What about the certificates you have on your AD FS server, are they still valid? Are there any error messages on the AD FS server when the enrollment fails?
Windows Hello for Business on-premises stopped working.
Hello,
I have a bit of a problem. More than a year ago I managed to run Windows Hello for Business on-premises on Windows Server 2019 and it was running fine. One year later, though, our certificates don't get renewed and we started getting the message "Certificate expired" or something along those lines when trying to log in using PIN or biometrics. We then got a new PC, and normally it starts provisioning WHFB when you log in, but then we get an error that we don't have a certificate and the whole provisioning fails. We use a certificate as a second MFA factor. When I check the current user certificate store I have the second certificate, but not the WHFB Authentication certificate. On one of the PCs I've managed to issue such a certificate manually and it's working, but here are the "dsregcmd /status" results on the same PC and same user.
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : NO
EnterpriseJoined : YES
DomainJoined : YES
DomainName : <domain name>
Device Name : <pc name>.<domain name>.org
+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+
DeviceId : f7c113b3-18d2-4da8-baa7-45fd45431096
Thumbprint : 756CDDBC67B7FA994A05F766F81E3A5429DACDC7
DeviceCertificateValidity : [ 2019-12-17 10:50:34.000 UTC -- 2029-12-14 11:00:34.000 UTC ]
KeyContainerId : 5303e1fb-1d9b-4993-a58e-b15720fdc4be
KeyProvider : Microsoft Platform Crypto Provider
TpmProtected : YES
DeviceAuthStatus : FAILED. Error:80070047
+----------------------------------------------------------------------+
| Tenant Details |
+----------------------------------------------------------------------+
TenantName :
TenantId : 383a3889-5bc9-47a3-846c-2b70f0b7fe0e
Idp : login.windows.net
AuthCodeUrl : https://fs.<domain name>.org/adfs/oauth2/authorize
AccessTokenUrl : https://fs.<domain name>.org/adfs/oauth2/token
MdmUrl :
MdmTouUrl :
MdmComplianceUrl :
SettingsUrl :
JoinSrvVersion : 1.0
JoinSrvUrl : https://fs.<domain name>.org/EnrollmentServer/device/
JoinSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
KeySrvVersion : 1.0
KeySrvUrl : https://fs.<domain name>.org/EnrollmentServer/key/
KeySrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
WebAuthNSrvVersion : 1.0
WebAuthNSrvUrl : https://fs.<domain name>.org/webauthn/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/
WebAuthNSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
DeviceManagementSrvVer : 1.0
DeviceManagementSrvUrl : https://fs.<domain name>.org/manage/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/
DeviceManagementSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : YES
NgcKeyId : {D2CBC3BA-1B8B-4B58-BBAD-5B0C79FB4C36}
CanReset : DestructiveOnly
WorkplaceJoined : NO
WamDefaultSet : YES
WamDefaultAuthority : organizations
WamDefaultId : https://login.microsoft.com
WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : NO
AzureAdPrtAuthority :
EnterprisePrt : YES
EnterprisePrtUpdateTime : 2021-02-17 07:03:33.000 UTC
EnterprisePrtExpiryTime : 2021-03-03 07:03:33.000 UTC
EnterprisePrtAuthority : https://fs.<domain name>.org:443/adfs
+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+
AadRecoveryEnabled : NO
Executing Account Name : <domain name>\<username>, <username>@<domain name>.org
KeySignTest : PASSED
+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+
Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List :
+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+
Access Type : DIRECT
For more information, please visit https://www.microsoft.com/aadjerrors
DsrCLI: logging initialized.
DsrCmdJoinHelper::Join: ClientRequestId: 726f4e56-5380-4102-9e12-8f55fd54493a
PreJoinChecks Complete.
preCheckResult: DoNotJoin
deviceKeysHealthy: undefined
isJoined: undefined
isDcAvailable: undefined
isSystem: NO
keyProvider: undefined
keyContainer: undefined
dsrInstance: undefined
elapsedSeconds: 0
resultCode: 0x1
The device can NOT be joined. The process MUST run as NT AUTHORITY\SYSTEM.
And here's what same command gives for the Administrator account:
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : NO
EnterpriseJoined : YES
DomainJoined : YES
DomainName : <domain name>
Device Name : <PC name>.<domain name>.org
+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+
DeviceId : f7c113b3-18d2-4da8-baa7-45fd45431096
Thumbprint : 756CDDBC67B7FA994A05F766F81E3A5429DACDC7
DeviceCertificateValidity : [ 2019-12-17 10:50:34.000 UTC -- 2029-12-14 11:00:34.000 UTC ]
KeyContainerId : 5303e1fb-1d9b-4993-a58e-b15720fdc4be
KeyProvider : Microsoft Platform Crypto Provider
TpmProtected : YES
DeviceAuthStatus : FAILED. Error:80070047
+----------------------------------------------------------------------+
| Tenant Details |
+----------------------------------------------------------------------+
TenantName :
TenantId : 383a3889-5bc9-47a3-846c-2b70f0b7fe0e
Idp : login.windows.net
AuthCodeUrl : https://fs.<domain name>.org/adfs/oauth2/authorize
AccessTokenUrl : https://fs.<domain name>.org/adfs/oauth2/token
MdmUrl :
MdmTouUrl :
MdmComplianceUrl :
SettingsUrl :
JoinSrvVersion : 1.0
JoinSrvUrl : https://fs.<domain name>.org/EnrollmentServer/device/
JoinSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
KeySrvVersion : 1.0
KeySrvUrl : https://fs.<domain name>.org/EnrollmentServer/key/
KeySrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
WebAuthNSrvVersion : 1.0
WebAuthNSrvUrl : https://fs.<domain name>.org/webauthn/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/
WebAuthNSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
DeviceManagementSrvVer : 1.0
DeviceManagementSrvUrl : https://fs.<domain name>.org/manage/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/
DeviceManagementSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : ERROR
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : NO
AzureAdPrtAuthority :
EnterprisePrt : NO
EnterprisePrtAuthority :
+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+
AadRecoveryEnabled : NO
Executing Account Name : <domain name>\Administrator, Administrator
KeySignTest : PASSED
+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+
Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List :
+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+
Access Type : DIRECT
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
IsDeviceJoined : YES
IsUserAzureAD : NO
PolicyEnabled : YES
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : enrollment authority
AdfsRefreshToken : NO
AdfsRaIsReady : NO
LogonCertTemplateReady : UNKNOWN
PreReqResult : WillNotProvision
For more information, please visit https://www.microsoft.com/aadjerrors
My biggest problem is that it was already working a year and a few months earlier...
I'm looking for suggestions. Thanks in advance.
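A PowerShell diagnostic, added here and not part of the original post or of Microsoft's tooling, that parses the "dsregcmd /status" text shown above, flags the Ngc Prerequisite Check entries that block provisioning (AdfsRaIsReady, LogonCertTemplateReady and the failed DeviceAuthStatus in this case), and lists the current user's Smart Card Logon certificates with their expiry. The list of prerequisites it treats as required, and the use of the Smart Card Logon EKU to identify the WHfB authentication certificate, are assumptions about an on-premises certificate trust deployment through AD FS.

```powershell
# Added example, not from the original post: parse "dsregcmd /status" text, flag the
# WHfB prerequisites that block provisioning, and list the user's Smart Card Logon
# certificates so an expired WHfB authentication cert stands out.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $status = @{}; $section = 'Global'
    foreach ($line in $Lines) {
        # "| Section Name |" rows switch the current section; "Key : Value" rows fill it
        if ($line -match '^\s*\|\s*(.+?)\s*\|\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*)$') {
            if (-not $status.ContainsKey($section)) { $status[$section] = @{} }
            $status[$section][$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $status
}
function Test-WhfbPrereq {
    param([hashtable]$Status)
    $pre = $Status['Ngc Prerequisite Check']
    if (-not $pre) { Write-Warning 'No Ngc Prerequisite Check section: run unelevated as the affected user.'; return }
    # Assumption: these checks must all read YES for on-premises certificate trust through AD FS
    $required = 'IsDeviceJoined','PolicyEnabled','PostLogonEnabled','DeviceEligible',
                'SessionIsNotRemote','AdfsRefreshToken','AdfsRaIsReady','LogonCertTemplateReady'
    foreach ($k in $required) {
        if ($pre[$k] -eq 'YES') { "ok       $k" } else { "BLOCKER  $k = $($pre[$k])" }
    }
    "PreReqResult = $($pre['PreReqResult'])"
    $auth = $Status['Device Details']['DeviceAuthStatus']
    if ($auth -and $auth -notlike 'SUCCESS*') { "BLOCKER  DeviceAuthStatus = $auth" }
}
function Get-WhfbLogonCert {
    # WHfB authentication certificates carry the Smart Card Logon EKU 1.3.6.1.4.1.311.20.2.2
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2' } |
        Select-Object Subject, NotAfter, @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } }, Thumbprint
}
# Constructed sample (values copied from the post) so the parser can be tried offline;
# on the affected PC use:  $status = ConvertFrom-DsregStatus (& dsregcmd /status)
$sample = @'
| Device Details |
DeviceAuthStatus : FAILED. Error:80070047
| Ngc Prerequisite Check |
IsDeviceJoined : YES
AdfsRaIsReady : NO
LogonCertTemplateReady : UNKNOWN
PreReqResult : WillNotProvision
'@ -split "`r?`n"
Test-WhfbPrereq (ConvertFrom-DsregStatus $sample)
Get-WhfbLogonCert | Format-Table -AutoSize
```

Run it in the affected user's session, not as Administrator, because the "Ngc Prerequisite Check" section and the user certificate store are per-user, as the two outputs above show.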