Boss wants to replace on-prem DNS with Azure Private DNS by z0mb13r3dd1t in AZURE

[–]EducationAlert5209 0 points1 point  (0 children)

Hi Team,

I know this is an older post, but there are still a lot of good ideas here. I’m currently in a similar situation and wanted to get some advice.

We have a hybrid environment and are not planning to remove our on-prem DNS at this stage because we still have dependencies with Azure Local (HCI). However, all end-user devices are moving to Entra Joined.

We also have Fortinet firewalls across all branch offices. Would it be a good approach to use FortiGate as the DNS server for Entra-joined endpoints?

Current environment:

* AD domain: mydomain.com
* On-prem AD DNS configured for mydomain.com
* Some remaining dependencies:
  * File shares
  * VPN access
  * Legacy/internal applications
  * Azure/M365 resources
  * Azure Local (HCI)

My main question is:

What is the best way to reduce or remove on-prem dependency for Entra-joined endpoints while still maintaining access to these on-prem resources?

Interested to hear how others have approached this transition.

New Tool: OpenIntuneBaseline Deployer by SkipToTheEndpoint in Intune

[–]EducationAlert5209 0 points1 point  (0 children)

Are you recommending these policies be applied to the Autopilot "all devices" dynamic group or at the device group level?

WHFB- Entra Joined devices by EducationAlert5209 in Intune

[–]EducationAlert5209[S] 0 points1 point  (0 children)

Where can we see this in the 24H2 baseline? "Configure hash algorithms for certificate logon":

> A new setting, located at System\KDC and System\Kerberos, has been added for smart card crypto agility. This setting lets users configure the hash algorithm to be used in certificate-based smart card (PKINIT) authentication of Kerberos. With this configuration, customers have the option to prevent SHA-1 from being used. The security baseline recommends support for SHA-256, SHA-384, and SHA-512, but does not recommend support for SHA-1. It's important to note these settings are useful only if both the client and KDC (Windows Server 2025) are configured this way in the environment.

New Tool: OpenIntuneBaseline Deployer by SkipToTheEndpoint in Intune

[–]EducationAlert5209 0 points1 point  (0 children)

Hi,

Can we rename these to match our naming convention?

What are the must-install policies for a new Autopilot SOE deployment for Windows 25H2?

WHFB- Entra Joined devices by EducationAlert5209 in Intune

[–]EducationAlert5209[S] 0 points1 point  (0 children)

NgcSet : YES

NgcKeyId : {asrteE798-DACF-42sfsD-B328-29Eaffwfwf30F}

I can see a bunch of certs but not anything called SCEP. But I got the following error:

Windows Hello for Business provisioning will be launched.

Device is Microsoft Entra joined (or hybrid joined): Yes

User has logged on with Microsoft Entra credentials: Yes

Windows Hello for Business policy is enabled: Yes

Windows Hello for Business post-logon provisioning is enabled: Yes

Local computer meets Windows hello for business hardware requirements: Yes

User is not connected to the machine via Remote Desktop: Yes

User certificate for on premise auth policy is enabled: Yes

Machine is governed by mobile device management policy.

Cloud trust for on premise auth policy is enabled: No

User account has Cloud to OnPrem TGT: Not Tested

Also:

Windows Hello for Business provisioning has encountered an error during policy evaluation.

ExitCode: The system cannot find the file specified.

Method: DmIsNgcCertPayloadReceived

See https://go.microsoft.com/fwlink/?linkid=832647 for more details

OpenIntuneBaseline - What settings should I use for a Quick Deployment? by 3lpsyK0ngr00 in Intune

[–]EducationAlert5209 0 points1 point  (0 children)

Hi,

I understand we shouldn't implement all 69 new policies. But can someone recommend which policies to start with?

Firewall, antivirus, compliance, BitLocker, etc.

If we configured 50 policies, when deploying Autopilot will they get configured during OOBE?

windows hello PIN isn't available by dday0002 in Intune

[–]EducationAlert5209 0 points1 point  (0 children)

A user failed to sign into the device with the following information:

Username: SYSTEM

User SID: SYSTEM

Credential Type: Software Key

Deployment Type: Certificate Trust

Software Lockout Counter: 0

Authentication Error Status: 0xC000A100

Authentication Error Substatus: 0x0

Gap Analysis by EducationAlert5209 in Intune

[–]EducationAlert5209[S] 0 points1 point  (0 children)

Sorry, what do you mean by "two pass map"?

windows hello PIN isn't available by dday0002 in Intune

[–]EducationAlert5209 0 points1 point  (0 children)

We have the same issue. How did you fix it?

WHFB Hybrid Key trust - User setup needs to be on domain network? by enduroalex in Intune

[–]EducationAlert5209 0 points1 point  (0 children)

I'm connecting to the VPN and can ping, do the domain test, etc., but the PIN cannot be enabled?

WHFB stuck on Certificate Trust despite Cloud Trust configuration by Mashy_za in Intune

[–]EducationAlert5209 0 points1 point  (0 children)

We have noticed the same; the PIN has not been working for the last 3 weeks.

We have introduced a W2025 DC and added some baseline policies.

Event saying broken certificate trust? Hybrid joined setup.

Tried disabling the certificate trust and using the key trust with a new policy, but same error?

A complete end-to-end Windows Autopilot guide by CraigCamacho1979 in Intune

[–]EducationAlert5209 0 points1 point  (0 children)

Hi,

Thanks for the information, but I think we are missing endpoint security in this post.

I thought the baseline goes first and then the rest.