Why is cloud trust for onpremises auth policy set to No

Acedan 50 Reputation points
2023-05-20T14:35:48.5233333+00:00

I have enabled Cloud Key Trust and set the configuration policy for on-premises auth policy.

Looking at the User Device Registration logs, it appears that the policy is not applying and the browsing of OnPrem shares is not working.

Event Log 358

Windows Hello for Business provisioning will be launched.

Device is AAD joined ( AADJ or DJ++ ): Yes

User has logged on with AAD credentials: Yes

Windows Hello for Business policy is enabled: Yes

Windows Hello for Business post-logon provisioning is enabled: Yes

Local computer meets Windows hello for business hardware requirements: Yes

User is not connected to the machine via Remote Desktop: Yes

User certificate for on premise auth policy is enabled: No

Machine is governed by none policy.

Cloud trust for on premise auth policy is enabled: No

User account has Cloud TGT: Not Tested

1.) dsregcmd - NGCSet = Yes

2.) Re-registered hello for business - certutil - DeleteHelloContainer

3.) Azure Ad Joined


Any advice on what I may be missing or troubleshooting steps?


Accepted answer
  1. Nagappan Veerappan 651 Reputation points Microsoft Employee
    2023-06-01T14:50:12.58+00:00
    @Acedan - I am not sure you have completed Step 1 below. Please check and let me know.

    Cloud trust enabled with two steps for on-prem access

    1. First, at your AD, create Kerberos server keys to issue TGTs from the cloud that are accepted at your AD. (Don't test with a user account in an AD protected group. A normal user in AD without any AD privileged groups works.)
      https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module
    2. Enable policy for end clients (GPO for HAADJ or Intune policy for AADJ/HAADJ) to trigger Cloud trust.

    PS: Users who are already in "Key trust" would automatically migrate to "Cloud trust" once enabled. If you have had certificate trust, you need to delete and re-provision for cloud trust.

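    A verification script for the two steps in the answer above, as an added example that is not part of this thread or of Microsoft's own tooling. It assumes the AzureADHybridAuthenticationManagement module is installed; the domain name and tenant ID are placeholders, and the cmdlet names, the dsregcmd fields and the OMA-URI are the ones Microsoft documents for cloud Kerberos trust.

```powershell
# Added example, not from the thread. Placeholders: replace with your own values.
$Domain   = 'corp.example.com'                             # placeholder on-prem AD DNS name
$TenantId = '00000000-0000-0000-0000-000000000000'         # placeholder Entra tenant ID

# --- Step 1 check (run on a domain-joined admin workstation) ---
# Does AD already hold the Azure AD Kerberos server object that lets cloud TGTs
# be accepted on-prem? If not, Set-AzureADKerberosServer has never been run.
function Test-CloudTrustStep1 {
    Import-Module AzureADHybridAuthenticationManagement -ErrorAction Stop
    $domainCred = Get-Credential -Message 'On-prem Domain Admin'
    $cloudCred  = Get-Credential -Message 'Entra ID Global Administrator'
    $krb = Get-AzureADKerberosServer -Domain $Domain `
                                     -CloudCredential $cloudCred `
                                     -DomainCredential $domainCred
    if (-not $krb) {
        Write-Warning "No Kerberos server object for $Domain - step 1 is missing."
        return $false
    }
    $krb | Format-List          # shows key version / last rotation for the object
    return $true
}

# --- Step 2 check (run on the affected client as the test user) ---
# The Intune setting the answer refers to is delivered through this OMA-URI
# (Boolean, value true); the tenant ID must match dsregcmd's TenantId:
#   ./Device/Vendor/MSFT/PassportForWork/$TenantId/Policies/UseCloudTrustForOnPremAuth
function Test-CloudTrustStep2 {
    $status = dsregcmd /status
    # Expect AzureAdJoined : YES, OnPremTgt : YES and CloudTgt : YES once the
    # policy applies; a 'No' for cloud trust in Event 358 means the policy
    # above has not reached the device.
    $status | Select-String -Pattern 'TenantId|AzureAdJoined|OnPremTgt|CloudTgt|KerbTopLevelNames'
    # Lists the cloud Kerberos ticket state the client currently holds.
    klist cloud_debug
}
```

    Run Test-CloudTrustStep1 against the domain first; only when it returns $true is the client-side output of Test-CloudTrustStep2 meaningful.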

2 additional answers

  1. Patchfox 3,811 Reputation points
    2023-05-20T15:08:46.2533333+00:00

    Hi Acedan, I want to help you with these questions.

    Did you already check out this video?

    https://www.youtube.com/watch?v=66I2P6XjTyY&ab_channel=CloudManagement.Community

    I would guess that you can solve your problem with it.
    Check all the steps against your config.
    Maybe you forgot something small in the AD part.
    Also, verify that the tenant ID and the rest of the OMA-URI are correct.


    If the reply was helpful, please don’t forget to upvote or accept it as an answer, thank you.


  2. Acedan 50 Reputation points
    2023-05-31T12:29:01.1133333+00:00

    Thanks for checking in Givary.

    I confirmed that the convenience PIN policy is Not Configured.

    Domain Controllers are a mix of 2016 and 2019 with the latest patches.

    I see the same issue with another machine with the same configuration.

    This is a POC and hasn't worked ... yet.

    Issue still persists.

    More than happy to work with the support team.