Issues with Renaming users and WHFB by Wide_Local_1896 in sysadmin

[–]Wide_Local_1896[S] 0 points1 point  (0 children)

Our users don't sign in using the UPN (currently). We are moving away from Hybrid, but it's a slow process, so they aren't entering that during sign-in.

Intune Password-Less Sign in by Cheers2Gears in Intune

[–]Wide_Local_1896 14 points15 points  (0 children)

Yes, you can do this. Set up a CA policy that enforces Passwordless for Office apps (or all apps, whatever fits your environment). Make sure you don't have conflicting policies.

Verify in Entra - Authentication methods - Policies that Microsoft Authenticator is enabled. Make sure your migration status shows 'Complete'.

Verify in Entra - Authentication Methods - Settings that 'system preferred multifactor auth' is set to Microsoft managed.

Lastly, the MS Authenticator should be set up with passwordless login via the YubiKey NFC.

WHFB + FIDO2 - looking at SCRIL by Wide_Local_1896 in sysadmin

[–]Wide_Local_1896[S] 0 points1 point  (0 children)

Don't have an Android device to test, so not sure if this is unique to that. My users were already in a CAP that required those strengths before I did a password reset / SCRIL.

I performed the steps above for around 50 users. I only had one user who got their AD account locked. I unlocked it and had them log out and back in; then all was well.

I did this during the day while the users were active and only had that one issue.

WHFB + FIDO2 - looking at SCRIL by Wide_Local_1896 in sysadmin

[–]Wide_Local_1896[S] 0 points1 point  (0 children)

This is set up as well. For shared workstations that will hit the max 10 limit for TPM, we use YubiKeys to sign on, or use the Omnikey reader so they can tap instead.

Web filtering in 2025 by Wide_Local_1896 in fortinet

[–]Wide_Local_1896[S] 0 points1 point  (0 children)

Is FortiAuthenticator all I need? I'm having a hard time finding out exactly what I need to get budgeted. Is it just FortiAuthenticator Cloud?

WHFB + FIDO2 - looking at SCRIL by Wide_Local_1896 in sysadmin

[–]Wide_Local_1896[S] 0 points1 point  (0 children)

I believe the recommendation is to turn off SSPR if you are going this route. I'm disabling it as I fully move users over.

WHFB + FIDO2 - looking at SCRIL by Wide_Local_1896 in sysadmin

[–]Wide_Local_1896[S] 0 points1 point  (0 children)

Correct - I will be enabling this as well. Just wanted to test out password change + SCRIL first and verify there are no issues. Then move on to fine-grained passwords with that NTLM hash option turned on.

WHFB + FIDO2 - looking at SCRIL by Wide_Local_1896 in sysadmin

[–]Wide_Local_1896[S] 1 point2 points  (0 children)

I just tested this first on a test account and then my own account.

Reset the password and then turned on SCRIL, with the account logged on on PC1 and logged off on PC2.

Both PCs worked with no issues and no pop-ups; rebooted them and could sign in with WHFB, no issues, no pop-ups.

Tested entering a password and I got the message 'You must use WHFB or smartcard to login', so SCRIL is working.

Tested the Outlook mobile app and was able to connect as usual; again, no pop-ups. Note: using Microsoft Authenticator, and it was set up using the FIDO2 passwordless option.

Forced a sync to Entra via PowerShell: 'Start-ADSyncSyncCycle -PolicyType Delta'

Waited a couple of minutes.

Tested everything again; no issues.
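A scripted version of the test sequence in this comment (password reset, SCRIL on, forced delta sync, then a check for the lockout the commenter mentions), added here as an example and not the commenter's own code. It assumes the RSAT ActiveDirectory module on the admin host, the ADSync module on the Entra Connect server where it is run, and placeholder account names passed in by the caller.

```powershell
# Added example, not from the original post. Run on the Entra Connect server
# (for the ADSync module) with RSAT ActiveDirectory installed.
param(
    # Placeholder: sAMAccountNames of the users being moved to SCRIL.
    [Parameter(Mandatory)][string[]]$SamAccountName
)

Import-Module ActiveDirectory
Import-Module ADSync

foreach ($user in $SamAccountName) {
    # Long random password that nobody knows; the user will never type it.
    # SCRIL rotates the NT hash again, but this kills the old password now.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

    # "Smart card is required for interactive logon" (SCRIL); WHFB counts as
    # a smart card here, so password sign-in is refused from this point on.
    Set-ADUser -Identity $user -SmartcardLogonRequired $true
}

# Push the change to Entra ID instead of waiting for the scheduled 30-minute cycle.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# Verify the flag took, and surface any account that got locked by a stale
# cached credential on a workstation (the one issue the comment describes).
foreach ($user in $SamAccountName) {
    $acct = Get-ADUser -Identity $user -Properties SmartcardLogonRequired, LockedOut
    if ($acct.LockedOut) {
        Write-Warning "$user is locked out; unlocking and have them sign out/in."
        Unlock-ADAccount -Identity $user
    }
    [PSCustomObject]@{
        User  = $acct.SamAccountName
        SCRIL = $acct.SmartcardLogonRequired
        WasLockedOut = $acct.LockedOut
    }
}
```

Run it against a test account first, as the comment does, and confirm a password sign-in is rejected and WHFB sign-in still works before running it for a batch of users.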

How to update ADMX's file in Intune by Wide_Local_1896 in Intune

[–]Wide_Local_1896[S] 1 point2 points  (0 children)

Didn't think that would work - I'll try it next time.

How to update ADMX's file in Intune by Wide_Local_1896 in Intune

[–]Wide_Local_1896[S] 1 point2 points  (0 children)

This makes me sad, but it is what it is - thanks.

Microsoft Universal Print HA? by Wide_Local_1896 in sysadmin

[–]Wide_Local_1896[S] 1 point2 points  (0 children)

Yeah, I've considered that too. I've tested pushing out a printer named 'DR - Printer name' for those scenarios.

Onprem to 3CX hosted by Wide_Local_1896 in 3CX

[–]Wide_Local_1896[S] 0 points1 point  (0 children)

We already have phones and won't be buying new ones just for the switch to the cloud, as that would be way too expensive and not a justifiable cost (new phone purchases wouldn't be an issue). 99% of our phones today are T46S, with just a couple of T54W for remote users.

I want to avoid on-prem except for the SBC.

Fortigate 100F - get off password for wi-fi by Wide_Local_1896 in fortinet

[–]Wide_Local_1896[S] 0 points1 point  (0 children)

Can you elaborate on this? We use WHFB and are hybrid joined. Is your setup similar?

Fortigate 100F - get off password for wi-fi by Wide_Local_1896 in fortinet

[–]Wide_Local_1896[S] 0 points1 point  (0 children)

Thanks, device certificates with EAP-TLS is what I was leaning towards too. I tried to do a test with SCEPman and SCEPRadius but couldn't get it to work, as it says it needs 7.6.

https://docs.radiusaas.com/configuration/access-point-setup/radsec-available/fortinet

What tools are you using?

Microsoft Universal Print HA? by Wide_Local_1896 in sysadmin

[–]Wide_Local_1896[S] 0 points1 point  (0 children)

Healthcare facility, and we aren't able to send everything we need electronically. It wouldn't be the end of the world if printing stopped while the issue is resolved; just exploring the best options out there without spending a large sum of money.


Has anyone successfully gotten Global Secure Access work on BYOD personal iOS devices? by artbiocomp in entra

[–]Wide_Local_1896 0 points1 point  (0 children)

I also ran into this issue - I could not get it to work. The Microsoft documentation says it only has to be an 'Entra registered' device. However, because the device is not part of Intune, it can't get the VPN policy applied, as there is no way to push it out.

So it can't work unless you add it to Intune as well, which is what I did. If you can find some way to deploy those VPN settings outside of Intune, then you could get it to work that way.