So I went through the process of deploying WHFB. I set up all the prereqs (as far as I know) following the Cloud Trust deployment guide. I added four test machines to the test OU with the appropriate WHFB GPO applied. Two of these machines, which are running Windows 11, worked flawlessly. On next boot we were able to enroll and everything is working fine. However, I'm now testing the two Windows 10 (22H2) machines and they still show "This setting is managed by your administrator" and cannot be enrolled. I have confirmed with RSOP that the policy did apply. When I check the event viewer, I see the following events (On both machines):
| Level | Summary |
|---|---|
| Info | Windows Hello for Business prerequisites check started. |
| Success | Windows Hello for Business successfully completed the remote desktop prerequisite check. |
| Success | The Primary Account Primary Refresh Token prerequisite check completed successfully. |
| Success | The device registration prerequisite check completed successfully. |
| Info | Windows Hello for Business certificate enrollment configurations: Certificate Enrollment Method: RA. Certificate Required for On-Premise Auth: true |
| Success | Windows Hello for Business is enabled. |
| Error | Windows Hello for Business post-logon provisioning is not enabled. |
| Success | The device meets Windows Hello for Business hardware requirements. |
| Error | The Secondary Account Primary Refresh Token prerequisite check failed. |
| Error | Windows Hello for Business failed to locate a certificate registration authority. |
| Error | Windows Hello for Business prerequisites check failed. Error: 0x1 |
And then that entire series of events repeats like 3 times.
The devices show as Hybrid-Joined. AD Sync is working fine. I don't see any obvious problems. I don't understand why it's even looking for a CA since I'm using Cloud Trust and the two Win11 devices are working fine (and do not show any of these errors in their event logs).
Any guidance appreciated.
I rechecked your error message and I suspect your computer is missing some settings.
As we discussed, you have no Intune policy, so these would be the GPOs:
It's important to make sure these 3 settings are set at a minimum to make sure WHfB uses the Cloud Kerberos Trust method.
They are Computer GPOs, except one which can be set in Computer or User.
- Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business
  Use Windows Hello for Business - Enabled
  or
  User Configuration\Administrative Templates\Windows Components\Windows Hello for Business
  Use Windows Hello for Business - Enabled
- Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business
  Use cloud Kerberos trust for on-premises authentication - Enabled
- Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business
  Use a hardware security device - Enabled
Reference: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?WT.mc_id=EM-MVP-5004117&tabs=gpo#tabpanel_1_gpo
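As an added example (not code from either poster), the script below checks, on the affected Windows 10 machine, whether the three policy settings listed in the answer actually landed in the registry, and then pulls the WHfB prerequisite-check events quoted in the question so the two can be compared side by side. The registry value names are my assumption from the Passport.admx template, not something stated in the thread: "Use Windows Hello for Business" writes `PassportForWork\Enabled` (HKLM for the Computer policy, HKCU for the User policy), "Use cloud Kerberos trust for on-premises authentication" writes `PassportForWork\UseCloudTrustForOnPremAuth`, and "Use a hardware security device" writes `PassportForWork\RequireSecurityDevice`. The extra `UseCertificateForOnPremAuth` row is also an assumption; it is reported only because the question's event log says "Certificate Required for On-Premise Auth: true", which is the certificate-trust setting rather than cloud Kerberos trust.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# on the Windows 10 machine after "gpupdate /force" and a reboot.
# Registry value names below are assumptions taken from Passport.admx.

$policyKey = 'SOFTWARE\Policies\Microsoft\PassportForWork'

$checks = @(
    @{ Setting = 'Use Windows Hello for Business (Computer)';    Hive = 'HKLM:'; Value = 'Enabled';                    Required = $true  },
    @{ Setting = 'Use Windows Hello for Business (User)';        Hive = 'HKCU:'; Value = 'Enabled';                    Required = $true  },
    @{ Setting = 'Use cloud Kerberos trust for on-premises auth'; Hive = 'HKLM:'; Value = 'UseCloudTrustForOnPremAuth'; Required = $true  },
    @{ Setting = 'Use a hardware security device';               Hive = 'HKLM:'; Value = 'RequireSecurityDevice';      Required = $true  },
    # Not required for cloud Kerberos trust; shown because the question's event
    # log reports "Certificate Required for On-Premise Auth: true".
    @{ Setting = 'Use certificate for on-premises auth (info)';  Hive = 'HKLM:'; Value = 'UseCertificateForOnPremAuth'; Required = $false }
)

function Get-WhfbPolicyState {
    foreach ($c in $checks) {
        $path = Join-Path $c.Hive $policyKey
        # Get-ItemProperty returns $null when the key or value does not exist.
        $data = (Get-ItemProperty -Path $path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{
            Setting  = $c.Setting
            Path     = "$path\$($c.Value)"
            Data     = if ($null -eq $data) { '<not set>' } else { $data }
            Enabled  = ($data -eq 1)
            Required = $c.Required
        }
    }
}

$state = Get-WhfbPolicyState
$state | Format-Table Setting, Path, Data, Enabled -AutoSize

# "Use Windows Hello for Business" only needs to be Enabled in one of the two hives;
# the other two required settings must be Enabled in HKLM.
$missing = @()
if (-not ($state | Where-Object { $_.Setting -like 'Use Windows Hello for Business*' -and $_.Enabled })) {
    $missing += 'Use Windows Hello for Business (Computer or User)'
}
foreach ($name in 'Use cloud Kerberos trust for on-premises auth', 'Use a hardware security device') {
    if (-not ($state | Where-Object { $_.Setting -eq $name -and $_.Enabled })) { $missing += $name }
}
if ($missing) {
    Write-Warning ('Not set via policy on this machine: ' + ($missing -join '; '))
} else {
    Write-Host 'All three cloud Kerberos trust policy settings are present and Enabled.'
}

# Most recent WHfB prerequisite-check events (the same series quoted in the question).
# Log name is the one I understand WHfB provisioning writes to; adjust if it differs.
Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like 'Windows Hello for Business*' -or $_.Message -like '*prerequisite check*' } |
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

If `UseCloudTrustForOnPremAuth` shows as `<not set>` while `UseCertificateForOnPremAuth` is `1`, the client is being steered toward certificate trust, which is consistent with the "failed to locate a certificate registration authority" error in the question even though no CA is intended. Pair the output with `dsregcmd /status` and confirm `AzureAdJoined : YES`, `DomainJoined : YES` and `AzureAdPrt : YES` for the signed-in user, since the Primary Refresh Token checks in the event log depend on that state.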