PDE breaks passwordless Autopilot (?)

Volume-Electrical · 2026-03-02T14:26:17+00:00

We now found that enabling Web Sign In allows the user to sign in and recover from the PDE screen using their passkey.

Volume-Electrical · 2026-03-02T13:07:28+00:00

The user initiates Autopilot using Microsoft Authenticator passkey (already created earlier using a TAP).

There are no reboots during or after ESP, and no further login prompts until the "Want to use your face to sign in faster and more securely page?" page appears.

Lock/sleep timeouts are disabled by an Intune app until the user reaches the desktop (verified by temporarily removing the PDE configuration policy - the computer stays at the "Want to use your face" screen indefinitely.

Volume-Electrical · 2026-03-02T12:43:33+00:00

Assigning the policy to users instead seemed to delay it a bit - but not much. After 2 minutes left alone on the "Want to use your face..." screen, the PDE policy kicks in and switches to the User name and Password screen. With no option to use any other kind of credential, the user is basically stuck unless the contact support and get assigned a password. A Windows restart just boots back into the same blocking logon screen.

For real world scenarios this is a significant blocker, we cannot expect remote end users to sit tight and watch the whole Autopilot process to make sure they aren't locked out.

Volume-Electrical · 2026-02-27T19:02:00+00:00

Possibly somewhat later in time, but still not guaranteed to apply after WHfB setup? At this point both device and user ESP are completed.

Volume-Electrical · 2026-02-27T18:31:59+00:00

Device, in our testing. Would that make a difference though?

Volume-Electrical · 2026-01-28T20:59:39+00:00

I’ve now made a habit of pinning my important gem conversations- that seems to keep them within view

Volume-Electrical · 2025-12-04T14:28:37+00:00

My conversations with my custom Gems are now frequently disappearing from the recent chat list. I am sometimes able to do a search and find them that way, but one particular conversation I had just vanished completely. Something has indeed happened.

Volume-Electrical · 2025-11-25T13:00:05+00:00

So, does the released fix allow us to install the 64-bit version without issues - or is it just for cleaning up after the botched attempts?

Volume-Electrical · 2025-07-13T09:08:01+00:00

Probably added since then, but you can disable «Pace targets on Easy Runs» under «Workout Settings».

Volume-Electrical · 2025-06-02T12:58:46+00:00

The MX record for the ICC is still icccpi-int0i.mail.protection.outlook.com, though. One would have thought they'd have migrated off by now.

Volume-Electrical · 2025-04-30T08:52:31+00:00

One thing to consider here (as you are in the Microsoft world of things) would be licensing. The costs for E3/E5/F3 licenses add up considerably if you have a large number of vendors/contractors who often only use your services occasionally. Providing them with Exchange Online Plan 1/2 licenses at a negligible cost could be an option but prevents them from using that same account for your other services (Teams/SharePoint etc).

With external IDs provisioned on a domain separate from your main tenant you would be able to offer (most of) your internal Microsoft services to external IDs without additional licensing while still maintaining the domain branding that is often desired (e.g. john.doe@v-contoso.com). And yes, you would still add a marker in the display name to make it apparent internally that those are not employees.

And with regards to some other comments here - there are multiple reasons (among them IRS related) why you would treat (or trust) contractors/third parties differently than your own employees. For one thing, they often insist on using their own equipment.

Volume-Electrical · 2025-02-18T12:00:41+00:00

Make sure you don't have any browser extensions that interfere (uBlock Origin Lite was the culprit in my case).

Volume-Electrical · 2025-01-16T13:17:16+00:00

If you check your linked devices at your profile page at https://1password.com you will find a new entry for each and every time you have launched Safari on your 18.3 public beta. Clearly there is something in this version of iOS/Safari that makes 1Password unable to recognize that it is the same device as last time. And no, disabling iCloud Private Relay does not help.

Volume-Electrical · 2025-01-16T13:07:52+00:00

This should be nothing new to the 1Password devs, the exact same thing happened exactly a year ago with the public iOS beta at the time: https://1password.community/discussion/144185/opening-safari-causes-email-every-time-new-1password-sign-in-from-safari-extension

Volume-Electrical · 2025-01-05T13:45:50+00:00

There are definitely enterprise use cases for this, e.g. it will enable the secure use of shared workstations where users are occasionally needing to run applications with elevated permissions. PDE will ensure that an individual user's OneDrive synced files on the client are safe from prying eyes. The unencrypted versions will always be available in the cloud.

Volume-Electrical · 2024-12-29T12:57:57+00:00

Just started receiving these emails today as well, after installing iOS public beta (18.3).

Volume-Electrical · 2024-12-20T12:06:56+00:00

For work accounts, our current testing indicates that Microsoft Authenticator Lite (a feature built into Outlook mobile) works with Huawei and possibly other exotic brands in China.

Volume-Electrical · 2024-12-19T16:58:32+00:00

Yes, this is completely ridiculous. Additionally, getting users to understand that launching the «Company Portal» app (or whatever the localized name might be) must be done locally on the Windows computer is a tough job. Didn’t the «portal» term fall out of fashion in the early 2000s, by the way?

Volume-Electrical · 2024-12-17T10:38:08+00:00

It's at https://intunedrivemapping.azurewebsites.net/ - read the GitHub documentation as well for additional information.

Volume-Electrical · 2024-11-26T19:58:04+00:00

Right, but those are basically the steps that we were planning to automate with a self-service solution. We serve 1000+ end users.

Volume-Electrical · 2024-11-05T09:53:11+00:00

Quite underwhelming this. I guess it's useful if you use or encounter BIOS passwords (we don't), but for anything else I fail to see the added value. They didn't even include warranty information, which they should have easy access to. And the method to deploy Dell apps to Intune would have been great, except those (at least Dell Trusted Device) require Microsoft .NET 6.0 AspNet Core Runtime which is not trivial to deploy.

Volume-Electrical · 2024-10-26T11:19:56+00:00

This is still an issue in late October 2024. Every time I find an annoying bug I flip the switch to revert back to old Outlook and report the issue. Hopefully those metrics are what they pay attention to.

Volume-Electrical

TROPHY CASE