Windows Hello for Business Deployment: How to Fix the 7 Certificate and Trust Failures That Block Phishing-Resistant MFA Rollout

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Windows Hello for Business is the strongest MFA option available on Windows endpoints because the credential is hardware-bound and the private key is non-exportable from the TPM. Deploying it at scale in a hybrid environment surfaces provisioning failures that range from TPM attestation errors to certificate trust configuration gaps. The first diagnostic step for any WHfB failure is always the Microsoft-Windows-HelloForBusiness/Operational event log on the device, not the Intune or Entra ID portals.
Choosing the Right Trust Model Before Deployment
The trust model determines how WHfB-authenticated devices obtain Kerberos tickets for on-premises resources. Choosing the wrong model causes deployment to succeed but on-premises access to fail.
Cloud Kerberos trust (recommended for new deployments): Entra ID issues a partial Kerberos TGT that the on-premises KDC converts to a full TGT. Requires:
- Entra Connect version 2.1.16.0 or later
- Azure AD Kerberos object in each on-premises domain:
Set-AzureADKerberosServer - Windows 10 21H2 / Windows 11 21H2 or later
- No PKI infrastructure required
Hybrid certificate trust (legacy): Each device receives a certificate from the on-premises CA during provisioning. The certificate is used to authenticate to on-premises resources. Requires:
- Enterprise CA with a certificate template for WHfB
- NDES or CES/CEP for certificate enrollment
- CRL distribution points accessible from all devices
Key trust: No certificates or cloud Kerberos. Requires Windows Server 2016+ DCs. On-premises Kerberos authentication uses the WHfB public key directly. Lowest infrastructure requirement but requires 2016+ DCs for all authentication paths.
For most organizations deploying or migrating today: use cloud Kerberos trust. Set it up:
# Install the Azure AD Kerberos object in each domain
Import-Module AzureADHybridAuthenticationManagement
Set-AzureADKerberosServer -Domain 'domain.com' `
-DomainCredential (Get-Credential) `
-CloudCredential (Get-Credential)
Reading the WHfB Operational Event Log
All provisioning activity is recorded in the Microsoft-Windows-HelloForBusiness/Operational log:
# Read WHfB operational events from the last 24 hours
Get-WinEvent -LogName 'Microsoft-Windows-HelloForBusiness/Operational' `
-StartTime (Get-Date).AddHours(-24) `
| Select-Object TimeCreated, Id, Message `
| Format-List
Key event IDs:
- Event 1: Provisioning started
- Event 300: Provisioning succeeded -- WHfB credential created
- Event 358: Provisioning failed -- error code in the message identifies cause
- Event 360: PIN change failed
- Event 3010: WHfB policy is configured via MDM (Intune)
- Event 1101: Certificate enrollment result during certificate trust provisioning
For Event 358, extract the error code:
Get-WinEvent -LogName 'Microsoft-Windows-HelloForBusiness/Operational' `
| Where-Object {$_.Id -eq 358} `
| Select-Object TimeCreated, @{N='ErrorCode';E={$_.Properties[0].Value}}, Message `
| Format-List
Common error codes in Event 358:
0x80090011: TPM error -- key creation failed, TPM may need clearing0x801C0451: Certificate enrollment failed (certificate trust only)0x801C044D: Entra ID join required but device is not joined0x801C03ED: MFA required for provisioning but not satisfied0x801C0003: WHfB disabled by policy
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
TPM Attestation and Hardware Failures
TPM attestation failures prevent WHfB from creating the hardware-backed key:
Failure 1: TPM not ready or not owned
# Check TPM status
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, ManufacturerVersionInfo
If TpmReady = False, the TPM needs initialization. On Windows 10/11: Settings > Windows Security > Device Security > Security processor details > Troubleshoot security processor.
Failure 2: TPM firmware version not supported Some older TPM firmware versions have known vulnerabilities (ROCA, Infineon weak key). Entra ID attestation rejects these. Check:
(Get-Tpm).ManufacturerVersion
Compare against Microsoft's supported TPM firmware list. Update TPM firmware via the device manufacturer's firmware update utility.
Failure 3: Secure Boot disabled WHfB requires Secure Boot on devices enrolling with attestation. Verify in UEFI settings and confirm:
Confirm-SecureBootUEFI
# Returns True if Secure Boot is enabled
Failure 4: Virtual TPM on non-attested VM Hyper-V VMs with virtual TPMs can complete provisioning but cannot attest to physical hardware. For VDI environments, disable the TPM attestation requirement in the WHfB Intune policy (set 'Require attestation' to Not required) if physical TPMs are not available.
Intune Policy Conflicts and MDM Enrollment Issues
Conflicting Intune policies are the most common cause of WHfB provisioning failures on Intune-managed devices:
Conflict source 1: Both Identity Protection policy and Endpoint Security policy configure WHfB Intune has two places to configure WHfB: Devices > Configuration > Identity Protection, and Endpoint Security > Account Protection > Windows Hello for Business. If both are configured with conflicting settings, the device receives conflicting MDM policies and may fail provisioning.
Diagnose conflicts from the device:
# Check all WHfB-related MDM policies applied to the device
$whfbPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\PassportForWork'
Get-ChildItem $whfbPath -Recurse | Get-ItemProperty
Conflict source 2: GPO overriding Intune MDM policy For hybrid-joined devices, a GPO in Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business may conflict with the Intune policy. MDM policy takes precedence over GPO for cloud-managed devices, but conflicts can cause unpredictable behavior.
Check the effective WHfB GPO on the device:
gpresult /Scope Computer /v | Select-String -Pattern "Hello|Passport" -Context 2
Conflict source 3: 'Use Windows Hello for Business' set to Disabled in any policy Any policy that sets 'Use Windows Hello for Business' to Disabled blocks provisioning for the entire device regardless of other settings. Search all GPOs and Intune policies for this setting.
Validating a Successful WHfB Deployment
After provisioning completes, validate the credential is correctly registered:
# Check if WHfB credential exists on the device
$ngcPath = 'C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc'
if (Test-Path $ngcPath) {
Get-ChildItem $ngcPath -Recurse | Select-Object FullName, LastWriteTime
} else {
Write-Output "NGC folder not found -- WHfB credential not provisioned"
}
# Check Entra ID device registration and key registration
dsregcmd /status | Select-String -Pattern "AzureAdJoined|DomainJoined|WamDefaultSet|NgcSet|NgcKeyId"
Expected output for a successful WHfB provisioning:
AzureAdJoined : YES
NgcSet : YES
NgcKeyId : {key-id-guid}
If NgcSet is NO after the user has attempted to set up a PIN:
- Check Event 358 in WHfB/Operational log
- Verify TPM is ready:
Get-Tpm - Verify Entra ID registration:
dsregcmd /debug - Force re-registration:
dsregcmd /leavethendsregcmd /join
For at-scale validation, query Entra ID for devices with WHfB registered:
# Devices with WHfB key registered (Entra ID)
Get-MgDevice -Filter "accountEnabled eq true" -All `
| Where-Object {$_.AlternativeSecurityIds -ne $null} `
| Where-Object {$_.AlternativeSecurityIds.Type -eq 2} `
| Measure-Object
# Type 2 = WHfB public key registered
The bottom line
WHfB provisioning failures nearly always reveal themselves in the Microsoft-Windows-HelloForBusiness/Operational log on the affected device -- Event 358 with its error code is the definitive diagnostic signal. Choose cloud Kerberos trust for new hybrid deployments to eliminate PKI complexity. Verify TPM readiness and firmware version before large-scale rollout. Resolve Intune policy conflicts by consolidating WHfB configuration to a single policy location and checking for GPO overrides on hybrid-joined devices.
Frequently asked questions
Does Windows Hello for Business work on shared kiosk devices?
WHfB is designed for dedicated user devices. On shared kiosk devices (Shared PC mode in Intune), WHfB provisioning is not supported because the credential is tied to a specific user and device combination. For kiosk scenarios, use FIDO2 security keys (which are portable) or smart card authentication instead. If some users on a shared device fleet need WHfB, they need dedicated device assignments.
What is the difference between WHfB PIN and a password from a security perspective?
A WHfB PIN looks similar to a password but is fundamentally different: the PIN never leaves the device and never travels over the network. It unlocks the TPM-protected private key stored locally. If an attacker intercepts network traffic or compromises a server, they capture nothing useful -- there is no PIN to steal. A password, by contrast, is transmitted (in hashed form) and can be captured, replayed, cracked offline, or sprayed. The PIN is also device-bound: a captured PIN from Device A does not work on Device B.
How do I force a user to re-enroll in Windows Hello for Business after a device wipe?
After a device wipe and re-enrollment, WHfB provisioning happens automatically during the OOBE or at first sign-in if WHfB is required by policy. The user will be prompted to set up a PIN. If the prompt does not appear, check that the Intune WHfB policy is assigned to the user/device and that the device has completed Entra ID registration (dsregcmd /status shows AzureAdJoined: YES). The old device's WHfB key in Entra ID is automatically removed when the device object is deleted from Entra ID.
Can WHfB be used with on-premises-only environments without Entra ID?
Yes, via on-premises-only deployment. WHfB on-premises requires Active Directory, Active Directory Federation Services (ADFS), and an Enterprise CA. The deployment complexity is significantly higher than the hybrid cloud models. Most organizations with active Microsoft 365 licenses should use hybrid or cloud-only models. Pure on-premises WHfB deployment is relevant for air-gapped or restricted environments where cloud connectivity is prohibited.
How do I detect if Windows Hello for Business enrollment is failing silently for users?
Check the Microsoft-Windows-HelloForBusiness/Operational event log on affected machines for provisioning failure events (Event IDs in the 300-399 range). In Intune, go to Devices > Monitor > Device enrollment failures and filter for WHfB enrollment failures. In the Entra ID portal, the user's Authentication methods blade shows whether WHfB is registered -- if it is absent for users who should have completed enrollment, provisioning failed. Common silent failure causes: TPM firmware version not meeting requirements, device not yet registered in Entra ID when provisioning runs, or the WHfB policy not assigned to the correct device group.
How do I handle Windows Hello for Business for users who share workstations?
WHfB is designed for one primary user per device. Shared workstation scenarios require careful planning. If multiple users log in to the same machine, each user enrolls their own WHfB credential -- the gesture (PIN, biometric) is per-user. The device credential in the hardware is shared infrastructure. For kiosk or shift-based workstations where many users rotate through the same machine, consider whether WHfB is the appropriate control: the provisioning and deprovision overhead per user may make certificate-based smartcard authentication (which works identically on shared hardware) a better fit. For dedicated but temporarily shared workstations (travel laptops), WHfB functions normally -- each user who logs in provisions their own credential on that device up to the TPM key storage limit.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
