Windows 10: Windows Hello For Business Cloud Trust

I am running into 2 issues that would love some clarity on:- 1 computer I am unable to setup a pin on. Keep getting the error during step up auth after entering my credentials to receive the 2fa prompt it fails with "Unable to get a token using the Web Account Manager. Error Unknown HResult Error Code 0x801c044fHas anyone run into this before, registration on laptop appears to work with no issue.- How does Windows Hello for Business registration work for secondary users of a laptop?I was able to successfully register my primary user but the secondary user never get's prompted after login by th

:)

 

Deploy Windows Hello for Business Cloud Trust using Intune

Hi,

I am deploying WHfB Cloud Trust in Hybrid Azure AD. I followed the Microsoft Documentation: Windows Hello for Business Cloud Kerberos trust deployment

First I tried using GPO and it works well. I can see the event 358 saying WHfB cloud trust is enabled and the computer got the TGT ticket. Everything works fine.

But then I removed the GPO and tried using Intune. The users are prompted to create the PIN and they are able to log in but it fails randomly. I checked the event viewer and now in the event 358 it says that Cloud Trust is not enabled and the TGT ticket is "not tested"

Both the configuration profiles in Intune (enablement with OMA uri and PIN Reqs) are applied, the state is "Succeded" for the computers. Why is Cloud Trust not enabled? I guess everything is ok in AD and the computer as when I enable the GPO it works fine and I can see how the secret is stored and read in Azure AD. Thanks

Regards.

 

Deployed Windows hello for Business with cloud trust, Forti does not recognize the affected users's login

Hello guys!

I hope you're all doing great!

So, I have deployed Windows Hello for Business using Cloud Trust Authentication on a client's environment (I had previously Hybrid domain joined their users and devices and subsequently deployed co-management as they have config manager). We went through all the steps as per described by MS Docs and the deployment worked as expected: One would login to the device and then never had any other form of authentication requested again (Upon accessing to MS 365 apps).

So far so good, but little did I know the client has Forti Guard for proxied addresses. After some investigation on their side, they concluded that Forti guard cannot read the security event for Logon 4624, so when the user tries to access anything that isn't related to MS (They whitelisted all MS Services IP's) they would get a certificate error as Forti Guard does not have any registered user for that logon (The one performed through Windows hello for business).

Is there any chance that since the authentication is happening on the Cloud, on prem services is not seeing it? I reckon that having AD Connect synchronize both domains (cloud + on prem) should prevent this from happening but maybe there's something we are not seeing here.

Thank you very much in advance!

 

Vpn ( trusted Vpn)

Hi everyone.
I am not an expert about Vpn and that's why I would like to know if someone could list me a few trusted Vpns, I would really appreciate any suggestion/ advice.

Thanks.