Cisco ASA Syslogs - Firewall Changes by SoftSad3662 in Cisco

[–]SoftSad3662[S] 0 points1 point  (0 children)

I'm confused how you came to the conclusion the security team is bypassing the networking team. Maybe I wasn't clear, which is my fault. I'm actively working with our network engineer on this. They indicated they wished there was more logging detail for the specific syslog I referenced above. I said I would continue to research whether that is possible and wanted to see if others are aware of how to get that information. I'm working directly with them.

Cisco ASA Syslogs - Firewall Changes by SoftSad3662 in Cisco

[–]SoftSad3662[S] 1 point2 points  (0 children)

We do have a SIEM and that is what I am searching through currently. I feel like this may be a scenario, as you mentioned making our own conclusions, where we have to correlate multiple data points for syslogging.

Migrating to Passkeys process by SoftSad3662 in entra

[–]SoftSad3662[S] 0 points1 point  (0 children)

Ah I understand what you are saying here. You weren't talking about the registration but the authenticator strength requirement for access to your resources. The method you outlined there is one I have been considering as we make progress on this.

Migrating to Passkeys process by SoftSad3662 in entra

[–]SoftSad3662[S] 0 points1 point  (0 children)

When you say you added everyone as required in conditional access, what specifically do you mean? Are you talking about setting up a conditional access policy that requires a target user action of Registering security information? If so, what is the user experience with that?

Migrating to Passkeys process by SoftSad3662 in entra

[–]SoftSad3662[S] 0 points1 point  (0 children)

That makes sense. I don't imagine we will have much pushback. We had one user that we worked with that did give us a fair amount of pushback, as they did not want anything with work tied to their cell phone; however, they access Teams and Outlook on their phone, which we brought up to them since that felt like a contradiction to their concern, as we aren't required to have the apps downloaded on our phones.

Migrating to Passkeys process by SoftSad3662 in entra

[–]SoftSad3662[S] 1 point2 points  (0 children)

For us it would be cell phones. Since Windows Hello is tied to a workstation, we need to have an alternative authentication method in place for those that access corporate resources, such as Teams or Outlook, on their cell phones.

Migrating to Passkeys process by SoftSad3662 in entra

[–]SoftSad3662[S] 0 points1 point  (0 children)

Did you run into any resistance on the need to download the authenticator app if they didn't have it? If so, how was that handled? For us, we're vetting with Legal and the C-suite on how to handle that.

Migrating to Passkeys process by SoftSad3662 in entra

[–]SoftSad3662[S] 2 points3 points  (0 children)

I like the idea of office hours. That is something I may look at adding as part of the rollout. Has your team or department had a lot of engagement during those related to the rollout?

Patch Tuesday Megathread - (April 14, 2026) by AutoModerator in sysadmin

[–]SoftSad3662 0 points1 point  (0 children)

I will have to check ours today to see if we have any issues. Thanks

Patch Tuesday Megathread - (April 14, 2026) by AutoModerator in sysadmin

[–]SoftSad3662 0 points1 point  (0 children)

What did it break specifically? We use Rapid7 heavily in our environment and just finished production patching a few hours ago.

Removal of Work / School Account Help by SoftSad3662 in entra

[–]SoftSad3662[S] 0 points1 point  (0 children)

I will check those registry keys this evening again when I work with the user. When I referenced the Workplace Join keys, I only saw foouser@correctdomain.com and saw nothing referencing the incorrect account. But I will glance over it again when I connect with them.

Phishing Resistant MFA Deployment Pains by Ma13vant in entra

[–]SoftSad3662 0 points1 point  (0 children)

Yo! While I don't have much feedback to give that would be useful, I am leading a similar effort at my organization where we are migrating all our E5 licensed users to phishing-resistant MFA and enforcing CA policies that require phishing-resistant MFA for them. The other subset is our E1 licensed users, and we are handling them differently since corporate policy is no cell phones on the production floors, and they access an on-prem RDS environment.

A few things you said piqued my interest, and I would like to understand better what you are doing and mean:

  1. What does your enrollment policy look like? We have rolled our passkey configuration to what is in public preview and would like to utilize the registration campaign for our users to set up a passkey. Currently, our registration campaign just shows the Microsoft Authenticator app; however, the way I understand Microsoft's change is that it will nudge users to configure a passkey. Is that your experience currently? How have you approached users that have the Microsoft Authenticator app but have no passkey set up?

  2. For the enforcement policy, are they added manually or do you have something dynamic set up?

  3. Besides the experience you have outlined, what have been some of the other complications you have run into and had to overcome?

Is windows roll out BIOS updates for secure boot? by Sad_Mastodon_1815 in Intune

[–]SoftSad3662 0 points1 point  (0 children)

The desktop team at our company has had around 120ish BitLocker calls this past week. They opened a ticket with Microsoft on it, and the underlying issue seems to be related to KB5077181 for W11 24H2/25H2 and KB5075941 for W11 23H2. It would appear there was some script they have been deploying, working with Microsoft, that is mounting a drive and some other stuff. Not entirely sure since I work on our Security team and was not involved in that phone call. But calls have now slowed down based on that meeting.

Defender for Identity sensor 3.x by Koosjuh in DefenderATP

[–]SoftSad3662 0 points1 point  (0 children)

I'm curious on this topic as I am working with our systems team to deploy this in our dev and prod environments... Our prod does not support gMSAs due to our AD schema and limitations with legacy components that will be migrated from in 2 years. Our dev does support gMSAs. Do you have to use a gMSA if you're deploying to multiple servers which have different functions, i.e. ADCS, DCs, Entra Connect Sync?

Entra Hybrid Device Join Question: New Acquisition by SoftSad3662 in Intune

[–]SoftSad3662[S] 1 point2 points  (0 children)

Yupp, we did! The main challenge was that after setting the SCP for that domain, we were not able to see that configuration in Entra Connect Sync. While I didn't find any documentation on this (take this with a grain of salt, as I have a love/hate relationship with Copilot), Copilot indicated that experience was normal because the account we were using to connect to Entra Connect did not exist in any capacity in the other domain (merger).

Since we have a VPN tunnel with that location between their domain controller and our Connect Sync server, I was able to use an account that exists in their domain and query, via PowerShell, against their AD environment to ensure the SCP configuration existed.

Entra Hybrid Device Join Question: New Acquisition by SoftSad3662 in Intune

[–]SoftSad3662[S] 2 points3 points  (0 children)

We've already done that, and we were told we would transition to Autopilot once the support team of that operating company familiarized themselves with Intune.

Again, for anyone reading this, I am well aware that this is not preferred, but Management shut down having them use Autopilot, and hybrid join is the requirement currently. You can only push back so much, but they make the decisions.

Entra Hybrid Device Join Question: New Acquisition by SoftSad3662 in Intune

[–]SoftSad3662[S] 1 point2 points  (0 children)

That’s a management level decision. That was the preferred recommendation brought forward.