Windows 10 Pin Error
Applies to
- Windows 10
When you set up Windows Hello in Windows 10, you may get an error during the Create a PIN step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
Where is the error code?
The following image shows an example of an error during Create a PIN.
Error mitigations
When a user encounters an error when creating the work PIN, advise the user to try the following steps. Many errors can be mitigated by one of these steps.
- Try to create the PIN again. Some errors are transient and resolve themselves.
- Sign out, sign in, and try to create the PIN again.
- Reboot the device and then try to create the PIN again.
- Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a desktop PC, go to Settings > System > About and select Disconnect from organization. To unjoin a device running Windows 10 Mobile, you must reset the device.
- On mobile devices, if you are unable to set up a PIN after multiple attempts, reset your device and start over. For help on how to reset your phone, go to Reset my phone.
If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
Hex | Cause | Mitigation |
---|---|---|
0x80090005 | NTE_BAD_DATA | Unjoin the device from Azure AD and rejoin. |
0x8009000F | The container or key already exists. | Unjoin the device from Azure AD and rejoin. |
0x80090011 | The container or key was not found. | Unjoin the device from Azure AD and rejoin. |
0x80090029 | TPM is not set up. | Sign on with an administrator account. Click Start, type 'tpm.msc', and select tpm.msc Microsoft Common Console Document. In the Actions pane, select Prepare the TPM. |
0x8009002A | NTE_NO_MEMORY | Close programs which are taking up memory and try again. |
0x80090031 | NTE_AUTHENTICATION_IGNORED | Reboot the device. If the error occurs again after rebooting, reset the TPM or run Clear-TPM. |
0x80090035 | Policy requires TPM and the device does not have TPM. | Change the Windows Hello for Business policy to not require a TPM. |
0x80090036 | User canceled an interactive dialog. | User will be asked to try again. |
0x801C0003 | User is not authorized to enroll. | Check if the user has permission to perform the operation. |
0x801C000E | Registration quota reached. | Unjoin some other device that is currently joined using the same account or increase the maximum number of devices per user. |
0x801C000F | Operation successful, but the device requires a reboot. | Reboot the device. |
0x801C0010 | The AIK certificate is not valid or trusted. | Sign out and then sign in again. |
0x801C0011 | The attestation statement of the transport key is invalid. | Sign out and then sign in again. |
0x801C0012 | Discovery request is not in a valid format. | Sign out and then sign in again. |
0x801C0015 | The device is required to be joined to an Active Directory domain. | Join the device to an Active Directory domain. |
0x801C0016 | The federation provider configuration is empty. | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty. |
0x801C0017 | The federation provider domain is empty. | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty. |
0x801C0018 | The federation provider client configuration URL is empty. | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL. |
0x801C03E9 | Server response message is invalid | Sign out and then sign in again. |
0x801C03EA | Server failed to authorize user or device. | Check if the token is valid and user has permission to register Windows Hello for Business keys. |
0x801C03EB | Server response http status is not valid | Sign out and then sign in again. |
0x801C03EC | Unhandled exception from server. | Sign out and then sign in again. |
0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed. -or- Token was not found in the Authorization header. -or- Failed to read one or more objects. -or- The request sent to the server was invalid. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin. |
0x801C03EE | Attestation failed. | Sign out and then sign in again. |
0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
0x801C03F2 | Windows Hello key registration failed. | ERROR_BAD_DIRECTORY_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to Duplicate Attributes Prevent Dirsync. |
0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. |
| Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. |
0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. |
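Most rows in the table above turn on the same two facts: whether the TPM is present and ready, and whether the device is actually Azure AD joined. The following helper is an added example (not from the Microsoft page) that collects those facts, plus recent error events, before a user is sent down the unjoin/rejoin or TPM path. It assumes Windows 10 with the built-in `Get-Tpm` cmdlet and `dsregcmd.exe`, an elevated prompt, and the two event channel names given in the code; the `Hint` wording is the example's own.

```powershell
# Added triage helper (not Microsoft's code). Gathers the state that the PIN error
# mitigations depend on. Assumptions: elevated PowerShell on Windows 10, Get-Tpm from
# the TrustedPlatformModule module, dsregcmd.exe, and the event log channel names below.

function Get-HelloPinTriage {
    [CmdletBinding()]
    param(
        # Code shown in the Create a PIN dialog, e.g. 0x80090029; used only for the hint
        [string]$ErrorCode = ''
    )

    $report = [ordered]@{ ErrorCode = $ErrorCode }

    # 1. TPM state: 0x80090029 (TPM not set up), 0x80090031 and 0x80090035 hinge on this.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $report.TpmPresent = [bool]$tpm.TpmPresent
        $report.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        # Get-Tpm fails on machines with no TPM driver/module at all
        $report.TpmPresent = $false
        $report.TpmReady   = $false
    }

    # 2. Join state. dsregcmd /status prints "Key : Value" lines; pull the ones that matter
    #    for the Azure AD unjoin/rejoin mitigations (0x80090005, 0x8009000F, 0x80090011, 0x801C044D).
    $dsText = (& dsregcmd.exe /status 2>$null) -join "`n"
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'NgcSet') {
        $m = [regex]::Match($dsText, "(?m)^\s*$key\s*:\s*(\S+)")
        $report[$key] = if ($m.Success) { $m.Groups[1].Value } else { 'unknown' }
    }

    # 3. Error-level events from the last 24 hours in the device registration and
    #    Windows Hello channels (channel names are an assumption of this example).
    $since = (Get-Date).AddDays(-1)
    $report.RecentErrors = @(
        foreach ($log in 'Microsoft-Windows-User Device Registration/Admin',
                         'Microsoft-Windows-HelloForBusiness/Operational') {
            Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = $since } `
                         -ErrorAction SilentlyContinue |
                Select-Object TimeCreated, Id, @{ n = 'Log'; e = { $log } }, Message
        }
    )

    # 4. First-line hint derived from the facts above, in table order of likelihood.
    $report.Hint =
        if (-not $report.TpmPresent) {
            'No TPM detected: expect 0x80090035 if policy requires a TPM; relax the policy or use BitLocker plus account lockout.'
        } elseif (-not $report.TpmReady) {
            'TPM present but not ready: matches 0x80090029; open tpm.msc as an administrator and choose Prepare the TPM.'
        } elseif ($report.AzureAdJoined -ne 'YES') {
            'Device is not Azure AD joined: join (or rejoin) before retrying PIN creation.'
        } else {
            'TPM and join state look fine; match the error code against the mitigation table.'
        }

    [pscustomobject]$report
}

# Usage from an elevated prompt:
Get-HelloPinTriage -ErrorCode '0x80090029' | Format-List
```

Run it before and after each mitigation step; if `TpmReady` flips to true or `AzureAdJoined` becomes `YES` and the error persists, the cause lies in the server-side rows of the table (0x801C03xx) rather than on the device.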
Errors with unknown mitigation
For errors listed in this table, contact Microsoft Support for assistance.
Hex | Cause |
---|---|
0x80072F0C | Unknown |
0x80070057 | Invalid parameter or argument is passed. |
0x80090020 | NTE_FAIL |
0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. |
0x8009002D | NTE_INTERNAL_ERROR |
0x801C0001 | ADRS server response is not in a valid format. |
0x801C0002 | Server failed to authenticate the user. |
0x801C0006 | Unhandled exception from server. |
0x801C000B | Redirection is needed and redirected location is not a well known server. |
0x801C000C | Discovery failed. |
0x801C0013 | Tenant ID is not found in the token. |
0x801C0014 | User SID is not found in the token. |
0x801C0019 | The federation provider client configuration is empty |
0x801C001A | The DRS endpoint in the federation provider client configuration is empty. |
0x801C001B | The device certificate is not found. |
0x801C03F0 | There is no key registered for the user. |
0x801C03F1 | There is no UPN in the token. |
0x801C044C | There is no core window for the current thread. |
Applies to
- Windows 10
Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like t758A! could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password.
PIN is tied to the device
One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
PIN is local to the device
A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server.
When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
Note
For details on how Hello uses asymmetric key pairs for authentication, see Windows Hello for Business.
PIN is backed by hardware
The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.
User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users' credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.
The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
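The "PIN is local to the device" and "PIN is backed by hardware" sections describe a protocol rather than a stored secret: the device holds a private key, the identity provider holds only the public key, and the PIN merely unlocks the key for one signature over a fresh challenge. The following block is an added illustration, not Microsoft's code, that models that exchange in PowerShell with .NET RSA in place of a TPM, with a wrong-guess counter standing in for TPM anti-hammering. The PIN value, user name and guess limit are constructed for the demo.

```powershell
# Added illustration (not Microsoft's code) of the Hello sign-in model: a device-held
# private key, a server-held public key, and a PIN that only unlocks the key locally.
# An in-memory RSA object stands in for the TPM. PIN, user name and guess limit are
# constructed sample values.

$script:DevicePin   = '7531'   # sample PIN; never sent anywhere, never stored server-side
$script:MaxBadGuess = 5        # sample anti-hammering limit
$script:BadGuesses  = 0
$script:KeyLocked   = $false

# ---- Device side -------------------------------------------------------------
function New-DeviceKeyPair {
    # Runs once during "Create a PIN". With Hello the private half lives in the TPM.
    $rsa = [System.Security.Cryptography.RSA]::Create()
    $rsa.KeySize = 2048
    [pscustomobject]@{
        Private = $rsa                              # stays on the device
        Public  = $rsa.ExportParameters($false)     # modulus and exponent only: what the IdP gets
    }
}

function Invoke-DeviceSign {
    param($KeyPair, [string]$PinEntered, [byte[]]$Challenge)
    if ($script:KeyLocked) { throw 'Key locked after too many wrong PIN attempts' }
    if ($PinEntered -ne $script:DevicePin) {
        $script:BadGuesses++
        if ($script:BadGuesses -ge $script:MaxBadGuess) { $script:KeyLocked = $true }
        throw "Wrong PIN (attempt $script:BadGuesses of $script:MaxBadGuess)"
    }
    $script:BadGuesses = 0
    # The PIN only unlocked the key; what gets signed is the server's challenge, not the PIN.
    $KeyPair.Private.SignData($Challenge,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

# ---- Identity provider side --------------------------------------------------
function New-Challenge {
    $nonce = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    return ,$nonce
}

function Test-DeviceSignature {
    param($PublicKey, [byte[]]$Challenge, [byte[]]$Signature)
    $verifier = [System.Security.Cryptography.RSA]::Create()
    $verifier.ImportParameters($PublicKey)
    $verifier.VerifyData($Challenge, $Signature,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

# ---- Enrollment, then sign-in exchanges ---------------------------------------
$device   = New-DeviceKeyPair
$idpStore = @{ 'user@contoso.example' = $device.Public }   # IdP database holds no secret

$challenge = New-Challenge                                                                # IdP -> device
$signature = Invoke-DeviceSign -KeyPair $device -PinEntered '7531' -Challenge $challenge  # device -> IdP
'Genuine device, correct PIN: ' + (Test-DeviceSignature $idpStore['user@contoso.example'] $challenge $signature)

# A captured signature is useless against the next challenge.
'Replayed signature:          ' + (Test-DeviceSignature $idpStore['user@contoso.example'] (New-Challenge) $signature)

# A copy of the IdP database yields only the public key, which cannot sign anything.
$otherKey = New-DeviceKeyPair
$forged = $otherKey.Private.SignData($challenge,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
'Forged with another key:     ' + (Test-DeviceSignature $idpStore['user@contoso.example'] $challenge $forged)

# Wrong PINs on the device itself: the key locks once the guess limit is reached.
foreach ($guess in '0000', '1111', '2222', '3333', '4444', '5555') {
    try { Invoke-DeviceSign -KeyPair $device -PinEntered $guess -Challenge $challenge | Out-Null }
    catch { $_.Exception.Message }
}
```

The first verification succeeds and the replayed and forged ones fail; the final loop shows the key refusing further attempts once the limit is hit, which is the property the TPM provides in hardware. A real deployment also binds the key to a specific device identity at registration, which this toy omits.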
PIN can be complex
The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set policies for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
What if someone steals the laptop or phone?
To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user's biometrics or guess his or her PIN, and all of this must be done before TPM anti-hammering protection locks the device.
You can provide additional protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
Configure BitLocker without TPM
Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup
In the policy option, select Allow BitLocker without a compatible TPM, and then click OK.
Go to Control Panel > System and Security > BitLocker Drive Encryption and select the operating system drive to protect.
Set account lockout threshold
Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold
Set the number of invalid logon attempts to allow, and then click OK.
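The two procedures above (BitLocker without a TPM, then an account lockout threshold) can be applied from a script instead of the gpedit.msc UI, which makes the result repeatable and easy to audit. The following block is an added example, not from the Microsoft page; it assumes an elevated PowerShell on Windows 10, that the `HKLM\SOFTWARE\Policies\Microsoft\FVE` value names used are the ones the BitLocker policy template writes, and that `net accounts` and `Enable-BitLocker` are available as built-ins.

```powershell
# Added configuration script (not Microsoft's code). Applies the two policies described
# above through their registry-backed settings. Assumptions: elevated PowerShell on
# Windows 10; FVE value names as written by the BitLocker policy template; net.exe and
# the BitLocker PowerShell module present.

function Set-BitLockerNoTpmPolicy {
    # Equivalent of: Computer Configuration > Administrative Templates > Windows Components >
    # BitLocker Drive Encryption > Operating System Drives > Require additional authentication
    # at startup, with "Allow BitLocker without a compatible TPM" selected.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    $values = @{
        UseAdvancedStartup = 1   # policy Enabled
        EnableBDEWithNoTPM = 1   # permit a startup password or USB key when no TPM is present
        UseTPM             = 2   # 2 = Allow, 1 = Require, 0 = Do not allow
        UseTPMPIN          = 2
        UseTPMKey          = 2
        UseTPMKeyPIN       = 2
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $fve -Name $name -PropertyType DWord -Value $values[$name] -Force | Out-Null
    }
    # Read back the two values that matter for verification
    Get-ItemProperty -Path $fve | Select-Object UseAdvancedStartup, EnableBDEWithNoTPM
}

function Set-AccountLockoutThreshold {
    param([ValidateRange(1, 999)][int]$InvalidAttempts = 10)
    # Equivalent of: Computer Configuration > Windows Settings > Security Settings >
    # Account Policies > Account Lockout Policy > Account lockout threshold
    & net.exe accounts /lockoutthreshold:$InvalidAttempts | Out-Null
    # Read back the effective local value
    (& net.exe accounts) -match 'Lockout threshold'
}

function Enable-OsDriveBitLockerWithPassword {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][securestring]$Password
    )
    # Control Panel > System and Security > BitLocker Drive Encryption > turn on for the OS
    # drive, using a startup password protector because there is no TPM. Enable-BitLocker
    # refuses a password protector unless the policy above is in place.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password -SkipHardwareTest
}

# Usage from an elevated prompt (the third step starts encryption of the OS drive):
Set-BitLockerNoTpmPolicy
Set-AccountLockoutThreshold -InvalidAttempts 10
Enable-OsDriveBitLockerWithPassword -Password (Read-Host -AsSecureString 'Startup password')
```

On a domain-joined machine the lockout threshold set with `net accounts` is the local policy only; a domain Group Policy Object that defines Account Lockout Policy overrides it, so check the effective value with `net accounts` after the next policy refresh.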
Why do you need a PIN to use biometrics?
Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello.