You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: windows-365/enterprise/connection-errors.md
+17-4Lines changed: 17 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -34,12 +34,25 @@ The following errors can occur when connecting to a Cloud PC.
34
34
35
35
## Errors when connecting to an Azure AD join Cloud PC
36
36
37
-
**Potential cause**: Possible causes for connection errors include:
37
+
### The logon attempt failed
38
+
**Potential cause**: The Cloud PC VM is denying PKU2U protocol requests. The PKU2U protocol is only triggered in the following cases:
38
39
39
-
- Windows sign-in works directly against Azure AD, potentially triggering Azure AD authentication controls.
40
-
- Sign-in attempts from the Windows desktop client to a Cloud PC use a different protocol, called PKU2U.
40
+
- The Cloud PC is Azure AD joined.
41
+
- The user is connecting from the Windows desktop client.
42
+
- The user's physical device is either Azure AD registered, Azure AD joined, or Hybrid Azure AD joined to the same organization as the Cloud PC.
41
43
42
-
**Possible solution**: Follow the guidance to [troubleshoot connections to Azure AD joined VMs](/azure/virtual-desktop/troubleshoot-azure-ad-connections?context=/windows-365/context/pr-context).
44
+
**Possible solution**: Enable PKU2U protocol requests on your Cloud PC. To do this:
45
+
46
+
1.[Create a filter for all Cloud PCs](create-filter).
47
+
2. Create a device configuration policy [using the settings catalog](/mem/intune/configuration/settings-catalog.md).
48
+
3. On the **Configuration settings** page, search for and select **Network Security Allow PKU2U Authentication Requests**, then select **Allow**.
49
+
50
+
5. On the **Assignments** page, select **Add all devices** > **Edit filter** > **Include filtered devices in assignment** > select the filter you created for all Cloud PCs.
51
+
6. Complete the creation of the device configuration policy.
52
+
53
+
**Potential cause**: [Per-user multi-factor authentication](/azure/active-directory/authentication/howto-mfa-userstates) is enabled for the user account. Per-user multi-factor authentication is not supported for users connecting to Azure AD joined Cloud PCs since it blocks login.
54
+
55
+
**Possible solution**: Disable per-user multi-factor authentication for all users connecting to Cloud PCs. Then, [set an Azure AD conditional access policy](set-conditional-access-policies) and assign it to the appropriate users.
0 commit comments