This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 77%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBM%3C/text%3E%3C/svg%3E)
User Device Registration
Event ID 360
Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: Yes
Machine is governed by enrollment authority policy.
Cloud trust for on premise auth policy is enabled: No
User account has Cloud TGT: Not Tested
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.
Event ID 362
Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: Yes
Enterprise user logon certificate enrollment endpoint is ready: Yes
Enterprise user logon certificate template is : Yes
User has successfully authenticated to the enterprise STS: No
Certificate enrollment method: enrollment authority
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.
AAD Errors
*Error: 0xCAA5001C Token broker operation failed.
Operation name: GetTokenSilently, Error: -895418359 (0xcaa10009), Description: The value specified for 'clientId' must be non-empty.
Logged at WebAccountProcessor.cpp, line: 652, method: AAD::Core::WebAccountProcessor::ReportOperationError.
Enterprise STS Logon failure. Status: 0xC000006D Correlation ID: 12D0E4F1-7F17-4087-B7D4-026E58338C8E
OAuth response error: invalid_grant
Error description: MSIS9682: Received invalid OAuth JWT Bearer request. The certificate used to sign JWT Bearer request is not from a registered device with a Transport key.
CorrelationID:
Http request status: 400. Method: POST Endpoint Uri: https://fs.xxxx.xxx/adfs/oauth2/token/ Correlation ID: 12D0E4F1-7F17-4087-B7D4-026E58338C8E*
dsregcmd
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
DomainName : xxxxx
Device Name : MyPC.xxxx.com
+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+
DeviceAuthStatus : SUCCESS
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : YES
WamDefaultAuthority : organizations
WamDefaultId : https://login.microsoft.com
WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2021-10-15 11:54:04.000 UTC
AzureAdPrtExpiryTime : 2021-10-29 11:54:03.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/baaf30d9-bdd3-4de1-815f-59e774096377
EnterprisePrt : NO
EnterprisePrtAuthority : https://fs.xxxx.xxx:443/adfs
+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+
AadRecoveryEnabled : NO
Executing Account Name : ***\*******
KeySignTest : PASSED
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
IsDeviceJoined : YES
IsUserAzureAD : YES
PolicyEnabled : YES
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : enrollment authority
AdfsRefreshToken : NO
AdfsRaIsReady : YES
LogonCertTemplateReady : YES ( StateReady )
PreReqResult : WillNotProvision
It have run through every article I can think of and I am stuck at this point.
My device is writing back to AD and is in Azure AD. I have re-registered, confirmed the 'ugs' entry in ADFS and so on. I just don't know where to go from here. I have run back and forth so many times I am starting to lose track of my changes. Any help would be great.
I have read that I may need an NDES Server to allow for SSO but I am not sure I need to go this route at the moment. I would like to get this working first.