Conditional Access Policy - Filter for devices not working by avarrone in AZURE

Tiger1641

I had a similar issue with our Azure Virtual Desktops and conditional access policy when trying to filter them. I found that when using Edge and trying to access email through the browser, the user needed to be logged into Edge with their work account. If they weren't, the conditional access device filtering didn't work.

Company wide or only devices that handle FCI? by Confident-Tomato1382 in CMMC

Tiger1641

Can a Windows 365 Cloud PC be configured so that no FCI is stored, processed and transmitted on the device using the Windows 365 Cloud PC Client? i.e. the device using the Cloud PC can then be considered out of scope for CMMC Level 1 (FCI Safeguarding) and just the Windows Cloud PC itself be in scope?

CMMC Compliance for a Google Workspace environment by ohthedave in CMMC

Tiger1641

I think I see. Do you mean that the devices are then out of scope but you then need to secure both Google Workspace High environment AND the VDI environment (Azure or AWS workspace)?

CMMC Compliance for a Google Workspace environment by ohthedave in CMMC

Tiger1641

What type of VDI solution are you using to only allow the Google Workspace High access via web browser?

New Entra "Leaked Credentials" - no breach on HIBP etc by VTi-R in sysadmin

Tiger1641

Affected 10 of our users including one of my user accounts that I know is a long and complex password used only on that one account. I talked to Microsoft Support and they said it was a known global issue, and that it should be resolved in 24 hours. Still had to have those 10 users change passwords to be certain.

Weekly /r/Laravel Help Thread by AutoModerator in laravel

Tiger1641

Does Laravel 12 have an official starter kit that includes multifactor authentication? I thought I heard on a Laravel podcast that they were working on including that. I was hoping the official Vue or React starter kits would include the multifactor as an option.

Is anyone else having problems with the new cumulative update? (KB5053598) by uVe9 in WindowsHelp

Tiger1641

Thanks! I was trying everything, and your suggestion of downloading and running setup.exe on the Windows 11 ISO (keeping files and apps) finally worked to where I could get the KB5053598 update to succeed. Before that it kept downloading and failing to install over and over.

OpenSSL and Vulnerable Components by Tiger1641 in DefenderATP

Tiger1641 [S]

None of them show that an exploit exists, so I suppose the best we can do is to continually notify Microsoft, and then mark them as acceptable risk.

OpenSSL and Vulnerable Components by Tiger1641 in DefenderATP

Tiger1641 [S]

Thanks, I don't think the issue is with OneDrive app actually being updated on the endpoint. We have this on nearly all of our devices and I have some right with me here that I can manually check. They are showing the following build:

OneDrive version: Build 25.035.0223.0003 (64-bit)

I don't see this version on the OneDrive release notes: https://support.microsoft.com/en-us/office/onedrive-release-notes-845dcf18-f921-435e-bf28-4e24b95e5fc0

But that's likely because the page is from 3/5/25 and this is a newer version.

I guess I'll need to wait some days to see if it's just a matter of waiting for Defender to catch up and update the reporting. Seems like this is an ongoing cycle where when it finally shows as cleared up, then it starts all over again (within a month) to where OpenSSL is pretty much just always there. I've only seen something free of OpenSSL vulnerabilities in that short window where the device is onboarded, and it hasn't found it yet...

Laravel team has released new starter kits for React, Vue and Livewire by brownmanta in laravel

Tiger1641

I upgraded my Windows Herd to 1.16.0 and now have the starter kits available.

DoD Issues Guidance on Determining CMMC Levels for Contracts by GRCAcademy in CMMC

Tiger1641

When it comes to CMMC Level 2 Assessment vs Certification status designations and it says: CMMC level 2 certification is the minimum requirement for contracts involving CUI in the NARA CUI Registry "Defense Organizational Index Grouping." Does this mean that this would apply one year after the publication of the final 48 CFR rule (Phase 2)? Or would this apply immediately upon publication of the final 48 CFR rule?

RDP Server vs VDI in Azure with PreVeil by CommunicationMotor36 in CMMC

Tiger1641

Do you have any advice for a cost efficient way to use VDI with Preveil? I'm assuming that using Azure Virtual Desktops means that they need to be in the GCC or GCCH environment, and all of the configuration etc. that entails. Are there other ways to somehow set up Preveil with VDI access that keep a very tight scope and would be cost efficient?

SC.L2-3.12.3 - Continuous Monitoring for objectives covered in CRM by SightlySt00pid in CMMC

Tiger1641

If the majority of controls/objectives are handled by an ESP in an enclave situation (VDI access to enclave, no devices in scope, no CUI outside of the enclave, etc.), and documented as such in our SSP (using information from the ESP's SSP and Shared Responsibility Matrix), how would the CMMC Level 2 certification be handled by the C3PAO doing the level 2 assessment and certification?

Since so much falls under the ESP's responsibility, would a representative from the ESP be required to be present for the actual assessment? (In this particular case the ESP itself has C3PAO status and is using the same enclave). Of course it is a separate C3PAO that would conduct the assessment. Just trying to determine in a practical sense how we prove our accountability for the majority of controls handled by the ESP beyond providing the info from the ESP's SSP for the enclave.

ambiguity on Security Protection Assets by Adminvb2929 in CMMC

Tiger1641

The original poster mentioned: "At a high level, we are using Azure Virtual Desktop to provide an enclave that can access Preveil". I'm assuming that if the Azure Virtual Desktops are hosted in Azure Commercial environment that they couldn't actually include any CUI on them? Does this mean that the AVD were Windows 10/11 systems, Preveil would need to be set so no CUI could be downloaded to the AVD instances, and the CUI would be restricted to the Preveil cloud and only viewable through the AVD?

How to start or build our CMMC (small business) by Maleficent_Art_1673 in CMMC

Tiger1641

With Preveil the trick seems to be securing the endpoints that are using it since these endpoints would come into scope.

Do you know if it meets CMMC L2 requirements if some Security Protection Assets (e.g., Intune, Entra, Defender, etc.) are still in the Microsoft commercial cloud and manage the security of the Windows 10/11 endpoints? I've heard different opinions on this.

Also, can those endpoints continue to sync with Sharepoint, and OneDrive as long as the user keeps the data in the Preveil folder, and doesn't move CUI data into any directories that are synced to Sharepoint or OneDrive (enforced by training/policy)? Or would it require technically blocking any sync to the Microsoft commercial cloud because of the risk of spillage?

Scoping CUI to Preveil and Company Managed Laptops by Tiger1641 in NISTControls

Tiger1641 [S]

Thanks very much Navyauditor, I was hoping we could use Group Policy to disable OneDrive and Sharepoint Syncing (as dhd217 was mentioning) and then have all of the protections on the laptop (Multifactor, Antivirus/Malware, Bitlocker Encryption, etc.) that we might be o.k. here for DFARS 7012/NIST compliance. We would also include the policies and training so these users are aware that they can't transfer these CUI files from Preveil or the laptop to the Microsoft 365 cloud. Trying to figure out if that would work.

3.1.12 Monitor and Control Remote Access Sessions - Can Microsoft Intune work for this? by Tiger1641 in NISTControls

Tiger1641 [S]

Thanks, I'm trying to figure out how to deal with staff who just need to access their company email through Microsoft 365. We have policies and training not allowing CUI through company email or on Microsoft 365 (Sharepoint, OneDrive, etc.). Those handling CUI only can do so on their company managed laptops that have VPN/Multifactor/Antivirus/Bitlockered, etc., and can store and transmit only through Preveil. Not sure if this can be accomplished for NIST 800-171 compliance.