Windows Hello for Business (WHfB) is one of those technologies that looks clean in the Microsoft docs but creates a very specific failure pattern in the real world: a device is Azure AD joined, the user has a valid Primary Refresh Token, Conditional Access is enforcing passwordless — and yet WHfB is still not set up. NgcSet = NO. The user gets a prompt they don't understand, calls the service desk, and an engineer walks them through five screens they'll forget by next week.
This post covers the two-script Intune Proactive Remediation solution I built to detect that gap and silently fix it — automatically, at scale, without touching a healthy device.
Why WHfB breaks silently
The WHfB provisioning flow requires three things to line up: the device must be Azure AD joined or Hybrid joined, the user must hold a valid Primary Refresh Token (PRT), and the NGC key must be provisioned for that user. Any one of these can break independently, and none of them surfaces as a clean alert in the Intune console.
The most common failure pattern is NgcSet = NO on an otherwise healthy device: the device is joined, the PRT is present, the TPM is fine, but the NGC key is gone, whether deleted by a cleanup operation, corrupted, or never fully provisioned after a re-enrolment. Standard compliance policies do not catch this, because they evaluate device settings, not whether a user's WHfB key exists.
Run dsregcmd /status in the affected user's session on a broken device (AzureAdPrt, NgcSet and NgcKeyId are per-user values, so output captured from another account does not describe that user) and you'll see:
AzureAdJoined : YES
DomainJoined : YES
AzureAdPrt : YES
NgcSet : NO <-- WHfB not provisioned
NgcKeyId : <-- empty
That's the gap these scripts close.
The solution: two scripts, one Intune Remediation
The automation runs as an Intune Proactive Remediation — a detection/remediation pair that Intune runs on a schedule. The detection script evaluates the device and returns an exit code. If non-compliant, Intune automatically runs the remediation script.
| Script | Role | Run context |
|---|---|---|
| Detect-WHfB.ps1 | Checks 6 health conditions, exits 0 or 1 | SYSTEM |
| Remediate-WHfB.ps1 | Silently repairs WHfB in 5 steps | SYSTEM |
What the detection script checks
The script parses dsregcmd /status and evaluates six conditions. Each check outputs a colour-coded result — green for pass, red for fail, yellow for warnings:
- Azure AD / Hybrid Join — device must be AAD or Hybrid Joined
- Primary Refresh Token (PRT) — user must have an active PRT
- NGC key provisioning — NgcSet must be YES with a valid KeyId
- TPM health — present, enabled, ready, TPM 2.0 recommended
- Required services — KeyIso, NgcSvc, NgcCtnrSvc, TokenBroker all running. Caveat: all four are Manual (Trigger Start) services by default, so they can legitimately be stopped on an idle device; treat a missing or disabled service as the failure condition rather than a stopped one, or healthy devices will be flagged as non-compliant.
- WHfB policy — registry must not have Enabled = 0
Exit 0 = compliant (Intune takes no action). Exit 1 = non-compliant (Intune runs the remediation script). One caveat for the PRT and NGC checks: both are per-user values, so the dsregcmd output they are evaluated against has to come from the logged-on user's session (for example via a scheduled task running as that user), not from the SYSTEM account the script itself runs under, or a healthy user can be reported as AzureAdPrt : NO and NgcSet : NO.
[Screenshot: detection script output with colour-coded PASS/FAIL lines]
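The detection logic above, written out as an added example. This is not the post's Detect-WHfB.ps1; it is a stand-alone script in the same shape (parse dsregcmd /status into key/value pairs, evaluate the six conditions, print colour-coded lines, exit 0 or 1). Things it assumes that the post does not state: the policy value is read from HKLM\SOFTWARE\Policies\Microsoft\PassportForWork, TPM state comes from Get-Tpm and the Win32_Tpm CIM class, and a stopped trigger-start service counts as healthy unless it is disabled. The embedded sample output is constructed from the broken-device listing above and is only used when dsregcmd is not present, so the parser can be exercised on any machine. Get-WHfBHealth takes the dsregcmd lines as input, so output captured in the logged-on user's session can be fed to it.

```powershell
# Added example of a detection script in the shape the post describes: parse
# dsregcmd /status, evaluate the six conditions, exit 0 (compliant) or 1 (not).
# It is NOT the post's Detect-WHfB.ps1. Assumptions not taken from the post:
# the PassportForWork policy key that is read, Get-Tpm / Win32_Tpm for TPM state,
# and treating a stopped trigger-start service as healthy unless it is disabled.

$RequiredServices = 'KeyIso', 'NgcSvc', 'NgcCtnrSvc', 'TokenBroker'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'   # assumed policy location

# Constructed sample (the post's broken-device output, annotations removed), used
# only when dsregcmd is not on the machine so the parser can be exercised anywhere.
$SampleStatus = @'
| Device State |
AzureAdJoined : YES
DomainJoined : YES
| SSO State |
AzureAdPrt : YES
| User State |
NgcSet : NO
NgcKeyId :
'@ -split "`r?`n"

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd prints "Key : Value" rows; banners such as "| Device State |" are skipped.
    # Keys are unique across sections, so a flat hashtable is enough.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Get-WHfBHealth {
    param([hashtable]$State)
    # One entry per condition: Pass decides compliance, Warn only colours the output.
    $r = [ordered]@{}
    $r['Join'] = @{ Pass = ($State['AzureAdJoined'] -eq 'YES')   # YES for both AAD and Hybrid join
                    Detail = "AzureAdJoined=$($State['AzureAdJoined']) DomainJoined=$($State['DomainJoined'])" }
    $r['PRT'] = @{ Pass = ($State['AzureAdPrt'] -eq 'YES'); Detail = "AzureAdPrt=$($State['AzureAdPrt'])" }
    $hasKey = -not [string]::IsNullOrWhiteSpace($State['NgcKeyId'])
    $r['NGC'] = @{ Pass = ($State['NgcSet'] -eq 'YES' -and $hasKey)
                   Detail = "NgcSet=$($State['NgcSet']) NgcKeyId=$($State['NgcKeyId'])" }

    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $spec = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $r['TPM'] = @{ Pass = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmEnabled -and $tpm.TpmReady)
                   Warn = -not ("$spec" -like '2.0*')            # TPM 2.0 recommended, not required
                   Detail = "present=$($tpm.TpmPresent) ready=$($tpm.TpmReady) spec=$spec" }

    # These services are Manual (Trigger Start) by default, so "stopped" is normal on an
    # idle device; only a missing or disabled service is a failure.
    $bad = foreach ($name in $RequiredServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.StartType -eq 'Disabled') { $name }
    }
    $r['Services'] = @{ Pass = (-not $bad); Detail = "missing or disabled: $($bad -join ', ')" }

    $enabled = (Get-ItemProperty -Path $PolicyKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $r['Policy'] = @{ Pass = ($enabled -ne 0); Detail = "Enabled=$enabled (unset means not blocked)" }
    return $r
}

function Write-HealthReport {
    param($Report)
    # Prints one colour-coded line per condition and returns the number of failures.
    $failures = 0
    foreach ($name in $Report.Keys) {
        $c = $Report[$name]
        if (-not $c.Pass) { Write-Host ('FAIL {0,-8} {1}' -f $name, $c.Detail) -ForegroundColor Red; $failures++ }
        elseif ($c.Warn)  { Write-Host ('WARN {0,-8} {1}' -f $name, $c.Detail) -ForegroundColor Yellow }
        else              { Write-Host ('PASS {0,-8} {1}' -f $name, $c.Detail) -ForegroundColor Green }
    }
    return $failures
}

if ($MyInvocation.InvocationName -ne '.') {
    $lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { & dsregcmd.exe /status } else { $SampleStatus }
    $report = Get-WHfBHealth -State (ConvertFrom-DsregStatus -Lines $lines)
    $failures = Write-HealthReport -Report $report
    exit ([int]($failures -gt 0))   # 0: Intune takes no action; 1: Intune runs the remediation script
}
```

Against the constructed sample the Join and PRT lines pass and the NGC line fails (NgcSet is NO and NgcKeyId is empty), so the script exits 1. The main block is guarded so the functions can be dot-sourced into a console and run against a captured file with `Get-WHfBHealth -State (ConvertFrom-DsregStatus -Lines (Get-Content .\dsreg.txt))`.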
What the remediation script does
The remediation script runs silently as SYSTEM, using scheduled tasks to run user-context operations on the logged-on user where required:
| Step | Action | Always runs? |
|---|---|---|
| 1 | Restart WHfB services (KeyIso, NgcSvc, NgcCtnrSvc, TokenBroker) | Yes |
| 2 | Refresh PRT via dsregcmd /refreshprt as logged-on user, then /forcerecovery fallback | Yes |
| 3 | Re-trigger Hybrid AAD Join task | Only if domain-joined but not AAD-joined |
| 4 | Trigger Intune MDM sync (3 methods) | Yes |
| 5 | Clean NGC key store, dsregcmd /cleanupaccounts, retrigger UserTask-Roam | Only if NgcSet ≠ YES |
Critical rule for Step 5: the NGC cleanup only runs when the key is already missing or broken. If NgcSet = YES, Step 5 is skipped entirely. Cleaning the NGC container on a healthy device deletes working WHfB keys for every user on that device and forces them all to re-enrol, so the guard has to be evaluated against the logged-on user's own dsregcmd output before anything is touched. This safeguard was added after catching the bug in testing.
[Screenshot: remediation script output with green OK, cyan ACTION, and yellow WARN lines]
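Two mechanics the remediation table depends on, shown as an added example rather than the post's Remediate-WHfB.ps1: running a command in the logged-on user's session from SYSTEM through a one-shot scheduled task (the Step 2 PRT refresh), and the Step 5 guard that only resets the NGC key store when NgcSet is not YES. The task name, the user-writable output folder under C:\ProgramData\WHfB-Repair, the treatment of an unreadable state as healthy, and the takeown/icacls handling of the Ngc folder are this example's choices and are not taken from the post. The scheduled task is removed in a finally block so a SYSTEM-created task that runs as the user never outlives the remediation.

```powershell
# Added example of two mechanics the post's remediation relies on; it is NOT the
# post's Remediate-WHfB.ps1. Invoke-AsLoggedOnUser runs a command in the interactive
# user's session from SYSTEM through a one-shot scheduled task and deletes the task
# afterwards; Repair-Ngc applies the step-5 rule and only touches the key store when
# NgcSet is not YES. Task name, output folder, and the takeown/icacls handling of the
# Ngc folder are this example's choices, not the post's.

$LogDir  = 'C:\ProgramData\WHfB-Repair'
$UserDir = Join-Path $LogDir 'user'            # the only folder the user-context step may write to
$NgcPath = "$env:SystemRoot\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc"

function Write-Log {
    param([string]$Message, [ValidateSet('OK', 'ACTION', 'WARN')][string]$Level = 'OK')
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $line = '{0:s} [{1}] {2}' -f (Get-Date), $Level, $Message
    Add-Content -Path (Join-Path $LogDir 'remediate.log') -Value $line
    $colour = switch ($Level) { 'ACTION' { 'Cyan' } 'WARN' { 'Yellow' } default { 'Green' } }
    Write-Host $line -ForegroundColor $colour
}

function Get-LoggedOnUser {
    # DOMAIN\user of the interactive console session, or $null when nobody is logged on.
    (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
}

function Invoke-AsLoggedOnUser {
    param([Parameter(Mandatory)][string]$Command, [string]$Arguments = '', [int]$TimeoutSec = 60)
    $user = Get-LoggedOnUser
    if (-not $user) { Write-Log "no interactive user; skipping '$Command $Arguments'" 'WARN'; return $false }
    $taskName  = 'WHfB-Repair-UserStep'
    $action    = New-ScheduledTaskAction -Execute $Command -Argument $Arguments
    $principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Limited
    $settings  = New-ScheduledTaskSettingsSet -Hidden -ExecutionTimeLimit (New-TimeSpan -Seconds $TimeoutSec)
    Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal -Settings $settings -Force | Out-Null
    try {
        Write-Log "running '$Command $Arguments' as $user" 'ACTION'
        Start-ScheduledTask -TaskName $taskName
        $deadline = (Get-Date).AddSeconds($TimeoutSec)
        do { Start-Sleep -Seconds 2 } until ((Get-ScheduledTask -TaskName $taskName).State -notin 'Queued', 'Running' -or (Get-Date) -gt $deadline)
        $result = (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
        Write-Log "'$Command $Arguments' returned $result" $(if ($result -eq 0) { 'OK' } else { 'WARN' })
        return ($result -eq 0)
    }
    finally {
        # Never leave a SYSTEM-created task that runs as the user on the device.
        Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
    }
}

function Get-NgcState {
    # NgcSet is per-user state, so the lines must come from dsregcmd run in the user's session.
    param([string[]]$DsregLines)
    $m = $DsregLines | Select-String -Pattern '^\s*NgcSet\s*:\s*(\S+)' | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}

function Repair-Ngc {
    param([Parameter(Mandatory)][string]$NgcSet)
    # Step-5 rule: a healthy key is never cleaned, and an unreadable state is treated as healthy.
    if ($NgcSet -eq 'YES' -or $NgcSet -eq 'UNKNOWN') { Write-Log "NgcSet=$NgcSet; key store left untouched"; return $false }
    Write-Log "NgcSet=$NgcSet; resetting NGC key store at $NgcPath" 'ACTION'
    Stop-Service -Name NgcCtnrSvc, NgcSvc -Force -ErrorAction SilentlyContinue
    if (Test-Path $NgcPath) {
        # The Ngc folder is ACL-locked; take ownership before removing it. takeown's /d answer
        # is the English "y"; adjust it on other display languages.
        & takeown.exe /f $NgcPath /r /d y | Out-Null
        & icacls.exe $NgcPath /grant 'Administrators:F' /t | Out-Null
        Remove-Item -Path $NgcPath -Recurse -Force
    }
    return $true
}

if ($MyInvocation.InvocationName -ne '.') {
    Restart-Service -Name KeyIso, NgcSvc, NgcCtnrSvc, TokenBroker -Force -ErrorAction SilentlyContinue   # step 1
    if (-not (Invoke-AsLoggedOnUser -Command 'dsregcmd.exe' -Arguments '/refreshprt')) {                 # step 2
        Invoke-AsLoggedOnUser -Command 'dsregcmd.exe' -Arguments '/forcerecovery' | Out-Null
    }
    # Step 5 decision: capture dsregcmd in the user's session, then apply the guard.
    New-Item -ItemType Directory -Path $UserDir -Force | Out-Null
    $user = Get-LoggedOnUser
    if ($user) { & icacls.exe $UserDir /grant "${user}:(OI)(CI)M" | Out-Null }   # user may write only here
    $statusFile = Join-Path $UserDir 'dsreg-status.txt'
    if (Invoke-AsLoggedOnUser -Command 'cmd.exe' -Arguments "/c dsregcmd.exe /status > `"$statusFile`"") {
        $ngc = Get-NgcState -DsregLines (Get-Content -Path $statusFile)
        if (Repair-Ngc -NgcSet $ngc) { Write-Log 'key store reset; the user must sign out and back in to create a PIN' 'WARN' }
    }
}
```

The design point is the default direction of the guard: if the user-context capture fails or NgcSet cannot be read, Repair-Ncg is never reached, so an outage in the scheduled-task path cannot escalate into deleted keys on a healthy device.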
Step-by-step: Add to Intune Proactive Remediations
Proactive Remediations are under Intune > Devices > Remediations.
Step 1 — Create a new script package
Go to Devices → Remediations → + Create script package. Name it something clear like WHfB Health Check and Repair.
Step 2 — Upload both scripts
Under Settings, upload the detection and remediation scripts:
- Detection script file: Detect-WHfB.ps1
- Remediation script file: Remediate-WHfB.ps1
- Run script in 64-bit PowerShell: Yes
- Run using logged-on credentials: No (SYSTEM context)
- Enforce script signature check: leave at No unless you sign both scripts with a code-signing certificate the devices trust; since the remediation runs as SYSTEM on every assigned device, signing them is worth doing before a full rollout.
Step 3 — Set the schedule
Under Assignments, set the schedule to Every 1 hour or Daily. Hourly catches broken devices faster, but it also re-runs the remediation (service restarts, PRT refresh, MDM syncs) every hour on any device that keeps failing detection, such as one waiting for the user to create a PIN, so watch the "with issues" count for devices that are remediated repeatedly.
Step 4 — Assign to your device group
Assign to your Windows 10/11 device group. Start with a pilot group — your IT team — before rolling to the full estate.
Reading the results
After deployment, go to Devices → Remediations → your package → Device status:
- Without issues — detection exited 0, WHfB is healthy
- With issues (remediated) — detection exited 1, remediation ran and completed
- Remediation failed — check the log under C:\ProgramData\WHfB-Repair\ on the device
For devices showing remediated but still with NgcSet = NO in the post-state: the user needs to sign out and sign back in to complete WHfB PIN setup. Everything fixable in SYSTEM context is handled automatically; the final step, creating the PIN and with it the new NGC key, happens in the user's own session and cannot be done on their behalf. Until they do, detection will keep returning exit 1 for that device.
Get the scripts
Both scripts are available on GitHub. Download, review the comments, and deploy.
🔗 View on GitHub — Imran76Awan/WHFB/Intune Remediation
Tip: To test locally before deploying to Intune, run Detect-WHfB.ps1 first with powershell.exe -File .\Detect-WHfB.ps1 and confirm $LASTEXITCODE is 1, then run Remediate-WHfB.ps1 from an elevated session. To reproduce Intune's run context exactly, launch both as SYSTEM (for example with Sysinternals PsExec -s -i), since that is the account the scheduled-task and key-store steps will run under in production. The colour-coded output (green = OK, red = FAIL, cyan = ACTION) lets you follow exactly what the script is doing at each step. The full log is written to C:\ProgramData\WHfB-Repair\.