A Windows device is unable to register a passkey for a user with Registration failed. message and returns an error:
HandleUrl(Register(PRofileManagement(PutCert("Host error: failed to store certificate"))))
The ownership of the %AppData%\Roaming\Microsoft\SystemCertificates\My\Certificates folder is not set for the user or has been unassigned.
The ownership of the folder can be changed or unassigned by upgrading the operating system. For example, Windows 10 to Windows 11 or by doing a system repair/restore on the operating system. Essentially, Microsoft's feature updates can cause this.
The ownership can be checked by navigating to %AppData%\Roaming\Microsoft\SystemCertificates\My\Certificates and ensuring the "SystemCertificates" folder and the subsequent folders are owned by the user that is attempting to create the passkey.
To check the ownership of the folder, open the properties of the folder and select the Security tab:
Open the Advanced option; it will show the ownership of the folder:
The verification of the folder's owner can be done using a PowerShell command:
Setting the current user as the folder owner will solve the issue.
This can be changed by selecting the Change link, typing in the username in the object name text box, and clicking the Check Names button. If the user was resolved to the correct user, save the changes by clicking the OK button.
The ownership can be assigned using a PowerShell command:
icacls.exe "C:\Users\<user>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates" /setowner "<domain>\<user>" /T /C /Q > $null