Fix: Force Full Sign-In Cycle Post-Provisioning
- Have the user sign out and sign in again
- A full interactive sign-out and sign-in (not just lock/unlock, which only resumes the existing session) runs the logon sequence that requests the Primary Refresh Token (PRT) and registers the account with the Web Account Manager (WAM).
- This restores SSO across apps.
- Clear stale Credential Manager entries (the "WAM cache" step)
Sometimes stale stored credentials keep an old token set in use and block SSO. List what is stored, then delete the entry for the Azure AD resource:
cmdkey /list
cmdkey /delete:<AzureAD resource>
Use the exact Target name printed by cmdkey /list. Note that cmdkey only edits Windows Credential Manager; WAM's own token broker cache is not touched by it, so restart the device afterwards (or repeat the full sign-out/sign-in above) so the broker re-initialises.
- Verify WHfB and SSO Readiness
Run dsregcmd /status in the context of the signed-in user (a non-elevated prompt; an elevated prompt opened as a different admin account, or one run as SYSTEM, reports that account's User State and SSO State instead) and check these fields:
- Device State: AzureAdJoined : YES
- SSO State: AzureAdPrt : YES
- User State: NgcSet : YES (a WHfB key exists for the user) and WamDefaultSet : YES
If AzureAdPrt or NgcSet is still NO after the user has signed in interactively, the sign-in cycle is incomplete: the PRT was not issued or the WHfB key was never set, and apps will not get SSO.
- Optional: Disable WHfB during pre-provisioning
If this issue is widespread, consider disabling WHfB setup during pre-provisioning and letting users enrol after their first sign-in. This avoids the WHfB key being created before the user's own PRT exists, which is the token misalignment behind this symptom.
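The two checks in this fix (what cmdkey /list shows and which dsregcmd /status fields are YES), as an added PowerShell example; this is not code from the original page or from Microsoft. It parses a constructed sample of both tools' output by default so it runs anywhere, and queries the real device when started with -Live. The field names AzureAdJoined, AzureAdPrt, NgcSet and WamDefaultSet are assumed to match what current Windows builds print; the function names are this example's own.

```powershell
# Added example (not from the original page): check PRT/WHfB readiness from
# dsregcmd /status and list Credential Manager targets that cmdkey /delete takes.
# Assumed dsregcmd field names: AzureAdJoined, AzureAdPrt, NgcSet, WamDefaultSet.
[CmdletBinding()]
param([switch]$Live)   # -Live queries this device instead of the constructed samples

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # dsregcmd prints "   Key : Value" rows under "| Section |" banners; banners
    # and "+----+" rules have no "Key : Value" shape and are skipped.
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-SsoReadiness {
    param([Parameter(Mandatory)][hashtable]$Status)
    $required = [ordered]@{
        AzureAdJoined = 'Device State: device is Azure AD joined'
        AzureAdPrt    = 'SSO State: a Primary Refresh Token was issued at sign-in'
        NgcSet        = 'User State: a Windows Hello for Business key exists for this user'
        WamDefaultSet = 'User State: WAM has a default work account to hand tokens to'
    }
    $problems = @()
    foreach ($key in $required.Keys) {
        if (-not $Status.ContainsKey($key)) {
            # User/SSO sections are absent when dsregcmd runs as another account or SYSTEM
            $problems += "$key not in output ($($required[$key])); run dsregcmd /status as the signed-in user"
        } elseif ($Status[$key] -ne 'YES') {
            $problems += "$key = $($Status[$key]) ($($required[$key]))"
        }
    }
    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

function Get-StoredCredentialTarget {
    # Read-only: pull the "Target:" names out of cmdkey /list output. These are
    # Windows Credential Manager entries, not the WAM token broker cache.
    param([Parameter(Mandatory)][string[]]$Lines, [string]$Pattern = '.')
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$' -and $Matches[1] -match $Pattern) { $Matches[1] }
    }
}

# Constructed sample: a device straight after pre-provisioning where the user
# has signed in but neither the PRT nor the WHfB key is in place.
$sampleDsreg = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
             WamDefaultSet : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"

# Constructed sample of cmdkey /list (user and target values are made up).
$sampleCmdkey = @'
Currently stored credentials:

    Target: WindowsLive:target=virtualapp/didlogical
    Type: Generic
    User: 02abcdef12345678
    Local machine persistence

    Target: LegacyGeneric:target=SSO_POP_Device
    Type: Generic
    User: 01234567-89ab-cdef-0123-456789abcdef
'@ -split "`r?`n"

$dsregLines  = if ($Live) { dsregcmd /status } else { $sampleDsreg }
$cmdkeyLines = if ($Live) { cmdkey /list }     else { $sampleCmdkey }

$result = Test-SsoReadiness -Status (ConvertFrom-DsregStatus -Lines $dsregLines)
if ($result.Ready) { 'SSO ready: AzureAdJoined, AzureAdPrt, NgcSet and WamDefaultSet are all YES' }
else { 'Sign-in cycle incomplete:'; $result.Problems | ForEach-Object { "  - $_" } }

'Stored credential targets (decide which one is the <AzureAD resource> before running cmdkey /delete):'
Get-StoredCredentialTarget -Lines $cmdkeyLines | ForEach-Object { "  $_" }
```

With the constructed sample the script reports AzureAdPrt = NO and NgcSet = NO, which is exactly the incomplete sign-in cycle the fix above addresses; run it again with -Live after the user's full sign-out/sign-in and the Ready result should flip to True. The Credential Manager listing is deliberately read-only so that nothing is deleted until you have matched a Target to the resource in the cmdkey /delete step.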