After setting up Windows Hello for Business in a Hybrid Azure AD joined Certificate Trust Deployment scenario, I ended up with the following events on my test client machine after a failed provisioning.
I reviewed my setup, but I must be missing something. Any help would be highly appreciated.
##############################
Microsoft-Windows-AAD/Operational
TimeCreated : 13/05/2020 11:57:04
Id : 1082
Message : Key error: DecodingProtectedCredentialKeyFatalFailure
Error description: AADSTS9002313: Invalid request. Request is malformed or invalid.
Trace ID: 834deec1-21d8-48c2-bae5-7f795e312f00
Correlation ID: 88bc2dda-ba2a-42dc-a9da-7b9f362f7d7a
Timestamp: 2020-05-13 22:57:04Z
CorrelationID: 88bc2dda-ba2a-42dc-a9da-7b9f362f7d7a
TimeCreated : 13/05/2020 11:57:03
Id : 1118
Message : Enterprise STS Logon failure. Status: 0xC000006D Correlation ID: FE6DBC4F-69BB-426B-933B-0BADB38A1361
TimeCreated : 13/05/2020 11:57:03
Id : 1081
Message : OAuth response error: invalid_grant
Error description: MSIS9683: Received invalid OAuth JWT Bearer request. Transport key for the device is invalid. It must be a RSA public key blob or TPM storage key blob.
CorrelationID:
TimeCreated : 13/05/2020 11:57:03
Id : 1025
Message : Http request status: 400. Method: POST Endpoint Uri: https://adfs.domain.com/adfs/oauth2/token/ Correlation ID: FE6DBC4F-69BB-426B-933B-0BADB38A1361
TimeCreated : 13/05/2020 11:56:01
Id : 1082
Message : Key error: DecodingProtectedCredentialKeyFatalFailure
Error description: AADSTS9002313: Invalid request. Request is malformed or invalid.
Trace ID: 4a2197fa-c85f-4ea0-af79-1a830e1d2d00
Correlation ID: f6141ebb-116c-4701-9118-80124017b6d1
Timestamp: 2020-05-13 22:56:02Z
CorrelationID: f6141ebb-116c-4701-9118-80124017b6d1
TimeCreated : 13/05/2020 11:56:01
Id : 1118
Message : Enterprise STS Logon failure. Status: 0xC000006D Correlation ID: E5C246DD-9FFF-4E07-92A5-61389B08C64A
TimeCreated : 13/05/2020 11:56:01
Id : 1081
Message : OAuth response error: invalid_grant
Error description: MSIS9683: Received invalid OAuth JWT Bearer request. Transport key for the device is invalid. It must be a RSA public key blob or TPM storage key blob.
CorrelationID:
TimeCreated : 13/05/2020 11:56:01
Id : 1025
Message : Http request status: 400. Method: POST Endpoint Uri: https://adfs.domain.com/adfs/oauth2/token/ Correlation ID: E5C246DD-9FFF-4E07-92A5-61389B08C64A
#######################################
Microsoft-Windows-HelloForBusiness/Operational
TimeCreated : 13/05/2020 11:57:00
Id : 5520
Message : Device unlock policy is not configured on this device.
TimeCreated : 13/05/2020 11:56:03
Id : 7054
Message : Windows Hello for Business prerequisites check failed.
Error: 0x1
TimeCreated : 13/05/2020 11:56:03
Id : 8205
Message : Windows Hello for Business successfully located a usable sign-on certificate template.
TimeCreated : 13/05/2020 11:56:03
Id : 8206
Message : Windows Hello for Business successfully located a certificate registration authority.
TimeCreated : 13/05/2020 11:56:03
Id : 7211
Message : The Secondary Account Primary Refresh Token prerequisite check failed.
TimeCreated : 13/05/2020 11:56:03
Id : 8202
Message : The device meets Windows Hello for Business hardware requirements.
TimeCreated : 13/05/2020 11:56:03
Id : 8204
Message : Windows Hello for Business post-logon provisioning is enabled.
TimeCreated : 13/05/2020 11:56:03
Id : 8203
Message : Windows Hello for Business is enabled.
TimeCreated : 13/05/2020 11:56:03
Id : 5204
Message : Windows Hello for Business certificate enrollment configurations:
Certificate Enrollment Method: RA
Certificate Required for On-Premise Auth: true
TimeCreated : 13/05/2020 11:56:03
Id : 8200
Message : The device registration prerequisite check completed successfully.
TimeCreated : 13/05/2020 11:56:03
Id : 8201
Message : The Primary Account Primary Refresh Token prerequisite check completed successfully.
TimeCreated : 13/05/2020 11:56:03
Id : 8210
Message : Windows Hello for Business successfully completed the remote desktop prerequisite check.
TimeCreated : 13/05/2020 11:56:03
Id : 3054
Message : Windows Hello for Business prerequisites check started.
TimeCreated : 13/05/2020 11:56:00
Id : 8025
Message : The Microsoft Passport Container service started successfully.
TimeCreated : 13/05/2020 11:56:00
Id : 8025
Message : The Microsoft Passport service started successfully.
TimeCreated : 13/05/2020 11:55:07
Id : 5520
Message : Device unlock policy is not configured on this device.
#######################################
Microsoft-Windows-User Device Registration/Admin
TimeCreated : 13/05/2020 11:56:59
Id : 331
Message : Automatic device join pre-check tasks completed. Debug output:\r\n preCheckResult: DoNotJoin
deviceKeysHealthy: YES
isJoined: YES
isDcAvailable: YES
isSystem: YES
keyProvider: Microsoft Platform Crypto Provider
keyContainer: c9bc09fb-e9bd-4de7-b06a-f8798e6f377c
dsrInstance: AzureDrs
elapsedSeconds: 0
resultCode: 0x1
TimeCreated : 13/05/2020 11:56:59
Id : 335
Message : Automatic device join pre-check tasks completed. The device is already joined.
TimeCreated : 13/05/2020 11:56:03
Id : 360
Message : Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: Yes
Machine is governed by enrollment authority policy.
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.
TimeCreated : 13/05/2020 11:56:03
Id : 362
Message : Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: Yes
Enterprise user logon certificate enrollment endpoint is ready: Yes
Enterprise user logon certificate template is : Yes
User has successfully authenticated to the enterprise STS: No
Certificate enrollment method: enrollment authority
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.
TimeCreated : 13/05/2020 11:55:09
Id : 331
Message : Automatic device join pre-check tasks completed. Debug output:\r\n preCheckResult: DoNotJoin
deviceKeysHealthy: YES
isJoined: YES
isDcAvailable: YES
isSystem: YES
keyProvider: Microsoft Platform Crypto Provider
keyContainer: c9bc09fb-e9bd-4de7-b06a-f8798e6f377c
dsrInstance: AzureDrs
elapsedSeconds: 1
resultCode: 0x1
TimeCreated : 13/05/2020 11:55:09
Id : 335
Message : Automatic device join pre-check tasks completed. The device is already joined.
TimeCreated : 13/05/2020 11:55:05
Id : 369
Message : The Workstation Service logged a device registration message.
Message: AutoJoinSvc/WJComputeWorkplaceJoinTaskState: Machine is already joined to Azure AD.
TimeCreated : 13/05/2020 11:55:05
Id : 369
Message : The Workstation Service logged a device registration message.
Message: AutoJoinSvc/WJSetScheduledTaskState: Running task "\Microsoft\Windows\Workplace Join\Automatic-Device-Join".
TimeCreated : 13/05/2020 11:55:05
Id : 369
Message : The Workstation Service logged a device registration message.
Message: AutoJoinSvc/WJComputeWorkplaceJoinTaskState: Global policy found with value 1.
I came across a similar situation some days ago. No way was I able to get the Enterprise Primary Refresh Token and start provisioning.
I was getting the same error as you are on my ADFS node:
Error description: MSIS9683: Received invalid OAuth JWT Bearer request. Transport key for the device is invalid. It must be a RSA public key blob or TPM storage key blob.
I ran some Wireshark captures and found out that when you log in to the PC you're about to provision and it attempts to authenticate against ADFS to obtain the Enterprise PRT, the ADFS most likely reaches into AD to obtain the Transport Key that the error mentions.
This Transport Key is supposed to be stored under the attribute msDS-KeyCredentialLink under CN=RegisteredDevices, DC=contoso, DC=com. This container gets populated by Azure AD Connect through Device Writeback. Problem was, in my case, the attribute wasn't populated so the ADFS was coming up empty. I checked all the permissions on the container but everything seemed alright. What eventually helped was forcing a Domain Schema Refresh through Azure AD Connect. But since all the permissions were right to begin with, I think it was the full sync cycle that AAD Connect initiated after that that actually solved my problem and populated the attribute.
TL;DR: For some reason, AAD Connect might not be syncing public key blobs for your Azure AD Registered devices back into on-prem AD; force it to do so:
# Run in an elevated PowerShell session on the Azure AD Connect server
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Initial
Hope this helps.
Cheers
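A check for the condition this answer describes, added here as an example and not code from the thread: it looks up the device's msDS-Device object under CN=RegisteredDevices and decodes each msDS-KeyCredentialLink value, so you can see whether a transport key was actually written back before and after forcing the sync. The function name, the use of the DeviceId printed by `dsregcmd /status`, and the "RSA1" magic check (BCRYPT public-key blobs carry it; a TPM storage key blob will not) are my assumptions, and the script needs the RSAT ActiveDirectory module.

```powershell
# Added diagnostic (not from the thread). Assumes the RSAT ActiveDirectory module and
# the DeviceId value printed by "dsregcmd /status" on the client being provisioned.
Import-Module ActiveDirectory

function Test-DeviceTransportKeyWriteback {
    param(
        [Parameter(Mandatory)][guid]$DeviceId,
        [string]$DomainDn = (Get-ADDomain).DistinguishedName
    )
    # msDS-DeviceId is an octet string, so the GUID goes into the LDAP filter as escaped bytes.
    $escaped = ($DeviceId.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    $dev = Get-ADObject -SearchBase "CN=RegisteredDevices,$DomainDn" `
        -LDAPFilter "(&(objectClass=msDS-Device)(msDS-DeviceId=$escaped))" `
        -Properties 'msDS-KeyCredentialLink', 'whenChanged'
    if (-not $dev) {
        return [pscustomobject]@{ Device = $null; Keys = @()
            Verdict = 'No msDS-Device object under RegisteredDevices: device writeback has not run for this device' }
    }
    $keys = foreach ($link in @($dev.'msDS-KeyCredentialLink')) {
        # DN-Binary value "B:<hexlen>:<hex>:<dn>"; the hex part is a KEYCREDENTIALLINK_BLOB (MS-ADTS 2.2.20)
        $hex  = ($link -split ':', 4)[2]
        $blob = [byte[]](0..($hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) })
        $key  = @{ Usage = '?'; Material = [byte[]]@() }
        $pos  = 4   # skip the 4-byte Version field
        while ($pos + 3 -le $blob.Length) {     # each entry: UInt16 length, byte identifier, data
            $len  = [BitConverter]::ToUInt16($blob, $pos); $id = $blob[$pos + 2]
            $data = [byte[]]$(if ($len -gt 0) { $blob[($pos + 3)..($pos + 2 + $len)] } else { @() })
            switch ($id) {
                1 { $key.KeyId    = [Convert]::ToBase64String($data) }
                3 { $key.Material = $data }
                4 { $key.Usage    = if ($len -eq 1) { $data[0] } else { [Text.Encoding]::ASCII.GetString($data) } }
                9 { $key.Created  = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($data, 0)) }
            }
            $pos += 3 + $len
        }
        # BCRYPT_RSAKEY_BLOB public keys start with the magic "RSA1"; anything else is likely a TPM storage key blob.
        $magic = if ($key.Material.Count -ge 4) { [Text.Encoding]::ASCII.GetString($key.Material, 0, 4) } else { '' }
        [pscustomobject]@{ KeyId = $key.KeyId; Usage = $key.Usage; Created = $key.Created
                           Bytes = $key.Material.Count; IsRsaPublicBlob = ($magic -eq 'RSA1') }
    }
    $verdict = if (@($keys).Count -eq 0) {
        'msDS-KeyCredentialLink is empty: AD FS has no transport key to validate (expect MSIS9683); force an AAD Connect sync cycle'
    } else { "$(@($keys).Count) key credential(s) written back; object last changed $($dev.whenChanged)" }
    [pscustomobject]@{ Device = $dev.DistinguishedName; Keys = @($keys); Verdict = $verdict }
}

# Usage: Test-DeviceTransportKeyWriteback -DeviceId '<DeviceId from dsregcmd /status>' | Format-List
```

Run it once before the sync cycle and again afterwards: the verdict should move from an empty attribute to at least one key credential, after which the Enterprise STS logon (event 1118) can succeed.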