Windows Hello for Business 0x80090010 NTE_PERM
Hi all, I'm encountering an issue with Windows Hello for Business on the latest version of Windows (July 2025 update). The setup process fails during initialisation, and no biometric or PIN options are being provisioned for the user. Environment: Windows version: 11 24H2 Enterprise (latest update) Deployment mode: Hybrid Cloud Trust Hybrid joined devices Symptoms: Users are prompted to set up WHfB but the process fails at the last step with error 0x80090010 Users who already have WHfB authentication methods created can successfully login Event ID 311 & 303 in the User Device Registration logs Screenshots: Troubleshooting so far: Unjoined and rejoined to Entra ID Granted modify permissions on folder in which NGC container would be created Rolled back to June 2025 update (this worked) So it seems like this is caused or related to the latest Windows Update, which is rather unfortunate for us as we are just beginning to rollout WHfB for our organisation. I'm posting here to raise awareness of the issue, if there is a more appropriate place to post then please suggest.
My Azure login is stuck at MFA and cannot proceed
In August, I was still able to log in to Azure, and by logging in through GitHub I could bypass 2FA. But now, no matter how I try, logging in via GitHub always requires 2FA. I can’t access my Azure account anymore—nothing works. The system prompts me to use Microsoft Authenticator to confirm a two-digit code in real time. My Microsoft Authenticator on my iPhone is logged into the same Microsoft account, but I’m not receiving any verification requests for Azure login. No matter how much I refresh, nothing shows up. I’ve already updated the Microsoft Authenticator app to the latest version from the App Store. However, my personal Microsoft account works fine and can log in without any issues.TAP Question
Hi All I hope you are well. Anyway, I'm looking for some clarification over Temporary Access Passes (TAP) as our testing seems to reveal some different results from those listed in the MS documentation. Here's the scenario's. My understanding: Require MFA policy deployed via Conditional Access New user F3 user starts Issue TAP to user where they can then setup MFA themselves via My Security Info etc Testing results: Require MFA policy deployed via Conditional Access New user F3 user starts User can setup MFA themselves via MS Auth app on a mobile device or via My Security Info in a browser MS TAP Info page: "The most common use for a TAP is for a user to register authentication details during the first sign-in or device setup, without the need to complete extra security prompts." Ref: Configure a Temporary Access Pass in Microsoft Entra ID to register passwordless authentication methods - Microsoft Entra ID | Microsoft Learn Have I missed understood something here and if a new user can indeed still setup MFA is there any real need for a TAP for first time user? Info appreciated. SK
NgcSet stays NO despite working WHFB setup - RPC 0x800706ba error
Hi everyone, I need help with a Windows Hello for Business certificate trust deployment that's almost working but stuck on the final step. **What's Working:** - Manual certificate enrollment works perfectly: `certreq -enroll -user -config "MyCA.domain.local\MyCA-CA" "MyWHFBTemplate"` - TPM 2.0 is ready, enabled, and functional - All Group Policies applied correctly (computer and user) - CA server healthy, templates published **What's NOT Working:** - `dsregcmd /status` shows `NgcSet : NO` (should be YES) - `NgcSvc` (Microsoft Passport) service is stopped on client - Getting error: "RPC server is unavailable (0x800706ba)" during automatic certificate enrollment - PIN setup fails because NGC containers won't create **The Strange Part:** Manual certificate enrollment works perfectly, but automatic enrollment fails with RPC errors. Both should use the same communication path to the CA. **Environment:** - On-premises certificate trust deployment (no Azure AD) - Domain-joined Windows 11 clients - Windows Server 2019/2022 infrastructure **Questions:** 1. Should NgcSvc start automatically when WHFB policies are applied? 2. Why would manual cert enrollment work but automatic fail with RPC errors? 3. Is there a difference in how system context vs user context accesses the CA? Has anyone seen this specific combination before? Any ideas what could cause this behavior? Thanks for any help!
Best setup for multiple machines
I have a live account for my email address as I have a surface and originally registered for an account to use for machine backups, browsing syncing etc. I also use onenote and wanted it syncing to a 365 onedrive account so I signed up for office 365 business basics so that I could sync onedrive and all of the associated attachments, audio records etc to it. I would love to use use the paid business account but I cant sign into the surface with the business account, only home accounts as I dont have pro. The next issue is that I use another laptop, android tablet and phone also signing into the business 365 account. These all used to sync fine but now, all other devices disconnect as the one you have signed into it connects. Not a major issue, you sign into the device you want to use, sync and then continue However i jump from device to device that often that it starts to grate on me that i cant just grab a device and sync. Is there any way I can register each device so that they are trusted and then more than one device can stay connected.Web Sign-In: Alert QR Code/Code for Mobile
Had 2FA turned off in the work account, on the web login screen a reminder only a few logins allowed without the Authenticator. Fair enough so instead of logging in, got out the Android tablet and installed the Authenticator and logged in with the account there, no problems. A few minutes later attempted to log in to the account on web, this time it presented a QR code with the link "phonefactor:/activateaccount .... mobileappcommunicator.auth ..." which didn't seem to go well in Android using QR scanner or camera. The web login suggested an alternative to the QR code, an 8? digit code, but nothing in the Authenticator app seemed to want it. All of a sudden everything seems to work fine, the web login (with a note that 2FA was used in the login) and the Authenticator on the tablet, thus turning out as a good news ending to a slightly shaky start. :)MFA Rollout Question(s)
Hi All I hope you are well. Anyway, I'm normally more active in the Intune space but I have been tasked with rolling out MFA to a lot of non technical users. One of the questions is: What if I forget my phone with the MS Authenticator app on it? I can't seem to find any documentation or clear answer to this. Any ideas? SK
Microsoft Authenticator Passkeys for Entra ID on unmanaged devices
Hello, has anyone successfully registered passkeys on an unmanaged phone in an organisation with device compliance policies? Use case is to provide a phishing-resistant MFA option via Authenticator app for logging into apps on their desktop. Users already have authenticator app on their phone and do number matching MFA. https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-register-passkey-authenticator?tabs=iOS When I select "Create a passkey" - I need to log into my account. However I'm blocked from successful authentication because I have conditional access policies to require compliant devices. As my mobile phone is not enrolled into Intune, I never get to the step where the passkey is created and registered. Based on the constraints - it seems like passkeys cannot be used for unmanaged/BYOD devices for organisations that have device compliance policies. It can only be used for users who have enrolled their mobile phone. Looking to see if anyone has tips or different experience using passkeys on unmanaged mobile phones to log into Entra?failed set-up of a passkey for a personal MS account
After scanning the QR code (on the PC screen) in the Authenticator app on the Iphone, the error message “Error adding the passkey - Microsoft Authenticator does not support this passkey” (translated from German) appears. What does this mean ? How to prevent? Any help is appreciated.How to add Passkey for Entra ID / M365 Identity to Windows Hello or third-party password manager?
I manage many M365 tenants and can't add all of them to Windows as an account. Because of this I would like to add passkeys for those accounts to either a third-party password manager or (preferred) Windows Hello. So far I haven't found a way to do this. The passkey dialog at https://mysignins.microsoft.com/security-info only allows me to add a passkey to a physical key. So: So how can I add M365 passkeys to Windows Hello?
