Windows Hello for business for Hybrid Entra Joined devices

Ahmed Sh 100

Environment:

-No UPN matching between onprem AD and Azure, Third party federation and User provisioning .

-Hybrid Entra Joined devices

-Enrolled to Intune using device credentials as SCCM is setup with co management (Cloud Attach).

Question:

Whether setting up Windows hello for business (Which was working before enrollment) using GPO / or Intune. An error is returned.

Pin:

"this sign in option is only available when connected to your organization's network"

"Fingerprint and Face"

"The option is currently unavailable"

Multiple methods to setup WFH was attempted and none worked so far.

-Devices -> Win 10 -> Enrollment -> "Configure Windows hello for business"

-Using Custom settings as described here(CSP or GPO):

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/configure

-Biometrics devices updated/ Windows updates installed/ All devices and users affected in the organization.

-What could be the issue? Any best effort to get the windows hello for business working again?

Givary-MSFT 30,251 Reputation points Microsoft Employee

2024-07-08T09:34:42.29+00:00

@Ahmed Sh Thank you for reaching out to us, to start troubleshooting would recommend reviewing the dsregcmd.exe /status - https://learn.microsoft.com/en-us/samples/azure-samples/dsregtool/dsregtool/

Review the below event logs for more details/to get guidance.

Application and Service Logs > Microsoft > Windows > HelloForBusiness

Application and Service Logs > Microsoft > Windows > User Device Registration

Application and Service Logs > Microsoft > Windows > AAD

Is this a new setup ? was it working before ?

Let me know if you have any further questions, feel free to post back.
Ahmed Sh 100 Reputation points

2024-07-08T10:08:29.2033333+00:00

@Givary-MSFT

in AAD logs, I can see mainly the same error over and over even though the device is hybrid Entra joined successfully(as per Dsregcmd /status output) and is receiving policies from Intune.

Error seems to point to enabling Kerberos cloud trust however not sure if it will work in my setup/environment.

================

Error from AAD logs:

AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512

============

From User Device Registration:

Windows Hello for Business provisioning will not be launched.

Device is AAD joined ( AADJ or DJ++ ): Not Tested

User has logged on with AAD credentials: No

Windows Hello for Business policy is enabled: Not Tested

Windows Hello for Business post-logon provisioning is enabled: Not Tested

Local computer meets Windows hello for business hardware requirements: Not Tested

User is not connected to the machine via Remote Desktop: Yes

User certificate for on premise auth policy is enabled: Not Tested

Machine is governed by none policy.

Cloud trust for on premise auth policy is enabled: Not Tested

User account has Cloud TGT: Not Tested

See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

==================================

From Hello for business:

The Microsoft Passport Container service started successfully.
Givary-MSFT 30,251 Reputation points Microsoft Employee

2024-07-08T10:59:07.1166667+00:00

@Ahmed Sh Thank you for sharing the logs, below information should comes as yes, device needs to be registered, review your configuration once.

Device is AAD joined ( AADJ or DJ++ ): Not Tested

What kind of WHFB is being deployed - https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/ ?

If its a cloud trust, review this doc - https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?tabs=intune make sure the steps are completed as mentioned here.

Let me know if this doesn't help.
Ahmed Sh 100 Reputation points

2024-07-08T11:38:00.37+00:00

@Givary-MSFT A good question would be which type of WFHB would be recommended here?

In my test environment I am replicating the error and have since deployed cloud Kerberos trust. But the event viewer clearly shows errors in AAD logs due to what I assume is user not being synced to cloud (Only device is synced since this is a a co-management scenario and auto enroll to Intune is done using device credentials), However there is no plan to sync users to cloud in production environment since there is a third party federation/provisioning service in place and no upn matching between cloud and onpremise.

1 answer

ZhoumingDuan-MSFT 10,730 Reputation points Microsoft Vendor

2024-07-05T02:45:42.01+00:00

@Ahmed Sh, Thanks for posting in Q&A.

To clarify this issue, please share with us the following information.

1.What kind of deployment do you use to configure Windows Hello for Business?

2.Could you please share the screenshot of returned error?

3.Check if there exist some useful message in Applications and Services logs\Microsoft\Windows\HelloforBusiness\Operational and Microsoft\Windows\User Device Registration\Admin and Microsoft\Windows\Security-Kerberos\Operational under Event Viewer.

4.Please also check whether the device meet the requirements.

Also, here is a link about the know deployment issues you can refer.

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-issues

If there is any update, feel free to contact me.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
Ahmed Sh 100 Reputation points

2024-07-05T06:30:54.0966667+00:00

@ZhoumingDuan-MSFT

-Three different methods were used, GPO to enable biometrics, GPO for Windows hello for business, CSP Intune using settings catalogue, CSP using OMA-URI, in two different environments we have the same issue.

Regarding the infrastructure needed for Hybrid entra deployments, I am aware kerberos implementation is required but my issue is with the pre-requisites as explained below...........

A DC (server 2016 or 2019 with the latest updates) -> Available (Any DC? We have multiple DCs for different domains due to mergers, etc...)

MFA --------> What kind of MFA? As third party is also providing MFA currently as identity is third party federated.

AzureAD AD Kerberos powershell module-> Available

AD Connect configured (I have User Sync, Password Hash Sync, Password Writeback enabled in my Demo lab) -----------------> Not available, Ad connect is setup to sync computers only, reason being users are third party federated and provisioned(domain is changed to cloud domain upon provisioning by third party ) i.e. no upn match between onpremise AD and Cloud.

A client PC (Windows 10 or Windows 11 with the latest updates) -> Available An intune license ->Available

A device or VM with a TPM 2.0 chip -> Available

ZhoumingDuan-MSFT 10,730 Reputation points Microsoft Vendor

2024-07-05T08:45:29.8033333+00:00

@Ahmed Sh, Thanks for your reply.After the deep research, I find that the error message is may related to your network, you can try to use a VPV to enable WHfB or refer the link to check the requirement and deployment or you can try to configure AD Connect which is writing back the encryption key to on prem, this may be the issue too.

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?tabs=intune

Please note that you can only use either Intune or GPO when configuring Windows Hello for Business, but not both, or the Windows Hello for Business policy will not be applied.

Also, here are some similar threads you can refer.

https://learn.microsoft.com/en-us/answers/questions/1314531/configure-and-provision-windows-hello-for-business

https://learn.microsoft.com/en-us/answers/questions/1193002/windows-hello-for-business-cloud-kerberos-trust-de

https://www.reddit.com/r/Intune/comments/rxn4t4/hybrid_join_windows_hello_for_business_problems/

Hope it will help.

ZhoumingDuan-MSFT 10,730 Reputation points Microsoft Vendor

2024-07-09T08:37:25.29+00:00

@Ahmed Sh, Hope things going well.

I am currently standing by for further update from you and would like to know how things are going. If you have any questions or concerns on the recent information I've provided you, please don't hesitate to let me know.
Sign in to comment

Share via

Windows Hello for business for Hybrid Entra Joined devices

1 answer