Face recognition / fingerprint validation will actually unlock the PIN, which in turn gives you access to your credentials to access the system. [Note: Please correct me if I’m wrong here. This is the first written reference in simple words on how this works, at least that I can tell, and I would like to make sure that this is captured for posterity]
- WH Variants: Windows Hello is different from Windows Hello for Business (WHfB). While they both seem similar in “function” at first, WHfB can be used across a multitude of authentication prompts - from web pages that require re-authentication when connected to SSO, to RDP. This requires your AD to be configured with an ADFS and the device to perform a Device Registration against your local On-Premise ADFS, or to forego ADFS and “device join” to Microsoft Entra if you’re a 365 customer/user.
- WH at home: If all you’re looking for is Windows Hello for unlocking Windows laptops and that’s it, you are actually looking at the Group Policy Object (GPO) “Turn on convenience PIN sign-in” detailed below.
- In practice, how do they work: Both regular Windows Hello and WHfB will operate the same way with the local TPM for device authentication (i.e. unlock your Windows laptop).
- Incompatibility: Windows Hello and WHfB are incompatible with each other; do not try to enable them both at once. Make appropriate OUs so that where you’d want Windows Hello and where you’d want WHfB are kept separate from each other.
How to enable Windows Hello locally:
With all that out of the way, here’s how to make sure that Windows Hello works out of the gate on your AD:
- Reset the TPM: You need to make sure that Windows can use all of the TPM. It’s divided into registers, and Windows has fixed behaviours on how to access the TPM. If some of the keys that Windows uses to update the TPM are broken, Windows will not be able to enforce the PIN after a hardware change (e.g. changing a video card), and this gets cumbersome with docks and eGPUs. NOTE: There are big caveats in the next section! Read them before doing this!
  - Start `tpm.msc`. Needs admin rights.
  - Select the `Clear TPM` option.
  - Restart the system.
- Clear the Windows Hello container: If you already tried Windows Hello and the PIN is misconfigured, this is a good time to completely nuke the Windows Hello container. NOTE: Doing this while the device is registered to Entra/ADFS will require you to “leave” and “rejoin” the device, and will need administrative privileges.
  - Open a Terminal / cmd.exe with admin rights.
  - Run the following command: `certutil -DeleteHelloContainer`
  - Either sign out / sign back in, or restart the system.
- Set up the Windows Hello GPO: Microsoft changed the behavior of the “Turn on convenience PIN sign-in” GPO in Windows 10, around the advent of WHfB. You can enable the GPO by:
  - Open the `Group Policy Management` console on the Domain Controller.
  - Set up a new group policy, or edit one you know will apply to your devices.
  - Navigate to `Policies > Administrative Templates > System > Logon`.
  - Enable the object `Turn on convenience PIN sign-in`.
- Configure the actual PIN, and other factors: Go to the Settings app and select `Accounts > Sign-in options`. It should be pretty straightforward from there.
Troubleshooting and other things:
- What does clearing the TPM do to your system? It will erase all of the security values from the TPM storage. If you are using BitLocker or any other software that actively relies on the TPM, you will need to disable it, clear the TPM, and reconfigure it from scratch (clean install / setup even in some cases). You should only do this if you know what you’re doing.
- While troubleshooting, if you see event `1796 - The Secure Boot update failed to update a Secure Boot variable with error …` from `TPM-WMI`, this means that your TPM has not been initialized properly, or at some point Windows lost how to access the TPM properly. You will need to reset it.
- Completely local accounts (i.e. local to the system, no MS365 accounts) can set up a PIN, and therefore all the other factors. This means that if your computer is never connected to an AD, you don’t need to do any of this.
- If you swap your motherboard and the Windows Hello PIN is completely gone, you may need to make sure that Windows knows how to talk to this new TPM. Open the `tpm.msc` console and `Prepare the TPM` / `Clear TPM` if you have to.
- If you see event `360 - Windows Hello for Business provisioning will not be launched.` from `Microsoft-Windows-User Device Registration/Admin`, do not panic. On start-up / login, Windows checks if it should attempt a sync with whatever infrastructure is connected to ADFS or Entra. Windows telling you that it will not do it means that it didn’t even attempt to connect to whatever infrastructure of your choosing. If you’re coming from disconnecting an AD from Entra, you may be paranoid about this event. Don’t be!
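Before touching the TPM or the Hello container, it helps to see the state the steps above depend on in one place. The following read-only pre-flight check is an added example, not part of the original post: it reports TPM readiness, BitLocker-protected volumes (the big caveat before clearing the TPM), whether the convenience PIN policy is present, the last 1796 / 360 events mentioned above, and the device join state. It assumes that “Turn on convenience PIN sign-in” writes `AllowDomainPINLogon=1` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\System`.

```powershell
# Added pre-flight check (not from the original post). Read-only; run elevated.
# Assumption: the "Turn on convenience PIN sign-in" GPO writes
# AllowDomainPINLogon = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\System.
#Requires -RunAsAdministrator

function Get-DsregValue([string[]]$Lines, [string]$Key) {
    # dsregcmd /status prints "Key : Value" lines; pull one value out.
    $m = $Lines | Select-String "^\s*$Key\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
}

function Get-HelloPreflight {
    $report = [ordered]@{}

    # 1. TPM state: the Hello PIN container sits behind the TPM, so it must be ready.
    $tpm = Get-Tpm
    $report.TpmPresent = $tpm.TpmPresent
    $report.TpmReady   = $tpm.TpmReady

    # 2. BitLocker: clearing the TPM wipes its protectors; suspend/decrypt these first.
    $bl = Get-BitLockerVolume -ErrorAction SilentlyContinue |
          Where-Object { $_.ProtectionStatus -eq 'On' }
    $report.BitLockerProtectedVolumes = if ($bl) { @($bl.MountPoint) -join ', ' } else { 'none' }

    # 3. Convenience PIN policy (the GPO from the post) as applied on this machine.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
               -Name AllowDomainPINLogon -ErrorAction SilentlyContinue
    $report.ConveniencePinPolicy = if ($pol.AllowDomainPINLogon -eq 1) { 'Enabled' } else { 'Not set' }

    # 4. Event 1796 from TPM-WMI (System log): TPM not initialised / access lost.
    $ev1796 = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1796
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $report.LastTpmWmi1796 = if ($ev1796) { $ev1796.TimeCreated } else { 'none' }

    # 5. Event 360 from User Device Registration: expected and harmless after leaving Entra/ADFS.
    $ev360 = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-User Device Registration/Admin'; Id = 360
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $report.LastDeviceReg360 = if ($ev360) { $ev360.TimeCreated } else { 'none' }

    # 6. Join state: for plain Windows Hello on-prem you want DomainJoined = YES
    #    and AzureAdJoined = NO once the device has left Entra.
    $ds = dsregcmd /status
    $report.DomainJoined  = Get-DsregValue $ds 'DomainJoined'
    $report.AzureAdJoined = Get-DsregValue $ds 'AzureAdJoined'

    [pscustomobject]$report
}

Get-HelloPreflight | Format-List
```

If `BitLockerProtectedVolumes` lists anything, suspend or decrypt those volumes before clearing the TPM, as the troubleshooting section warns.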
Hope this helps everyone that is fretting over Windows Hello for some reason or another. There are many open threads across the Internet with no resolution. I know it will help me remember this stuff later on!
As an FYI - I did go to the Internet and ask about these; some of my thought processes are here: