This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 53%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFA%3C/text%3E%3C/svg%3E)
Hi. I am an administrator in my companys O365 online enviroment. I have watched this youtube guide to setup Windows Hello for Business: https://www.youtube.com/watch?v=A8faHO-bn-0
After setting my policy like this: (I put the user that i sign on to my computer with, in the group that i assigned to this policy)
....I restarted my PC and had a blue "welcome screen" presenting me with the option to setup Windows Hello.
I scanned my finger a bunch of times and made a PIN code.
When i now try to logon with my fingerprint, i get this error: (The text is in danish, but it says: "This setting is temporarily not available. Use another method to sign in for now")
....After at least a few restarts i tried logging in with password,(which works just fine) to try to lock the account and unlock it with fingerprint. Now, when using fingerprint, it shows me this error:
What am i missing, or doing wrong?
-Best regards
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Frederik Adsersen, Thanks for posting in Q&A. Based on my researching, I find a known issue in Hybrid environment. After the user provisions a Windows Hello for Business credential in a hybrid key trust environment, the key must sync from Microsoft Entra ID to Active Directory during a Microsoft Entra Connect Sync cycle. Before it is synced, it will get this error.
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Im not sure i understand the core of this.
Will it eventually work, do i have to do something to make it work, or is this a dead end if we have a hybrid enviroment?
@Frederik Adsersen, Thanks for the reply. It will sync at next sync. Or you can manually sync with the steps in the following link
Im thinking it should have ran a cycle by now, 4 days after i set this up.
Its still giving me the exact same error.
@Frederik Adsersen, Thanks for the reply. We can check if the user's public key is written to the msDS-KeyCredentialLink attribute of the user object in AD. using Get-ADUser and specifying msds-keycredentiallink for the -Properties parameter.to double confirm on this.
$user = Get-ADUser -Identity fad -Properties msDS-KeyCredentialLink
if ($user."msDS-KeyCredentialLink") {
$user."msDS-KeyCredentialLink"
}
else {
Write-Output "No Key Credential is linked for this user."
}
No Key Credential is linked for this user.
So, no Key credentials.
How? :D
@Frederik Adsersen, thanks for the reply. You can follow the steps in the following link to troubleshoot to see if there's any finding.
https://dirteam.com/sander/2023/02/23/howto-troubleshoot-windows-hello-for-business-hybrid-access/
Note: non-Microsoft link, just for the reference.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 34%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
Hi
Your Answer
To configure Windows Hello in an O365 Azure environment, ensure that you meet all prerequisites, including an Azure AD-joined or hybrid Azure AD-joined device and an Azure AD Premium license. Verify that Windows Hello for Business is enabled in Azure AD and configured via group policies or Intune policies. If you’re facing errors, check device logs under Event Viewer > Microsoft > Windows > HelloForBusiness for detailed troubleshooting insights, and ensure the device firmware is up-to-date.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Hello @Frederik Adsersen,
Thank you for posting your query on Microsoft Q&A.
Adding to Crystal-MSFT answer, the error message you are encountering might appear as: "That option is temporarily unavailable. For now, please use a different method to sign in." Please check if the user is part of any protected groups, such as Administrators, Domain Admins, Domain Controllers, Backup Operators, Server Operators, Account Operators, Cert Publishers, Enterprise Admins, or Schema Admins.
Solution: Remove the user from the protected groups.
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks,
Raja Pothuraju.
Hello @Frederik Adsersen,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.