adding pin reset domain issue to known issues

Matthew Palko
2021-05-03 17:31:45 -07:00
parent da986bc99c
commit 77c23a52b4
2 changed files with 24 additions and 3 deletions


@ -14,13 +14,34 @@ manager: dansimp
ms.collection: M365-identity-device-management ms.collection: M365-identity-device-management
ms.topic: article ms.topic: article
localizationpriority: medium localizationpriority: medium
ms.date: 01/14/2021 ms.date: 05/03/2021
ms.reviewer: ms.reviewer:
--- ---
# Windows Hello for Business Known Deployment Issues # Windows Hello for Business Known Deployment Issues
The content of this article is to help troubleshoot and workaround known deployment issues for Windows Hello for Business. Each issue below will describe the applicable deployment type Windows versions. The content of this article is to help troubleshoot and workaround known deployment issues for Windows Hello for Business. Each issue below will describe the applicable deployment type Windows versions.
## PIN Reset on Azure AD Join Devices Fails with "We can't open that page right now" error
Applies to:
- Azure AD joined deployments
- Windows 10, version 1803 and later
PIN reset on Azure AD joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will shows a page with the "We can't open that page right now" error message.
### Identifying Azure AD joined PIN Reset Allowed Domains Issue
The user can launch the PIN reset flow from above lock using the "I forgot my PIN" link in the PIN credential provider. Selecting this link will launch a full screen UI for the PIN experience on Azure AD Join devices. Typically, this UI will display an Azure authentication server page where the user will authenticate using Azure AD credentials and complete multi-factor authentication.
In federated environments authentication may be configured to route to AD FS or a third party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it will fail and display the "We can't open that page right now" error if the domain for the server page is not included in an allow list.
If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allow list. This results in the "We can't open that page right now" being shown.
### Resolving Azure AD joined PIN Reset Allowed Domains Issue
To resolve this error, a list of allowed domains for PIN reset can be configured using the [ConfigureWebSignInAllowedUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure this policy, see [PIN Reset - Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices](hello-feature-pin-reset.md#Configure-Web-Sign-in-Allowed-URLs-for-Third-Party-Identity-Providers-on-Azure-AD-Joined-Devices).
## Hybrid Key Trust Logon Broken Due to User Public Key Deletion ## Hybrid Key Trust Logon Broken Due to User Public Key Deletion
Applies to: Applies to:
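Review bot: The new "Resolving Azure AD joined PIN Reset Allowed Domains Issue" paragraph says an allow list can be configured but never states which domain to add for either case described just above it (the federated identity provider's server page, or the Azure US Government sign-in page). Suggest naming the domain per scenario, or at least stating that the list should contain only the sign-in domains the PIN reset flow actually needs, since this flow runs above lock and the restriction to specific domains is the control being relaxed. In the same paragraph, the link to hello-feature-pin-reset.md uses a mixed-case heading anchor; please confirm it resolves to the target heading. Wording in the added lines: "it will shows a page" should be "it will show a page", "Web sign in" should match the "web sign-in" spelling used one sentence earlier, and "This results in the "We can't open that page right now" being shown" is missing the word "error".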


@ -207,7 +207,7 @@ The [ConfigureWebSignInAllowedUrls](https://docs.microsoft.com/windows/client-ma
1. Review the configuration that is shown on the Review + create page to make sure that it is accurate. Click create to save the profile and apply it to the configured groups. 1. Review the configuration that is shown on the Review + create page to make sure that it is accurate. Click create to save the profile and apply it to the configured groups.
> [!NOTE] > [!NOTE]
> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this issue and you are a US government customer, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy. If you are experiencing this issue and you are a Chinese government customer, set **login.partner.microsoftonline.cn** as the value for the ConfigureWebSignInAllowedUrls policy. > For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
## Related topics ## Related topics
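Review bot: The rewritten last sentence of the [!NOTE] block removes the instruction to set login.partner.microsoftonline.cn, and nothing in the commit message or in the new known-issues section explains why. If that guidance is no longer correct, say so in the commit message so the removal is traceable; if it still applies, keep the sentence alongside the reworded US one. The note also still opens with "For Azure Government" while the new sentence says "Azure US Government cloud"; use one name throughout. Since this commit adds a known-issues entry for the same failure, a link from this note to that entry would keep the two descriptions from drifting apart.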