Question
Tuesday, January 2, 2018 9:19 PM | 1 vote
Hello,
I am trying to figure out how to resolve this issue that I have with my Windows 10 device. Every time that I log into Windows with the PIN it will pop up the attached image in the lower right-hand corner. If I log in with my password it does not give the message, but if I lock the screen and then log back in with my PIN the next time it brings up the message again. Does anyone know why it keeps saying this, and how to get rid of the messages? I am connected to AAD and I am running Windows version 1709. We are not pushing out any policies with AAD, so I know that is not the problem. Thanks in advance for your help.
All replies (21)
Tuesday, January 2, 2018 11:33 PM
Go to Settings>Accounts and see if there are warning messages such as Verify account.
If that looks OK, change your pin while logged in. It sounds like your PIN was created using an earlier password, not your current one.
Bill
Wednesday, January 3, 2018 6:25 AM
Resolutions:
1. Run GPEDIT.MSC. Under computer configuration, expand administrative templates>system>logon. Select the "Always wait for the network at computer startup" value. The default state is "not configured". Set this to "On".
2. Make sure you log off from all computers if you log on to more than one computer using the same username. Change the password by using Ctrl+Alt+Del. Then log on.
3. Use the "net use * /d" command to delete all mapped drives. Then use "net use \\servername password /u:domainname\username" to cache the credentials. Log on again.
Besides, I see the same situation in Microsoft Community; try the solution here and check the result.
Change the LOGON HOURS of the account to have no restrictions, in Active Directory
Disable the Kerberos DES SECURITY on the account, in Active Directory
Regards
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, January 3, 2018 2:45 PM | 1 vote
Bill,
I have tried this a few different ways and it does not seem to fix the issue. I even logged in with my password, then did I forgot pin to totally reset the pin. When I locked my screen and logged in with my new pin the message popped up again.
Wednesday, January 3, 2018 2:57 PM
Teemo,
We are not running Active Directory. We are using Azure Active Directory, but it does not have all the same settings.
Thursday, January 4, 2018 1:35 AM
Even though you are in a different scenario, you could also try my suggestions. Instead of waiting for another solution, why not try the existing ideas?
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Thursday, January 4, 2018 8:53 PM
Teemo,
I should have been more specific, I have tried as many as I can. Azure AD does not give all the same options that on premise AD gives, so some of these things I am not able to try.
1. This option did not work.
2. I tried this one as well, but also did not resolve the problem.
3. I am not really sure how to go about trying this option. Because we are logging into AAD I am not totally sure what server address I would use as they are not our servers. I would not mind giving this option a shot if I knew how to do it with the Azure servers.
4. I tried to go to the MMC and add the user and groups snap in. After that, I tried to go to my user account to check the Kerberos, and LOGON HOURS. However, because it is an AAD account it does not show up in the user list. It only shows the local accounts that are on the computer. Since the user account is not listed there I am unable to try this option as well. There might be a place in the Azure web portal for these settings, but I have not found it yet.
I did not mean to make it look like I was unwilling to try your ideas, I should have done a full write up. I am very appreciative of your suggestions on this problem.
Sunday, April 15, 2018 2:48 PM
Did you resolve this? I'm getting the same issue.
I recently changed the default email/login (the domain) for my Office 365 account. I use this account to sign into my Windows 10 machines (two machines - one Enterprise, one Workstation Pro).
Since I changed the account every time I unlock the machine using either Windows Hello or my PIN I am immediately prompted to re-enter my credentials via the message:
"Windows needs your current credentials. Please lock this computer, then unlock it using your most recent password or smart card"
If I lock the PC and then unlock it using the password (not Hello or PIN) the problem is resolved until I unlock it again using either Hello or PIN - at which point the same message is raised.
One of the machines has had Windows reinstalled since the domain change, but still sees the issues. I have also logged out of both devices and changed my password via the admin portal. But I still see the issue.
I do not see any errors in the Windows event log that tie up to the time when this message appears, or when the PC's are unlocked.
One option to consider is that this AAD tenant was previously sync'd to an on-premise domain. But it is no longer synced. This was removed intentionally several months before this problem started.
Many thanks
Simon
Tuesday, April 17, 2018 1:44 PM
Simon12345,
No, I have not resolved this issue yet. I do believe that it does have to do with previously being sync'd to an on-premise domain. I have not been able to get the message to go away. We have a new employee that we setup their computer after we had disconnected from the on-prem, so he shouldn't have the problem, but he has the same issue.
Also, we have another network that has the same setup as us except, it has never been sync'd with an on-prem domain. They do not get the same message, so I think it has to do with the AAD/on-prem sync.
However, we did find some logs on the DC that could end up being useful, but I have not had the time to track this one down yet. Each time we login to a computer with a pin it creates an error log on our DC. There are two types of logs "Kerberos-Key-Distribution-Center" (Event ID 21) and "User Device Registration" (Event IDs 304 and 204).
Kerberos-Key-Distribution-Center: Event 21
The client certificate for the user {DomainName\UserName} is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : The operation completed successfully.
User Device Registration Event 304
Automatic registration failed at join phase. Exit code: Unknown HResult Error code: 0x801c03f2. Server error: empty. Debug Output:\r\n joinMode: Join
drsInstance: azure
registrationType: sync
tenantType: managed
tenantId: {ID}
configLocation: undefined
errorPhase: join
adalCorrelationId: undefined
adalLog: undefined
adalLog: undefined
adalResponseCode: 0x0
.
User Device Registration Event 204
The get join response operation callback failed with exit code: Unknown HResult Error code: 0x801c03f2.
Activity Id: {ID}
The server returned HTTP status: 400
Server response was: {"ErrorType":"DirectoryError","Message":"The device object by the given id (ID) is not found.","TraceId":"ID","Time":"04-17-2018 14:00:39Z"}
Simon, could you take a look at your DC and see if you are getting these same event in your logs?
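The events quoted in the post above can be pulled and summarized in one pass rather than read one by one in Event Viewer. This is an added example, not part of the original thread; the seven-day window is an assumption, and the log and provider names are the standard Windows ones, not values taken from the poster's system.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell session.
$since = (Get-Date).AddDays(-7)   # assumed look-back window

function Get-EventsOrEmpty([hashtable]$Filter) {
    # Get-WinEvent raises an error when nothing matches or the log does not
    # exist on this machine; treat both cases as "no events".
    try { Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop } catch { @() }
}

# KDC event 21 is written to the System log on a domain controller.
$kdc = Get-EventsOrEmpty @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 21
    StartTime    = $since
}

# Count failed certificate logons per user, pulling the name out of the message text.
$kdc | ForEach-Object {
    $user = if ($_.Message -match 'for the user (.+?) is not valid') { $Matches[1] } else { '(unparsed)' }
    [pscustomobject]@{ Time = $_.TimeCreated; User = $user }
} | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Latest'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize

# Device registration events 204 and 304.
$reg = Get-EventsOrEmpty @{
    LogName   = 'Microsoft-Windows-User Device Registration/Admin'
    Id        = 204, 304
    StartTime = $since
}

# Extract the error code, the HTTP status, and whether the directory
# reported the device object as missing.
$reg | ForEach-Object {
    [pscustomobject]@{
        Time           = $_.TimeCreated
        Id             = $_.Id
        ErrorCode      = if ($_.Message -match 'Error code: (0x[0-9a-fA-F]+)') { $Matches[1] }
        HttpStatus     = if ($_.Message -match 'HTTP status: (\d+)') { $Matches[1] }
        DeviceNotFound = $_.Message -match 'device object by the given id .* is not found'
    }
} | Sort-Object Time | Format-Table -AutoSize
```

If the per-user event 21 counts line up in time with PIN unlocks, that matches the correlation described in the post.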
Thursday, May 17, 2018 8:49 AM
Has anyone solved this annoyance?
I am connected to a domain.
If I use anything other than my password (PIN, Face, Fingerprint), it shows this notification shortly after it unlocks.
GT
Thursday, June 21, 2018 3:57 PM
I have this problem, just started happening yesterday.
Windows 10, Azure joined but not domain joined, Intune policy stating that users can log in with PIN or fingerprint.
We do have an on-premises DC, but all the policies come from Intune.
Thursday, July 5, 2018 8:44 AM
Same situation and environment here.
Very annoying.
Sunday, July 8, 2018 9:27 PM
Also, have the same issue. Fresh build, never been joined to any other domain. AAD joined and issue happened from day 1.
Tuesday, July 24, 2018 5:35 PM
Momominta,
I have tried the options that are mentioned in the link you provided, but they did not resolve the issue.
Thanks,
Friday, August 3, 2018 8:38 AM
I do have the same issue.
I'd be interested if you have a solution :)
Friday, November 2, 2018 3:36 PM | 1 vote
Same issue here - anyone have a fix yet?
Device is Azure AD joined. User is seeing "Windows needs your current credentials. Please lock your device and then unlock with your smart card" error, no matter what logon method (password/pin/biometric). We have an on-premises domain with Hybrid Azure AD joined devices and AAD Connect, but this device should be separate, as it does not deal at all with the corporate infrastructure.
The user has been seeing this on login every day for a month. We've tried a number of fixes like clearing Windows credentials, removing/re-adding PIN/biometrics, logging in with different logon methods, but it is consistently appearing no matter what logon method is attempted. It only happens on the corporate network.
Thursday, January 3, 2019 2:04 AM
Same issue here. Device is both Domain and AzureAD joined.
Friday, January 4, 2019 10:50 AM
I have the same problem and you need to configure something to make this work:
weiker
Friday, January 18, 2019 2:19 PM
Same problem. Created a topic on Reddit about it.
https://www.reddit.com/r/Intune/comments/aha7cc/windows_needs_your_current_credentials_anyone/
We do not have hybrid, no Azure AD Connect, no on-premise AD.
Friday, April 12, 2019 2:37 PM
I too am having this problem. I'm Azure joined as well, but I do believe in my case at least, the problem is that I renamed my PC's network name. This is apparently a no-no for an azure joined system. It still works, all the azure stuff works fine, but something is out of whack. I work remotely, and it looks like I'm going to have to take a trip to the main office to have it fixed.
At least it doesn't keep me from using the computer.
Charles.
Wednesday, November 13, 2019 11:57 AM
I had this issue, it was due to the mapped network drives using local AD credentials while signed in with Azure credentials. It thinks the Windows credentials are not up to date. The mapped network drives are accessible as normal, it is just an annoying pop up.
Checked by removing all mapped network drives and no longer getting the pop up.
Friday, November 15, 2019 12:45 PM
Go to search, type credential, click "Credential Manager"
Click "Windows Credentials"
Remove all credentials, sign out, then log in with Password.
You may have to re-enter some 365 app credentials, but this will resolve the "needs current credentials" popup
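Before removing every mapped drive or every saved credential, as the last two posts suggest, it helps to see which mappings connect under a different account than the one signed in and which Credential Manager entries back them. This is an added example, not part of the original thread; it assumes English-language `cmdkey` output, and the account comparison is a heuristic.

```powershell
# Added example (not from the thread). Run as the affected user, not elevated,
# so the user's own drive mappings and credential vault are the ones inspected.
$current = (whoami).Trim()        # e.g. azuread\username or domain\username

# Parse `cmdkey /list` into objects (English-language output assumed).
$stored = @()
$entry  = $null
switch -Regex (cmdkey /list) {
    '^\s*Target:\s*(.+)$' {
        $entry = [pscustomobject]@{ Target = $Matches[1].Trim(); Type = ''; User = '' }
        $stored += $entry
    }
    '^\s*Type:\s*(.+)$' { if ($entry) { $entry.Type = $Matches[1].Trim() } }
    '^\s*User:\s*(.+)$' { if ($entry) { $entry.User = $Matches[1].Trim() } }
}

# For each mapped drive, show the account it connects as and any saved
# credential whose target mentions the same server.
Get-CimInstance -ClassName Win32_NetworkConnection | ForEach-Object {
    $server = ($_.RemoteName -split '\\')[2]      # \\server\share -> server
    $saved  = if ($server) { $stored | Where-Object { $_.Target -like "*$server*" } }
    [pscustomobject]@{
        Drive            = $_.LocalName
        Remote           = $_.RemoteName
        ConnectedAs      = $_.UserName
        DiffersFromLogon = [bool]($_.UserName -and $_.UserName -ne $current)
        SavedCredential  = ($saved.Target -join '; ')
    }
} | Format-Table -AutoSize

# Full list of saved entries, for review before deleting anything.
$stored | Format-Table -AutoSize
```

Rows with `DiffersFromLogon` set to True are the mappings that use credentials other than the signed-in account, which is the condition the November 13 post describes.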