|
| 1 | +--- |
| 2 | +title: Connection Fails with an Interactive Window Could Not Be Shown Error |
| 3 | +description: Helps resolve the connection error - an interactive window could not be shown. |
| 4 | +manager: dcscontentpm |
| 5 | +ms.date: 04/02/2025 |
| 6 | +ms.topic: troubleshooting |
| 7 | +ms.reviewer: kaushika, erikje, v-lianna |
| 8 | +--- |
| 9 | +# Windows 365 Link connection fails with error "an interactive window could not be shown" |
| 10 | + |
| 11 | +This article helps resolve the connection error "an interactive window could not be shown." |
| 12 | + |
| 13 | +After you authenticate on the sign-in screen, you might encounter the following error message when connecting to your Cloud PC: |
| 14 | + |
| 15 | +> Something went wrong. |
| 16 | +An authentication issue occurred where an interactive window could not be shown. Please try again later. |
| 17 | + |
| 18 | +The connection attempts via Windows 365 Link use non-interactive single sign-on and can't prompt for user authentication. If you see this error, Windows 365 resources might be protected by a Conditional Access policy that requires interactive authentication. For more information, see [Set Conditional Access policies for Windows 365](/windows-365/enterprise/set-conditional-access-policies). |
| 19 | + |
| 20 | +The common causes of this error are: |
| 21 | + |
| 22 | +- Missing user action policy |
| 23 | +- Conditional Access policy not assigned |
| 24 | +- Mismatched access controls |
| 25 | +- Unsupported access controls |
| 26 | + |
| 27 | +For configuration details, see [Conditional Access policies for Windows 365 Link](/windows-365/link/conditional-access-policies). |
| 28 | + |
| 29 | +## Missing user action policy |
| 30 | + |
| 31 | +Interactive authentication should occur during the sign-in stage. This commonly requires a new Conditional Access policy because the sign-in only triggers [User actions](/entra/identity/conditional-access/concept-conditional-access-cloud-apps#user-actions) policies to **Register or join devices**, whereas the connection triggers **Resources** policies. |
| 32 | + |
| 33 | +## Conditional Access policy not assigned |
| 34 | + |
| 35 | +If the **User actions** policy exists, confirm if you're in the scope of the assignments of users. |
| 36 | + |
| 37 | +## Mismatched access controls |
| 38 | + |
| 39 | +The sign-in stage generates a security token that is used in the connection stage. If the Conditional Access policies in either stage have the access controls configured differently, an authentication issue might occur. Ensure the access control setting on the **User actions** policy used for the sign-in stage matches (or is stronger than) the setting on the **Resources** policy used for the connection stage. |
| 40 | + |
| 41 | +## Unsupported access controls |
| 42 | + |
| 43 | +A Conditional Access policy applied to resources might use controls that are unavailable for **User actions** policies. Some **Grant** controls, such as device compliance or [custom controls](/entra/identity/conditional-access/controls), can't be used with **User actions** policies. Some **Session** controls, such as **Sign-in frequency**, can't be used with **User actions** policies. If a **User actions** policy applied during the connection stage requires any of these unsupported controls, modifications are required to accommodate the use of Windows 365 Link devices. |
| 44 | + |
| 45 | +## Confirm the problem |
| 46 | + |
| 47 | +Conditional Access sign-in logs can be used to verify how Conditional Access policies are (or aren't) being applied to the sign-in and connection attempts. |
| 48 | + |
| 49 | +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) > **Protection** > **Conditional Access** > **Sign-in logs**. |
| 50 | +2. Select the **User sign-ins (interactive)** tab and use filters to find entries for the sign-in. For example, try using: |
| 51 | + |
| 52 | + - **Resource**: **Device Registration Service** |
| 53 | + - **Username**: \<enter the UPN of the user> |
| 54 | + - **Date**: \<select a relevant interval> |
| 55 | + |
| 56 | +3. Select an entry to review if the details are: |
| 57 | + |
| 58 | + - **Basic info** / **Authentication requirement**: **Single-factor** |
| 59 | + - **Basic info** / **Status**: **Success** |
| 60 | + - **Conditional Access** / **Result**: **Not Applied** |
| 61 | + |
| 62 | +4. Select the **User sign-ins (non-interactive)** tab and use filters to find entries for the connection. For example, try using: |
| 63 | + |
| 64 | + - **Application**: **Windows 365 Client** |
| 65 | + - **Username**: \<enter the UPN of the user> |
| 66 | + - **Date**: \<select a relevant interval> |
| 67 | + |
| 68 | +5. Expand the results and select an entry to review if the details are: |
| 69 | + |
| 70 | + - **Basic info** / **Authentication requirement**: **Multifactor** |
| 71 | + - **Basic info** / **Status**: **Interrupted** |
| 72 | + - **Conditional Access** / **Result**: \<any failures occurred> |
| 73 | + |
| 74 | +If you encounter entries similar to the preceding ones, then a combination of those Conditional Access policies likely causes the error. |
| 75 | + |
| 76 | +For configuration details, see [Conditional Access policies for Windows 365 Link](/windows-365/link/conditional-access-policies). |
0 commit comments