Tip of the Day: Windows Hello, now with Synchronous Certificate Enrollment

Today's tip...

In the past, Hello (hybrid scenario) users had to wait thirty minutes after first creating a PIN before they could use it to log on, because of the time it takes for a public key to sync back to the on-premises AD using AAD Connect. If the user tried to log on before the sync-back, they might see the following error message:

‘This option is currently unavailable, please try again.’

Recent improvements to the Hybrid Certificate Trust scenario reduce the wait time for public key sync-back from the original thirty minutes to one minute or less, making it almost instantaneous by comparison. Users can now use their certificate with PIN or biometrics for authentication almost immediately, resulting in a vastly improved experience.

NOTE: This does not change or affect hybrid key-trust deployments.  Users in these deployments must still wait for the public key to sync to on-premises Active Directory before they can authenticate with their PIN or biometric.
