The message corresponds to WHfB/PIN status 0xC00000BB: “Your PIN or this option is temporarily unavailable.” In a hybrid/Entra-joined environment, this is typically a sign-in method issue on the domain side rather than the device, and in your case it’s scoped to a single user account.
For a domain admin with account-specific failures across multiple devices, focus on:
- Verify the exact error/status
  - On a device where the issue occurs, attempt PIN sign-in and note whether the detailed status shows 0xc00000bb (for example in the “Something went wrong and your PIN isn't available (status: 0xc00000bb, substatus: 0x0)” style message).
  - This confirms it is the same WHfB/Kerberos sign-in path issue described for 0xC00000BB.
- Check domain controller support for WHfB sign-in
  - 0xC00000BB indicates the destination domain controller does not support the login method, most often because the KDC service does not have the proper certificate to support WHfB logon, or the client cannot verify the KDC certificate CRL.
  - Since other users can sign in with PIN on the same devices, verify that all domain controllers in the sites you use have:
    - A valid KDC certificate suitable for WHfB sign-in.
    - The issuing CA certificate present in the NTAuth store on the domain controllers.
- Validate the issuing CA in NTAuth (certificate/key trust WHfB). If using WHfB certificate or key trust:
  - On a domain controller, open the Certification Authority snap-in.
  - Right-click the issuing CA server → Properties → General → select the current CA certificate → View Certificate → Details → note the Thumbprint.
  - On the same domain controller, open Registry Editor and go to:
    HKLM\Software\Microsoft\EnterpriseCertificates\NTAuth\Certificates
  - Confirm there is a subkey whose name matches the issuing CA certificate thumbprint.
  - If missing, the KDC cannot validate WHfB certificates, which causes “credentials could not be verified” / 0xC00000BB-type failures.
  - Ensure Group Policy has replicated this NTAuth entry to all domain controllers and clients.
- Confirm client NTAuth sync
  - On a client where your PIN fails, check the same registry location:
    HKLM\Software\Microsoft\EnterpriseCertificates\NTAuth\Certificates
  - Verify that the same issuing CA thumbprint exists there as well.
  - If not, force a Group Policy update and certificate store sync, then test again.
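The NTAuth and KDC certificate checks above can be scripted so the same comparison is run on every domain controller and on the affected client. The following PowerShell is an added example, not part of the original answer: it reads the NTAuth registry store the answer names, compares it with a thumbprint you supply (the `$IssuingCaThumbprint` parameter is a placeholder for the value taken from the CA certificate's Details tab), and, when run on a domain controller, lists certificates in the machine store that carry the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5). It assumes an elevated PowerShell session on the machine being checked.

```powershell
# Added example (not from the original answer).
# Run elevated. On a client only the NTAuth part is meaningful; on a DC both parts apply.
# $IssuingCaThumbprint is a placeholder: paste the thumbprint noted in the CA snap-in.
param(
    [Parameter(Mandatory)]
    [string]$IssuingCaThumbprint
)

# Normalise the pasted thumbprint (remove spaces, upper-case) so it matches the registry subkey names.
$thumb = ($IssuingCaThumbprint -replace '\s', '').ToUpperInvariant()

# 1. NTAuth store as replicated into the machine registry (same path the answer describes).
$ntAuthPath = 'HKLM:\Software\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$ntAuthKeys = @()
if (Test-Path $ntAuthPath) {
    $ntAuthKeys = Get-ChildItem -Path $ntAuthPath | ForEach-Object { $_.PSChildName.ToUpperInvariant() }
}
if ($ntAuthKeys -contains $thumb) {
    Write-Output "OK: issuing CA $thumb is present in the local NTAuth registry store."
} else {
    Write-Output "MISSING: issuing CA $thumb not found under $ntAuthPath"
    Write-Output "  Subkeys present: $($ntAuthKeys -join ', ')"
    Write-Output "  On a client this usually means policy/certificate sync has not run yet: try 'gpupdate /force' and 'certutil -pulse', then re-run."
}

# 2. Domain controller only: a certificate with the KDC Authentication EKU is needed for WHfB sign-in.
$kdcEkuOid = '1.3.6.1.5.2.3.5'
$kdcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $kdcEkuOid })
}
if ($kdcCerts) {
    foreach ($c in $kdcCerts) {
        Write-Output ("KDC certificate: {0} issuer='{1}' expires={2:yyyy-MM-dd}" -f $c.Thumbprint, $c.Issuer, $c.NotAfter)
        # The KDC certificate's issuer chain must lead to the CA checked in step 1.
    }
} else {
    Write-Output "No unexpired certificate with the KDC Authentication EKU found in LocalMachine\My."
    Write-Output "  Expected on every DC that should accept WHfB sign-in; if this is a DC, enrol the KDC certificate first."
}
```

Run it on each domain controller in the affected sites and on the failing client with the same thumbprint; a domain controller that reports the CA as present but has no KDC certificate, or a client whose NTAuth store lacks the thumbprint, points to the two causes the answer lists for 0xC00000BB.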
- Test with an alternate sign-in and re-provision WHfB for this account. Because the issue is account-specific:
  - Sign in using a password or smart card on an affected device.
  - Remove the existing WHfB credentials for this user on that device:
    - In Settings → Accounts → Sign-in options, remove the PIN and any WHfB biometrics for this account.
  - Sign out and sign back in, then attempt to set up WHfB again.
  - If PIN creation fails with a specific WHfB error code (for example 0x801C03EF, 0x801C03F2, 0x801C044D, 0x801C044E, 0x801C0451), use the corresponding mitigation:
    - 0x801C03EF (AIK certificate no longer valid): sign out and sign in again.
    - 0x801C03F2 (key registration failed / directory proxyAddresses conflict): resolve any duplicate attributes and ensure the Mail/Email address in Entra ID matches the primary SMTP in proxyAddresses.
    - 0x801C044D (authorization token missing device ID): unjoin and rejoin the device to Entra ID.
    - 0x801C044E (failed to receive credentials input): sign out and sign in again.
    - 0x801C0451 (user token switch account): delete the Web Account Manager token broker files under %LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.* and reboot.
- Validate the WHfB sign-in path specifically for this account. Because other users (including other domain admins) work on the same machines, compare:
  - WHfB provisioning state and keys for your account vs. a working admin account.
  - Any differences in Entra ID attributes (UPN, proxyAddresses, Mail/Email) that might affect WHfB key registration (especially if 0x801C03F2 appears during PIN setup).
- If sign-in still fails with 0xC00000BB
  - After confirming the CA/NTAuth/KDC certificate configuration and re-provisioning WHfB for this user, if the error persists only for this account, collect:
    - Exact error text and status/substatus.
    - Event logs from the client and domain controller during the failed sign-in.
  - Use these to further isolate whether the failure is in certificate validation (NTAuth/KDC) or in WHfB provisioning for the user.
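For the log collection step, the following PowerShell is an added example (not from the original answer) that gathers the client-side events most relevant to a failed WHfB PIN sign-in into one CSV for comparison with the domain controller's logs. It assumes an elevated session on the affected client shortly after the failure; `$Minutes` and `$OutFile` are placeholder parameters, and the event logs listed are the standard Windows channels for Hello for Business, device registration and the Entra ID (AAD) broker.

```powershell
# Added example (not from the original answer).
# Run elevated on the affected client soon after reproducing the failed PIN sign-in.
param(
    [int]$Minutes = 30,                                    # placeholder: how far back to look
    [string]$OutFile = "$env:TEMP\whfb-signin-events.csv"  # placeholder: where to write the CSV
)

$since = (Get-Date).AddMinutes(-$Minutes)

# Client channels where WHfB provisioning, device registration and token broker problems surface.
$logs = @(
    'Microsoft-Windows-HelloForBusiness/Operational',
    'Microsoft-Windows-User Device Registration/Admin',
    'Microsoft-Windows-AAD/Operational'
)

$events = @()
foreach ($log in $logs) {
    $events += Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue
}

# Logon failure audits (4625) in the same window, for correlation with the status/substatus shown on screen.
$events += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Surface anything that mentions the status code from the answer directly.
$events |
    Where-Object { $_.Message -match '0xc00000bb' } |
    Select-Object TimeCreated, LogName, Id |
    Format-Table -AutoSize

Write-Output "Saved $($events.Count) events since $since to $OutFile"
```

Collect the same time window from the domain controller that handled the sign-in (the System log and the KDC-related channels there) so that a certificate validation failure on the DC can be lined up with the provisioning or broker events on the client.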