There is a failure pattern that breaks Windows Hello for Business silently and completely: the device is Hybrid Joined, the TPM is fine, the NGC key is provisioned — and WHfB still doesn't work. The reason is almost always the same. The Primary Refresh Token is missing.
No PRT means no passwordless. The device looks healthy in Intune. Compliance shows green. But the user gets a sign-in prompt they can't complete, calls the service desk, and an engineer manually runs dsregcmd /refreshprt on their machine. This post covers the two-script Intune Proactive Remediation I built to detect and automatically fix that — before the user ever notices.
What is a Primary Refresh Token?
The PRT is a long-lived token issued by Azure AD to a device when a user signs in. It sits in the credential store and is silently used to obtain access tokens for cloud resources — including the token that Windows Hello for Business needs to complete PIN setup.
```text
AzureAdJoined        : YES
DomainJoined         : YES
AzureAdPrt           : NO      <-- PRT missing
AzureAdPrtExpiryTime :         <-- empty
```
That output from dsregcmd /status is the exact problem. A device can be perfectly Hybrid Joined, have a healthy TPM, and have the NGC key fully provisioned — but if the PRT is gone, WHfB provisioning cannot complete. Authentication to Azure AD resources also silently degrades: Outlook prompts for credentials, Teams re-authenticates, SSO stops working.
| Without a PRT | With a healthy PRT |
|---|---|
| ✗ WHfB provisioning fails | ✓ WHfB PIN setup completes |
| ✗ Conditional Access blocks access | ✓ Conditional Access passes |
| ✗ SSO to cloud apps breaks | ✓ SSO works across all Azure AD apps |
| ✗ Outlook / Teams re-authenticate | ✓ Silent token refresh every ~4 hours |
| ✗ No error visible in Intune console | ✓ 14-day validity, auto-renewed while the user is active |
Why PRT goes missing
The PRT can disappear for several reasons, none of which produce a clear alert:
- Hybrid join breaks after re-imaging — the device re-joins the domain but the AAD registration does not complete cleanly
- AAD Connect sync lag — the device object isn't synced to Azure AD yet at the time of sign-in
- TokenBroker state corruption — stale in-memory token cache blocks new PRT acquisition
- WAM cache corruption — stale registry entries in the Web Account Manager cache conflict with new token requests
- Expired PRT not renewed — PRT valid for 14 days, renews every ~4 hours when active, but doesn't renew when the device is offline for an extended period
- Conditional Access changes — a new CA policy blocks the PRT issuance flow silently
The solution: two scripts, one Intune Remediation
The automation runs as an Intune Proactive Remediation. The detection script checks PRT health and exits 0 or 1. If non-compliant, Intune automatically runs the remediation script.
Important: Both scripts must run as the logged-on user, not SYSTEM. The PRT belongs to the user session, so dsregcmd /refreshprt only works in user context; running it as SYSTEM silently does nothing. The flip side is that steps which restart a service or reset device registration need that user to hold local administrator rights. For standard users those steps fail, so the remediation should log the failure and move on to the next step rather than abort.
| Script | Role | Run context |
|---|---|---|
| Detect-PRT.ps1 | Checks 4 health conditions, exits 0 or 1 | Logged-on user |
| Remediate-PRT.ps1 | 6-step staged PRT recovery | Logged-on user |
What the detection script checks
The script parses dsregcmd /status and evaluates four conditions. Each check outputs a colour-coded result:
- AzureAdJoined = YES — device must be Azure AD or Hybrid Joined
- DomainJoined = YES — device must be domain joined (Hybrid Join check)
- AzureAdPrt = YES — PRT must be present
- PRT expiry — PRT must not be expired or expiring within 4 hours (proactive refresh)
Exit 0 = compliant (Intune takes no action). Exit 1 = non-compliant (Intune runs the remediation script).
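The following is an added example of the detection logic described above, written for this page; it is not the author's Detect-PRT.ps1. It assumes dsregcmd /status prints `Key : Value` lines and that AzureAdPrtExpiryTime is a UTC timestamp of the form `yyyy-MM-dd HH:mm:ss.fff UTC`; the 4-hour window and the log messages are choices made here. It exits 0 when all four checks pass and 1 otherwise, so it can be dropped into an Intune Remediation as a detection script.

```powershell
# Added example (not the author's Detect-PRT.ps1): parse dsregcmd /status and
# apply the four PRT health checks. Exit 0 = compliant, exit 1 = run remediation.
# Assumption: dsregcmd writes "Key : Value" lines and the expiry as
# "yyyy-MM-dd HH:mm:ss.fff UTC".

$RefreshWindowHours = 4   # treat a PRT that expires within this window as unhealthy

function Get-DsregStatus {
    # Turn the dsregcmd /status output into a hashtable of Key -> Value.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*)$') {
            $status[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $status
}

function ConvertFrom-PrtExpiry {
    param([string]$Text)
    # Returns a UTC [datetime] or $null when the field is empty/unparseable.
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    $clean = $Text -replace '\s*UTC\s*$', ''
    try {
        $parsed = [datetime]::Parse($clean, [cultureinfo]::InvariantCulture)
        return [datetime]::SpecifyKind($parsed, [System.DateTimeKind]::Utc)
    } catch {
        return $null
    }
}

function Test-PrtHealth {
    param([hashtable]$Status, [int]$WindowHours = 4)
    # Evaluates the four conditions; Failures is empty when the device is compliant.
    $failures = [System.Collections.Generic.List[string]]::new()

    if ($Status['AzureAdJoined'] -ne 'YES') { $failures.Add('AzureAdJoined is not YES') }
    if ($Status['DomainJoined']  -ne 'YES') { $failures.Add('DomainJoined is not YES (not Hybrid Joined)') }

    if ($Status['AzureAdPrt'] -ne 'YES') {
        $failures.Add('AzureAdPrt is NO (PRT missing)')
    } else {
        $expiry = ConvertFrom-PrtExpiry $Status['AzureAdPrtExpiryTime']
        $cutoff = (Get-Date).ToUniversalTime().AddHours($WindowHours)
        if ($null -eq $expiry) {
            $failures.Add('AzureAdPrtExpiryTime is empty or unparseable')
        } elseif ($expiry -le $cutoff) {
            $failures.Add("PRT expires at $($expiry.ToString('u')), within $WindowHours h")
        }
    }

    [pscustomobject]@{ Compliant = ($failures.Count -eq 0); Failures = $failures }
}

# --- entry point ---
$status = Get-DsregStatus
$result = Test-PrtHealth -Status $status -WindowHours $RefreshWindowHours

foreach ($f in $result.Failures) { Write-Host "FAIL: $f" -ForegroundColor Red }

if ($result.Compliant) {
    Write-Host "OK: PRT present, expires $($status['AzureAdPrtExpiryTime'])" -ForegroundColor Green
    Write-Output 'PRT healthy'          # last output line shows in the Intune device status
    exit 0
} else {
    Write-Output ("PRT unhealthy: " + ($result.Failures -join '; '))
    exit 1
}
```

Run it in the user's session before deploying and check `$LASTEXITCODE`; a device with the output shown earlier (AzureAdPrt : NO, empty expiry) returns 1 with the single failure `AzureAdPrt is NO (PRT missing)`. The expiry window only adds value if the detection runs more often than every 4 hours, which is why the hourly schedule later in the post matters.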
What the remediation script does — 6 recovery steps plus a diagnostic fallback
The remediation script works through six escalating recovery steps. After each step it re-reads dsregcmd /status and stops the moment the PRT is present. If all six fail, a seventh step takes a diagnostic snapshot and exits 1 so the device shows up as "Remediation failed" in Intune.
| Step | Action | Notes |
|---|---|---|
| 1 | Restart TokenBroker service | Clears stale in-memory token state |
| 2 | dsregcmd /refreshprt | Standard PRT refresh — fixes most cases |
| 3 | Trigger Automatic-Device-Join task + refresh | Re-establishes hybrid join state |
| 4 | Clear WAM token cache (registry) + refresh | Removes stale tokens blocking new PRT |
| 5 | dsregcmd /debug /refreshprt | Same refresh with verbose diagnostic output, captured to the log |
| 6 | dsregcmd /forcerecovery + re-trigger join | Aggressive — resets device registration state |
| 7 | Diagnostic snapshot + root cause identification | Exits 1, log saved for escalation |
Step 6 — force recovery: dsregcmd /forcerecovery resets the device registration state and re-triggers the hybrid join process. It only runs when Steps 1–5 have all failed. The script re-triggers Automatic-Device-Join and runs a final /refreshprt after recovery to give the PRT a chance to issue after re-registration.
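The following is an added example of the staged recovery loop described in the table above, written for this page; it is not the author's Remediate-PRT.ps1. It assumes the log folder from the post (%LOCALAPPDATA%\PRT-Repair), the built-in scheduled task \Microsoft\Windows\Workplace Join\Automatic-Device-Join, and, for step 4, the per-user WAM cache folder %LOCALAPPDATA%\Microsoft\TokenBroker\Cache (the author's script clears registry entries instead; the keys are not given, so this example swaps in the on-disk cache and labels it as an assumption). Steps that need local admin rights (restarting the TokenBroker service, triggering the SYSTEM join task) are wrapped so a failure is logged and the loop continues. For the step-7 root-cause hint it uses nltest /dsgetdc as a DC line-of-sight check, which is this example's choice, not the post's.

```powershell
# Added example (not the author's Remediate-PRT.ps1): staged PRT recovery.
# Each step runs, then Test-PrtPresent re-reads dsregcmd /status; the loop
# stops at the first step after which AzureAdPrt reads YES.
# Assumptions: log path %LOCALAPPDATA%\PRT-Repair (from the post), the
# Automatic-Device-Join scheduled task, and the WAM cache folder below.

$LogDir  = Join-Path $env:LOCALAPPDATA 'PRT-Repair'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$LogFile = Join-Path $LogDir ('Remediate-PRT-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

$JoinTask = @{ TaskPath = '\Microsoft\Windows\Workplace Join\'; TaskName = 'Automatic-Device-Join' }
$WamCache = Join-Path $env:LOCALAPPDATA 'Microsoft\TokenBroker\Cache'   # assumed location

function Write-Log {
    param([string]$Message, [ConsoleColor]$Colour = 'Gray')
    Add-Content -Path $LogFile -Value ('{0:u} {1}' -f (Get-Date).ToUniversalTime(), $Message)
    Write-Host $Message -ForegroundColor $Colour   # green = OK, cyan = ACTION, red = FAIL
}

function Test-PrtPresent {
    # True only when dsregcmd reports "AzureAdPrt : YES".
    $out = & dsregcmd.exe /status
    return [bool]($out -match '^\s*AzureAdPrt\s*:\s*YES')
}

function Invoke-PrtRefresh { & dsregcmd.exe /refreshprt | Out-Null }

function Invoke-Step {
    param([int]$Number, [string]$Name, [scriptblock]$Action)
    Write-Log "ACTION step ${Number}: $Name" Cyan
    try { & $Action } catch { Write-Log "  step $Number error: $($_.Exception.Message)" Yellow }
    Start-Sleep -Seconds 10          # give CloudAP a moment to store the new token
    if (Test-PrtPresent) { Write-Log "OK: PRT present after step $Number" Green; return $true }
    Write-Log "FAIL: PRT still missing after step $Number" Red
    return $false
}

$Steps = @(
    @{ N = 1; Name = 'Restart TokenBroker service (needs local admin)'
       Do = { Restart-Service -Name TokenBroker -Force -ErrorAction Stop } }
    @{ N = 2; Name = 'dsregcmd /refreshprt'
       Do = { Invoke-PrtRefresh } }
    @{ N = 3; Name = 'Trigger Automatic-Device-Join task + refresh'
       Do = { Start-ScheduledTask @JoinTask -ErrorAction Stop; Start-Sleep -Seconds 30; Invoke-PrtRefresh } }
    @{ N = 4; Name = 'Clear WAM cache + refresh (assumed cache path)'
       Do = { if (Test-Path $WamCache) { Remove-Item "$WamCache\*" -Recurse -Force -ErrorAction SilentlyContinue }
              Invoke-PrtRefresh } }
    @{ N = 5; Name = 'dsregcmd /debug /refreshprt (verbose output to log)'
       Do = { & dsregcmd.exe /debug /refreshprt | Add-Content -Path $LogFile } }
    @{ N = 6; Name = 'dsregcmd /forcerecovery + re-join + refresh'
       Do = { & dsregcmd.exe /forcerecovery | Out-Null
              Start-ScheduledTask @JoinTask -ErrorAction SilentlyContinue
              Start-Sleep -Seconds 30; Invoke-PrtRefresh } }
)

if (Test-PrtPresent) { Write-Log 'OK: PRT already present, nothing to do' Green; exit 0 }

foreach ($s in $Steps) {
    if (Invoke-Step -Number $s.N -Name $s.Name -Action $s.Do) { Write-Output 'PRT restored'; exit 0 }
}

# Step 7: nothing worked. Snapshot the state for escalation and exit 1.
Write-Log 'ACTION step 7: diagnostic snapshot' Cyan
$status = & dsregcmd.exe /status
$status | Add-Content -Path $LogFile
if ($status -match '^\s*AzureAdJoined\s*:\s*NO') {
    Write-Log 'Root cause hint: hybrid join broken (AzureAdJoined : NO)' Yellow
}
& nltest.exe /dsgetdc:$env:USERDNSDOMAIN 2>&1 | Out-Null   # example's own DC line-of-sight check
if ($LASTEXITCODE -ne 0) { Write-Log 'Root cause hint: no domain controller line-of-sight' Yellow }
Write-Log "FAIL: PRT not restored; log saved to $LogFile" Red
Write-Output "PRT not restored, see $LogFile"
exit 1
```

The escalation order mirrors the table: cheap, non-destructive refreshes first, the registration reset last, and the `Test-PrtPresent` gate after every step keeps the script from running /forcerecovery on a device that /refreshprt already fixed. Missing device object or Conditional Access causes are not detected automatically here; they have to be read out of the /debug output in the log.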
Colour scheme
Green = OK, cyan = ACTION (step running), red = FAIL, in both the console output and the log.
Step-by-step: Add to Intune Proactive Remediations
Step 1 — Create a new script package
Go to Intune > Devices > Remediations > + Create script package. Name it something like PRT Health Check and Repair.
Step 2 — Upload both scripts
- Detection script file: Detect-PRT.ps1
- Remediation script file: Remediate-PRT.ps1
- Run script in 64-bit PowerShell: Yes
- Run using logged-on credentials: Yes — this is critical, both scripts must run as the user
Step 3 — Set the schedule
Set the schedule to Hourly or Daily. Hourly catches a broken PRT before it affects the user's session, and it is the only schedule that makes the detection script's 4-hour expiry window useful: a daily run would usually find the PRT already expired. Detection only runs while a user is logged on, because it runs under that user's credentials.
Step 4 — Assign to your device group
Assign to your Hybrid AAD Joined Windows 10/11 device group. Start with a pilot group before rolling to the full estate.
Reading the results
After deployment, go to Devices → Remediations → your package → Device status:
- Without issues — detection exited 0, PRT is healthy
- With issues (remediated) — detection exited 1, remediation ran and obtained a PRT
- Remediation failed — check the log at %LOCALAPPDATA%\PRT-Repair\ on the device. The log includes a root cause indicator: broken hybrid join, missing device object in AAD, no DC line-of-sight, or Conditional Access blocking token issuance
PRT vs WHfB: These two remediations work together. The PRT remediation fixes the token layer. The WHfB remediation fixes the NGC key layer. Run PRT first — there is no point repairing the NGC key if the PRT is missing.
Get the scripts
Both scripts are available on GitHub alongside the WHfB remediation scripts.
🔗 View on GitHub — Imran76Awan/WHFB/PRT Remediation
Tip: To test locally before deploying to Intune, run Detect-PRT.ps1 first to confirm exit code 1, then run Remediate-PRT.ps1 in the same user session. The colour-coded output (green = OK, cyan = ACTION running, red = FAIL) lets you follow each step in real time. The full log is written to %LOCALAPPDATA%\PRT-Repair\.