This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 40%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBN%3C/text%3E%3C/svg%3E)
Hi all, we recently deployed CBA for pretty much all Microsoft related services, including Intune device management. Obviously there are carveouts for specific cases that allow enrollment of the device, but beyond that, it seems like many windows devices are not able to maintain the connection to Intune due to CBA. The first symptom seen was that Outlook (signed in via some connection that Windows makes by being enrolled) throws up an error 2400 like the screenshot attached. On the Entra side, we see a Sign-in error code 500187, and the Conditional Access failure is as attached. During this time, the user is still able to use web-based Microsoft apps in the browser. On the device authenticating there are both a Device and a User certificate assigned to Client Authentication, and the Device certificate also does server authentication and secure email. Syncing Company Portal can fix the issue temporarily, but the problem often returns. At some point, the company portal sync solution will fail, at which point we'll revoke all sessions and then logging into Outlook anew fixes the issue. If you need more information, I will provide what I can
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 26%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Hi @Brandon NoletThank you for posting this in Microsoft Q&A.
Based on the information you provided, it seems that the issue is related to the device's ability to maintain a connection to Intune due to CBA. The error message you mentioned, "Sign-in error code 500187", indicates that the Selected certificate does not meet the criteria. This error occurs if the certificate provided does not meet the conditions of the authentication strength policy.
One possible cause of the issue could be related to the certificates that are assigned to the device for client authentication. It's possible that the certificates are not valid or have expired.
To better understand the issue, could you please share a screenshot of the error messages and sign-in logs with us?
Thanks,
Navya
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Navya, so we verified that all the certificates are correct in this case and it seems that this issue was resolved simply by switching from requiring specifically certificate-based authentication to phishing-resistant authentication with all other conditional access parameters being the same.
We're not sure why this fixed the issue but we've opened a ticket with Microsoft to investigate further. I'll try to remember to update this thread in case there was any information that can be gleaned from the case.
Hi @Brandon Nolet Thank you for sharing the update on this issue.