Cannot start Windows Hello for Business deployment

Lee 26 Reputation points
2022-05-06T20:00:20.657+00:00

I have a few users with Azure AD/M 365 accounts.
I want to set up Windows Hello for Business for their Windows 10 machines. I am using Windows 10 Pro VMs on VMware to test. They are updated to 20H2.

I am trying to follow this:
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy

Every time I joined the machines to Azure AD, it would not give me the option to set up Windows Hello for Business.
There's no on-prem AD service, just Azure AD.

Windows Hello for Business is enabled here:
https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesEnrollmentMenu/windowsEnrollment

The users are on Microsoft 365 Business Premium, which should include Intune and Azure AD Premium P1 licenses.

Just to be complete, I am doing this as a requirement to deploy Azure Virtual Desktop with Azure AD login and MFA as shown here: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows. I have finished all the rest of the requirements, and users can log in using Azure AD login without MFA right now (when I turn off Conditional Access for Azure Windows VM Login).

Any suggestions?


Accepted answer
  1. Lu Dai-MSFT 28,496 Reputation points
    2022-05-10T03:08:06.66+00:00

    @Lee Thanks for your update.

    For this issue, I have done the test in my lab, with the same settings as yours. When I enroll the device in Settings > Accounts > Access Work or School > Connect > Join this device to Azure Active Directory, it doesn't pop up Windows Hello for Business.

    However, when I use an Azure AD account to log in to the enrolled device, it shows the Windows Hello for Business page and asks to set a PIN code. Here are some screenshots:
    (three screenshots attached)

    Honestly, I'm not sure if Windows Hello for Business will display during enrollment. Given this situation, it is suggested to create an online support ticket to find out if there is anything we are missing or if it works as we tested. Here is the support link:
    https://learn.microsoft.com/en-us/mem/get-support

    Thanks for your understanding and hope everything goes well with you.


2 additional answers

  1. Lu Dai-MSFT 28,496 Reputation points
    2022-05-09T02:50:05.513+00:00

    @Lee Thanks for posting in our Q&A. From your description, did you mean that you want to see the Windows Hello for Business page when you use an Azure AD account to sign in to the devices? If I have misunderstood anything, please correct me.

    To clarify this issue, we would appreciate your help collecting some information:

    1. Did you refer to the following article to enable Windows Hello for Business?
      https://learn.microsoft.com/en-us/mem/intune/protect/windows-hello
    2. Could you please check if you set "Users may join devices to Azure AD" to "All" in Azure AD portal > Devices > Device settings?
    3. Please try to check if there is any detailed error message in the device's event viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider

    If there is any update, feel free to let us know.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Lee 26 Reputation points
    2022-05-09T16:36:58.64+00:00

    did you mean that you want to see Windows Hello for Business page when you use Azure AD account signing in the devices?


    1. Did you refer to the following article to enable Windows Hello for Business?
    https://learn.microsoft.com/en-us/mem/intune/protect/windows-hello

    • Yes, I did go through this article and enabled it, and double-checked it when asked by Azure Chat support before posting the question here. Please see screenshot.

    2. Could you please check if you set "Users may join devices to Azure AD" to "All" in Azure AD portal > Devices > Device settings?

    • Yes, it was set to "All". Please see screenshot.

    3. Please try to check if there is any detailed error message in the device's event viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider

    • I removed the AD join and re-joined it to Azure AD and got errors:
    • error 404:

    MDM ConfigurationManager: Command failure status. Configuration Source ID: (D561953F-4052-4AAF-858E-1C078A28EAC2), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).
    HexInt1 0x80070002

    • error 454: MDM ConfigurationManager: Command failure status. Configuraton Source ID: (D561953F-4052-4AAF-858E-1C078A28EAC2), Enrollment Type: (MDMDeviceWithAAD), CSP Name: (DMClient), Command Type: (Add: from Replace or Add), Result: (./Vendor/MSFT/DMClient/Provider/MS DM Server/EntDMID).
      HexInt1 0x82aa0002
      .
      .

    Even with these errors, the Azure AD join was successful, but still NO prompt for Windows Hello for Business enrollment.
    Also, when I go to Intune portal >> All devices >> the VM >> Device configuration: there is no data/policy.

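One way to gather the evidence this thread is working from (the MDM diagnostic events Lu Dai asked about and the join/PIN-key state of the device), as an added PowerShell example that is not from the thread, Microsoft, or Intune. The log name, the 404/454 event IDs and the dsregcmd field names are real Windows ones; the regex, the output shape and the sample message handling are my own assumptions. Run it on the enrolled VM in the signed-in user's context so the user-state fields are populated.

```powershell
# Added example (not from the thread): triage MDM "Command failure status" events and the
# Azure AD join / Hello key state that gate Windows Hello for Business PIN provisioning.
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Parse-MdmFailure {
    # Pull the "(value)" fields out of a 404/454 message like the ones quoted in the thread.
    param([string]$Message)
    $fields = @{}
    foreach ($key in 'Enrollment Name','Enrollment Type','Provider Name','CSP Name','Command Type','CSP URI','Result') {
        if ($Message -match "${key}: \(([^)]*)\)") { $fields[$key] = $Matches[1] }
    }
    return $fields
}

function Get-MdmCommandFailures {
    # Query the DeviceManagement-Enterprise-Diagnostics-Provider Admin log for failed CSP commands.
    param([int]$Hours = 24)
    $filter = @{ LogName = $LogName; Id = 404, 454; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $f = Parse-MdmFailure $_.Message
        $csp = $f['CSP URI']
        if (-not $csp) { $csp = $f['CSP Name'] }   # 454 events name the CSP instead of a URI
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Csp = $csp; Result = $f['Result'] }
    }
}

function Get-HelloJoinState {
    # Parse dsregcmd /status for the fields relevant to Hello for Business on a cloud-only device.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|NgcSet|AzureAdPrt|WamDefaultSet)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

# Constructed sample: the event 404 text quoted in the thread, parsed offline as a self-check.
$sample = 'MDM ConfigurationManager: Command failure status. Configuration Source ID: (D561953F-4052-4AAF-858E-1C078A28EAC2), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).'
Parse-MdmFailure $sample | Format-Table -AutoSize

Get-MdmCommandFailures -Hours 48 | Sort-Object Time | Format-Table -AutoSize
$join = Get-HelloJoinState
if ($join['AzureAdJoined'] -eq 'YES' -and $join['NgcSet'] -eq 'NO') {
    'Azure AD joined, but no Hello key for this user (NgcSet: NO): PIN provisioning has not run yet.'
}
```

A device that is joined but shows no Intune policy in the portal (as in the last reply) will typically produce nothing under the PassportForWork CSP here, which is itself the finding to take to the support ticket.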
