I ran into an issue with an endpoint where after resetting the device (using an InTune Wipe) it wasn’t able to connect to Azure AD related resources.
The root cause turned out to be Credential Manager — any time I get Azure AD broker issues, I check these things
- TPM is active and happy (tpm.msc)
- Credential Manager can open
- Azure AD Broker logs
Resolving the Credential Manager issue
To resolve the error below, I had to reference an old Windows 8.1 article which suggested putting a temporary key into the Registry to revert it back to the backup master key.
The registry key was HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb . Create a new entry with the name ProtectionPolicy and set it to 1.
After opening Credential Manager once, I could remove this key again.
Credential Manager "An error occurred while performing this action." Error code: 0x8009034 The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.
The source of this issue was a Microsoft Knowledgebase issue.
Side effects
The following areas of Windows & Office were also failing due to the Credential Manager issue:
Azure AD Authentication failing
The Azure VPN Client was hanging on the Connecting... status after picking an account from the Windows Account Manager.
Outlook not opening
Received the following message when trying to open Outlook:
Cannot start Microsoft Outlook. Cannot open the Outlook window. The set of folders cannot be opened. The file C:\Users\<user>\AppData\Local\Microsoft\Outlook\<userfile>.ost cannot be accessed. You must connect to Microsoft Exchange at least once before you can use your Outlook data file (.ost).
Error logs in Azure AD Broker (AAD BrokerPlugin)
I saw two main errors in the Microsoft-Windows-AAD/Operational log:
Error: 0x8AA50014 Error happened while writing the file.
and Encryption failed (HRESULT: 0x80090034)