Low severity · authentication
Power BI Error:
AADSTS130004, Windows Hello / NGC key missing
What does this error mean?
Sign-in failed because the user has no Next Generation Credentials (NGC) key registered in Entra ID (Azure AD).
Common causes
1. Windows Hello for Business provisioning never completed on the device (PIN setup interrupted or skipped)
2. The user's NGC key was deleted, expired, or unregistered from Entra ID, but the device still tries to sign in with it
3. Device is not properly Entra ID joined / Hybrid joined, so the NGC key was never written to the user principal
4. Stale or corrupted NGC container in the local Windows profile (often after a profile reset or domain migration)
5. A Conditional Access or authentication method policy blocks or has removed Windows Hello for the user, leaving no valid NGC key
How to fix it
1. On the affected device, sign in with password + MFA, then go to Settings → Accounts → Sign-in options → Windows Hello PIN → Set up / Remove and re-create the PIN to re-provision the NGC key
2. If re-provisioning fails, delete the local NGC container: as admin run `certutil -DeleteHelloContainer`, reboot, and set up Windows Hello again
3. Verify the device is correctly joined: `dsregcmd /status` — confirm AzureAdJoined=YES and NgcSet=YES under SSO State / Ngc Prerequisite Check
4. In the Entra admin center, check the user's Authentication methods and Devices blade, remove stale device registrations, and ensure Windows Hello for Business is allowed by the Authentication methods policy
5. If the issue is fleet-wide, validate the Windows Hello for Business policy (Intune / GPO) and the certificate trust / key trust configuration with your identity admin
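
The `dsregcmd /status` check from step 3 can be scripted so the two fields are read the same way on every device. This is an added example, not part of the original page: the function names `ConvertFrom-DsregStatus` and `Test-NgcReadiness` are hypothetical, and the sample text is constructed rather than captured from a real device.

```powershell
# Added example: triage AADSTS130004 from `dsregcmd /status` output.
# Function names are hypothetical; only AzureAdJoined and NgcSet are evaluated.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Field lines look like "   AzureAdJoined : YES". Banner lines ("+---", "| ... |")
        # and blank lines do not match, so the section a field is printed in is ignored.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$' -and -not $fields.ContainsKey($Matches[1])) {
            $fields[$Matches[1]] = $Matches[2]   # keep the first occurrence of each key
        }
    }
    return $fields
}

function Test-NgcReadiness {
    param([string[]]$Lines)
    $f = ConvertFrom-DsregStatus -Lines $Lines
    $findings = @()
    # A missing field yields $null, which is treated the same as "not YES".
    if ($f['AzureAdJoined'] -ne 'YES') {
        $findings += 'AzureAdJoined is not YES: fix the Entra ID / Hybrid join before re-creating the PIN.'
    }
    if ($f['NgcSet'] -ne 'YES') {
        $findings += 'NgcSet is not YES: no NGC key for this user; re-provision Windows Hello (steps 1-2).'
    }
    [pscustomobject]@{
        AzureAdJoined = $f['AzureAdJoined']
        NgcSet        = $f['NgcSet']
        Ready         = ($findings.Count -eq 0)
        Findings      = $findings
    }
}

# Constructed sample output (not from a real device): joined, but no NGC key set.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
              DomainJoined : NO

                    NgcSet : NO
'@ -split "`r?`n"

Test-NgcReadiness -Lines $sample | Format-List
# Live check, run in the affected user's own session because NgcSet is per-user:
#   Test-NgcReadiness -Lines (dsregcmd /status) | Format-List
```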