Windows Hello Business not working after DC upgrade to 2025
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 46%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
Robert J
20
Reputation points
Hello, we upgraded all DCs to Win Server 2025 and after that update the domain structure from 2016 to 2025. It was a mix of 2019 and 2022 DCs. All of them were updated via inplace upgrade to 2025. Everything went smooth and after the update everything worked... But after we updated the domain structure to 2025 Windows Hello for business just doesnt work anymore.... cant login with fingerprint, face or pin anymore. Password of course still works.
Did somebody here also experience problems like that upgrading to 2025 DCs? Or has any tips how to fix it. Didn't find much about this problem except an article about KB5062553. But it should have been fixed by KB5060842 mentioned in this artivle if i see it correctly https://dori-uw-1.kuma-moon.com/en-us/windows/release-health/resolved-issues-windows-server-2025
I already tried to remove the AzureADKerberos computer account and add it back but it did nothing. (windows hello is configured with cloud trust to entra)
The error you get if you try to login with windows hello is: Login information could not be verified.
And the very weird thing is after trying to login with windows hello no other authentication methods works anymore (nothing happens if you press enter after inputting the password) the shutdown button also vanishes and the computer restarts itself after 1-2min. After restart the login works again with password but if you try windows hello again the same thing happens again
On the DCs i see this error in the Event Viewer:
Windows Hello for Business provisioning has encountered an error during policy evaluation. ExitCode: The RPC server is unavailable. Method: LsaGetSSOAccountType See https://go.microsoft.com/fwlink/?linkid=832647 for more details
Windows hello is as Kerberos Cloud trust configured and it was setup the same as in these articles:
All new Windows Updates are installed on the DCs and Client.
Anyone has any idea how to fix?
Windows for business | Windows Server | Directory services | User logon and profiles
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 26%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKP%3C/text%3E%3C/svg%3E)
Kate Pham (WICLOUD CORPORATION) 430 Reputation points Microsoft External Staff Moderator2025-08-25T01:31:32.9633333+00:00 Hi Robert J,
Thank you for posting question on Microsoft Windows Forum.
To assist you further, it would be helpful to know:
- Have you checked if the issue persists after applying all relevant updates (including KB5060842)? Which exactly patch is applying? 24H2 or 22H2,..?
- Can you confirm the OS of all client machines? are they the same? 10 or 11 or mixed?
- Can you confirm whether the domain controller certificates are in the NTAuth store and if they chain correctly to a CA?
- Have you verified if the
msDS-KeyCredentialLinkattribute for affected users is populated appropriately post-sync? - Are there any specific DNS or network connectivity issues between your domain controllers and clients?
Feel free to provide more context or clarify any specific area where you need help!
T&R
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 39%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
Robert J 0 Reputation points2025-08-26T15:10:51.9833333+00:00 Hello Kate,
thank you for your answer.
- and 2. All Clients are Win 11 24H2. All are patched with our patch management to the newest windows kbs from July. We are always 1 month behind the offical Microsoft shedule.
-
- i checked with the command "certutil -viewstore -enterprise NTAuth" and it shows me the certificate from the root CA and if i export the certificate and check it with "certutil -verify "path" i get this at the end "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)" Is this critical?
- And with this command i dont get a empty result:
Get-ADUser username -Properties msDS-KeyCredentialLink | Select-Object -ExpandProperty msDS-KeyCredentialLink - There are no known DNS problems. DNS works correct between clients and DC.
If you have any questions you can ask me again.
Greetings
Robert
Sign in to comment
1 answer
Sort by: Most helpful
-
Deleted
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more