Forum Discussion

prakashx86
Copper Contributor
Nov 13, 2025

Access denied. 0x80090010 Enroll cert of Windows Hello for Business with on-prem PKI CA Server

We have created a Certificate Template on our on-prem CA Server (Windows Server 2019) using this link: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/rdp-sign-in?tabs=intune

However, we cannot enroll the Windows Hello for Business certificate from the user's desktop (Windows 11), and every time an Access Denied error occurs:

Certificate enrollment for Domain\UserName failed to enroll for a WHfBCertificateAuthentication certificate with request ID N/A from -ERCA.Domain.local\Domain-ERCA-CA-1 (Access denied. 0x80090010 (-2146893808 NTE_PERM))

We have also given Read and Enroll permissions to Everyone and Authenticated Users on the CA certificate template, but still the same error.

Please advise if anything more can be done to resolve this issue.

5 Replies

  • Hello,

    Error 0x80090010 NTE_PERM during Windows Hello for Business certificate enrollment is almost always a key attestation or private key permission issue, not a simple Enroll ACL problem.

    Granting Read and Enroll to Everyone or Authenticated Users on the template is not sufficient for WHfB.

    Focus on these points:

    1. Template compatibility

    Ensure the WHfBCertificateAuthentication template is set to:

    • Certification Authority: Windows Server 2016 or later
    • Certificate recipient: Windows 10 or later

    If compatibility is set lower, WHfB key storage provider behaviour can break.

    2. Cryptography tab

    • Provider must be Microsoft Platform Crypto Provider.
    • Key type must be ECC P256 or RSA with appropriate key length.

    If you selected Legacy CSP, WHfB will fail with NTE_PERM.

    3. Key Attestation tab

    If Require key attestation is enabled but your clients do not meet TPM attestation requirements, enrollment fails with Access denied.

    For testing, set:

    • Do not require key attestation
    • Then retry enrollment.

    4. CA permissions

    Check the Certification Authority console.

    • Right-click CA > Properties > Security.
    • Ensure Authenticated Users or the specific user group has Request Certificates permission on the CA itself.

    Template permissions alone are not enough.

    5. Private key ACL on client

    NTE_PERM can occur if the user context cannot access the TPM backed key container.

    Verify that the device is Azure AD joined or Hybrid joined and that WHfB provisioning completed successfully before certificate enrollment.

    6. Autoenrollment context

    WHfB certificate enrollment should occur in user context after WHfB key creation.

    Confirm with:

    certutil -user -store my

    If no WHfB key pair exists, certificate enrollment will fail.

    The most common root cause in this scenario:

    Key Attestation required on the template while TPM attestation is not properly configured in the CA. Disable attestation requirement and test again.
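    The template checks from points 1 to 3 of the reply above, as an added PowerShell example that is not part of the original thread: it reads the template object from Active Directory via ADSI and flags the settings the reply names. It assumes the template is called WHfBCertificateAuthentication (as in the post), that the script runs on a domain-joined machine with read access to the configuration partition, and uses the msPKI-Private-Key-Flag bit values documented in MS-CRTD.

```powershell
# Added example, not from the original thread. Template name taken from the post.
$ErrorActionPreference = 'Stop'
$templateName = 'WHfBCertificateAuthentication'

# msPKI-Private-Key-Flag bits, as documented in MS-CRTD
$FLAG_USE_LEGACY_PROVIDER = 0x00000100   # template uses a legacy CSP instead of a KSP
$FLAG_ATTEST_PREFERRED    = 0x00001000   # attestation preferred, falls back if unavailable
$FLAG_ATTEST_REQUIRED     = 0x00002000   # attestation mandatory; failure => enrollment denied

# Locate the template object under the forest's Public Key Services container
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(cn=$templateName))"
'msPKI-Private-Key-Flag', 'msPKI-Template-Schema-Version', 'pKIDefaultCSPs' |
    ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

$result = $searcher.FindOne()
if (-not $result) { throw "Template '$templateName' not found in AD" }

$keyFlags = [int]$result.Properties['mspki-private-key-flag'][0]
$schema   = [int]$result.Properties['mspki-template-schema-version'][0]
$csps     = @($result.Properties['pkidefaultcsps'])   # entries look like "1,Microsoft Platform Crypto Provider"

$findings = @()
# Schema v4 is the version used from the Windows Server 2012 / Windows 8 compatibility level upward;
# older schema versions cannot carry key attestation or KSP-only settings at all.
if ($schema -lt 4) { $findings += "Schema version v$schema is below v4; raise CA/recipient compatibility" }
if ($keyFlags -band $FLAG_USE_LEGACY_PROVIDER) { $findings += 'Legacy CSP selected; WHfB needs a KSP (Microsoft Platform Crypto Provider)' }
if ($keyFlags -band $FLAG_ATTEST_REQUIRED) {
    $findings += 'Key attestation REQUIRED; expect NTE_PERM if TPM attestation is not configured on the CA'
} elseif ($keyFlags -band $FLAG_ATTEST_PREFERRED) {
    $findings += 'Key attestation preferred (non-fatal when attestation is unavailable)'
}
if (-not ($csps -match 'Microsoft Platform Crypto Provider')) {
    $findings += "Provider list '$($csps -join '; ')' does not include Microsoft Platform Crypto Provider"
}

"Template: $templateName  schema=v$schema  msPKI-Private-Key-Flag=0x{0:X8}" -f $keyFlags
if ($findings) { $findings | ForEach-Object { "  [!] $_" } } else { '  [ok] template settings match the reply' }
```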

    • b1ff
      Copper Contributor

      Great, thanks for the effort! But unfortunately, none of this helped me so far.

    • b1ff
      Copper Contributor

      We are experiencing the exact same problem.

      Did you ever find a solution for this?