Windows Hello (Failed in logs, shows correctly)

Hi

I have created an Identity protection policy.

[Screenshot: JimmyWork_0-1652167341391.png]

Checking the profile settings everything says succeeded.

[Screenshot: JimmyWork_1-1652167379787.png]

Checking my logs on the device I get:

MDM ConfigurationManager: Command failure status. Configuraton Source ID: (4ED2BB8C-C735-44FE-8683-4DD7FCBB4288), Enrollment Type: (MDMDeviceWithAAD), CSP Name: (PassportForWork), Command Type: (Clear: first phase of Delete), CSP URI: (./Vendor/MSFT/PassportForWork/05dc4370-49fa-46a1-8b8b-2dd3063cd475/Policies/UsePassportForWork), Result: (Unknown Win32 Error code: 0x86000002).

MDM ConfigurationManager: Command failure status. Configuraton Source ID: (4ED2BB8C-C735-44FE-8683-4DD7FCBB4288), Enrollment Type: (MDMDeviceWithAAD), CSP Name: (PassportForWork), Command Type: (Clear: first phase of Delete), CSP URI: (./Vendor/MSFT/PassportForWork/05dc4370-49fa-46a1-8b8b-2dd3063cd475/Policies/RequireSecurityDevice), Result: (Unknown Win32 Error code: 0x86000002).

MDM ConfigurationManager: Command failure status. Configuraton Source ID: (4ED2BB8C-C735-44FE-8683-4DD7FCBB4288), Enrollment Type: (MDMDeviceWithAAD), CSP Name: (PassportForWork), Command Type: (Clear: first phase of Delete), CSP URI: (./Vendor/MSFT/PassportForWork/05dc4370-49fa-46a1-8b8b-2dd3063cd475/Policies/PINComplexity/MinimumPINLength), Result: (Unknown Win32 Error code: 0x86000002).

Checking the device group policy.

[Screenshot: JimmyWork_2-1652167553107.png]

When deploying the device, Windows Hello for Business is activated and I use fingerprint and PIN.
Not sure what's going on here really, would appreciate all the help.

Windows 11 Enterprise

11 Replies

Hi, when pushing settings with Intune, those changes don't show up in your local GPO, but you could find them in the PolicyManager registry keys.

I guess the most important question... does it work as expected? When reading the question it only shows that error in the log? 0x86000002

Also a good question would be if you were running HAADJ or AADJ?

Thank you for answering, where in the registry can I verify it?
It seems to be working on the device, I mean I'm using Windows Hello and I was forced to make the Windows Hello setup during the enrollment.

But I can't seem to find the registry, I don't have these in my registry.
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.MicrosoftPassportForWork::MSPa...

Hi,
Could you check out

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork

@Rudy_Ooms_MVP 

I only seem to have this.

[Screenshot: JimmyWork_0-1652172898751.png]

Keys in: 05dc4370-49fa-46a1-8b8b-2dd3063cd475
Default, REG_SZ. value not set

Keys in: Biometrics
FacialFeaturesUseEnhancedAntiSpoofing, 1
UseBiometrics, 1

Keys in: SecurityKey
UseSecurityKeyForSignin, 1

@JimmyWork

And if you unfold that GUID folder

[Screenshot: Rudy_Ooms_MVP_0-1652173339561.png]

@Rudy_Ooms_MVP 

Then I can see this, so the settings seem to work.

[Screenshot: JimmyWork_0-1652190712335.png]

So it looks indeed... mmm if it works.. it works :) ? and if Intune is green you are pretty lucky :p

Not really sure why the logs say what they say every time I run a sync and I really don't want to see that in the logs, is no one else having this issue? I will test on another device re-deploy and see if I have the same issue on a Windows 10 device.

@JimmyWork Did you fix it? Getting this; I'm using a GitHub script to check event logs and it's coming up with this in RED - EventlogWatson.ps1 from msEndpointmrg)intuneDebug logs

10/31/2022 10:29:23 ERROR:454 MDM ConfigurationManager: Command failure status. Configuraton Source ID: (46760EB6-014B-4C57-8192-95B6436DEC5E), Enrollment Type: (MDMDeviceWithAAD), CSP Name: (PassportForWork), Command Type: (Clear: first phase of Delete), Result: (./Vendor/MSFT/PassportForWork/587b6ea1-3db9-4fe1-a9d7-85d4c64ce5cc/Policies/PINComplexity/SpecialCharacters)

I did not spend more time on it, I can only say that 2 devices that I can check right now have the same issue in the event logs. The policies are working correctly and all our policies will be re-worked soon so I will compare the changes then and see if it fixes it.

By the way: We've got the same issues, e.g. with EnablePinRecovery.
Everything is working as expected, including the PIN Recovery via Windows Lockscreen. But the Eventlog shows this one.
At the moment of writing I already successfully ignored this for months. :D
MDM ConfigurationManager: Command failure status. Configuraton Source ID: (F3156709-A590-4342-AD16-95EB0ADBFDBC), Enrollment Type: (MDMDeviceWithAAD), CSP Name: (PassportForWork), Command Type: (Clear: first phase of Delete), CSP URI: (./Vendor/MSFT/PassportForWork/e3bf0573-d789-4529-92a8-26d54b1aac87/Policies/EnablePinRecovery), Result: (Unknown Win32 Error code: 0x86000002).
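
Added example, not part of any post in this thread and not taken from the script mentioned above: a small Python parser for the "Command failure status" message format quoted in the posts, which groups the failing PassportForWork settings by command type and result code so recurring entries like these can be told apart from new ones. The sample lines and all GUIDs in it are constructed placeholders, and the function names are this example's own.

```python
import re
from collections import defaultdict

# "Name: (value)" pairs as printed in the event message; values hold no nested parentheses.
FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?): \(([^()]*)\)")
# ./Vendor/MSFT/PassportForWork/<GUID node>/Policies/<setting path>
URI = re.compile(r"\./Vendor/MSFT/PassportForWork/([0-9A-Fa-f-]{36})/Policies/(\S+)")
CODE = re.compile(r"0x[0-9A-Fa-f]{8}")

def parse(line):
    """Return the fields of one 'Command failure status' message, or None."""
    if "Command failure status" not in line:
        return None
    f = dict(FIELD.findall(line))
    result = f.get("Result", "")
    # Some exports omit "CSP URI" and carry the URI in Result instead.
    uri = URI.search(f.get("CSP URI") or result)
    code = CODE.search(result)
    return {
        "source_id": f.get("Configuraton Source ID"),  # spelled this way in the message
        "csp": f.get("CSP Name"),
        "command": f.get("Command Type"),
        "guid": uri.group(1) if uri else None,
        "setting": uri.group(2) if uri else None,
        "code": code.group(0) if code else None,
    }

def summarize(lines):
    """Group failing settings by (CSP, command type, result code)."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        groups[(rec["csp"], rec["command"], rec["code"])].add(rec["setting"] or "?")
    return {key: sorted(settings) for key, settings in groups.items()}

# Constructed sample lines in the format quoted in the thread; all GUIDs are placeholders.
_PRE = ("MDM ConfigurationManager: Command failure status. Configuraton Source ID: "
        "(00000000-0000-0000-0000-0000000000AA), Enrollment Type: (MDMDeviceWithAAD), "
        "CSP Name: (PassportForWork), Command Type: (Clear: first phase of Delete), ")
_URI = "./Vendor/MSFT/PassportForWork/00000000-0000-0000-0000-000000000001/Policies/"
SAMPLE = [
    f"{_PRE}CSP URI: ({_URI}UsePassportForWork), Result: (Unknown Win32 Error code: 0x86000002).",
    f"{_PRE}CSP URI: ({_URI}EnablePinRecovery), Result: (Unknown Win32 Error code: 0x86000002).",
    f"01/01/2024 10:00:00 ERROR:454 {_PRE}Result: ({_URI}PINComplexity/SpecialCharacters)",
    "Some other event text",  # unrelated line, skipped by parse()
]

if __name__ == "__main__":
    for key, settings in summarize(SAMPLE).items():
        print(key, settings)
```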