Windows Hello for Business is one of the best security improvements you can deploy across your estate — but it breaks silently, in ways that are genuinely hard to diagnose. A user opens their laptop, taps their PIN, and gets a generic "Something went wrong" screen. They call the helpdesk. The helpdesk resets the PIN. It works. Until it doesn't again, two weeks later, on a different device. This post shows you how to stop that cycle by deploying an Intune Proactive Remediation pair that detects and repairs WHfB automatically, before the user ever notices.
Both scripts are free and open source. Download them from the Imran76Awan/WHFB repository on GitHub — no sign-in required.
What actually breaks in Windows Hello for Business
WHfB has four moving parts that all need to be healthy at the same time. When any one of them drifts, authentication fails:
The Windows Hello key stored in C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc\. Tied to the user and device. If it gets corrupted or the folder permissions break, WHfB cannot function.
The Primary Refresh Token is what gives users seamless SSO to Azure AD resources. WHfB relies on a valid PRT. If the PRT expires or the WAM token broker loses its session, sign-in fails even if the NGC key itself is healthy.
Four Windows services underpin the stack: KeyIso (CNG Key Isolation), NgcSvc, NgcCtnrSvc, and TokenBroker (Web Account Manager). Any of them in Stopped state = broken authentication.
TPM 2.0 must be present, enabled, and ready. WHfB policy must not be explicitly disabled in the registry. BIOS updates can reset TPM ownership. GPO conflicts can set Enabled=0 and silently block provisioning.
How to verify — run dsregcmd /status
Before you deploy anything, run this on an affected device and look at these specific fields. This is the exact output the detection script parses.
A broken device shows AzureAdPrt : NO or NgcSet : NO. That is your trigger to remediate.
What broken WHfB looks like in Event Viewer
Before deploying the detection script, you can confirm the failure by looking at two event logs. Open Event Viewer and navigate to Applications and Services Logs → Microsoft → Windows → User Device Registration → Admin. A device with a missing PRT shows Event ID 104:
For NGC key failures, check Applications and Services Logs → Microsoft → Windows → HelloForBusiness → Operational. Event ID 302 tells you WHfB provisioning was attempted and failed:
dsregcmd /status is more reliable than Event Viewer for confirming the broken state.
The Detection Script — Detect-WHfB.ps1
The detection script runs 6 checks. It exits 0 (compliant, no action) or 1 (non-compliant, trigger remediation). It can run as SYSTEM or as the logged-on user — PRT and NGC checks are more accurate in user context, so schedule it to run as the logged-on user when possible.
The script uses a simple dsregcmd /status parser that converts each Key : Value line into a hashtable — no external module required, works on every Windows 10/11 device:
For the policy check, the script checks three different registry locations because different versions of Windows and different GPO/MDM paths write to different keys:
The Remediation Script — Remediate-WHfB.ps1
The remediation script runs as SYSTEM (the default Intune context) and works through five repair steps in order. It logs everything to C:\ProgramData\WHfB-Repair\WHfB-Remediate_{computername}_{timestamp}.log. The NGC cleanup step only runs if the NGC key is actually missing or broken — healthy keys are never touched.
The clever part: running user-context commands from SYSTEM
Here is the problem with PRT refresh: dsregcmd /refreshprt only works in user context — it reaches the WAM token broker, which is session-bound. But Intune remediations run as SYSTEM. If you call dsregcmd /refreshprt from SYSTEM it silently does nothing.
The solution is Invoke-AsLoggedOnUser — a function that registers a one-time scheduled task under the logged-on user's principal, fires it 3 seconds later, waits 15 seconds, then cleans it up:
LogonType Interactive with the logged-on user as principal. Windows Task Scheduler injects it into the user's active session, giving it access to the WAM token broker that handles Azure AD authentication. The task fires in user context even though the script registering it is running as SYSTEM. This is the same pattern used by SCCM/ConfigMgr for user-context deployments.
Proof it worked — live remediation output
Here is the actual output from running this on a device with a broken PRT and no NGC key. Pre-remediation state: AzureAdPrt=NO, NgcSet=NO. Post-remediation: both restored without a reboot.
Clear-Tpm will invalidate your BitLocker protectors on every encrypted drive on the device. If you do not have the BitLocker recovery key saved in Entra ID or AD before you clear it, the drive becomes unrecoverable. The remediation script deliberately never touches the TPM. If TPM health is the actual failure, it needs a BIOS-level fix — not a script.
Deploy to Intune — step by step
- Name: WHfB Health Monitor
- Detection script: Upload
Detect-WHfB.ps1— Run as logged-on credentials: Yes — Run with 64-bit PowerShell: Yes - Remediation script: Upload
Remediate-WHfB.ps1— Run as logged-on credentials: No (run as SYSTEM) — Run with 64-bit PowerShell: Yes - Schedule: Every 1 hour (or Daily — detection is lightweight)
- Scope: Assign to your All Windows Hello for Business users group
Reading the logs after remediation
Every remediation run writes a timestamped log to C:\ProgramData\WHfB-Repair\. Open it from a remote session or collect it via Intune device diagnostics. The format is easy to scan — look for [FAIL] or [WARN] entries first, then check whether the Post-Remediation State section shows PRT and NGC as YES.
Microsoft documentation references
- Windows Hello for Business overview — Microsoft Learn
- Troubleshoot Windows Hello for Business — Microsoft Learn
- Remediations (Proactive Remediations) in Microsoft Intune — Microsoft Learn
- Troubleshoot devices using dsregcmd — Microsoft Entra
- Windows Hello for Business event reference — Microsoft Learn
Detect-WHfB.ps1 and Remediate-WHfB.ps1 are part of the open-source EndpointIQ toolkit on GitHub. The remediation covers every common WHfB failure mode — PRT expiry, NGC corruption, stopped services, failed hybrid join — without touching the TPM or BitLocker. Safe to deploy broadly, not just to devices you already know are broken.