This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 66%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Hello,
When I set up Windows Hello in Windows 10 build 2004, I get the following error during the create a PIN step.
Error code: 0xCAA70010
In the background, the Aad token broker plugin failed to acquire token from the onprem ADFS server.
Error: 0xCAA70010 Certificate is invalid.
Exception of type 'class HttpException' at XMLHTTPWebRequest.cpp, line: 184, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa10083 Exception in WinRT wrapper.
Logged at AuthorizationClient.cpp, line:242, method: ADALRT::AuthorizationClient::AcquireToken.
Request: authority: https://myadfs/adfs, client: dd762716-544d-4aeb-a526-687b73838a22, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/dd762716-544d-4aeb-a526-687b73838a22
Hi,
You may try the following steps:
1.Try to create the PIN again. Some errors are transient and resolve themselves.
2.Sign out, sign in, and try to create the PIN again.
3.Reboot the device and then try to create the PIN again.
4.Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a desktop PC, go to Settings > System > About and select Disconnect from organization.
Hope above information can help you.
Hi,
I made some progress with the problem and now I'm getting the following error code
Error Code:0x801c0451
The ADFS server returns the following error message:
error=invalid request
error_description=MSIS9681:Received invalid OAuth JWT Bearer request. the jwt bearer request with tokentype=pop must contain aza scope.
This is the oauth JWT bearer request that is being sent to my adfs server, as you can see the scope field contains only openid.
But the application "urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A" has aza scope in the adfs server.
Also, if you are using ADFS on Windows Server 2019 make sure you've made the changed outlined in tis article: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs (the part in the "! note" section, basically adding the ugs scope to this app).
It's already set up.
I see, well I can't seem to repro. Was there a specific scenario? Like an inplace upgrade of Windows or the use of the convenience PIN before? I am curious.
No, I already had a windows 10 build 1909 with windows hello fingerprint configured and working. I installed a new computer with windows 10 build 2004 in the same domain with the same user and I got the errors that I mentioned here before.
If you need more info, let me now.
Thanks!