Thank you for your post and I apologize for the delayed response!
Error Message:
We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your org's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.
I understand that you're trying to implement Windows Hello for Business cloud Kerberos trust so your users can use WHFB to access local resources. However, when trying to log in you're running into the error message above, and when modifying the msDS-NeverRevealGroup property you're still unable to log in.
To gain a better understanding of your issue, were you able to follow the Configure and provision Windows Hello for Business - cloud Kerberos trust documentation as well?
- If you followed the documentation and configured the cloud Kerberos trust policy, can you make sure that the "Use certificate for on-premises authentication" policy is disabled? If the "Use certificate for on-premises authentication" policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines on which you want to enable cloud Kerberos trust have this policy not configured or disabled.
I hope this helps!
Additional Links:
- Hybrid Azure AD w/ Windows Hello - Similar issue
- Configure single sign-on for Azure AD joined devices
- Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
If you're still having issues and want to work closer with our support team, please let me know and I can enable a one-time free technical support request for your subscription to get this issue resolved.
Thank you for your time and patience throughout this issue.