Migrate from Windows Hello to Windows Hello For Business (WHFB)

Description:

You have deployed Windows Hello in the past to several machines in the organizations. Recently you got direction from Management to deploy Windows Hello For Business (WHFB) for your organization. 
You have enable the Hybrid Cloud Kerberos trust and the configured required group policy. However, on the test machine, no WHFB got the prompt for provision. You have try to restart and make sure the WFHB group policy apply correctly.

Resolution:

Since you previously deployed Windows Hello, you need to make sure the "old" policy is being disabled.
Go to "Computer Configuration\Administrative Templates\System\Logon\Turn on convenience PIN sign-in". Make sure it is Disabled.

Multiple Prompt when creating Azure AD Kerberos Server object

Description:

You want to Deploy Windows Hello For Business with Hybrid Cloud Kerberos type in your environment.
You have met all the require prerequisites. However when trying to create Azure AD Kerberos Server object using below PowerShell command you encounter multiple prompt asking for Azure AD credential.

# Specify the on-premises Active Directory domain. A new Azure AD
# Kerberos Server object will be created in this Active Directory domain.
$domain = $env:USERDNSDOMAIN
# Enter an Azure Active Directory global administrator username and password.
$cloudCred = Get-Credential -Message 'An Active Directory user who is a member of the Global Administrators group for Azure AD.'
# Enter a domain administrator username and password.
$domainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.'
# Create the new Azure AD Kerberos Server object in Active Directory
# and then publish it to Azure Active Directory.
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

Resolution:

Make sure the Azure AD Global Administrator account that you are using during configuration are not included in any of Azure AD Conditional Access rules. You may also need to close the previous PowerShell session and try again.

ADRMS and SharePoint IRM Integration Error - 0x80020009

Description:

You have configure ADRMS properly in your environment. Now you want to make SharePoint to use ADRMS. At the SharePoint Central Admin, you specify the location of the RMS Server.

However when you try to open a document protected with RMS, there's a pop-up error saying couldn't find the document. At the SharePoint event viewer you saw the following error:

Information Rights Management (IRM): There was a problem while ensure IRM client. Status value: -1, error value: 0x80020009.

[Information Rights Management (IRM): There was a problem while creating the generic issuance license template.

All issuance licenses for protected documents are constructed from a generic, base issuance license template.

Additional Data

Error value: 0x800704DC

Resolution:

Please go to the SharePoint Central Admin and make sure you already select or type in the correct RMS cluster server address. Use HTTPS instead of HTTP when typing the RMS cluster address.

Sample SQL Script to Update ADRMS Configuration Database during Parallels Upgrade

UPDATE [dbo].[DRMS_ClusterPolicies]

SET PolicyData = '' --(your new string with updated information goes between the ' ' )
WHERE PolicyName='CertificationUserKeyStorageConnectionString'
 
UPDATE [dbo].[DRMS_ClusterPolicies]
SET PolicyData = '' --(your new string with updated information goes between the ' ' )
WHERE PolicyName='DirectoryServicesCacheDatabase'
 
UPDATE [dbo].[DRMS_ClusterPolicies]
SET PolicyData = '' --(your new string with updated information goes between the ' ' )
WHERE PolicyName='LoggingDatabaseServer'

Update AD RMS Config Database using SQL Server Management Studio during Parallels Upgrade

Description:

During AD RMS Parallels Upgrade, you need to modify the restored database to point to the new database servers.

Resolution:

1. Log on to the AD RMS configuration database server as local Administrator or another user account that is a member of the local Administrators group.
2. Click Start, point to All Programs, point to Microsoft SQL Server 2012, and then click SQL Server Management Studio.
3. On the Connect to Server page, ensure that the new database server name is listed in the Server name box, and then click Connect.
4. Expand Databases, expand DRMS_Config_<RMS cluster name>_<Port>, and then expand Tables.
5. Right-click DRMS_ClusterPolicies, and then click Open Table.
6. In the results pane, change the value in the PolicyData column of the LoggingDatabaseServer row to the new RMS database server name.
7. Change the value in the PolicyData column of the CertificationUserKeyStorageConnectionString row to reflect the new database server. The value should be data source=<new database server name>;integrated where <new database server name> is the name of the new database server.
8. Repeat steps 6–7 for the value in the PolicyData column of the DirectoryServicesCacheDatabase row.
9. Close Microsoft SQL Server Management Studio.