Windows 10 – Hello for Business – Return of the “That option is temporarily unavailable” message

“That option is temporarily unavailable. For now, please use a different method to sign in.”

Yes, anyone who has been working with Windows Hello for Business is sure to have seen that error before.  Well, I thought I had put Windows Hello for Business to bed with my last post on how to configure it.  To be fair, it had been working perfectly, but I recently had to rebuild one of my PCs and that’s when it all went wrong again… argh!

On configuring Hello for Business, the face recognition and PIN were set up as expected, but when I went to log in I was greeted with my familiar friend:

Hello for Business - That option is temporarily unavailable

At this point I was a tad confused as to why Windows Hello for Business was not working; after all, it was working on my other PCs with no issue.  Back to troubleshooting Windows Hello for Business… oh joy!

What changed?

As with most things in IT, problems are caused by something that has changed.  In my environment there was only one really big change over the past few months, and that was a subscription update on my Office 365 tenant.  The change was a move to Azure Active Directory Premium, which brings a whole host of new features to Azure AD, one of which is password writeback.  This allows passwords that are changed in the cloud, i.e. through the Office 365 portal, to be written back to the on-premises Active Directory.

A quick look on the domain controller that is running Azure AD Connect showed a 6100 error in the event viewer.

Windows Application Error 6100

OK, so there is an error with the AD sync; could this be what I am looking for? The next step is to fire up FIM and see what that has to say for itself.  In case you were wondering where you can find the FIM GUI, it’s called “miisclient” and is found here:

FIM Sync Configuration MIISClient

Error 8344

Once FIM was fired up, I could see an error straight away:

FIM Sync Configuration Export Error

Clicking on this error gave more detail into what the error was:

Error 8344 - Permission Issue

And finally, clicking on the “permission-issue” URL gave me the info I needed:

Error 8344 - Insufficient access rights

So basically the sync engine was trying to write back to the local Active Directory and something was stopping it.  After some digging around I discovered that this error is common in Exchange Hybrid deployments.  The good news is that it’s pretty simple to resolve.  I used this fantastic blog post to resolve the 8344 error, which is caused by a combination of the user account used for AD Sync not having the right permissions to write to Active Directory and the user object not having inheritance enabled.

Once I had followed the process in that blog I re-ran the AD Sync and this time there were no errors in the FIM GUI.  Hey presto, Hello for Business fired back into life.

3 thoughts on “Windows 10 – Hello for Business – Return of the “That option is temporarily unavailable” message”

  1. Josiah

    I ran into a similar error when setting up a new laptop (Win 10 1703). In my case, the solution was to enable device writeback on AD Connect. After watching the sync logs on AD Connect, I realized that I also needed to give the AD Connect domain account permissions to update the user attribute msDS-KeyCredentialLink. I don’t see this documented anywhere, but I have a case open with Microsoft to investigate more.

  2. David

    I received this error message trying to set up Windows Hello in a lab. I found the comment around msDS-KeyCredentialLink interesting, since I had added my Azure AD Connect account into the KeyAdmins group. I decided to restart the Azure AD Connect server to ensure the permissions took effect (this was also the DC in my lab). Lo and behold, the error disappeared.

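The post pins error 8344 on two things: the AD Connect connector account lacking write rights on the user object, and inheritance being disabled on that object; the comments above add that the account also needs to be able to write msDS-KeyCredentialLink. The following read-only PowerShell audit is an added example (not from the original post, the linked blog, or Microsoft) that reports both conditions for every user in an OU so they can be checked before re-running a sync. It assumes the RSAT ActiveDirectory module; the connector account name and the search base are placeholders you would replace with your own.

```powershell
# Added example: audit the two causes of AD Connect export error 8344
# described in the post (no write access for the connector account,
# inheritance blocked on the user object), plus write access to the
# msDS-KeyCredentialLink attribute mentioned in the comments.
# Read-only: it reports, it does not change any ACL.
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\MSOL_xxxxxxxxxxxx'     # placeholder: your AD Connect connector account
$SearchBase  = 'OU=Users,DC=contoso,DC=local'  # placeholder: OU holding the synced users

# Look up the schemaIDGUID of msDS-KeyCredentialLink instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$kclGuid  = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)' `
    -Properties schemaIDGUID).schemaIDGUID

$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$genWrite  = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
$genAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# True when an ACE grants the connector account write access to either all
# properties (ObjectType = empty GUID) or the specific attribute GUID given.
function Test-WriteAce {
    param($Ace, [guid]$AttributeGuid)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($Ace.IdentityReference.Value -ne $SyncAccount) { return $false }
    $rights = $Ace.ActiveDirectoryRights
    $hasWrite = (($rights -band $writeProp) -ne 0) -or
                (($rights -band $genWrite)  -ne 0) -or
                (($rights -band $genAll)    -ne 0)
    if (-not $hasWrite) { return $false }
    return ($Ace.ObjectType -eq [guid]::Empty) -or ($Ace.ObjectType -eq $AttributeGuid)
}

$report = foreach ($user in Get-ADUser -SearchBase $SearchBase -Filter *) {
    # Get-Acl on the AD: drive returns the effective DACL, including ACEs
    # inherited from the OU/domain; if inheritance is blocked, those
    # inherited ACEs are simply absent, which is exactly what breaks writeback.
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    $canWriteAll = $false
    $canWriteKcl = $false
    foreach ($ace in $acl.Access) {
        if (Test-WriteAce -Ace $ace -AttributeGuid ([guid]::Empty)) { $canWriteAll = $true }
        if (Test-WriteAce -Ace $ace -AttributeGuid $kclGuid)        { $canWriteKcl = $true }
    }
    [pscustomobject]@{
        User                 = $user.SamAccountName
        InheritanceBlocked   = $acl.AreAccessRulesProtected   # the "Inheritance" box in the post
        SyncCanWriteAllProps = $canWriteAll
        SyncCanWriteKeyCred  = $canWriteKcl
    }
}

# Show only the users AD Connect would fail to export.
$report |
    Where-Object { $_.InheritanceBlocked -or -not ($_.SyncCanWriteAllProps -or $_.SyncCanWriteKeyCred) } |
    Format-Table -AutoSize
```

One caveat worth knowing when the inheritance box keeps unticking itself: accounts that are (or were) members of protected groups carry adminCount=1, and the AdminSDHolder process periodically re-applies a protected DACL to them, so re-enabling inheritance on such an account is only a lasting fix if it is taken out of those groups and adminCount is cleared.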
