Problems with Windows Hello for Business in hybrid Cloud Trust scenario, but only on Windows 10

active-directoryentra-idgroup-policymicrosoft-intune

So I went through the process of deploying WHFB. I set up all the prereqs (as far as I know) following the Cloud Trust deployment guide. I added four test machines to the test OU with the appropriate WHFB GPO applied. Two of these machines, which are running Windows 11, worked flawlessly. On next boot we were able to enroll and everything is working fine. However, I'm now testing the two Windows 10 (22H2) machines and they still show "This setting is managed by your administrator" and cannot be enrolled. I have confirmed with RSOP that the policy did apply. When I check the event viewer, I see the following events (On both machines):

LEVEL	Summary
Info	Windows Hello for Business prerequisites check started.
Success	Windows Hello for Business successfully completed the remote desktop prerequisite check.
Success	The Primary Account Primary Refresh Token prerequisite check completed successfully.
Success	The device registration prerequisite check completed successfully.
Info	Windows Hello for Business certificate enrollment configurations: Certificate Enrollment Method: RA Certificate Required for On-Premise Auth: true
Success	Windows Hello for Business is enabled.
Error	Windows Hello for Business post-logon provisioning is not enabled.
Success	The device meets Windows Hello for Business hardware requirements.
Error	The Secondary Account Primary Refresh Token prerequisite check failed.
Error	Windows Hello for Business failed to locate a certificate registration authority.
Error	Windows Hello for Business prerequisites check failed. Error: 0x1

And then that entire series of events repeats like 3 times.

The devices show as Hybrid-Joined. AD Sync is working fine. I don't see any obvious problems. I don't understand why it's even looking for a CA since I'm using Cloud Trust and the two Win11 devices are working fine (and do not show any of these errors in their event logs).

Any guidance appreciated.

Best Answer

I recheck your error message and I suspect your computer miss some settings.

As we talked you have no Intune policy so these would be these GPO;

Important to make sure these 3 settings are set in the minimum to make sure WHfB use the Cloud Kerberos Thust method.

It's a Computer GPO, except one which can set set in Computer or User.

Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business
Use Windows Hello for Business - Enabled
or
User Configuration\Administrative Templates\Windows Components\Windows Hello for Business
Use Windows Hello for Business - Enabled

Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business
Use cloud Kerberos trust for on-premises authentication - Enabled

Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business
Use a hardware security device - Enabled

Reference: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?WT.mc_id=EM-MVP-5004117&tabs=gpo#tabpanel_1_gpo

Related Solutions

Deploying .msi application through GPO doesn’t work

Diagnosing 'silent' MSI installation failures can be done like this:

Firstly, check your GPO is applying correctly. Use the Group Policy Management Console to run a report on a target machine, and view this report to check that the GPO that assigns the software installation is applying correctly. If this part isn't working right then there's no point in going any further. Both a fault in the GPO in question or in any other GPO that should be applied before or alongside it can cause a workstation to stop processing GPOs.

With that done, check the event logs on the target machine:

Open Computer management -> event viewer -> Windows Logs - Application

You're looking for errors with a source of MsiInstaller (and any other events that get logged at the same time of course).

Finally, a lot of applications record their own log as part of the installation process. If you can find the local folder that the MSI installation was ran from then there may be a detailed error log inside that (of course, if you can find errors in the windows event viewer then this will hopefully also mention the application logfile and tell you where to find it)

Also check that the following setting is being applied to the target computers via GPO, and if not, set it and then run gpupdate /force from a command line on a target computer, and reboot.

Computer Settings

  -> Administrative Templates
    -> System
      -> Logon
        -> Always wait for the network at computer startup and logon – Enabled

Local Group Policy not updating. RSOP and GPResult show stale data

Test file share connectivity and permissions

Test command at workstation:

nslookup %USERDNSDOMAIN%

net view %USERDNSDOMAIN%

cd \\%USERDNSDOMAIN%\SYSVOL\%USERDNSDOMAIN%\

and check file permissions in folders: Policies and scripts

Check other ports' connectivity

open and check port at domain infrastructure

Instructions here: Active Directory Firewall Ports - Let's Try To Make This Simple

Nuke local registry key

delete registry key:

reg delete HKLM\SOFTWARE\Policies /f
reg delete HKCU\Software\Policies /f

Nuke local folder

delete folder:

RD /S /Q %windir%\System32\GroupPolicy