You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: windows-365/enterprise/connection-errors.md
+4-2Lines changed: 4 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -35,13 +35,13 @@ The following errors can occur when connecting to a Cloud PC.
35
35
## Errors when connecting to an Azure Active Directory (Azure AD) joined Cloud PC
36
36
37
37
### The logon attempt failed
38
-
**Potential cause #1**: The Cloud PC denied PKU2U protocol requests. The PKU2U protocol is only triggered in the following cases:
38
+
**Potential cause #1**: Either the Cloud PC or the user's physical device denied PKU2U protocol requests. The PKU2U protocol is only triggered in the following cases:
39
39
40
40
- The Cloud PC is Azure AD joined.
41
41
- The user is connecting from the Windows desktop client.
42
42
- The user's physical device is Azure AD registered, Azure AD joined, or hybrid Azure AD joined to the same organization as the Cloud PC.
43
43
44
-
**Possible solution**: Turn on PKU2U protocol requests on your Cloud PC:
44
+
**Possible solution**: Turn on PKU2U protocol requests on both the Cloud PC and the user's physical device:
45
45
46
46
1.[Create a filter for all Cloud PCs](create-filter.md#create-a-filter-for-all-cloud-pcs).
47
47
2. Create a device configuration policy [using the settings catalog](/mem/intune/configuration/settings-catalog).
@@ -50,6 +50,8 @@ The following errors can occur when connecting to a Cloud PC.
50
50
5. On the **Assignments** page, select **Add all devices** > **Edit filter** > **Include filtered devices in assignment** > select the filter you created for all Cloud PCs.
51
51
6. Complete the creation of the device configuration policy.
52
52
53
+
If the user's physical device is managed, assign the user or the user's physical device to the same device configuration policy. If the user's physical device is unmanaged or you manage through Group Policy, create a Group Policy Object (GPO) to [allow PKU2U authentication requests to this computer to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).
54
+
53
55
**Potential cause #2**: [Per-user multi-factor authentication](/azure/active-directory/authentication/howto-mfa-userstates) is turned on for the user account. Because it blocks sign-in, per-user multi-factor authentication isn't supported for users connecting to Azure AD joined Cloud PCs.
54
56
55
57
**Possible solution**: [Remove per-user multi-factor authentication](/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#mfa-sign-in-method-required) for all users connecting to Cloud PCs. Then, [set an Azure AD conditional access policy](set-conditional-access-policies.md) and assign it to the appropriate users.
0 commit comments