Steve_Bauer
Copper Contributor
Apr 16, 2025

Windows Hello for Business Event id 45 on domain controllers

Clients:  Windows 11 24H2

Domain controllers Server 2022

Windows Hello for Business Cloud (Kerberos) trust

 

After the April 8th, 2025 updates to our domain controllers, we have started receiving Event ID 45 on the domain controllers for the clients that have Windows Hello for Business set up. It looks like this event is tied to a self-signed certificate that is added to the machine in the user's personal certificate store with an intended purpose of Smart card logon. This certificate is good for 30 years.

 

To get this working in the future, it needs to be added to the NTAuth store. Since these are self-signed certificates, what should we be doing so that, when these are blocked in the future, Windows Hello for Business continues to work?

4 Replies

  • IndigoRiver
    Iron Contributor

    Event ID 45 traditionally indicates issues related to authentication problems by certificate-related events. Since you mentioned that these self-signed certificates might be blocked in the future, let's explore what you can do to maintain the functionality of Windows Hello for Business:

  • DeclanRhodes
    Iron Contributor

    The NTAuth store is a crucial repository where CA certificates are stored for all users and computers in a domain. When a self-signed certificate is used for Smart Card logon, it must be added to the NTAuth store for Windows Hello for Business to work properly.

    • Steve_Bauer
      Copper Contributor

      More information can be found here:  https://www.reddit.com/r/entra/comments/1jzfm4o/cve202526647_hello_for_business_cloud_trust_issues/?share_id=Mk2TRxhyodfTujN6U8Sy7&utm_content=2&utm_medium=ios_app&utm_name=iossmf&utm_source=share&utm_term=22  If your setup is really using Cloud trust, this appears to be a bug involved with this as well even though it is using cloud connect -- klist will show you if you have Kerberos tickets.
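
An added example, not part of the thread and not Microsoft's own tooling: a PowerShell check, run as the affected user on a client, that lists the self-signed Smart card logon certificates described in the original post, with their lifetimes, and then prints the session's Kerberos tickets with klist as the last reply suggests. The function name is hypothetical; the OID is the standard Smart Card Logon EKU value.

```powershell
# Added example (assumption: run in the affected user's session on a Windows client).
# Standard Smart Card Logon enhanced key usage OID.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

# Hypothetical helper: find self-signed certificates in a store whose
# intended purposes include Smart Card Logon.
function Get-SelfSignedSmartCardLogonCert {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    Get-ChildItem -Path $StorePath |
        Where-Object {
            # Self-signed: subject and issuer are the same name.
            $_.Subject -eq $_.Issuer -and
            # EnhancedKeyUsageList is added by the PowerShell certificate provider.
            ($_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonOid)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                # Validity period in years, to spot the long-lived certificates
                # the original post mentions.
                LifetimeYears = [math]::Round(($_.NotAfter - $_.NotBefore).TotalDays / 365.25, 1)
            }
        }
}

# List matching certificates for the current user.
Get-SelfSignedSmartCardLogonCert | Format-Table -AutoSize

# Show the Kerberos tickets held by the current logon session.
klist
```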
