Initial WHfB Registration Failed - How to enable registration again?

Question

Hi,

We have a user which failed their initial Windows Hello for Business registration. I believe she tried using a FIDO2 key during the registration accidentally so it failed, she did go through the registration process though.

We are unable to get the registration process to start again. We've tried removing her from the group which puts her in scope of the Intune policy for WHfB and readding but not getting any further. We have removed authentication methods etc. but still not working.

Results of dsregcmd /status:

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+
            IsDeviceJoined : YES
             IsUserAzureAD : NO
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : none
                  CloudTGT : UNKNOWN
              PreReqResult : WillNotProvision

Any idea how we can get this user to have another registration attempt?

Answer 1

Hello @Son,

Thank you for posting your query on Microsoft Q&A.

Based on your issue description, I understand that you have a user which failed their initial Windows Hello for Business registration.

You are unable to get the registration process to start again. You have tried removing her from the group which puts her in scope of the Intune policy for WHfB and readding but not getting any further. You have also removed authentication methods etc. but still not working.

Firstly, based on the NGC Prerequisite Check output after running dsregcmd/status in the Command Prompt which you have provided, I can see that PreReqResult: WillNotProvision which means one of the Pre-requisites is not met to setup Windows Hello for Business.

Since you have mentioned that you have removed authentication methods for the affected user and still it is not working, please revoke the Multifactor Authentication sessions and again re-register for MFA for that affected user by following the below mentioned steps.

1. Sign in to the Microsoft Entra admin center as at least an Authentication Administrator.
2. Browse to Identity > Users > All users.
3. Choose the user you wish to perform an action on and select Authentication methods.
4. Select Revoke multifactor authentication sessions and then select Require Re-register for Multi factor Authentication as mentioned in the below Screenshot.

Now prepare the users to provision and use Windows Hello for Business by following the below document.

Prepare users to provision and use Windows Hello for Business | Microsoft Learn

Please make sure to follow the below steps and check the behavior.

Clear Local Device Information:

If the issue still persists, please make sure to remove the user’s device from Microsoft Entra ID and Intune completely, reset the device, and then attempt re-registration. This would involve:

• Removing the user’s device from Microsoft Entra ID (go to Microsoft Entra ID > Devices, then remove the affected device).
• Removing the device from Intune (go to Intune > Devices, then remove the affected device).
• Re-enrolling the device once it's been removed from both.

I hope this above information provided is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".