Failure to Trigger WHFB Provisioning on AAD Joined Computers (NGC Check says Will Provision)

The customer requested to use Windows Hello for Business (WHFB) on their AAD-joined machines. By default, WHFB provisioning should initiate automatically since AAD join is designed to enforce the use of this feature. However, one user failed to trigger the WHFB provisioning page during sign-in. After investigating the issue and examining the output of the dsregcmd /status command, everything appeared to be functioning correctly, and WHFB was expected to provision.

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+
IsDeviceJoined : YES
IsUserAzureAD : YES
PolicyEnabled : YES
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : none
CloudTGT : YES
PreReqResult : WillProvision

Furthermore, the logs from the user’s device registration indicated that WHFB provisioning would take place. Here are the relevant log details:

Windows Hello for Business provisioning will be launched.
Device is AAD joined (AADJ or DJ++): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows Hello for Business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on-premise authentication policy is enabled: No
Machine is governed by none policy.
Cloud trust for on-premise authentication policy is enabled: No
User account has Cloud TGT: Not Tested


In an attempt to trigger the provisioning for testing purposes, we launched the URI ms-cxh://nth/aad. The user was expected to see the Windows Hello for Business provisioning window pop up.

However, this attempt failed with the following error message: “You’ll need a new app to open this ms-cxh link.”

This error means that no app is registered to open ms-cxh links, which suggests that the operating system may be corrupted. To resolve the issue, you can try using the following PowerShell command to reinstall (re-register) the CXH (Cloud Experience Host) app:

Add-AppxPackage -RegisterByFamilyName -MainPackage (($(Get-AppxPackage -User (whoami) *CloudExperience*).PackageFamilyName))
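
The triage path described above can be scripted. This is an added example, not code from the original post: it parses the Ngc Prerequisite Check block of dsregcmd /status and, when the result is WillProvision, lists the Cloud Experience Host package registration for the current user. The function name Get-NgcPrereq is hypothetical. A package that is listed with status Ok can still fail to open ms-cxh links, as in this case, so the re-registration command above remains the fix.

```powershell
# Added example (not from the original post). Run in the affected user's session.
function Get-NgcPrereq {
    param([string[]]$Lines)            # dsregcmd /status output, one line per element
    $checks = [ordered]@{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\|\s*(.+?)\s*\|\s*$') {
            # Section title row, e.g. "| Ngc Prerequisite Check |"
            $inSection = ($Matches[1] -eq 'Ngc Prerequisite Check')
        }
        elseif ($inSection -and $line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            # "Key : Value" rows inside the section, e.g. "PreReqResult : WillProvision"
            $checks[$Matches[1]] = $Matches[2]
        }
    }
    return $checks
}

$ngc = Get-NgcPrereq -Lines (dsregcmd /status)
$failed = @($ngc.Keys | Where-Object { $ngc[$_] -eq 'NO' })

if ($ngc.Count -eq 0) {
    "No 'Ngc Prerequisite Check' section found in dsregcmd /status output."
}
elseif ($ngc['PreReqResult'] -ne 'WillProvision') {
    "Provisioning is blocked by prerequisites: PreReqResult=$($ngc['PreReqResult'])"
    "Checks reporting NO: $($failed -join ', ')"
}
else {
    "Prerequisites pass (WillProvision). If no provisioning page appears, inspect Cloud Experience Host:"
    $cxh = @(Get-AppxPackage -Name '*CloudExperience*')
    if ($cxh.Count -eq 0) {
        "  No CloudExperience package is registered for $(whoami)."
    }
    foreach ($pkg in $cxh) {
        # Status and InstallLocation are properties of the AppxPackage object
        $onDisk = [bool]($pkg.InstallLocation -and (Test-Path $pkg.InstallLocation))
        "  $($pkg.PackageFamilyName) version=$($pkg.Version) status=$($pkg.Status) filesPresent=$onDisk"
    }
}
```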