This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 96%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETM%3C/text%3E%3C/svg%3E)
Hi,
I am deploying WHfB Cloud Trust in Hybrid Azure AD. I followed the Microsoft Documentation: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust
First I tried using GPO and it works well. I can see the event 358 saying WHfB cloud trust is enabled and the computer got the TGT ticket. Everything works fine.
But then I removed the GPO and tried using Intune. The users are prompted to create the PIN and they are able to log in but it fails randomly. I checked the event viewer and now in the event 358 it says that Cloud Trust is not enabled and the TGT ticket is "not tested"
Both the configuration profiles in Intune (enablement with OMA uri and PIN Reqs) are applied, the state is "Succeded" for the computers. Why is Cloud Trust not enabled? I guess everything is ok in AD and the computer as when I enable the GPO it works fine and I can see how the secret is stored and read in Azure AD. Thanks
Regards.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Toni Martínez , From your description, it seems we enable windows hello for business and configure cloud Kerberos trust policy in Intune. It applied successfully. And PIN is setup. But "cloud trust for on premise auth policy is enabled" and "user account has cloud TGT" show not tested. I have added tags "azure-active-directory" and "windows-10-security" to involve related support to see if any suggestion can be provided.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
As I understand you are deploying Windows Hello for Business Cloud Trust using Intune. Users log in fails randomly.
The Not Tested state is reported if cloud Kerberos trust is not being enforced by policy or if the device is Azure AD joined.
Also help me with the output of klist cloud_debug to investigate further.
Let me know if you have any further questions.
Finally I managed to find the problem. I put the tenant ID in the OMA-URI without the dashes(-). Once I added the dashes it started to work. Thanks.
@Toni Martínez Thanks for the update and detailed steps you tried to resolve this issue. I will work with my team to have this issue behavior documented in our public docs and steps you tried to resolve the issue.
Please remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution.