WHFB Key Trust Sign-in Failure | Missing KDC Certificate 0xc0000320

Here’s the scenario: devices are enrolled in Intune and have Windows Hello for Business enabled through the Intune endpoint (Hybrid Azure AD Joined). However, we found that our users were unable to sign in with their PIN.

We encountered the common error message: “This option is temporarily unavailable. For now, please use a different method to sign in.” This message usually indicates that the Hello key has not yet been written back to the on-premises user object’s msDS-KeyCredentialLink attribute. However, even after verifying that the attribute had been populated, the issue persisted.

After analyzing the authentication logs, we found that the failure was caused by the absence of a KDC certificate on the domain controller.

We confirmed that a KDC certificate had never been configured. Intune is only responsible for enabling the Windows Hello for Business policy, which is equivalent to enabling it through Group Policy; it does nothing on the domain controller side.

Our Enterprise CA still has to issue a KDC (Kerberos Authentication) certificate to the domain controllers so that clients can complete key trust Kerberos authentication against the on-premises Active Directory.
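To verify both conditions described above (the key has been written back to the user object, and the DC holds a certificate with the KDC Authentication EKU), here is an added PowerShell check that is not part of the original post. It assumes the RSAT ActiveDirectory module, WinRM access to the DC, and uses placeholder user and DC names.

```powershell
# Added diagnostic script (not from the original post). Assumes the RSAT ActiveDirectory
# module is installed, WinRM is reachable on the DC, and the caller can read the user
# object and the DC's machine certificate store. The user and DC names are placeholders.
param(
    [string]$UserName = 'jdoe',          # placeholder: affected user's sAMAccountName
    [string]$DomainController = 'DC01'   # placeholder: DC the client authenticates against
)

Import-Module ActiveDirectory

# 1. Has the Hello key been written back to the on-premises user object?
$user = Get-ADUser -Identity $UserName -Properties 'msDS-KeyCredentialLink'
$keys = @($user.'msDS-KeyCredentialLink')
if ($keys.Count -eq 0) {
    Write-Warning "msDS-KeyCredentialLink is empty for $UserName; wait for the key to be written back."
} else {
    Write-Host "msDS-KeyCredentialLink holds $($keys.Count) key(s) for $UserName."
}

# 2. Does the DC hold a valid certificate usable for KDC authentication?
#    Key trust requires a DC certificate carrying the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5).
$kdcEku = '1.3.6.1.5.2.3.5'
$kdcCerts = Invoke-Command -ComputerName $DomainController -ScriptBlock {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.EnhancedKeyUsageList.ObjectId -contains $using:kdcEku -and
            $_.NotAfter -gt (Get-Date)
        }
}
if (-not $kdcCerts) {
    Write-Warning "No valid certificate with the KDC Authentication EKU was found on $DomainController."
} else {
    $kdcCerts | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
}
```

If the first check passes but the second fails, the sign-in is blocked on the DC side, which matches the situation described in this post.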


We can follow the steps in the following document to configure the KDC certificate on our DCs (we are staying with Key Trust for now): Windows Hello for Business hybrid key trust deployment – Windows Security | Microsoft Learn

Our sign-in process was stuck at the third step of the flow shown in the following diagram:

How Windows Hello for Business authentication works – Windows Security | Microsoft Learn