
After setting up Windows Hello for Business in a Hybrid Azure AD joined Certificate Trust Deployment scenario, I ended up with the following events on my test client machine after a failed provisioning.

I reviewed my setup, but I must be missing something. Any help would be highly appreciated.

##############################

Microsoft-Windows-AAD/Operational


TimeCreated : 13/05/2020 11:57:04 
Id          : 1082
Message     : Key error: DecodingProtectedCredentialKeyFatalFailure
              Error description: AADSTS9002313: Invalid request. Request is malformed or invalid.
              Trace ID: 834deec1-21d8-48c2-bae5-7f795e312f00
              Correlation ID: 88bc2dda-ba2a-42dc-a9da-7b9f362f7d7a
              Timestamp: 2020-05-13 22:57:04Z
              CorrelationID: 88bc2dda-ba2a-42dc-a9da-7b9f362f7d7a


TimeCreated : 13/05/2020 11:57:03 
Id          : 1118
Message     : Enterprise STS Logon failure. Status: 0xC000006D Correlation ID: FE6DBC4F-69BB-426B-933B-0BADB38A1361

TimeCreated : 13/05/2020 11:57:03 
Id          : 1081
Message     : OAuth response error: invalid_grant
              Error description: MSIS9683: Received invalid OAuth JWT Bearer request. Transport key for the device is invalid. It must be a RSA public key blob or TPM storage key blob.
              CorrelationID: 


TimeCreated : 13/05/2020 11:57:03 
Id          : 1025
Message     : Http request status: 400. Method: POST Endpoint Uri: https://adfs.domain.com/adfs/oauth2/token/ Correlation ID: FE6DBC4F-69BB-426B-933B-0BADB38A1361

TimeCreated : 13/05/2020 11:56:01 
Id          : 1082
Message     : Key error: DecodingProtectedCredentialKeyFatalFailure
              Error description: AADSTS9002313: Invalid request. Request is malformed or invalid.
              Trace ID: 4a2197fa-c85f-4ea0-af79-1a830e1d2d00
              Correlation ID: f6141ebb-116c-4701-9118-80124017b6d1
              Timestamp: 2020-05-13 22:56:02Z
              CorrelationID: f6141ebb-116c-4701-9118-80124017b6d1


TimeCreated : 13/05/2020 11:56:01 
Id          : 1118
Message     : Enterprise STS Logon failure. Status: 0xC000006D Correlation ID: E5C246DD-9FFF-4E07-92A5-61389B08C64A

TimeCreated : 13/05/2020 11:56:01 
Id          : 1081
Message     : OAuth response error: invalid_grant
              Error description: MSIS9683: Received invalid OAuth JWT Bearer request. Transport key for the device is invalid. It must be a RSA public key blob or TPM storage key blob.
              CorrelationID: 


TimeCreated : 13/05/2020 11:56:01 
Id          : 1025
Message     : Http request status: 400. Method: POST Endpoint Uri: https://adfs.domain.com/adfs/oauth2/token/ Correlation ID: E5C246DD-9FFF-4E07-92A5-61389B08C64A



#######################################
Microsoft-Windows-HelloForBusiness/Operational


TimeCreated : 13/05/2020 11:57:00 
Id          : 5520
Message     : Device unlock policy is not configured on this device.

TimeCreated : 13/05/2020 11:56:03 
Id          : 7054
Message     : Windows Hello for Business prerequisites check failed.

              Error: 0x1

TimeCreated : 13/05/2020 11:56:03 
Id          : 8205
Message     : Windows Hello for Business successfully located a usable sign-on certificate template.

TimeCreated : 13/05/2020 11:56:03 
Id          : 8206
Message     : Windows Hello for Business successfully located a certificate registration authority.

TimeCreated : 13/05/2020 11:56:03 
Id          : 7211
Message     : The Secondary Account Primary Refresh Token prerequisite check failed.

TimeCreated : 13/05/2020 11:56:03 
Id          : 8202
Message     : The device meets Windows Hello for Business hardware requirements.

TimeCreated : 13/05/2020 11:56:03 
Id          : 8204
Message     : Windows Hello for Business post-logon provisioning is enabled.

TimeCreated : 13/05/2020 11:56:03 
Id          : 8203
Message     : Windows Hello for Business is enabled.

TimeCreated : 13/05/2020 11:56:03 
Id          : 5204
Message     : Windows Hello for Business certificate enrollment configurations: 

              Certificate Enrollment Method: RA
              Certificate Required for On-Premise Auth: true

TimeCreated : 13/05/2020 11:56:03 
Id          : 8200
Message     : The device registration prerequisite check completed successfully.

TimeCreated : 13/05/2020 11:56:03 
Id          : 8201
Message     : The Primary Account Primary Refresh Token prerequisite check completed successfully.

TimeCreated : 13/05/2020 11:56:03 
Id          : 8210
Message     : Windows Hello for Business successfully completed the remote desktop prerequisite check.

TimeCreated : 13/05/2020 11:56:03 
Id          : 3054
Message     : Windows Hello for Business prerequisites check started.

TimeCreated : 13/05/2020 11:56:00 
Id          : 8025
Message     : The Microsoft Passport Container service started successfully.

TimeCreated : 13/05/2020 11:56:00 
Id          : 8025
Message     : The Microsoft Passport service started successfully.

TimeCreated : 13/05/2020 11:55:07 
Id          : 5520
Message     : Device unlock policy is not configured on this device.



#######################################
Microsoft-Windows-User Device Registration/Admin


TimeCreated : 13/05/2020 11:56:59 
Id          : 331
Message     : Automatic device join pre-check tasks completed. Debug output:
              preCheckResult: DoNotJoin
              deviceKeysHealthy: YES
              isJoined: YES
              isDcAvailable: YES
              isSystem: YES
              keyProvider: Microsoft Platform Crypto Provider
              keyContainer: c9bc09fb-e9bd-4de7-b06a-f8798e6f377c
              dsrInstance: AzureDrs
              elapsedSeconds: 0
              resultCode: 0x1


TimeCreated : 13/05/2020 11:56:59 
Id          : 335
Message     : Automatic device join pre-check tasks completed. The device is already joined.

TimeCreated : 13/05/2020 11:56:03 
Id          : 360
Message     : Windows Hello for Business provisioning will not be launched. 
              Device is AAD joined ( AADJ or DJ++ ): Yes 
              User has logged on with AAD credentials: Yes 
              Windows Hello for Business policy is enabled: Yes 
              Windows Hello for Business post-logon provisioning is enabled: Yes 
              Local computer meets Windows hello for business hardware requirements: Yes 
              User is not connected to the machine via Remote Desktop: Yes 
              User certificate for on premise auth policy is enabled: Yes 
              Machine is governed by enrollment authority policy. 
              See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

TimeCreated : 13/05/2020 11:56:03 
Id          : 362
Message     : Windows Hello for Business provisioning will not be launched. 
              Device is AAD joined ( AADJ or DJ++ ): Yes 
              User has logged on with AAD credentials: Yes 
              Windows Hello for Business policy is enabled: Yes 
              Windows Hello for Business post-logon provisioning is enabled: Yes 
              Local computer meets Windows hello for business hardware requirements: Yes 
              User is not connected to the machine via Remote Desktop: Yes 
              User certificate for on premise auth policy is enabled: Yes 
              Enterprise user logon certificate enrollment endpoint is ready: Yes 
              Enterprise user logon certificate template is : Yes 
              User has successfully authenticated to the enterprise STS: No 
              Certificate enrollment method: enrollment authority 
              See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

TimeCreated : 13/05/2020 11:55:09 
Id          : 331
Message     : Automatic device join pre-check tasks completed. Debug output:
              preCheckResult: DoNotJoin
              deviceKeysHealthy: YES
              isJoined: YES
              isDcAvailable: YES
              isSystem: YES
              keyProvider: Microsoft Platform Crypto Provider
              keyContainer: c9bc09fb-e9bd-4de7-b06a-f8798e6f377c
              dsrInstance: AzureDrs
              elapsedSeconds: 1
              resultCode: 0x1


TimeCreated : 13/05/2020 11:55:09 
Id          : 335
Message     : Automatic device join pre-check tasks completed. The device is already joined.

TimeCreated : 13/05/2020 11:55:05 
Id          : 369
Message     : The Workstation Service logged a device registration message. 
              Message: AutoJoinSvc/WJComputeWorkplaceJoinTaskState: Machine is already joined to Azure AD.


TimeCreated : 13/05/2020 11:55:05 
Id          : 369
Message     : The Workstation Service logged a device registration message. 
              Message: AutoJoinSvc/WJSetScheduledTaskState: Running task "\Microsoft\Windows\Workplace Join\Automatic-Device-Join". 

TimeCreated : 13/05/2020 11:55:05 
Id          : 369
Message     : The Workstation Service logged a device registration message. 
              Message: AutoJoinSvc/WJComputeWorkplaceJoinTaskState: Global policy found with value 1.

1 Answer


I came across a similar situation some days ago. No way was I able to get the Enterprise Primary Refresh Token and start provisioning.

I was getting the same error as you are on my ADFS node:

Error description: MSIS9683: Received invalid OAuth JWT Bearer request. Transport key for the device is invalid. It must be a RSA public key blob or TPM storage key blob.

I ran some Wireshark captures and found out that when you log in to the PC you're about to provision and it attempts to authenticate against ADFS to obtain the Enterprise PRT, the ADFS most likely reaches into AD to obtain the Transport Key that the error mentions.

This Transport Key is supposed to be stored under the attribute msDS-KeyCredentialLink under CN=RegisteredDevices, DC=contoso, DC=com. This container gets populated by Azure AD Connect through Device Writeback. Problem was, in my case, the attribute wasn't populated so the ADFS was coming up empty. I checked all the permissions on the container but everything seemed alright. What eventually helped was forcing a Domain Schema Refresh through Azure AD Connect. But since all the permissions were right to begin with, I think it was the full sync cycle that AAD Connect initiated after that that actually solved my problem and populated the attribute.

TL;DR: For some reason, AAD Connect might not be syncing public key blobs for your Azure AD Registered devices back into on-prem AD; force it to do so:

# Run on the Azure AD Connect server
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Initial

Hope this helps.

Cheers
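The check described in the answer, as an added example that is not part of the original answer: before forcing a sync cycle, look up the client's device object under the Device Writeback container and confirm that msDS-KeyCredentialLink actually holds a value, which is what ADFS needs to find the transport key. The container DN (CN=RegisteredDevices,DC=contoso,DC=com, taken from the answer), the AAD Connect server name ($aadConnectServer) and the use of the DeviceId line of dsregcmd /status to find the object are assumptions; the script needs the ActiveDirectory module on the client and the ADSync module on the AAD Connect server.

```powershell
# Added example, not from the original answer: verify Device Writeback populated
# msDS-KeyCredentialLink for this client before (re)running an AAD Connect sync.
Import-Module ActiveDirectory

$deviceContainer  = 'CN=RegisteredDevices,DC=contoso,DC=com'   # assumption: writeback container named in the answer
$aadConnectServer = 'aadconnect01'                             # assumption: host where the ADSync module lives

# The device ID comes from the "DeviceId" line of dsregcmd /status on the client;
# the writeback object's CN is that same GUID.
$match = dsregcmd /status | Select-String -Pattern '^\s*DeviceId\s*:\s*([0-9a-fA-F-]+)' | Select-Object -First 1
if (-not $match) { throw 'dsregcmd /status reported no DeviceId; the client is not Azure AD joined or registered.' }
$deviceId = $match.Matches[0].Groups[1].Value

$device = Get-ADObject -SearchBase $deviceContainer `
                       -LDAPFilter "(&(objectClass=msDS-Device)(cn=$deviceId))" `
                       -Properties 'msDS-KeyCredentialLink'

# Filter out a missing attribute so an empty and an absent value are treated alike
$keyLinks = @($device.'msDS-KeyCredentialLink' | Where-Object { $_ })

$needsSync = $false
if (-not $device) {
    Write-Warning "No msDS-Device object named $deviceId under $deviceContainer; Device Writeback has not created it yet."
    $needsSync = $true
} elseif ($keyLinks.Count -eq 0) {
    Write-Warning 'Device object exists but msDS-KeyCredentialLink is empty; ADFS has no transport key to validate the JWT bearer request (MSIS9683).'
    $needsSync = $true
} else {
    # Each value is DN-Binary: B:<hex length>:<hex key credential blob>:<owner DN>
    foreach ($link in $keyLinks) {
        $preview = $link.Substring(0, [Math]::Min(60, $link.Length))
        "msDS-KeyCredentialLink present: $preview..."
    }
}

# Only when the key is missing do the same thing the answer did: a full sync cycle
# on the AAD Connect server, then re-check the attribute after it completes.
if ($needsSync) {
    Invoke-Command -ComputerName $aadConnectServer -ScriptBlock {
        Import-Module ADSync
        Start-ADSyncSyncCycle -PolicyType Initial
    }
}
```

If the attribute is still empty after the initial cycle finishes, the next things to verify are that Device Writeback is enabled in the AAD Connect wizard and that the AAD Connect service account has write permission on the RegisteredDevices container, since those are the two conditions the answer's own troubleshooting touched.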