windows-365/enterprise/connection-errors.md
6 additions & 3 deletions
@@ -35,20 +35,23 @@ The following errors can occur when connecting to a Cloud PC.
35
35
## Errors when connecting to an Azure Active Directory (Azure AD) joined Cloud PC
36
36
37
37
### The logon attempt failed
38
-
**Potential cause #1**: The Cloud PC denied PKU2U protocol requests. The PKU2U protocol is only triggered in the following cases:
38
+
**Potential cause #1**: Either the Cloud PC or the user's physical device denied PKU2U protocol requests. The PKU2U protocol is only triggered in the following cases:
39
39
40
40
- The Cloud PC is Azure AD joined.
41
41
- The user is connecting from the Windows desktop client.
42
42
- The user's physical device is Azure AD registered, Azure AD joined, or hybrid Azure AD joined to the same organization as the Cloud PC.
43
43
44
-
**Possible solution**: Turn on PKU2U protocol requests on your Cloud PC:
44
+
**Possible solution**: Turn on PKU2U protocol requests on both the Cloud PC and the user's physical device:
45
45
46
46
1.[Create a filter for all Cloud PCs](create-filter.md#create-a-filter-for-all-cloud-pcs).
47
47
2. Create a device configuration policy [using the settings catalog](/mem/intune/configuration/settings-catalog).
48
48
3. On the **Configuration settings** page, search for and select **Network Security Allow PKU2U Authentication Requests** > **Allow**.
49
49

50
50
5. On the **Assignments** page, select **Add all devices** > **Edit filter** > **Include filtered devices in assignment** > select the filter you created for all Cloud PCs.
51
-
6. Complete the creation of the device configuration policy.
51
+
6. On the **Assignments** page, also select an Azure AD group containing the user or the user's physical device.
52
+
7. Complete the creation of the device configuration policy.
53
+
54
+
If you only manage the user's physical device through Group Policy or you don't manage the user's physical device, you (or the user) can manage this setting through the [allow PKU2U authentication requests to this computer to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities) policy.
52
55
53
56
**Potential cause #2**: [Per-user multi-factor authentication](/azure/active-directory/authentication/howto-mfa-userstates) is turned on for the user account. Because it blocks sign-in, per-user multi-factor authentication isn't supported for users connecting to Azure AD joined Cloud PCs.
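Review bot: The new step 6 (added line 51) does not say how the group assignment relates to the Cloud PC filter applied in step 5. A user's physical device is not a Cloud PC, so if a reader applies the "all Cloud PCs" filter to the added Azure AD group as well, the policy never reaches the device this change is meant to cover. Suggest stating explicitly that the group is assigned without that filter, or moving the physical-device assignment into its own policy so the two scopes can't be confused. The fallback paragraph (added line 54) links the "allow PKU2U authentication requests to this computer to use online identities" policy but does not say which value to set, while step 3 names **Allow**; give the corresponding value there too. In this rendering the list also runs from step 3 to step 5 with line 49 empty, so it is worth confirming step 4 is intact now that the final step is renumbered from 6 to 7.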