Hello,
The Primary Refresh Token (PRT) is a JSON Web Token (JWT) used by Windows 10 and later devices for single sign-on (SSO) to Microsoft Entra ID resources and applications. The PRT is created when a user signs in on their device and is then used to request access tokens for various resources.
The default validity period of a PRT token is 14 days. After this period, the PRT needs to be refreshed to maintain continuous access to resources.
The PRT is designed to be updated regularly as long as the device is connected to the internet. This typically happens every 4 hours through a background network authentication process.
If a device is not used for an extended period (e.g., an employee is on leave or the device is a shared PC that isn't used regularly), the PRT token will not be updated. When the user returns, they might find the PRT has expired if the device has been offline for more than 14 days.
Steps to Renew PRT Manually
- Connect to the Internet: Ensure the device is connected to the internet.
- Sign In with Password: To manually trigger the renewal of the PRT, the user needs to sign in to Windows using their password, not the Windows Hello for Business method (PIN or biometrics).
- Lock and Unlock the Device: Lock the device (Windows + L) and then unlock it to force a network authentication that attempts to renew the PRT.
- Check PRT Status:
  • Open Command Prompt as an administrator.
  • Run the command:
      dsregcmd /status
  • Look for the AzureAdPrt section. The AzureAdPrtUpdateTime field should indicate the last time the PRT was updated.
Impact on Authentication
With cloud Kerberos trust, the PRT is crucial for SSO. If the PRT is expired or invalid, the user may be prompted for additional authentication.
Important Considerations
• Network Connectivity: Ensure reliable internet access during the manual renewal process.
• Device Policies: Ensure there are no group policies or configurations that prevent background PRT renewal.
Best regards
Yanhong
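The status check in the last step can be scripted for help-desk or fleet use. The PowerShell function below is an added example, not part of the original answer or of Microsoft's tooling; the name Get-PrtFreshness, its parameters and the sample lines are constructed for illustration. It assumes the AzureAdPrt, AzureAdPrtUpdateTime and AzureAdPrtExpiryTime fields appear as "Name : Value" with timestamps in the form shown in the sample.

```powershell
# Added example: summarize PRT freshness from `dsregcmd /status` output.
# The 4-hour default is the background refresh interval the answer describes.
function Get-PrtFreshness {
    param(
        [string[]]$StatusLines,                 # one element per output line
        [datetime]$NowUtc = [datetime]::UtcNow,
        [double]$StaleAfterHours = 4
    )
    # Collect "Name : Value" pairs; banner lines starting with + or | never match.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s+:\s+(.*\S)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $result = [ordered]@{ State = 'NoPrt'; UpdateTimeUtc = $null; ExpiryTimeUtc = $null; HoursSinceUpdate = $null }
    if ($fields['AzureAdPrt'] -ne 'YES') { return [pscustomobject]$result }

    # Assumed timestamp form: "2024-05-01 08:12:33.000 UTC"
    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $map = [ordered]@{ AzureAdPrtUpdateTime = 'UpdateTimeUtc'; AzureAdPrtExpiryTime = 'ExpiryTimeUtc' }
    foreach ($name in $map.Keys) {
        $parsed = [datetime]::MinValue
        $text = "$($fields[$name])" -replace '\s*UTC$', ''
        if (-not [datetime]::TryParseExact($text, 'yyyy-MM-dd HH:mm:ss.fff',
                [cultureinfo]::InvariantCulture, $styles, [ref]$parsed)) {
            $result.State = 'Unknown'           # PRT present, timestamp missing or unreadable
            return [pscustomobject]$result
        }
        $result[$map[$name]] = $parsed
    }
    $result.HoursSinceUpdate = [math]::Round(($NowUtc - $result.UpdateTimeUtc).TotalHours, 1)
    $result.State = if ($NowUtc -ge $result.ExpiryTimeUtc) { 'Expired' } elseif (
        $result.HoursSinceUpdate -gt $StaleAfterHours) { 'Stale' } else { 'Fresh' }
    return [pscustomobject]$result
}

# Constructed sample (not captured from a real device): a PC that was offline
# past the 14-day validity window.
$sample = @(
    '| SSO State                                            |',
    '                AzureAdPrt : YES',
    '      AzureAdPrtUpdateTime : 2024-05-01 08:12:33.000 UTC',
    '      AzureAdPrtExpiryTime : 2024-05-15 08:12:33.000 UTC'
)
$now = [datetime]::new(2024, 5, 20, 9, 0, 0, [System.DateTimeKind]::Utc)
Get-PrtFreshness -StatusLines $sample -NowUtc $now

# On a live device: Get-PrtFreshness -StatusLines (dsregcmd /status)
```

A 'Stale' result only means the last update is older than the threshold, which is normal after the device has been asleep or offline; 'Expired' is the case where the password sign-in described above is needed.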