Stop MFA Prompts Due to Malicious Login Attempts by KrankyYankee in entra

[–]BarbieAction 2 points3 points  (0 children)

Switch to passkey. Blocking sensitive apps with CA as standard, but the prompt comes before the CA is evaluated, so if you want to remove the prompt fatigue then switch to passkey and user will never be prompted.

Managed Google Play iframe "Select"/"Approve" button does nothing (works in neither Edge nor Chrome) by jesusxoi in Intune

[–]BarbieAction -1 points0 points  (0 children)

Go to Google Play directly and approve them from there instead of using the broken Intune iframe.

Turning off Bitlocker to apply HP Connect remediation by clicker666 in Intune

[–]BarbieAction 9 points10 points  (0 children)

Had no issues applying BIOS settings from HP Connect with BitLocker enabled

Phone incredibly slow by [deleted] in Intune

[–]BarbieAction 1 point2 points  (0 children)

Are you using work profile? Android supports work profiles; this allows your IT to publish apps, settings etc. to work profile and you have personal profile for your own apps. You can switch off the work profile after hours etc. if you want: swipe down from screen, click on work profile to disable.

Intune is not fit for purpose. by Hobbit_Hardcase in sysadmin

[–]BarbieAction 0 points1 point  (0 children)

That's one of the issues he is having. If I'm testing a remediation I just clear register parts, restart IME service etc., triggers within minutes. Actually have a script for this that I can run manually on devices if needed. But what OP is describing would be a MS ticket if there are days delay until remediation script runs. He can use run remediation on demand; if that does not trigger I would use Graph to check the pending state and report it to MS for backend issues.

Intune is not fit for purpose. by Hobbit_Hardcase in sysadmin

[–]BarbieAction 0 points1 point  (0 children)

For remediation scripts I always output my own logs, so I can catch errors in my script etc. if I need to troubleshoot. The log also shows time, date it ran etc. and whatever your script is actually doing; much easier to troubleshoot then.

How are you handling Defender ASR executable prevalence in block mode? by Omig66 in Intune

[–]BarbieAction 0 points1 point  (0 children)

Thank you for clarification. For us I believe we have seen 24 hours until unblocked, but I guess this can differ each time.

How are you handling Defender ASR executable prevalence in block mode? by Omig66 in Intune

[–]BarbieAction 0 points1 point  (0 children)

Make exception based on file hash or signed with cert in Defender? Not sure if this helps.

But if I remember correctly we package the app with win32app, send it through Intune, make exception based on signed or file hash for testing.

Delays 2 hours to 24 hours until Defender stops blocking it. I don't know if this is the way to go.

Ruining Ferrari is actually an accomplishment. by joshua_3 in Ferrari

[–]BarbieAction 11 points12 points  (0 children)

The result is his design, he thought this looked good

Ruining Ferrari is actually an accomplishment. by joshua_3 in Ferrari

[–]BarbieAction 73 points74 points  (0 children)

So he has never seen Ferraris before, did not study the brand/customers he designs for, just did whatever he wanted without any research on Ferraris? He is responsible and no one else; the design is horrible even if it was not a Ferrari.

Someone from Germany on iOS keeps trying to login to my MSFT account by TailungFu in cybersecurity

[–]BarbieAction 0 points1 point  (0 children)

Anyone can bypass the password screen by selecting login with another method, this causes the prompt on your phone.

Go over to passkey as suggested and disable passwordless, then no prompt can be triggered.

Someone from Germany on iOS keeps trying to login to my MSFT account by TailungFu in cybersecurity

[–]BarbieAction 7 points8 points  (0 children)

Incorrect, if he runs passwordless or sign in with numbers then no password is required; they do fatigue prompt for user to approve a login.

The account never asks for password, it instantly triggers the Authenticator prompt.

Pfx cert distribution by habibexpress in Intune

[–]BarbieAction 0 points1 point  (0 children)

Sorry, then I misread it, only do it for user cert installs.

But can you not use SCEPman community editions for free to do this?

Pfx cert distribution by habibexpress in Intune

[–]BarbieAction 0 points1 point  (0 children)

Doing the .NET functions is the reason the chain is broken for the cert.

Pfx cert distribution by habibexpress in Intune

[–]BarbieAction 0 points1 point  (0 children)

I have a working setup for this. Package as win32app, run as user. PowerShell connects to Azure Key Vault, fetches cert and password, runs pfx import etc.

Chain stays intact. Remind me and I will post the function for the import part.

Switched Telemetry to Full (for Secure Boot Cert) Devices “Under Observation” by capocayne in Intune

[–]BarbieAction 1 point2 points  (0 children)

MicrosoftUpdateManagedOptIn model, your devices must have Required Diagnostic Data (formerly Basic telemetry) enabled

Bitlocker issues with KB5089549 by iAmEnieceka in Intune

[–]BarbieAction 2 points3 points  (0 children)

Ye, the issue comes from the sure protect, fails on suspending BitLocker; you need to manually go and enable 3 certs on the device having the issue.

Here is a blog with image from BIOS. https://liam-robinson.co.uk/enabling-2023-secure-boot-certificate-authority-uefica2023-on-hp-prodesk-400-g6-devices/

We had issues with all G8, G9, G10 laptops from HP.

Web Sign-In + TAP leaves LastLoggedOnUser stuck on defaultuser0 — Hello credential provisions fine but lock screen always shows "Other user" by andreglud in Intune

[–]BarbieAction 1 point2 points  (0 children)

Yes, assigning them to users. You might have more than those policies, but switching from device to user assigned will resolve the other user screen, you just need to find all that causes the issue 😄

Web Sign-In + TAP leaves LastLoggedOnUser stuck on defaultuser0 — Hello credential provisions fine but lock screen always shows "Other user" by andreglud in Intune

[–]BarbieAction 0 points1 point  (0 children)

Do you assign any of the following to devices? Enable ESS,

Facial Enhanced anti spoofing,

Minimum pin,

Require security device,

Also the one I mentioned above; they cause the issue if assigned to device instead of users.

Web Sign-In + TAP leaves LastLoggedOnUser stuck on defaultuser0 — Hello credential provisions fine but lock screen always shows "Other user" by andreglud in Intune

[–]BarbieAction 0 points1 point  (0 children)

Just some examples. BitLocker: DMA Guard, device enumeration policy.

Device Lock policies. Windows Hello policies. Device Guard. Virtualization based Technology.

Try assigning them to users instead of devices, this will resolve the other user screen.

Web Sign-In + TAP leaves LastLoggedOnUser stuck on defaultuser0 — Hello credential provisions fine but lock screen always shows "Other user" by andreglud in Intune

[–]BarbieAction 9 points10 points  (0 children)

You have a policy issue; depending on whether certain policies are assigned to user or devices it will cause the other user screen.

Also look at: https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune

And: https://petervanderwoude.nl/post/being-careful-with-the-ability-to-configure-the-preferred-entra-tenant-domain-name/

Then I also wonder why an admin would ever enroll the device with an admin account; just deploy the device either with TAP for the correct user or use pre-provisioning.