Windows Hello for Business - The prerequisite check failed

  • Question

  • I have implemented Windows Hello for Business in a lab environment (on-premises, not hybrid).

    But the Windows Hello provisioning does not work on my hosts. When I check my settings to add a PIN manually, I get this message:

    This sign-in option is only available when connected to your organization's network

    This is very curious because I checked and my host is connected to the domain and can ping my Domain Controller.

    I also get the following errors. I checked the GPOs multiple times and I am really stuck; I don't know what I am missing here.

    Windows Hello for Business prerequisites check failed.

    Windows Hello for Business failed to locate a certificate registration authority.

    The Secondary Account Primary Refresh Token prerequisite check failed.

    Windows Hello for Business provisioning will not be launched.

    Device is AAD joined = yes

    User has logged on with AAD credentials = no

    Windows Hello for Business policy is enabled = yes

    Windows Hello for Business post-logon provisioning is enabled = yes

    User is not connected to the machine via Remote Desktop = yes

    User certificate for on premise auth policy is enabled = yes

    Enterprise user logon certificate enrollment endpoint is ready = no

    Enterprise user logon certificate template = not tested

    User has successfully authenticated to the enterprise STS = no

    Certificate enrollment method: enrollment authority.

    Does anyone know what might be the problem?

    Thanks in advance for your help!

    Sunday, April 12, 2020 1:46 PM

All replies

  • If you are using a key-based trust deployment, then check whether the setting “Use certificate for on-premises authentication” is enabled in the group policy. That setting makes the client look for a certificate registration authority. Can you please disable the policy and try logging on again?

    Also, refer to the documentation to validate the prerequisites.

    Monday, April 13, 2020 9:17 PM
  • I have disabled the policy and it still won't work. I still get the prerequisites check failure and the Secondary Primary Refresh Token prerequisite check failure.

    Windows Hello for Business still won't provision:

    Windows Hello for Business provisioning will not be launched.

    Device is AAD joined = yes

    User has logged on with AAD credentials = no

    Windows Hello for Business policy is enabled = yes

    Windows Hello for Business post-logon provisioning is enabled = yes

    User is not connected to the machine via Remote Desktop = yes

    User certificate for on premise auth policy is enabled = no

    I have also double-checked the documentation link you sent, and everything is set up.

    Wednesday, April 15, 2020 12:32 PM
  • Can you please run the dsregcmd /status command from your device and provide the output here? Also, check if AzureAdPrt is set to Yes, as WHFB works only when AzureAdPrt is set to yes.
    Wednesday, April 15, 2020 11:08 PM
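An added example (not from this thread or from Microsoft) that parses the `dsregcmd /status` output above and reports the prerequisite fields the replies keep asking about. It assumes an on-premises key-trust deployment against AD FS, where the token that matters is the EnterprisePrt (AzureAdPrt is the equivalent only for Azure AD joined devices), and that `dsregcmd.exe` is on the path.

```powershell
# Added example, not from the thread: turn `dsregcmd /status` into a table of
# WHfB prerequisite results. Assumes on-premises key trust fronted by AD FS.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines = (& dsregcmd.exe /status))
    $state = @{}
    foreach ($line in $Lines) {
        # Match "      AzureAdPrt : NO". The key is the word before the first
        # colon, so values that themselves contain ':' (URLs, URNs) stay whole.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-WhfbPrerequisite {
    param([hashtable]$State)
    # Names on the left are our own labels; the keys on the right are the
    # field names dsregcmd prints (see the Device State, SSO State and
    # Ngc Prerequisite Check sections of the output).
    $checks = [ordered]@{
        'Domain joined'                   = ($State['DomainJoined']       -eq 'YES')
        'Device registered with AD FS'    = ($State['EnterpriseJoined']   -eq 'YES')
        'Enterprise PRT issued by AD FS'  = ($State['EnterprisePrt']      -eq 'YES')
        'WHfB policy enabled'             = ($State['PolicyEnabled']      -eq 'YES')
        'Post-logon provisioning enabled' = ($State['PostLogonEnabled']   -eq 'YES')
        'Session is not Remote Desktop'   = ($State['SessionIsNotRemote'] -eq 'YES')
        'Device key signing test passed'  = ($State['KeySignTest']        -eq 'PASSED')
        # Key trust must not ask the client to enrol a logon certificate; any
        # value other than "none" here means the certificate-trust policy
        # from the first reply is still in effect.
        'No certificate enrollment (key trust)' = ($State['CertEnrollment'] -eq 'none')
    }
    foreach ($name in $checks.Keys) {
        $mark = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Result = $mark; Check = $name }
    }
}

$status = ConvertFrom-DsregStatus
Test-WhfbPrerequisite -State $status | Format-Table -AutoSize
```

Against the output posted later in this thread the script would flag the Enterprise PRT row as FAIL while every device-side row passes, which matches the "User has successfully authenticated to the enterprise STS = no" line in the original error.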
  • Just checking in: are you still having this issue?

    Please let me know if you find the above reply useful. If yes, do click on the 'Mark as answer' link in the above reply. This will help other community members facing a similar query to refer to this solution. Thanks.

    Wednesday, April 22, 2020 5:06 PM
  • Yes, I still have the same issue. I ran the dsregcmd command and came to the conclusion that neither AzureAdPrt nor EnterprisePrt is issued. This is my output:

    Microsoft Windows [Version 10.0.18363.418]
    (c) 2019 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>dsregcmd /status

    +----------------------------------------------------------------------+
    | Device State                                                         |
    +----------------------------------------------------------------------+

                 AzureAdJoined : NO
              EnterpriseJoined : YES
                  DomainJoined : YES
                    DomainName : JDNWHFBKEY

    +----------------------------------------------------------------------+
    | Device Details                                                       |
    +----------------------------------------------------------------------+

                      DeviceId : 7581a8f5-8473-4341-bddc-53efc8ff2cce
                    Thumbprint : C8CBCE912ECEB71EB263E0CD437F830D0FC3114D
     DeviceCertificateValidity : [ 2020-04-09 10:04:39.000 UTC -- 2030-04-07 10:14:39.000 UTC ]
                KeyContainerId : 84be0aef-62e4-45b1-805c-4c26db329e8a
                   KeyProvider : Microsoft Platform Crypto Provider
                  TpmProtected : YES

    +----------------------------------------------------------------------+
    | Tenant Details                                                       |
    +----------------------------------------------------------------------+

                    TenantName :
                      TenantId : 383a3889-5bc9-47a3-846c-2b70f0b7fe0e
                           Idp : login.windows.net
                   AuthCodeUrl : https://fs.jdnwhfbkey.com/adfs/oauth2/authorize
                AccessTokenUrl : https://fs.jdnwhfbkey.com/adfs/oauth2/token
                        MdmUrl :
                     MdmTouUrl :
              MdmComplianceUrl :
                   SettingsUrl :
                JoinSrvVersion : 1.0
                    JoinSrvUrl : https://fs.jdnwhfbkey.com/EnrollmentServer/device/
                     JoinSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
                 KeySrvVersion : 1.0
                     KeySrvUrl : https://fs.jdnwhfbkey.com/EnrollmentServer/key/
                      KeySrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
            WebAuthNSrvVersion : 1.0
                WebAuthNSrvUrl : https://fs.jdnwhfbkey.com/webauthn/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/
                 WebAuthNSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
        DeviceManagementSrvVer : 1.0
        DeviceManagementSrvUrl : https://fs.jdnwhfbkey.com/manage/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/
         DeviceManagementSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A

    +----------------------------------------------------------------------+
    | User State                                                           |
    +----------------------------------------------------------------------+

                        NgcSet : NO
               WorkplaceJoined : NO
                 WamDefaultSet : ERROR

    +----------------------------------------------------------------------+
    | SSO State                                                            |
    +----------------------------------------------------------------------+

                    AzureAdPrt : NO
           AzureAdPrtAuthority :
                 EnterprisePrt : NO
        EnterprisePrtAuthority :

    +----------------------------------------------------------------------+
    | Diagnostic Data                                                      |
    +----------------------------------------------------------------------+

            AadRecoveryEnabled : NO
                   KeySignTest : PASSED

    +----------------------------------------------------------------------+
    | Ngc Prerequisite Check                                               |
    +----------------------------------------------------------------------+

                IsDeviceJoined : YES
                 IsUserAzureAD : NO
                 PolicyEnabled : YES
              PostLogonEnabled : YES
                DeviceEligible : YES
            SessionIsNotRemote : YES
                CertEnrollment : none
                  PreReqResult : WillNotProvision

    I have been troubleshooting device registration, but everything seems to work fine on that end.

    Thursday, April 23, 2020 9:29 AM
  • Have you tried looking into the event log for any errors?

    1. Launch Event Viewer and browse to Application and Service logs > Microsoft > Windows > AAD.
    2. Select Analytic, right-click Analytic and select Enable.

    Then sign out the user and sign in again to reproduce the issue.

    Now go back to Event Viewer, browse to “Application and Service logs > Microsoft > Windows > AAD” and look at the Operational and Analytic logs.

    Based on the error, you need to troubleshoot the issue further.

    Friday, April 24, 2020 11:09 PM
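The same procedure as a script, added here as an example (not from the thread or from Microsoft): it enables the AAD Analytic channel with `wevtutil`, then pulls the recent AAD Operational and Analytic events whose text mentions the STS or OAuth token endpoint. It assumes an elevated PowerShell session and that you reproduce the sign-in between running the enable step and the query; the message pattern is a constructed filter for this thread's symptoms.

```powershell
# Added example, not from the thread: enable the AAD Analytic log and list the
# recent STS / token-endpoint failures from both AAD channels.
param([int]$Hours = 2)   # how far back to look

$AadLogs = @('Microsoft-Windows-AAD/Operational', 'Microsoft-Windows-AAD/Analytic')

# Analytic channels are off by default; this is the "Enable" step from the
# reply above. /q:true suppresses the confirmation prompt.
& wevtutil.exe sl 'Microsoft-Windows-AAD/Analytic' /e:true /q:true

function Get-AadLogonError {
    param([string[]]$LogName, [datetime]$Since)
    foreach ($name in $LogName) {
        # Analytic/Debug logs can only be read with -Oldest; it is harmless
        # for the Operational log, so use it for both.
        $filter = @{ LogName = $name; StartTime = $Since }
        $events = Get-WinEvent -FilterHashtable $filter -Oldest -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Constructed pattern: keep the entries that describe enterprise
            # STS logon or AD FS OAuth token failures (the symptoms in this thread).
            if ($e.Message -match 'oauth2/token|unauthorized_client|STS|Logon failure|PRT') {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    Log     = $name.Split('/')[-1]
                    EventId = $e.Id
                    Message = ($e.Message -split '\r?\n')[0]   # first line only
                }
            }
        }
    }
}

Get-AadLogonError -LogName $AadLogs -Since (Get-Date).AddHours(-$Hours) |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

Leave the Analytic channel enabled only while reproducing; it is verbose and is not retained like the Operational log.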
  • The logs tell me that the logon does indeed fail; the Enterprise STS logon also fails, and the URI adfs/oauth2/token gives me errors.

    I am troubleshooting to find the cause of these problems.

    Monday, April 27, 2020 1:19 PM
  • Can you please provide the error you are getting?
    Tuesday, April 28, 2020 6:19 PM
  • I get these errors:

    Http request status 400. POST Endpoint URI adfs/oauth2/token

    OAuth response error: unauthorized_client

    Enterprise ST Logon failure

    This has something to do with the Federation Services, right?

    Monday, May 11, 2020 1:24 PM