Azure AD Joined device requires an internet connection to sign-in user

Razjan Baram 1 Reputation point
2022-02-23T15:07:42.767+00:00

I have a question to which I haven't found an answer online (yet). The situation is as follows:
We have a user who has an Azure AD Joined device (Windows 10 21H2) and is already the Primary User of the device (I checked this in Intune). He has already logged on successfully multiple times but the machine does not seem to cache his credentials. This means the device requires an internet connection for him to log on. I've looked at the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon > CachedLogonsCount value but this was already set to its default value of 10.

I have no idea where to look from here on so any tips or help are welcome!

Microsoft Entra ID

5 answers

  1. James Hamil 21,546 Reputation points Microsoft Employee
    2022-02-24T21:49:12.983+00:00

    Hi @Razjan Baram , I'm awaiting a response from another engineer to narrow the issue down but I have some questions/details that may help you. Are you using Windows Hello for Business at all? Also, is this just 1 user, or have there been others?

    • For Azure AD joined machines, the authentication is happening through Azure AD.
    • Even if we rely on ADFS, the login to Windows is not based on the Kerberos authentication mechanism.
    • For AAD joined machines, credential caching is not implemented in the Windows Credential Manager – a component which is manageable and allows for disabling the credential caching capabilities provided by the operating system.
    • For AAD joined machines, credential caching is related to the Primary Refresh Token that is issued when a user is authenticated against Azure AD.
    • This process is the Microsoft.AAD.BrokerPlugin framework, which is built on the newer application packaging framework.
    • This component maintains a separate cache under %LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\LocalState folder.
    • These files get renewed when the PRT is refreshed/renewed.
    • Password credentials get cached in the .PWD file and WHfB credentials get cached in the .NGC file.

    The above steps were taken from a similar issue, so they may not match yours exactly. However, they may help you find the issue if you want to trace it. In the meantime I am still searching for an exact solution for this and will let you know when I have one.

    Best,
    James
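A read-only PowerShell check that pulls together the places the question and the answer above point at: the device join and PRT state from dsregcmd, the Winlogon CachedLogonsCount value, the Microsoft.AAD.BrokerPlugin LocalState cache folder, and the AAD operational event log. Running it in the affected user's session after an online sign-in shows whether the .PWD/.NGC cache files are actually being rewritten when the PRT is renewed. This is an added example, not code from the thread or from Microsoft; the dsregcmd field names it matches on and the event log channel name are assumptions about current Windows 10/11 builds.

```powershell
# Added diagnostic script (not from the thread). Run as the affected user so that
# $env:LOCALAPPDATA resolves to that user's profile. It only reads state.

# 1. Join state and PRT status from dsregcmd /status.
#    Field names are assumed from current dsregcmd output.
$wanted = 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'AzureAdPrtUpdateTime', 'AzureAdPrtExpiryTime'
$joinState = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+)$' -and $wanted -contains $matches[1]) {
        $joinState[$matches[1]] = $matches[2].Trim()
    }
}
Write-Host "== dsregcmd /status (selected fields) =="
$joinState.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# 2. The classic cached-logon limit the question already checked. For an Azure AD
#    joined device this governs the legacy NT cache, not the PRT-based cache, so a
#    value of 10 here does not by itself mean offline sign-in will work.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cachedLogons = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
Write-Host "== Winlogon CachedLogonsCount: $cachedLogons =="

# 3. The BrokerPlugin cache folder named in the answer. The files are expected to
#    get a fresh LastWriteTime whenever the PRT is refreshed; a stale timestamp
#    after a successful online sign-in is the thing worth chasing.
$cacheDir = Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\LocalState'
Write-Host "== BrokerPlugin LocalState: $cacheDir =="
if (Test-Path $cacheDir) {
    $files = Get-ChildItem -Path $cacheDir -File -Force -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending
    $files | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
    $newest = $files | Select-Object -First 1
    if ($newest) {
        Write-Host ("Newest cache file written: {0} (compare with AzureAdPrtUpdateTime above)" -f $newest.LastWriteTime)
    } else {
        Write-Host 'Cache folder exists but contains no files.'
    }
} else {
    Write-Host 'Cache folder not found; the broker may never have stored a PRT for this user.'
}

# 4. Recent AAD broker events. Assumed channel name; errors in PRT acquisition or
#    renewal are typically logged here before the user notices anything.
Write-Host '== Last 20 Microsoft-Windows-AAD/Operational events =='
Get-WinEvent -LogName 'Microsoft-Windows-AAD/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Capture the output once while the device is online and signed in normally, then again after the next sign-in; if AzureAdPrt reports YES and the PRT update time moves forward but the LocalState files never change, the PRT is being issued but not persisted, which narrows the problem to the broker cache rather than to Azure AD itself.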


  2. mads.lomholt@live.no 1 Reputation point
    2022-07-15T12:20:43.787+00:00

    Any progress on the details here @James Hamil? I seem to have a similar case: Intune/AAD, just one user with a new password that does not update locally on the client/laptop. No Win Hello fB here either.

    Did you just delete the files with passwords/credentials in localappdata to get them rebuilt?

    Before, with AD-joined (not AAD) computers, a restart would re-run the computer part of GPOs with settings for (cred. manager) cached credentials, but only on a wired network. Is that old flaw in play here?


  3. Radim Bártek 1 Reputation point
    2022-11-23T07:14:20.56+00:00

    Hello,

    I have a somewhat similar question. I have an AAD joined device, with an on-prem (ADDS) user synced to AAD and ADFS. My question (I cannot find an answer): how does it work in this situation? The user is signed in to the computer, he turns off the computer and travels on holiday. When he starts the computer (14 days later) in the hotel (without an internet connection), is he able to log in to Windows? Is there any exact time for credential caching, i.e. how long can the computer keep the user credentials (authenticated over ADFS) for user login?

    Thank you for any answers or ideas.


  4. Darwin Vinoth 21 Reputation points
    2023-06-06T06:43:00.5133333+00:00

    Yes, the user will be able to log in to Windows 14 days later in the hotel (without an internet connection) if the device is Azure AD joined and the user is synced to Azure AD and ADFS. The user's credentials will be cached on the device for up to 14 days, so they will be able to log in without an internet connection.

    Here is how it works:

    1. When the user signs in to the device, their credentials are cached on the device.
    2. The device then connects to Azure AD and authenticates the user's credentials.
    3. Azure AD then sends a token back to the device, which the device uses to authenticate the user for the next 14 days.

    If the user's device is not connected to the internet for more than 14 days, the user will not be able to log in without re-entering their credentials.

    Here are some additional things to keep in mind:

    • The 14-day credential caching period is the default value. You can change this value in Azure AD by going to Settings > Devices > Conditional Access > Session control > Maximum session age.
    • If the user's device is lost or stolen, you can revoke the user's access to Azure AD by going to Users > Active users > select the user > Manage > Revoke access.
    • You can also configure Azure AD to require users to re-enter their credentials every time they sign in. This can be done by going to Settings > Devices > Conditional Access > Session control > Sign-in frequency.
