“That option is temporarily unavailable. For now, please use a different method to sign in.”
Yes, anyone who has been working with Windows Hello for Business is sure to have seen that error before. Well, I thought I had put Windows Hello for Business to bed with my last post on how to configure it. To be fair, it had been working perfectly, but I recently had to rebuild one of my PCs and that’s when it all went wrong again… argh!
On configuring Hello for Business, the face recognition and PIN were set up as expected, but when I went to log in I was greeted with my familiar friend:
At this point I was a tad confused as to why Windows Hello for Business was not working; after all, it was working on my other PCs with no issue. Back to troubleshooting Windows Hello for Business… oh joy!
As with most things in IT, problems are usually caused by something that has changed. In my environment there was only one real big change over the past few months, and that was a subscription update on my Office 365 tenant. The change was a move to Azure Active Directory Premium, which brings a whole host of new features to Azure AD, one of which is password writeback. This allows passwords that are changed in the cloud (i.e. through the Office 365 portal) to be written back to the on-premises Active Directory.
A quick look on the domain controller that is running Azure AD Connect showed a 6100 error in the event viewer.
Ok, so there is an error with the AD Sync; could this be what I am looking for? The next step is to fire up FIM and see what that has to say for itself. In case you were wondering where you can find the FIM GUI, it’s called “miisclient” and is found here:
Once FIM was fired up I could straight away see an error:
Clicking on this error gave more detail into what the error was:
And finally, clicking on the “permission-issue” URL gave me the info I needed:
So basically the sync engine was trying to write back to the local Active Directory and something was stopping it. After some digging around I discovered that this error is common in Exchange Hybrid setups. The good news is that it’s pretty simple to resolve; I used this fantastic blog post to resolve the 8344 error, which is caused by a combination of the user account used for AD Sync not having the right permissions to write to Active Directory and the user object not having “Inheritance” enabled.
Once I had followed the process in that blog I re-ran the AD Sync and this time there were no errors in the FIM GUI. Hey presto, Hello for Business fired back into life.
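To see whether the two causes above apply to your own directory before you start changing ACLs, here is an audit script I am adding to this post (it is not from the linked blog and not part of Azure AD Connect). It walks the user objects under a search base, reports every account whose ACL has inheritance blocked, and shows whether the AD Connect service account holds any explicit write or extended right on that object. The `$SyncAccount` value is a placeholder you must replace with your own AD Connect on-premises account, and the `-Fix` switch is an assumption of mine for how you might re-enable inheritance once you have reviewed the report.

```powershell
# Added audit script (not from the original post or from Azure AD Connect).
# Assumes the ActiveDirectory RSAT module is installed and the caller can read ACLs.
param(
    [string]$SearchBase  = (Get-ADDomain).DistinguishedName,
    [string]$SyncAccount = 'CONTOSO\MSOL_placeholder',   # placeholder: your AD Connect account
    [switch]$Fix                                         # re-enable inheritance when set
)

Import-Module ActiveDirectory

# adminCount=1 marks accounts that SDProp keeps re-protecting from the AdminSDHolder template.
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties adminCount

foreach ($u in $users) {
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"

    # AreAccessRulesProtected = $true means "Include inheritable permissions" is unticked,
    # so rights granted at OU or domain level to the sync account never reach this object.
    if (-not $acl.AreAccessRulesProtected) { continue }

    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $syncRules = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $SyncAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeMask) -ne 0)
    }

    [pscustomobject]@{
        User           = $u.SamAccountName
        AdminCount     = $u.adminCount
        InheritBlocked = $true
        SyncHasWrite   = [bool]$syncRules
    }

    if ($Fix) {
        # SetAccessRuleProtection($false, $true): stop blocking inheritance but keep
        # the explicit ACEs already on the object rather than discarding them.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path "AD:\$($u.DistinguishedName)" -AclObject $acl
    }
}
```

Run it without `-Fix` first and look at the `AdminCount` column: any account showing `1` is protected by SDProp, which will block inheritance again within about an hour of you re-enabling it, so for those accounts you either clear `adminCount` (if the account no longer needs protected-group membership) or grant the sync account its rights directly on the AdminSDHolder object instead.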