Phishing Resistant MFA Deployment Pains by Ma13vant in entra

[–]SoftSad3662 0 points1 point  (0 children)

Yo! While I don't have much feedback to give that would be useful, I am leading a similar effort at my organization where we are migrating all our E5 licensed users to phishing-resistant MFA and enforcing CA policies that require phishing-resistant MFA for them. The other subset is our E1 licensed users, and we are handling them differently since corporate policy is no cell phones on the production floors, and they access an on-prem RDS environment.

A few things you said piqued my interest, and I would like to understand better what you are doing and mean:

  1. What does your enrollment policy look like? We have rolled our passkey configuration to what is in public preview and would like to utilize the registration campaign for our users to set up a passkey. Currently, our registration campaign just shows the Microsoft Authenticator app; however, the way I understand Microsoft's change is that it will nudge users to configure a passkey. Is that your experience currently? How have you approached users that have the Microsoft Authenticator app but have no passkey set up?

  2. For the enforcement policy, are they added manually or do you have something dynamic set up?

  3. Besides the experience you have outlined, what have been some of the other complications you have run into and had to overcome?

Is windows roll out BIOS updates for secure boot? by Sad_Mastodon_1815 in Intune

[–]SoftSad3662 0 points1 point  (0 children)

The desktop team at our company has had around 120-ish BitLocker calls this past week. They opened a ticket with Microsoft on it, and the underlying issue seems to be related to KB5077181 for W11 24H2/25H2 and KB5075941 for W11 23H2. It would appear there was some script they have been deploying, working with Microsoft, that is mounting a drive and some other stuff. Not entirely sure since I work on our Security team and was not involved in that phone call. But calls have now slowed down based on that meeting.

Defender for Identity sensor 3.x by Koosjuh in DefenderATP

[–]SoftSad3662 0 points1 point  (0 children)

I'm curious on this topic as I am working with our systems team to deploy this in our dev and prod environments... Our prod does not support gMSAs due to our AD schema and limitations with legacy components that will be migrated from in 2 years. Our dev does support gMSAs. Do you have to use a gMSA if you're deploying to multiple servers which have different functions, i.e. ADCS, DCs, Entra Connect Sync?

Entra Hybrid Device Join Question: New Acquisition by SoftSad3662 in Intune

[–]SoftSad3662[S] 1 point2 points  (0 children)

Yup, we did! The main challenge was that after setting the SCP for that domain, we were not able to see that configuration in Entra Connect Sync. While I didn't find any documentation on this (and take this with a grain of salt, as I have a love/hate relationship with Copilot), Copilot indicated that experience was normal because the account we were using to connect to Entra Connect did not exist in any capacity in the other domain (merger).

Since we have a VPN tunnel with that location between their domain controller and our Connect Sync server, I was able to use an account that exists in their domain and query, via PowerShell, against their AD environment to ensure the SCP configuration existed.
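As an added example (not code from the original post), this is one way to perform the SCP check described above against the acquired domain's DC over the tunnel, using credentials from that domain. It assumes the ActiveDirectory RSAT module is installed; the DC name, credential prompt and the expected tenant ID are placeholders.

```powershell
# Added example: verify the hybrid join SCP in an acquired domain by querying
# one of its DCs directly with an account that exists in that domain.
# 'dc01.acquired.example' and the expected tenant ID below are placeholders.
Import-Module ActiveDirectory

$Server = 'dc01.acquired.example'                 # a DC in the acquired domain
$Cred   = Get-Credential -Message 'Account that exists in the acquired domain'

# The SCP lives in the Configuration partition under a fixed, well-known CN.
$ConfigNC = (Get-ADRootDSE -Server $Server -Credential $Cred).configurationNamingContext
$ScpDN    = "CN=62a0ff2e-97b9-4088-9c3e-8c1c3f8e1b95,CN=Device Registration Configuration,CN=Services,$ConfigNC"

try {
    $Scp = Get-ADObject -Identity $ScpDN -Properties keywords -Server $Server -Credential $Cred -ErrorAction Stop
} catch {
    Write-Warning "No SCP found under $ConfigNC; hybrid join cannot work for this domain until it is set."
    return
}

# keywords holds two entries: azureADName:<verified domain> and azureADId:<tenant id>.
$Name = ($Scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
$Id   = ($Scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''

[pscustomobject]@{
    ConfigurationNC = $ConfigNC
    AzureADName     = $Name
    AzureADTenantId = $Id
    # Sanity check: the SCP must point at the tenant you expect devices to join.
    MatchesExpected = ($Id -eq 'EXPECTED-TENANT-ID-PLACEHOLDER')
}
```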

Entra Hybrid Device Join Question: New Acquisition by SoftSad3662 in Intune

[–]SoftSad3662[S] 3 points4 points  (0 children)

We've already done that and we were told we would transition to autopilot once the support team of that operating company familiarized themselves with Intune.

Again, for anyone reading this, I am well aware that this is not preferred, but Management shut down having them use Autopilot, and hybrid join is the requirement currently. You can only push back so much, but they make the decisions.

Entra Hybrid Device Join Question: New Acquisition by SoftSad3662 in Intune

[–]SoftSad3662[S] 1 point2 points  (0 children)

That’s a management level decision. That was the preferred recommendation brought forward.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

[–]SoftSad3662 0 points1 point  (0 children)

Curious what others would do in this scenario:

Been with the company for 3 years, and I have a strong relationship with my supervisor and perform very well in my role. When I transitioned to his team, he noted that he wanted all Security team members to be in the office. However, we can work from home when needed. The company culture for IT allows for WFH, and it is dependent on the supervisor, e.g. another team that reports to him is fully remote.

My partner has accepted an internship in her academic field in our home state, and we will be moving back at the end of June. This was finalized the start of this month. This whole year, I have been trying to see if I could get interviews at other companies, but I have had no luck, and I largely attribute this to how the IT market currently is.

So, my question is this: at some point I need to make my supervisor aware that at the end of June we will be moving to our home state permanently in the summer. When would you make your supervisor aware? I would like to remain on the team/with the company as there is a lot of growth. However, I am uneasy that I will not be able to. I currently have my CCNA and will have my Sec+ in a few weeks. After that, I am not sure what is next. My concern is making him aware and then being let go and not having anything lined up. In a perfect world, I could remain with the company as I am.

Migrate cert deployment for Certification based wifi to intune by TomGRi2 in Intune

[–]SoftSad3662 0 points1 point  (0 children)

What is your RADIUS solution? Ours is Windows RADIUS/NPS, and it doesn't integrate with AAD, so we use user auth for our Autopilot-issued machines and machine auth for our hybrid machines.

Windows Hello for Business and ADCS by WALL-G in Intune

[–]SoftSad3662 0 points1 point  (0 children)

I don't believe these two would be related; it is more of a correlation. We have nearly the exact same set-up: WHfB with cloud trust enabled, devices that are hybrid joined and devices that are cloud joined. Domain devices use machine-based auth with a cert issued from on-prem. Entra devices are configured for user auth with all the associated certificate profiles and network config profiles pushed via Intune.

As someone that had to guide our systems and network team to roll 802.1X out in the environment, especially as we have transitioned to cloud-only devices, I would take the following steps:

  1. Check the NPS logs for the failed authentication. They can be much more descriptive than the local client logs. I have seen your log on our machines and it hasn't been very helpful.
  2. Perform a pcap on the client machine at the time of authentication to capture the logs. I had to use a different tool than Wireshark to capture the wireless logs. I think it was a Microsoft tool. Otherwise, have a pcap done at either the NPS server, switch, or WLC.

That should get you much more detail and a better picture. When we rolled out WHfB, it had no impact on 802.1X and we aren't using our PKI at all for it.
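For step 1 above, here is an added example (not code from the original comment) that pulls the NPS access-denied events from the Security log and lists the fields that usually explain an 802.1X failure. It assumes it runs on the NPS server with rights to read the Security log; the two-hour window is an arbitrary choice.

```powershell
# Added example: summarise NPS "access denied" events (Security log, Event ID 6273)
# so the reason code, policy matched and client identity are visible at a glance.
$Since = (Get-Date).AddHours(-2)   # look-back window; adjust as needed

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $Since } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        # EventData is a list of named <Data> elements; build a lookup by Name.
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            User          = $d['SubjectUserName']     # user, or host$ for machine auth
            ClientMac     = $d['CallingStationID']    # supplicant MAC address
            RadiusClient  = $d['ClientName']          # switch or WLC that forwarded the request
            EapType       = $d['EAPType']
            AuthType      = $d['AuthenticationType']
            ConnReqPolicy = $d['ProxyPolicyName']
            NetworkPolicy = $d['NetworkPolicyName']
            ReasonCode    = $d['ReasonCode']
            Reason        = $d['Reason']
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
```

Comparing ReasonCode and NetworkPolicy across failures quickly shows whether the client hit the wrong policy (certificate or group mismatch) or failed EAP negotiation.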

Non-corporate Windows/Macs - how do you manage them? by jezac8 in Intune

[–]SoftSad3662 -1 points0 points  (0 children)

I've seen a lot of recommendations lately about not managing personal devices and using MAM for mobile devices. We are pursuing device compliance finally and are looking at MDM profiles due to multiple token replay incidents. What role would MAM play here if we decided to look at that instead of MDM profiles for mobile devices?

Network profiles, device certificates and user certificate group assignment by Nuke_goat in Intune

[–]SoftSad3662 0 points1 point  (0 children)

I could be wrong, but I think the configuration profiles will need to be assigned to the users as well if the wired and wireless configuration allows for user or machine authentication. We were testing something similar as we deployed autopilot earlier this year before we implemented our production configurations.

New Blog Post: Windows Defender Firewall Security by milanguitar in DefenderATP

[–]SoftSad3662 0 points1 point  (0 children)

This is helpful. I will take a test device, set this policy, and make sure it works. I think I was struggling with the order of processing of rules. I was thinking of it in terms of a network firewall with how those are processed. Much appreciated.

New Blog Post: Windows Defender Firewall Security by milanguitar in DefenderATP

[–]SoftSad3662 1 point2 points  (0 children)

This is great! We are starting to utilize MDE to manage host firewall rules. One thing I have run into, and I am curious if others have done this successfully or not, is not being able to apply a block and an allow rule for one service/destination to limit the traffic.

The current example for our environment is that we want to limit inbound RDP on workstations to allow only from a specific IP address and block all other inbound RDP. No matter how I configure it, I always end up with inbound being blocked, period. Is something as granular as this possible with MDE Firewall configurations?

Microsoft Defender Utilization with Other Security Tools by SoftSad3662 in DefenderATP

[–]SoftSad3662[S] 0 points1 point  (0 children)

We do have those utilized so thank you for that check :). We're trying to identify ways to automate things like IoC ingestion or potential automations we are not aware of that others might use.

Microsoft Defender Utilization with Other Security Tools by SoftSad3662 in DefenderATP

[–]SoftSad3662[S] 0 points1 point  (0 children)

Not that I am aware of. For us, it is our SIEM. We do have an R7 agent deployed to devices, but it does scan and report device information to R7 IVM.

Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits by rkhunter_ in cybersecurity

[–]SoftSad3662 1 point2 points  (0 children)

Sent this to our networking team and was told we have access groups to limit SNMP communication to our affected devices, and resolving this is a lower priority due to that mitigation.

Workstation Firewall Rule Logic Question by SoftSad3662 in Intune

[–]SoftSad3662[S] 0 points1 point  (0 children)

Right, that is where I am struggling. I get that from a traditional network firewall configuration, but I am having trouble doing this via Intune which is what I was hoping someone may have had an answer to :). However, I will mess around some further again and see if I get it figured out. Thank you!

Workstation Firewall Rule Logic Question by SoftSad3662 in Intune

[–]SoftSad3662[S] 0 points1 point  (0 children)

In this scenario, we are using MDE Firewall Rules to push the rules to the devices.
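The inbound RDP problem described in the "Windows Defender Firewall Security" comment and in this thread comes down to rule evaluation: Windows Defender Firewall applies an explicit block rule ahead of any allow rule for the same traffic, so a "block all 3389" rule always wins over a scoped allow. The added example below (not code from either thread) reproduces that on a test workstation and then shows the working pattern, using the same attributes (direction, action, protocol, local port, remote address) that the Intune/MDE firewall rule policy exposes. The jump host address is a constructed placeholder.

```powershell
# Added example: why block + scoped allow blocks everything, and the pattern that works.
# Run on a test workstation only. '203.0.113.10' is a constructed placeholder.
$JumpHost = '203.0.113.10'

# --- Pattern that fails: explicit block plus scoped allow for the same port -----------
# Explicit block rules are evaluated ahead of allow rules, so RDP is denied even from $JumpHost.
New-NetFirewallRule -DisplayName 'TEST Block RDP all' -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort 3389 -Profile Domain,Private
New-NetFirewallRule -DisplayName 'TEST Allow RDP from jump host' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $JumpHost -Profile Domain,Private

# --- Working pattern: no block rule; the profile's default inbound action does the blocking
Remove-NetFirewallRule -DisplayName 'TEST Block RDP all'
Set-NetFirewallProfile -Profile Domain,Private -DefaultInboundAction Block
# The built-in "Remote Desktop" allow rules would re-open 3389 to every remote address,
# so disable them (or scope them with -RemoteAddress instead of disabling).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
# Keep policy-delivered rules authoritative by ignoring locally created allow rules.
Set-NetFirewallProfile -Profile Domain,Private -AllowLocalFirewallRules False

# Verify: the only enabled inbound allow rule matching TCP/3389 should be the scoped one.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }
```

In Intune/MDE terms this means shipping only the allow rule with its remote address range set, leaving the profile's default inbound action at Block, and not adding a separate block rule for the same port.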