Muhammad Shiraz AlamKhan
I have a hybrid Azure AD environment in my company. We have chosen the Windows Hello for Business key trust model and carefully followed the following guide:
Configure Hybrid Windows Hello for Business key trust Settings - Microsoft 365 Security
Let me also give some details about our environment:
- Windows Server 2019 DC
- Azure Active directory with Endpoint manager
- Windows 10 Pro 20H2
- Intune Policy for Windows Hello for Business
Still we have no prompt for activating a PIN or biometrics via Windows Hello for Business! After checking the event log (Event Viewer > Applications and Services Logs\Microsoft\Windows\User Device Registration\Admin) I found these event IDs:
359:
Windows Hello for Business provisioning has encountered an error during policy evaluation.
ExitCode: The system cannot find the file specified.
Method: DmIsNgcCertPayloadReceived
See What's new in Active Directory Federation Services for Windows Server 2016 for more details
360:
Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: No
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: Yes
Machine is governed by mobile device management policy.
See What's new in Active Directory Federation Services for Windows Server 2016 for more details.
361:
Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: No
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: Yes
MDM user certificate enrollment is ready: Error
Certificate enrollment method: mobile device management
See What's new in Active Directory Federation Services for Windows Server 2016 for more details
362:
Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: No
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: Yes
Enterprise user logon certificate enrollment endpoint is ready: Not Tested
Enterprise user logon certificate template is : Not Tested
User has successfully authenticated to the enterprise STS: Not Tested
Certificate enrollment method: mobile device management
See What's new in Active Directory Federation Services for Windows Server 2016 for more details.
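The checks quoted in events 360, 361 and 362 above are the prerequisite list the Windows Hello for Business provisioning task evaluates at sign-in, and the one line that reads "No" in every entry ("User has logged on with AAD credentials: No") is the state dsregcmd reports as AzureAdPrt. The following PowerShell is an added example, not code from the original post or from Microsoft's guide: it pulls those events from the same log path the poster used, lists only the checks that came back "No" or "Error", and reads the matching fields out of dsregcmd /status so both sides can be compared in one run. It assumes a Windows 10 client where dsregcmd.exe is on the path, an elevated session, and the event message format shown above ("Check: Value" per line); event 358 is included as the success counterpart ("provisioning will be launched").

```powershell
# Added example (not from the original post): correlate Windows Hello for Business
# provisioning events with dsregcmd state on the affected Windows 10 client.
# Assumes an elevated PowerShell session and dsregcmd.exe on the path.

$LogName = 'Microsoft-Windows-User Device Registration/Admin'   # Event Viewer: User Device Registration\Admin
# 358 = provisioning will be launched; 359 = policy evaluation error;
# 360/361/362 = provisioning will not be launched (prerequisite checklist).
$EventIds = 358, 359, 360, 361, 362

function Get-WhfbProvisioningEvents {
    param([int]$Newest = 10)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventIds } -MaxEvents $Newest -ErrorAction Stop |
        ForEach-Object {
            # Turn each "Check: Value" line of the message into a key/value pair; lines
            # without a colon (e.g. "Machine is governed by ... policy.") are skipped.
            $checks = @{}
            foreach ($line in ($_.Message -split "`r?`n")) {
                if ($line -match '^\s*(.+?)\s*:\s*(.+?)\s*$') { $checks[$Matches[1]] = $Matches[2] }
            }
            # Report only the checks that actually blocked provisioning ("Yes" and "Not Tested" are fine).
            $failed = $checks.GetEnumerator() |
                Where-Object { $_.Value -in 'No', 'Error' } |
                ForEach-Object { "$($_.Key)=$($_.Value)" }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Failed = ($failed -join '; ')
            }
        }
}

function Get-DsregStatus {
    # dsregcmd /status prints "Name : Value" lines under section headers; keep the ones
    # that map onto the event checklist above.
    $fields = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined = $fields['AzureAdJoined']   # "Device is AAD joined" in the event
        DomainJoined  = $fields['DomainJoined']    # hybrid join shows YES for both of these
        AzureAdPrt    = $fields['AzureAdPrt']      # NO here is the "logged on with AAD credentials: No" condition
        NgcSet        = $fields['NgcSet']          # YES once a Hello key exists for this user
    }
}

Get-WhfbProvisioningEvents | Format-Table -AutoSize
Get-DsregStatus | Format-List
```

Run it as the user who is not being prompted, after a fresh sign-in: if AzureAdPrt is NO while AzureAdJoined and DomainJoined are YES, the device is hybrid joined but that sign-in did not obtain a Primary Refresh Token, which is exactly the prerequisite the 360-362 events record as failing.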