0x801C03EC Windows Hello for Business Provisioning

Scenario

In my lab I received the error 0x801C03EC when provisioning Windows Hello on my Windows 11 test device. A quick search pointed me towards https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation which explained this to mean “Server response http status is not valid” and that signing out and back in would resolve it. It did not!

Assuming it to just be a transient cloud issue, I continued with the scenario I was actually wanting to test and thought no more about it. The next day when signing in I received the same error – it had not resolved itself overnight! Seems I have a configuration problem to investigate.

Looking in the Windows event logs I spotted the following error:

NGC key registration failed. 
Exit code: Unknown HResult Error code: 0x801c03ec 
Client request ID: 00000000-0000-0000-0000-000000000000 
Server request ID: b6fb5f8d-bf40-426f-b7e1-480c5c1c45ea 
Error code: internal_server_error 
Server error message: Invalid Policy: 'User Credential Policy Json deserialization failure with error Error converting value "IssuerSubjectAndPolicyOID" to type 'Microsoft.AzureAD.UserCredentialPolicy.ObjectModel.X509CertificateRuleType'. Path 'credentials[10].settings.authenticationModeConfiguration.x509CertificateRule[0].x509CertificateRuleType', line 1, position 4361.' 
Recommended client response: error_fail 
Server response: {"error":{"code":"internal_server_error","message":"Invalid Policy: 'User Credential Policy Json deserialization failure with error Error converting value \"IssuerSubjectAndPolicyOID\" to type 'Microsoft.AzureAD.UserCredentialPolicy.ObjectModel.X509CertificateRuleType'. Path 'credentials[10].settings.authenticationModeConfiguration.x509CertificateRule[0].x509CertificateRuleType', line 1, position 4361.'","response":"error_fail","target":"ProvisionKey","clientrequestid":"b6fb5f8d-bf40-426f-b7e1-480c5c1c45ea","time":"01-04-2024 12:07:57Z","innererror":{"trace":null,"context":null}}}
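
The server response in the event above can be pulled apart to show which credential policy entry was rejected and why. The Python below is an added example, not code from the original post; the function name `triage_ngc_failure` and the returned field names are assumptions, and treating a deserialization failure as a policy fault rather than a transient one is a heuristic.

```python
import json
import re

# Event text copied from the error shown above (only the lines the parser reads).
EVENT_TEXT = r'''NGC key registration failed.
Exit code: Unknown HResult Error code: 0x801c03ec
Server request ID: b6fb5f8d-bf40-426f-b7e1-480c5c1c45ea
Server response: {"error":{"code":"internal_server_error","message":"Invalid Policy: 'User Credential Policy Json deserialization failure with error Error converting value \"IssuerSubjectAndPolicyOID\" to type 'Microsoft.AzureAD.UserCredentialPolicy.ObjectModel.X509CertificateRuleType'. Path 'credentials[10].settings.authenticationModeConfiguration.x509CertificateRule[0].x509CertificateRuleType', line 1, position 4361.'","response":"error_fail","target":"ProvisionKey","clientrequestid":"b6fb5f8d-bf40-426f-b7e1-480c5c1c45ea","time":"01-04-2024 12:07:57Z","innererror":{"trace":null,"context":null}}}
'''

# Shape of the deserialization message embedded in the server error string.
DESERIALIZE_RE = re.compile(
    r"""Error converting value "(?P<value>[^"]+)" to type '(?P<type>[^']+)'\. Path '(?P<path>[^']+)'"""
)


def triage_ngc_failure(event_text):
    """Extract the fields that separate a policy fault from a transient error."""
    hresult = re.search(r"Error code: (0x[0-9a-fA-F]{8})", event_text)
    marker = "Server response: "
    start = event_text.find(marker)
    if start == -1:
        raise ValueError("event has no 'Server response:' line")
    # raw_decode parses one JSON object and ignores any text that follows it.
    body, _ = json.JSONDecoder().raw_decode(event_text[start + len(marker):])
    err = body["error"]
    result = {
        "hresult": hresult.group(1).lower() if hresult else None,
        "code": err.get("code"),
        "target": err.get("target"),
        "policy_fault": False,
    }
    m = DESERIALIZE_RE.search(err.get("message", ""))
    if m:
        # The path names the entry in the user's credential policy that failed.
        idx = re.match(r"credentials\[(\d+)\]", m["path"])
        result.update(
            policy_fault=True,
            rejected_value=m["value"],
            expected_type=m["type"].rsplit(".", 1)[-1],
            policy_path=m["path"],
            credential_index=int(idx.group(1)) if idx else None,
        )
    return result


if __name__ == "__main__":
    print(json.dumps(triage_ngc_failure(EVENT_TEXT), indent=2))
```

A result with `policy_fault` set to true and a `policy_path` containing `x509CertificateRule` points at the certificate-based authentication settings that apply to the user, not at the device.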

Resolution

The error points to it being certificate-related, but as I’m using Cloud Kerberos Trust I was a little confused. I then remembered I had previously been experimenting with Entra Certificate Based Authentication and had enabled certificate-based authentication for this user.

My test machine had been rebuilt via Autopilot, and because I was after a “clean” system I had excluded most policies including the user being issued a certificate.

I headed over to the Entra Admin Center and removed the user from the group to which I scoped the Certificate Based Authentication settings in the Authentication Methods policy.

Immediately afterwards, Windows Hello provisioning worked as expected!