master-client(-management)

Take Windows Up to 11

Category: Windows 10

“Something went wrong” error when enabling Windows 10 facial authentication

Problem

When I was at a customer’s site lately and tried to enable the Windows Hello face recognition feature I encountered an error. After pressing the Get started button on the Windows Hello setup page Sorry, something went wrong was displayed without further explanations.

Windows Hello Setup
Windows Hello Setup Error

When I checked the Windows Event Log I could find a DistributedCOM error with the EventID 10016 which stated that the application did not have the local activation permission for the COM application.

Windows eventlog error DCOM

After that I looked up the APPID from the event in the Component Services and found out that it was the RuntimeBroker which controls the execution of the AppX(Universial)-Apps. Thinking about that I remembered that we had limited the access to the camera to certain AppX-Apps via Group Policy.

Component Services

I opened regedit as an Administrator and removed the value

HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessCamera

and tested again. Then it worked! So I just needed to find out which AppX needs access to the camera. I looked up the installed AppX with the PowerShell command:

Get-AppxPackage | select Name | sort

There it was the Microsoft.BioEnrollment_cw5n1h2txyewy AppX which looked like the app I was searching for. I reset my registry changes with a Group Policy update and added the AppX name to the value of:

HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessCamera_UserInControlOfTheseApps

Registry privacy camera

After that I tested again and it still worked to setup the facial recognition.

Camera working

Solution

Adding the AppX Microsoft.BioEnrollment_cw5n1h2txyewy to the Put user in control of these specific apps or the Force allow these specific apps fields of the Let Windows apps access the camera setting in the GPO under Computer Settings\Administrative Templates\Windows Components\App Privacy resolved the issue and users are able to use their face to authenticate on Windows.

GPO settings camera privacy

Windows 10 1803 ADMX Files SearchOCR error $(string.Win7Only) not found

Problem

Update 2: On 7/13/2018 Microsoft released Version 2.0 of the 1803 ADMX files without the issue
Update: Included feedback from @Jtracy_ItPro regarding multiple orphaned ADML files.

I just updated the Windows 10 ADMX files in the Central Policy Store of my lab domain with the Windows 10 1803 ADMX files. After that I got the error that the resource $(string.Win7Only) referenced in attribute displayName could not be found when accessing the Administrative Templates with the Group Policy Editor.

ADMX Error

I checked the mentioned searchocr.admx and the corresponding searchocr.adml file and found out that the modified dates differed by around three years (2015 and 2018).
Looking at the extracted 1803 ADMX files from the download revealed that they only include the SearchOcr.ADML files not the corresponding ADMX.

ADMX 1803

The c:\Windows\PolicyDefinitions folder of a running instance of Windows 10 1803 does not contain the two files.

Solution

Update 2: On 7/13/2018 Microsoft released Version 2.0 of the 1803 ADMX files without the issue

As long as I cannot find the 1803 version of the SearchOcr.admx I restored the old SearchOcr.adml file(s) from my backup and the error went away. Or even better remove the SearchOcr.ADML from every language that you want to import to the Central Policy Store.

@Jtracy_ItPro pointed out to me that the SearchOcr.adml is not the only orphaned ADML in the ADMX pack. The following list ADML files are orphaned in the 1803 ADMX pack as well

  • fileservervssagent.adml
  • microsoft-windows-geolocation-wlpadm.adml
  • microsoft-windows-messaging-grouppolicy.adml
  • searchocr.adml
  • terminalserver-winip.adml
  • userdatabackup.adml
  • wwansvc-admin-group-policy-data.adml

Any of these files can cause similar errors if you already have an older version of the ADMX and ADML in your Central Policy Store.

Therefore I wrote a small PowerShell function to find any orphaned ADMLs in a PolicyDefinitions folder.

You can use this function to find and remove any orphaned ADML before importing the files to the Central Policy Store