u/Final_Principle2990

[Windows 11 26200.8457] Passkey creation broken — NgcSet stays NO, bioiso.exe won't spawn, in-place repair didn't fix

Title: [Windows 11 26200.8457] Passkey WebAuthn completely broken — NgcSet stays NO, bioiso.exe won't spawn, in-place repair didn't fix

Flair: Tech Support

Body:

System:

  • Windows 11 Pro, build 26200.8457
  • ASUS ROG STRIX Z890-E Gaming WiFi
  • Intel Core Ultra 7 265K
  • 192 GB RAM
  • Intel TPM (cleared during troubleshooting)
  • No biometric hardware (no fingerprint, no Hello camera)
  • Local account, BitLocker enabled on C:
  • Not domain/AzureAD joined

Problem: Both passkey creation and authentication fail on every site. An existing Windows Hello passkey from July 2025 is still listed in Settings → Accounts → Passkeys and on the relying party (Google), but using it to sign in fails the same way as new passkey creation.

  • Chrome on Google passkey creation: "Something went wrong / We weren't able to save your changes"
  • Edge: "Can't reach Microsoft Password Manager"
  • webauthn.io with "Windows Hello" option selected: "The operation either timed out or was not allowed"
  • Signing in to Google with the existing passkey: clicks through "Use your passkey" → "Continue" → fails with "Something went wrong / Make sure Bluetooth is on" (no Windows Hello PIN prompt ever appears, suggesting Chrome falls back to cross-device passkey via Bluetooth instead of using local Windows Hello)
  • Windows Hello PIN login to Windows itself still works fine

Diagnostics:

  • dsregcmd /status shows NgcSet: NO even immediately after setting a fresh PIN
  • Same output shows CertEnrollment: none and PreReqResult: WillNotProvision
  • System Information → Running Tasks: bioiso.exe is missing (ngciso.exe IS running)
  • Virtualization-based security: Running, HVCI enforced
  • System Information shows "App Control for Business policy: Enforced" (unusual on unmanaged device?)
  • BitLocker control panel shows "For your security, some settings are managed by your system administrator" despite no work account being connected
  • PIN setup window flashed closed by itself during one reset attempt
  • After clicking "Set up PIN," UI sometimes shows "Change PIN / Remove" without prompting for entry

Things tried (none fixed it):

  • sfc /scannow (found and repaired corrupt files)
  • DISM /Online /Cleanup-Image /RestoreHealth (completed clean)
  • Full in-place repair install via Windows 11 ISO (kept files and apps)
  • Cleared TPM via tpm.msc (BitLocker suspended, recovery key saved)
  • takeown /r + icacls /grant administrators:F /t + rd /s /q on the NGC folder
  • Re-set Windows Hello PIN multiple times (including "I forgot my PIN")
  • Re-registered AAD Broker Plugin via Add-AppxPackage
  • net stop wbiosrvc && net start wbiosrvc (service starts, bioiso.exe still does not spawn)
  • Tested across 3 user accounts: original Microsoft account, converted-to-local account, brand new local account — identical failure on all three
  • Tested Chrome (including Incognito), Edge, webauthn.io — all fail
  • Toggled various Chrome flags (Passkey Unlock Manager, Passkey Unlock Error UI)
  • Toggled Google Password Manager "Automatically create a passkey"

Questions:

  1. Why won't bioiso.exe spawn despite VBS running and Biometric Service started?
  2. Is missing biometric hardware actually blocking ESS-mediated NGC provisioning for a PIN-only Windows Hello configuration?
  3. What is enforcing the "App Control for Business policy: Enforced" status on an unmanaged consumer device, and could it be related?
  4. Anything I missed before I give up and wait for the next cumulative update?
u/Final_Principle2990 — 6 days ago
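
The signals listed under "Diagnostics" above, collected in one read-only pass, as an added example that is not part of the original post. It also checks whether Code Integrity logged anything about bioiso.exe or ngciso.exe. Assumptions not taken from the post: the `Win32_DeviceGuard` CIM class, `citool.exe --list-policies`, and Code Integrity event IDs 3076 (audit) and 3077 (block); variable names are illustrative.

```powershell
# Added example, read-only. Run from an elevated PowerShell session.

# 1. dsregcmd /status -> hashtable of "Key : Value" pairs.
$dsreg = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $dsreg[$Matches[1]] = $Matches[2] }
}

# 2. VBS and code-integrity state as reported by the Device Guard CIM class.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                      -ClassName Win32_DeviceGuard

# 3. Isolated-process and biometric service state.
$running = Get-Process -Name bioiso, ngciso -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name
$wbio = Get-Service -Name WbioSrvc

[pscustomobject]@{
    NgcSet          = $dsreg['NgcSet']
    PreReqResult    = $dsreg['PreReqResult']
    CertEnrollment  = $dsreg['CertEnrollment']
    BioIsoRunning   = $running -contains 'bioiso'
    NgcIsoRunning   = $running -contains 'ngciso'
    WbioSrvc        = $wbio.Status
    VbsStatus       = $dg.VirtualizationBasedSecurityStatus       # 2 = running
    ServicesRunning = $dg.SecurityServicesRunning -join ','       # 2 = HVCI
    KernelCiPolicy  = $dg.CodeIntegrityPolicyEnforcementStatus    # 2 = enforced
    UserCiPolicy    = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
} | Format-List

# 4. App Control policies currently loaded on the machine (IDs, names, enforcement).
citool.exe --list-policies

# 5. Code Integrity audit (3076) and block (3077) events that mention
#    either isolated process by name.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
} -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'bioiso|ngciso' } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

An empty result from step 5 means the most recent 500 Code Integrity audit/block events do not name either process; it does not by itself rule the policy in or out.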