If you encounter the error message ‘Something went wrong and your PIN isn’t available’ with status code ‘0xc00000bb’ on your Windows 11/10 PC, read this post to learn how to fix the error.
When you attempt to sign in to your Windows 11/10 device using a Windows Hello for Business (WHFB) certificate or key trust, the authentication process may fail if the domain controller cannot validate the client’s certificate, leading to the following error message:
Your credentials could not be verified
The above message is often accompanied by another error message that reads:
Something went wrong and your PIN isn’t available (status: 0xc00000bb, substatus: 0x0). Click to set your PIN again.
What causes ‘Something went wrong and your PIN isn’t available’ error with status code ‘0xc00000bb’?
When using WHFB in a Windows domain environment, the authentication process involves validating a certificate that the client machine sends to the domain controller. The domain controller must verify that this certificate is legitimate and has been issued by a trusted Certificate Authority (CA). The domain controller uses its Key Distribution Center (KDC) service to perform the validation. During the validation, the KDC service checks if it can find the issuing CA certificate in a specific registry key known as the NTAuth store, which is located at:
HKLM\Software\Microsoft\EnterpriseCertificates\NTAuth\Certificates
If the CA certificate is missing from this store, the domain controller cannot trust the client’s certificate, leading to authentication failures.
Something went wrong and your PIN isn’t available (0xc00000bb)
To fix the error message ‘Something went wrong and your PIN isn’t available’ with status code ‘0xc00000bb’ in Windows 11/10, start by identifying the issue following these steps:
Ensure the device can reach the necessary network resources, including domain controllers, Certificate Authorities, and any relevant AAD or AD FS endpoints.
Open the Certificate Authority snap-in. Right-click the issuing CA server and select Properties.
In the General tab, choose the current certificate if multiple certificates are present, then select View Certificate.
Go to the Details tab and find the Thumbprint attribute. Note the thumbprint of the issuing CA certificate.
On the domain controller, open the registry and navigate to:
HKLM\Software\Microsoft\EnterpriseCertificates\NTAuth\Certificates
Check whether a subkey (shown as a folder in Registry Editor) named with the thumbprint value exists under this registry key. If it doesn’t, you need to export the CA certificate and ensure it’s published to the NTAuth store on both domain controllers and client machines to fix the issue.
Note: The EnterpriseCertificates registry key represents a location in the Active Directory where trusted certificates are stored. During a Group Policy update, these certificates are automatically imported into the registry of all client machines, member servers, and domain controllers within the Active Directory forest. This ensures that all devices in the domain trust the same set of certificates.
Fix Something went wrong and your PIN isn’t available (0xc00000bb)
Open the Certificate Authority snap-in > right-click the issuing CA server > select Properties.
In the General tab, select the current certificate (if there are multiple certificates), then select View Certificate.
Export the certificate using the Copy to File option and save it as IssuingCA.cer.
Sign in with your Enterprise administrator credentials on the domain controller and execute the following commands:
certutil -dspublish -f IssuingCA.cer NTAuthCA
certutil -enterprise -addstore NTAuth IssuingCA.cer
Run gpupdate /force and verify the CA thumbprint in the following registry key:
HKLM\Software\Microsoft\EnterpriseCertificates\NTAuth\Certificates
Wait for Active Directory replication to complete.
Run gpupdate /force on client computers to ensure the CA thumbprint is created on the client computers as well.
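The thumbprint comparison used in both the identification steps and the verification steps above can be scripted. The following PowerShell is an added example, not part of the original post or a Microsoft tool; it assumes the exported IssuingCA.cer is in the current directory and that it is run on the domain controller or client being checked. The exit codes are this example's own convention.

```powershell
# Added example: check whether the issuing CA certificate is present
# in the local NTAuth store (the registry key named in this post).
param(
    # Path to the exported issuing CA certificate (file name from the steps above)
    [string]$CertPath = '.\IssuingCA.cer'
)

$ntAuthKey = 'HKLM:\Software\Microsoft\EnterpriseCertificates\NTAuth\Certificates'

# Load the exported certificate and read its thumbprint (uppercase hex, no spaces)
$fullPath = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath
$thumb = $cert.Thumbprint

Write-Output "Computer   : $env:COMPUTERNAME"
Write-Output "Issuing CA : $($cert.Subject)"
Write-Output "Thumbprint : $thumb"
Write-Output "Valid until: $($cert.NotAfter)"

# The key is absent when no NTAuth certificate has been applied to this machine
if (-not (Test-Path -LiteralPath $ntAuthKey)) {
    Write-Warning "NTAuth registry key not found; the CA certificate has not been published or Group Policy has not applied it yet."
    exit 2
}

# Each certificate in the store is a subkey named after its thumbprint
$published = @(Get-ChildItem -LiteralPath $ntAuthKey | ForEach-Object { $_.PSChildName })

if ($published -contains $thumb) {
    Write-Output "OK: issuing CA thumbprint is present in the NTAuth store."
    exit 0
}

Write-Warning "Issuing CA thumbprint is NOT in the NTAuth store on this machine."
Write-Output "Thumbprints currently in the store:"
$published | ForEach-Object { Write-Output "  $_" }
exit 1
```

Run it once on the domain controller after the certutil commands and again on a client after gpupdate /force; a non-zero exit code on either machine means the thumbprint has not arrived there yet.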
If the issue persists after trying the above steps, contact Microsoft Support for further assistance.
That’s all! I hope this helps.
Similar errors:
Something went wrong and your PIN isn’t available Error Code 0xd000a002 | 0xc000006d | 0x80090011 | 0x80090027 | 0xd0000225.
How to solve Something happened and your PIN isn’t available?
The error message ‘Something happened and your PIN isn’t available’ on Windows 11/10 typically indicates an issue with the Windows Hello PIN configuration. To resolve the issue, log in with your password using the ‘Sign-in options’ link at the login screen, remove your existing PIN (or delete the NGC folder), and then add a new PIN. If you don’t remember the password, boot into Safe Mode with Command Prompt, enable the built-in Administrator account, restart your computer, log in using the built-in Administrator account, and see if you can reset the password for your standard account via Control Panel > User Accounts.
Why does it say PIN is unavailable?
The message ‘Your PIN is unavailable’ generally indicates an issue with the Windows Hello for Business (WHFB) configuration or the PIN setup on your device, which may be caused by a corrupted PIN configuration, incorrect settings, profile corruption, or issues with the Trusted Platform Module (TPM). Problems with the Windows Hello for Business settings or certificates can lead to PIN-related errors if the system can’t validate the PIN with the associated certificate.