Questions to tighten alignment in this scenario-
- What do you mean by "I can't auth to domain joined devices with my hybrid identity"?
- is it only Entra joined?
- What kind of trust you have between EntraID and AD?
Entra Join auth to Domain
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 10%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZR%3C/text%3E%3C/svg%3E)
Zane Rodman
86
Reputation points
I've got a scenario I've not seen before. Essential I windows autopilot an entra join windows device 24h2 and all is good. When I login for the first time after user esp, I can't auth to domain joined devices with my hybrid identity.
Prt all looks good and no windows hello for business.
Klist is empty.
Logging off and back on fixes the issue, so it is the first login that is problematic.
I'm unsure what steps at this stage can be done aside from Wireshark or checking audit logs. I'm keen to resolve as I'd like to incorporate further workflows that tie to on prem (SMB, etc).
Thoughts anyone? I'm going to spend more time looking into it although considering whfb, although this id like to fully understand first.
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
1 answer
Sort by: Most helpful
-
Mukesh Agarwal 65 Reputation points2025-07-28T08:47:54.19+00:00 -
Zane Rodman 86 Reputation points
2025-07-28T23:20:17.48+00:00 Devices: Entra Hybrid
Trust: PRT
OS: W11 24H2
Issue: After OOBE and first sign in, auth to Hybrid resources (i.e., printer.contoso.com:445) requires username and password.
Workaround: Lock and unlock (entering password) resolves
-
Mukesh Agarwal 65 Reputation points
2025-11-13T10:03:06.98+00:00 Lost the track of this, hopefully this is resolved by now.
Sign in to comment -