Azure AD, Windows Printer Shares and Authentication: Can't browse to printer when signed in with Windows Hello PIN

Lachlan Follett 1 Reputation point
2022-08-03T03:52:09.027+00:00

Environment:
Client: Intune managed, Azure AD Joined workstations using Windows Hello to sign in.
Server: AD domain Joined Windows 2016 server hosting printer queue share, e.g. \\server\printer
The ADDS domain is synced to Azure AD via ADConnect

We have a print queue share on a Windows 2016 server that is joined to Azure AD.
We have a script that:

The result is strange:

If a user has signed in to the workstation with either PIN or Face Unlock, then the attempt to connect to the print queue fails with 1265 The system cannot contact a domain controller to service the authentication request. Please try again later. Using explorer to browse to \\servername and then right-click the printer share and choose connect, we get a PIN prompt that is unsuccessful even if the correct PIN is entered.

If a user has instead signed in to the workstation using their password, the connection goes through perfectly and the printer is added successfully by the script.

We are unsure what to look at next regarding how the PIN logged in machine authenticates against the share on the domain joined machine.

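A diagnostic script for capturing both halves of this symptom on one workstation, added here and not the poster's own script: it records the session's Kerberos SSO state from `dsregcmd /status` and the Win32 error that SMB authentication to the print server returns. It assumes the share UNC from the question (`\\server\printer`); run it once in a PIN or Face sign-in session and once in a password session, then compare the two reports.

```powershell
<#
  Added diagnostic (not the poster's script). Assumes the share UNC from the
  question; every other value is read live from the workstation.
#>
param(
    [string]$ConnectionName = '\\server\printer'
)

function Get-SsoState {
    # dsregcmd /status reports whether this session holds an on-prem and/or
    # cloud Kerberos TGT (SSO State section). Missing fields read as 'n/a'.
    $text = (dsregcmd /status) -join "`n"
    $get = {
        param($key)
        if ($text -match "$key\s*:\s*(\S+)") { $Matches[1] } else { 'n/a' }
    }
    [pscustomobject]@{
        AzureAdJoined = & $get 'AzureAdJoined'
        DomainJoined  = & $get 'DomainJoined'
        OnPremTgt     = & $get 'OnPremTgt'
        CloudTgt      = & $get 'CloudTgt'
    }
}

function Test-ShareAuth {
    param([string]$Unc)
    # Connecting to IPC$ exercises the same SMB authentication the printer
    # connection needs, and net use prints the Win32 error code as text.
    $server = ($Unc -split '\\')[2]
    $output = (cmd /c "net use \\$server\IPC`$ 2>&1") -join "`n"
    $code = if ($output -match 'System error (\d+)') { [int]$Matches[1] } else { 0 }
    if ($code -eq 0) { cmd /c "net use \\$server\IPC`$ /delete" | Out-Null }
    [pscustomobject]@{ Server = $server; Win32Error = $code; Detail = $output.Trim() }
}

$sso  = Get-SsoState
$auth = Test-ShareAuth -Unc $ConnectionName
$sso  | Format-List
$auth | Format-List

# A session with no on-prem TGT cannot authenticate to the domain-joined
# server with Kerberos; seeing that together with error 1265 in the PIN
# session but not in the password session localises the problem to the
# sign-in method rather than to the print server or the share.
if ($auth.Win32Error -eq 1265 -and $sso.OnPremTgt -eq 'NO') {
    Write-Warning 'No on-prem Kerberos TGT in this session; compare with a password sign-in.'
}
```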

1 answer

  1. Limitless Technology 39,931 Reputation points
    2022-08-03T15:22:21.383+00:00

    Hello,

    Most likely there is some issue with the credential token for those users.

    1] Reboot the system with no network connectivity
    2] Remove the user from the protected user group
    3] Using Security policy snap-in
    Go to Security Settings >> Local Policies >> Security Options.
    On the right-pane, locate the policy Interactive logon: Number of previous logons to cache (in case domain controller is not available) and double-click it to change its value. Change the value of “Do not cache logons” to 0.
    4] Verify or change the DNS server address
    6] Remove corrupted profile from registry editor (check in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList if there is a .BAK profile and delete it)
    7] At login screen re-enter the NETBIOS domain login as DOMAIN\Username, instead of just username.

    -------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--

