"Windows needs your current credentials..." notification after converting users to Cloud only

Mike Gaum 45 Reputation points
2024-07-24T19:41:20.3033333+00:00

We're getting rid of our local Active Directory soon and started converting On-premises synced users to Cloud only users.

I believe there are 2 ways of doing this and we chose the less recommended one by Microsoft for testing purposes since it doesn't affect all users at once.

Instead of disabling the sync between Active Directory and Entra ID, we do the following:

  1. Unsync the user in Active Directory (this deletes the user in Entra ID).
  2. Restore the user in Entra ID (takes about 15 minutes for everything to go back to normal for the user).

The following notification error started appearing from time to time on our devices: "Windows needs your current credentials. Please lock this computer, then unlock it using your most recent password or smart card."

  • The devices are exclusively joined to Entra ID / Intune.
  • The devices are not necessarily on the same network as the Active Directory.

What we tried (without success):

  • Cleared the Credential Manager on the devices.
  • Created the following Configuration Profile in Intune :
    OMA-URI: ./Device/Vendor/MSFT/PassportForWork/<tenantID>/Policies/UseCloudTrustForOnPremAuth
    Data type: Boolean
    Value: True
  • Disabled the following key in the registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Winlogon

The notification seems to show up under different circumstances from one device to another. For example, it often appears on one device when opening a Microsoft Office desktop app and almost randomly on another.

We communicated with Microsoft to help us get rid of the following fields in Entra ID, but it can only be done for the whole tenant, so we need to wait until the transition is over:

On-premises sync enabled
On-premises last sync date time
On-premises distinguished name
On-premises immutable ID
On-premises provisioning errors
On-premises SAM account name
On-premises security identifier
On-premises user principal name
On-premises domain name

I'm probably missing some information so ask away if you have any questions.

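The two-step conversion described in the question (take the account out of the Entra Connect sync scope so the Entra ID object is deleted, then restore the soft-deleted object), driven from PowerShell. This is an added example by the editor, not code from the original post or from Microsoft. It assumes the Microsoft.Graph, ActiveDirectory and ADSync modules are installed, that "unsync" means moving the account to an OU that is excluded from the sync scope (the OU name, server name and user names are placeholders), that the tenant keeps soft-deleted users in the 30-day recycle bin, and that a restored object eventually stops reporting OnPremisesSyncEnabled = True (that end state is an assumption; the script warns if it is not reached within the timeout). The on-premises attributes it reads back are exactly the ones listed in the question.

```powershell
# Added example (not from the original post). Assumptions: Microsoft.Graph, ActiveDirectory and
# ADSync modules present; "unsync" = move the account to an OU outside the Entra Connect scope;
# soft-delete (recycle bin) is in effect. All names below are placeholders.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement

# The on-premises attributes listed in the question, read back from Entra ID.
$OnPremProps = @(
    'OnPremisesSyncEnabled', 'OnPremisesLastSyncDateTime', 'OnPremisesDistinguishedName',
    'OnPremisesImmutableId', 'OnPremisesProvisioningErrors', 'OnPremisesSamAccountName',
    'OnPremisesSecurityIdentifier', 'OnPremisesUserPrincipalName', 'OnPremisesDomainName'
)

function Get-EntraOnPremState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $props = @('Id', 'UserPrincipalName') + $OnPremProps
    Get-MgUser -UserId $UserPrincipalName -Property $props -ErrorAction Stop | Select-Object $props
}

# Step 1 (domain-joined admin host; the delta sync runs on the Entra Connect server):
# move the account out of the sync scope and force a delta sync so Entra ID soft-deletes it.
function Remove-UserFromSyncScope {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$OutOfScopeOU,   # assumed, e.g. 'OU=NoSync,DC=corp,DC=example'
        [Parameter(Mandatory)][string]$ConnectServer   # assumed host name of the Entra Connect server
    )
    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $OutOfScopeOU -ErrorAction Stop
    Invoke-Command -ComputerName $ConnectServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
}

# Step 2: locate the soft-deleted object, restore it, then poll the on-prem attributes
# until the object no longer reports as synced (or the timeout elapses).
function Restore-EntraUserAsCloudOnly {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$TimeoutMinutes = 20   # the question reports ~15 min until the user is back to normal
    )
    # Entra ID may prefix a soft-deleted user's UPN with the object ID, so match on the suffix.
    $deleted = Get-MgDirectoryDeletedItemAsUser -All -Property Id, UserPrincipalName, DeletedDateTime |
        Where-Object { $_.UserPrincipalName -like "*$UserPrincipalName" }
    if (-not $deleted) {
        throw "No soft-deleted user matching $UserPrincipalName; run step 1 and wait for the delta sync first."
    }
    if (@($deleted).Count -gt 1) {
        throw "Ambiguous match for ${UserPrincipalName}: $(@($deleted).Id -join ', ')"
    }

    Restore-MgDirectoryDeletedItem -DirectoryObjectId $deleted.Id -ErrorAction Stop | Out-Null

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $state = Get-EntraOnPremState -UserPrincipalName $UserPrincipalName
        if ($state.OnPremisesSyncEnabled -ne $true) { return $state }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    Write-Warning "$UserPrincipalName still reports OnPremisesSyncEnabled=$($state.OnPremisesSyncEnabled) after $TimeoutMinutes min"
    return $state
}

# Usage (placeholder names):
# Connect-MgGraph -Scopes 'User.ReadWrite.All'
# Remove-UserFromSyncScope -SamAccountName 'jdoe' -OutOfScopeOU 'OU=NoSync,DC=corp,DC=example' -ConnectServer 'AADC01'
# ... wait for the delta sync to delete the object (check with Get-MgDirectoryDeletedItemAsUser) ...
# Restore-EntraUserAsCloudOnly -UserPrincipalName 'jdoe@corp.example' | Format-List
```

Restore-MgDirectoryDeletedItem needs the soft-deleted object to exist, so the script refuses to continue when nothing matches or when more than one object matches; that guard matters because restoring the wrong object re-attaches a stale identity, and the on-premises attributes the question lists (immutable ID, SID, SAM account name) come back with it. Run Get-EntraOnPremState before and after the conversion and keep both outputs; they are the evidence you want when a device later complains about credentials.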

1 answer

Crystal-MSFT 46,266 Reputation points Microsoft Vendor
2024-07-25T01:52:27.0333333+00:00

@Mike Gaum, Thanks for posting in Q&A. I am not familiar with converting the users, but from the Intune side, if the device was enrolled before, I think it is Microsoft Entra hybrid joined. To change to Microsoft Entra join, I think we need to unenroll the device and enroll it again with another enrollment method, such as Windows Autopilot with Microsoft Entra join or automatic enrollment + Microsoft Entra join.

https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-windows

Hope the above information can give you some help.


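The answer turns on whether the device is Microsoft Entra joined or Microsoft Entra hybrid joined, and the question states the devices are Entra joined only. Rather than taking either on trust, the following device-side check settles it. It is an added example by the editor, not code from either participant: it runs dsregcmd /status on the affected device, parses the "Name : Value" lines into a table, derives the join type from AzureAdJoined and DomainJoined, reports whether the signed-in user holds a Primary Refresh Token (AzureAdPrt), and reads the Winlogon toast registry key named in the question. Assumptions: dsregcmd.exe is present (Windows 10/11), and the DWORD value under that key is named Enabled with 0 meaning suppressed.

```powershell
# Added example (not from the thread). Run on the affected device as the signed-in user;
# dsregcmd /status prints per-user fields (e.g. AzureAdPrt) for the calling user.
# Assumptions: dsregcmd.exe exists and prints "Name : Value" lines; the toast key from the
# question uses an "Enabled" DWORD where 0 = suppressed.

function Get-DsregStatus {
    # Parse "Name : Value" lines into a hashtable; section banners (+----) do not match.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Get-JoinType {
    param([Parameter(Mandatory)][hashtable]$Status)
    $entra  = $Status['AzureAdJoined'] -eq 'YES'
    $domain = $Status['DomainJoined']  -eq 'YES'
    if ($entra -and $domain) { return 'HybridEntraJoined' }   # what the answer suspects
    if ($entra)              { return 'EntraJoined' }         # what the question states
    if ($domain)             { return 'DomainJoinedOnly' }
    return 'NotJoined'
}

function Get-WinlogonToastState {
    # The key the question disabled; "Enabled" value name is an assumption.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Winlogon'
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $enabled) { return 'Default (not set, toast enabled)' }
    if ($enabled -eq 0)     { return 'Disabled' }
    return 'Enabled'
}

function Get-DeviceIdentitySummary {
    $s = Get-DsregStatus
    [pscustomobject]@{
        JoinType         = Get-JoinType -Status $s
        TenantId         = $s['TenantId']
        DeviceId         = $s['DeviceId']
        EnterpriseJoined = $s['EnterpriseJoined']
        AzureAdPrt       = $s['AzureAdPrt']   # NO = no Primary Refresh Token for this user
        AzureAdPrtExpiry = $s['AzureAdPrtExpiryTime']
        WinlogonToast    = Get-WinlogonToastState
    }
}

Get-DeviceIdentitySummary | Format-List
```

If JoinType comes back EntraJoined with AzureAdPrt = YES, the re-enrollment the answer proposes would not change anything about the join; if it comes back HybridEntraJoined, the answer's diagnosis holds and the device still depends on the on-premises domain. Collect this output from one device that shows the toast and one that does not before changing enrollment.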