Windows Hello - DisablePostLogonProvisioning Intune CSP fails on some client

Thomas 0 Reputation points
2024-09-10T15:26:04.69+00:00

Hello,

We're about to deploy Windows Hello for Business (WhfB) in our hybrid environment.

For that, we're using the Account Protection policy to enable WhfB scoped on user groups.

At first, we don't want to force users to enroll in WhfB, for which we'd like to set DisablePostLogonProvisioning = true.

We've done this by deploying an OMA-URI according to the documentation (see the CSP documentation and the WhfB configuration guide).

The policy assignments are successful for about 80% of all our clients, but it's critical for us to achieve at least 95%. Because of the success rate, I assume that the CSP is configured correctly. Double-checked it as well...

I've had no luck yet finding an error pattern by looking at the devices on which the assignments have failed.

All compliant. Some run Windows 10, others Windows 11. All had the necessary builds (e.g. KB5035942) installed.

Intune displays the following error when clicking on an assignment: Error code: -2016281112. When clicking on the error code, it turns into the code 0x87d1fde8 on the side panel. No description or any other useful information.

Looking in the client event logs, I find an error in "DeviceManagement-Enterprise-Diagnostic-Provider" with Event ID 404 and the description:

MDM-ConfigurationManager: Command error status. Configuration source ID: (<xyz>), Registry name: (MDMDeviceWithAAD), Provider Name: (PassportForWork), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/PassportForWork/<TenantID>/Policies/DisablePostLogon Provisioning), Result: (Fatal Error).

We also deployed the UseCloudTrustForOnPremAuth setting with an OMA-URI, for which we achieved the 95% success rate. But the same error on the failed 5%.


Does anyone have an idea where this comes from and how to solve it?

I'd be very grateful if we could find a solution.

Regards, Thomas


2 answers

  1. ZhoumingDuan-MSFT 12,580 Reputation points Microsoft Vendor
    2024-09-11T05:55:41.7433333+00:00

    @Thomas, Thanks for posting in Q&A.

    From your description, I know you want to deploy an Intune CSP setting, but it failed on some devices.

    Based on my research, there are some suggestions to fix this issue.

    1. The error code 0x87d1fde8 can be caused by an incorrect OMA-URI in the above-mentioned policy, so please check whether the OMA-URI is correct.

    2. Please check if there are Conditional Access policies applied to the failed 5% of devices.

    3. It seems "UsePassportForWork" needs to be set for "DisablePostLogonProvisioning" to be honored.

    https://www.reddit.com/r/Intune/comments/y9gr60/disable_mandatory_windows_hello_for_business/

    Non-official, just for reference.

    4. You can try to disable DisablePostLogonProvisioning using GPO by following the link below.

    https://blog.matrixpost.net/disable-windows-hello-for-business-prompt-on-azure-ad-joined-devices/

    Please check above information, if there is any update, feel free to let me know.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Neuvi Jiang 1,150 Reputation points Microsoft Vendor
    2024-09-11T07:52:14.2733333+00:00

    Hi Thomas,

    Thank you for posting in the Q&A Forums.

    Check the Intune policy and configuration:

    Make sure the Intune policy you created is compatible with your device. For example, if you're trying to push a Windows Hello policy to a device that doesn't support Windows Hello for Business, then this may result in an error.

    Check for any conflicting policies, especially those related to device security or user authentication.

    Update Windows and Intune clients:

    Ensure that all devices have been updated to the latest version of Windows 10 or Windows 11.

    Check that the Intune Client Agent (Company Portal app installed on the device) is the latest version.

    Check device hardware compatibility:

    Make sure the device hardware supports Windows Hello for Business (e.g. fingerprint reader, facial recognition camera, etc.).

    Check detailed logs:

    In addition to the client-side event logs, you can also view Intune's server-side logs (if available).

    Use the MDM Diagnostics Tool or other diagnostic tools to gather more detailed log information.

    Test different devices:

    Try applying the same policy to different devices to determine if the problem is specific to certain devices or device models.

    Best regards

    NeuviJ

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

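As an added example, not from the thread and not Microsoft's tooling: a PowerShell check that pulls the Event ID 404 failures quoted in the question from a client and groups them by CSP URI, alongside the PassportForWork policy values the first answer mentions (UsePassportForWork and DisablePostLogonProvisioning). The registry path and value names under the tenant-ID subkey are assumptions; the log name and the message field layout follow the event quoted in the question.

```powershell
# Added example (not from the thread): summarise MDM CSP command failures on a
# client and read the PassportForWork policy values discussed in the answers.
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function ConvertTo-HResultHex {
    # Intune shows the signed value -2016281112; as an unsigned HRESULT it is 0x87D1FDE8
    param([int]$Code)
    return ('0x{0:X8}' -f $Code)
}

function Get-MdmCspFailure {
    # Event ID 404 = "MDM ConfigurationManager: Command failure status".
    # The regex follows the field layout of the message quoted in the question.
    $pattern = 'Provider Name: \((?<Provider>[^)]*)\), Command Type: \((?<Cmd>[^)]*)\), ' +
               'CSP URI: \((?<Uri>[^)]*)\), Result: \((?<Result>[^)]*)\)'
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 404 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match $pattern) {
                [pscustomobject]@{
                    Time = $_.TimeCreated; Provider = $Matches.Provider
                    Command = $Matches.Cmd; CspUri = $Matches.Uri; Result = $Matches.Result
                }
            }
        } |
        Group-Object CspUri | Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending)[0].Time } }
}

function Get-PassportForWorkPolicyState {
    # Assumption: the MDM client stores PassportForWork policy under
    # HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\<TenantId>\Device\Policies with
    # "Enabled" (UsePassportForWork node) and "DisablePostLogonProvisioning" DWORDs.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    Get-ChildItem $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9a-fA-F-]{36}$' } |   # tenant-ID subkeys
        ForEach-Object {
            $pol = Get-ItemProperty -Path (Join-Path $_.PSPath 'Device\Policies') -ErrorAction SilentlyContinue
            [pscustomobject]@{
                TenantId                     = $_.PSChildName
                Enabled                      = $pol.Enabled          # $null = UsePassportForWork not set
                DisablePostLogonProvisioning = $pol.DisablePostLogonProvisioning
            }
        }
}

ConvertTo-HResultHex -Code (-2016281112)
Get-MdmCspFailure | Format-Table -AutoSize
Get-PassportForWorkPolicyState | Format-Table -AutoSize
```

Run it elevated on one of the failing clients; a PassportForWork URI in the failure list together with an empty Enabled column is the combination the first answer's point 3 describes.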
