Problems with Windows Hello for Business in hybrid Cloud Trust scenario, but only on Windows 10

Tags: active-directory, entra-id, group-policy, microsoft-intune

So I went through the process of deploying WHFB. I set up all the prereqs (as far as I know) following the Cloud Trust deployment guide. I added four test machines to the test OU with the appropriate WHFB GPO applied. Two of these machines, which are running Windows 11, worked flawlessly. On next boot we were able to enroll and everything is working fine. However, I'm now testing the two Windows 10 (22H2) machines and they still show "This setting is managed by your administrator" and cannot be enrolled. I have confirmed with RSOP that the policy did apply. When I check the event viewer, I see the following events (On both machines):

LEVEL Summary
Info Windows Hello for Business prerequisites check started.
Success Windows Hello for Business successfully completed the remote desktop prerequisite check.
Success The Primary Account Primary Refresh Token prerequisite check completed successfully.
Success The device registration prerequisite check completed successfully.
Info Windows Hello for Business certificate enrollment configurations:
Certificate Enrollment Method: RA
Certificate Required for On-Premise Auth: true
Success Windows Hello for Business is enabled.
Error Windows Hello for Business post-logon provisioning is not enabled.
Success The device meets Windows Hello for Business hardware requirements.
Error The Secondary Account Primary Refresh Token prerequisite check failed.
Error Windows Hello for Business failed to locate a certificate registration authority.
Error Windows Hello for Business prerequisites check failed.
Error: 0x1

And then that entire series of events repeats like 3 times.

The devices show as Hybrid-Joined. AD Sync is working fine. I don't see any obvious problems. I don't understand why it's even looking for a CA since I'm using Cloud Trust and the two Win11 devices are working fine (and do not show any of these errors in their event logs).

Any guidance appreciated.

Best Answer

I rechecked your error message and I suspect your computer is missing some settings.

As we talked about, you have no Intune policy, so these would be the GPOs:

It is important to make sure these 3 settings are set at a minimum so that WHfB uses the Cloud Kerberos Trust method.

They are Computer GPO settings, except one which can be set in Computer or User.

Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business
Use Windows Hello for Business - Enabled
or
User Configuration\Administrative Templates\Windows Components\Windows Hello for Business
Use Windows Hello for Business - Enabled

Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business
Use cloud Kerberos trust for on-premises authentication - Enabled

Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business
Use a hardware security device - Enabled

Reference: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?WT.mc_id=EM-MVP-5004117&tabs=gpo#tabpanel_1_gpo
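As an added example (not part of the answer above), a quick PowerShell check to run on one of the Windows 10 machines: it reads the registry values that the three GPO settings above write, then pulls the latest WHfB prerequisite-check events and the hybrid-join/TGT lines from dsregcmd. The registry value names (Enabled, UseCloudTrustForOnPremAuth, RequireSecurityDevice under the PassportForWork policy key), the event log name and the dsregcmd field names are assumptions based on the usual ADMX mapping; compare against what RSOP shows on your machine.

```powershell
# Added check script, not from the answer above. Assumes the three GPO settings map to these
# registry values under HKLM\SOFTWARE\Policies\Microsoft\PassportForWork (assumption: verify with RSOP).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$userKey   = 'HKCU:\SOFTWARE\Policies\Microsoft\PassportForWork'

$required = @(
    @{ Name = 'Enabled';                    Setting = 'Use Windows Hello for Business' }
    @{ Name = 'UseCloudTrustForOnPremAuth'; Setting = 'Use cloud Kerberos trust for on-premises authentication' }
    @{ Name = 'RequireSecurityDevice';      Setting = 'Use a hardware security device' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist, so a missing policy is reported, not thrown
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$results = foreach ($r in $required) {
    $value = Get-PolicyValue -Path $policyKey -Name $r.Name
    # "Use Windows Hello for Business" may be delivered from the User side instead of Computer
    if ($null -eq $value -and $r.Name -eq 'Enabled') {
        $value = Get-PolicyValue -Path $userKey -Name $r.Name
    }
    [pscustomobject]@{
        Setting = $r.Setting
        Value   = $value
        Status  = if ($value -eq 1) { 'OK' } elseif ($null -eq $value) { 'MISSING' } else { 'DISABLED' }
    }
}
$results | Format-Table -AutoSize

# Latest WHfB prerequisite-check events; assumption: they live in the User Device Registration admin log
Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' -MaxEvents 40 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Windows Hello for Business*' } |
    Select-Object TimeCreated, LevelDisplayName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Join state and Kerberos ticket state from dsregcmd (field names are assumptions; check your own output)
(dsregcmd /status) | Select-String -Pattern 'AzureAdJoined|DomainJoined|AzureAdPrt\b|CloudTgt|OnPremTgt'
```

If "Use cloud Kerberos trust for on-premises authentication" shows MISSING, the client falls back to looking for a certificate registration authority, which matches the "failed to locate a certificate registration authority" event in the question.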
