Merge branch 'main' into patch-3

2025-06-18 11:53:37 +00:00 · 2022-09-12 08:22:05 -04:00
parent 61850f305a 54a89e7de9
commit 19e94c62c2
34 changed files with 101 additions and 208 deletions
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@ -69,9 +69,7 @@ If the error occurs again, check the error code against the following table to s
 | 0x801C044D | Authorization token does not contain device ID.                    | Unjoin the device from Azure AD and rejoin. |
 |            | Unable to obtain user token.                                       | Sign out and then sign in again. Check network and credentials. |
 | 0x801C044E | Failed to receive user credentials input.                          | Sign out and then sign in again. |
-| 0xC00000BB | Your PIN or this option is temporarily unavailable.| The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client can not reach the CRL endpoints. Use a different login method.|
-
-
+| 0xC00000BB | Your PIN or this option is temporarily unavailable.                | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client can not verify the KDC certificate CRL. Use a different login method.|

 ## Errors with unknown mitigation

@ -100,6 +98,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
 | 0x801C03F1  | There is no UPN in the token. |
 | 0x801C044C  | There is no core window for the current thread. |
 | 0x801c004D  | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Azure Active Directory token for provisioning. Unable to enroll a device to use a PIN for login. |
+| 0xCAA30193  | HTTP 403 Request Forbidden: it means request left the device, however either Server, proxy or firewall generated this response. |

 ## Related topics

--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
@ -63,6 +63,11 @@ The following scenarios aren't supported using Windows Hello for Business cloud
 - Using cloud trust for "Run as"
 - Signing in with cloud trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity

+> [!NOTE]
+> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with Cloud Trust or FIDO2 security keys.
+> 
+> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,\<domain-DN\>).
+
 ## Deployment Instructions

 Deploying Windows Hello for Business cloud trust consists of two steps:
@ -256,4 +261,4 @@ Windows Hello for Business cloud trust cannot be used as a supplied credential w

 ### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud trust?

-No, only the number necessary to handle the load from all cloud trust devices.
+No, only the number necessary to handle the load from all cloud trust devices.