AD FS on-premises device registration blocks Windows Phone 8.1 users in Intune


When users try to sign in to the Company Portal app for Windows Phone 8.1, the attempt may fail. This problem occurs if the users' IT pro has enabled AD FS on-premises device registration. This sign-in failure is recorded as a user cancellation error in the Company Portal log.


The Windows Phone 8.1 Company Portal app uses an OS component that's named the Web Authentication Broker (WAB). This component handles delegated Web login attempts. When AD FS on-premises device registration is enabled, it modifies the AD FS global authentication policy to optionally support device authentication. This, in turn, causes authentication attempts to request client certificates. Because the WAB does not support client certificate authentication, the Web login redirects to the AD FS server, and the WAB cancels the login attempt with a “user canceled” error.


To unblock Intune access for Windows Phone 8.1 users, the IT pro must assign a False value to the DeviceAuthenticationEnabled setting in the AD FS global authentication policy. If your enterprise requires this setting to be enabled, direct your users to the web-based Company Portal experience at
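As an added example that is not part of the original article, the following PowerShell (run on the AD FS server, with the ADFS module assumed to be available) checks the current global authentication policy and applies the DeviceAuthenticationEnabled change described above, then verifies it:

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the AD FS server; the ADFS module is assumed to be installed.
Import-Module ADFS

# 1. Record the current global authentication policy before changing anything.
$before = Get-AdfsGlobalAuthenticationPolicy
Write-Host ("DeviceAuthenticationEnabled before: {0}" -f $before.DeviceAuthenticationEnabled)

if ($before.DeviceAuthenticationEnabled) {
    # 2. Turn off device authentication so AD FS stops requesting client
    #    certificates, which the Windows Phone 8.1 WAB cannot present.
    Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $false

    # 3. Re-read the policy to confirm the change took effect.
    $after = Get-AdfsGlobalAuthenticationPolicy
    if ($after.DeviceAuthenticationEnabled) {
        throw "DeviceAuthenticationEnabled is still True after the change."
    }
    Write-Host "DeviceAuthenticationEnabled is now False."
} else {
    Write-Host "Device authentication is already disabled; no change made."
}
```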

