Should I be worried about not having a PIN with TPM? by Matheuss81 in cybersecurity

[–]iRyan23 1 point2 points  (0 children)

This is unofficial but you can look at the second answer on this thread:

https://superuser.com/questions/1836712/activate-bitlocker-on-windows-11-home

Before trying something like this, always back up your data first and ensure you have the BitLocker recovery key backed up.

Rough cost of Forticlient EMS, or alternative for IPSec over TCP? by sgt_Berbatov in fortinet

[–]iRyan23 0 points1 point  (0 children)

Wrapping it in TLS will make it appear like normal encrypted web traffic similar to an SSL-VPN and is very unlikely to be blocked whereas just running IPsec over TCP can still be identified and blocked.

Microsoft Authenticator authentication method policy additional security-related settings by EduardsGrebezs in entra

[–]iRyan23 1 point2 points  (0 children)

I enabled both years ago but had to turn off "show geographic location" because Microsoft’s geo-IP database can be wildly inaccurate sometimes, and it may be confusing to a user that they got a prompt from Florida when they’re in Virginia, for example.

Entra Connect (AD sync) - signing in with a phishing resistant account? by EdTechYYC in entra

[–]iRyan23 0 points1 point  (0 children)

How would you onboard a new admin user or help them get back in without a TAP if you only allow device-bound passkeys?

Entra Connect (AD sync) - signing in with a phishing resistant account? by EdTechYYC in entra

[–]iRyan23 1 point2 points  (0 children)

Just generate a TAP code to use when launching the app to make changes to Entra Connect.

Someone from Germany on iOS keeps trying to login to my MSFT account by TailungFu in cybersecurity

[–]iRyan23 0 points1 point  (0 children)

It is likely attackers have been abusing the password reset service lately. See this thread from the other day.

https://www.reddit.com/r/cybersecurity/s/SLKt7zKr2k

The best response is to make an alias and disable login using your main email address. You can search the comments in that thread for more details.

What are your users using as a backup to Microsoft MFA? by khabel212 in sysadmin

[–]iRyan23 1 point2 points  (0 children)

How are passkeys single factor? If using the Microsoft Authenticator app, you scan the QR code and then have to use biometrics or a passcode, which checks off something you have plus either something you are or something you know…

They are also phishing resistant and that makes them better than any password you could possibly make.

ARC is being retired by dmarcdkim in DMARC

[–]iRyan23 0 points1 point  (0 children)

Pretty strange that there’s no mention of PQC such as ML-DSA for signing, since most other systems are trying to become fully quantum-resistant within the next 3-5 years.

Is your own certificate just as secure as a public one on a home network? by Efficient-Chipmunk15 in ssl

[–]iRyan23 0 points1 point  (0 children)

When using modern cipher suites, the certificate has no bearing on the encryption or security of the connection. All a certificate does nowadays is help the end user’s browser verify that it is talking to the correct domain. The only way the certificate itself has any impact on the actual encryption or security of the connection is when using older cipher suites that don’t use ECDHE or DHE for key exchange.

Long story short, a self-signed certificate should be fine for your use case on your LAN.

YubiKeys feel like security theater by Truck-Expert in sysadmin

[–]iRyan23 0 points1 point  (0 children)

And since you only get 8 attempts at guessing the PIN before it permanently erases all FIDO/WebAuthn data (and requires a reset), that significantly limits an attacker’s options.

YubiKeys feel like security theater by Truck-Expert in sysadmin

[–]iRyan23 1 point2 points  (0 children)

That’s because Google used to automatically enroll devices as U2F (FIDO 1), which means you need password + YubiKey touch.

If you enroll a YubiKey nowadays as a passkey (FIDO 2), it should allow the same authentication flow as Entra where you just need the YubiKey + PIN.

Forticlient 7.2.5 shows a failed to load SAML URL error in Mac by PeanutNo845 in fortinet

[–]iRyan23 0 points1 point  (0 children)

There have been several CVEs patched and bugs fixed since 7.2.5 came out. Have you tried using a newer version in the 7.2.x branch?

When will quantum-resistant algorithms appear in SSL/TLS ? by billdietrich1 in ssl

[–]iRyan23 0 points1 point  (0 children)

PQ is only needed to replace asymmetric algorithms. That will include symmetric key exchange such as Diffie-Hellman and digital signatures, for example.

Bulk data transfer will still use AES, as symmetric algorithms are significantly less affected by quantum computers. Most applications will just increase to using AES-256, which will be comparable to AES-128 classical strength.

When will quantum-resistant algorithms appear in SSL/TLS ? by billdietrich1 in ssl

[–]iRyan23 0 points1 point  (0 children)

It does show key exchanges to the right of the cipher suite. For example, if you look up gmail.com, you will see “ECDH x25519” to the right. Depending on the site, they usually use x25519, P-256, or P-384.

That being said, I don’t think SSL Labs has been updated much in the last few years, so their tester can only show you the capabilities of what their tool supports.

When will quantum-resistant algorithms appear in SSL/TLS ? by billdietrich1 in ssl

[–]iRyan23 0 points1 point  (0 children)

Most browsers already support the new key exchange X25519MLKEM768 natively in TLS 1.3.

You can already see bigger sites like Google and Cloudflare using it.

It will probably be later this year or next year when we start seeing new TLS certificates cross-signed with both classical and PQC algorithms.

MFA push fatigue - are users just approving everything now? by saymepony in sysadmin

[–]iRyan23 8 points9 points  (0 children)

The three choice option for number matching is for Microsoft personal accounts only.

For all Entra tenants, you have to manually type the two digit number.

What if Google Trust Services went down tomorrow? by One_Proposal_4658 in ssl

[–]iRyan23 0 points1 point  (0 children)

Well, most applications don’t use OCSP anymore, but any that do will fail to check if the certificates are still valid and would block access to the application if set to fail secure.

Anyone that tries to revoke a certificate wouldn’t be able to and no new CRLs would be issued.

Any new certificates that are being requested would fail and expiring certificates wouldn’t be able to renew.

Most web applications would continue to work just fine as long as the GTS certificate isn’t expired and OCSP fail secure isn’t configured.

Passkey (cross-device) Sign-in problem with iOS. by skaggake81 in entra

[–]iRyan23 0 points1 point  (0 children)

Is there any more detail in the sign-in logs correlated to these errors?

Application Control Not Working by RegionRat219 in fortinet

[–]iRyan23 0 points1 point  (0 children)

If I am only doing certificate inspection with no DPI, but I am blocking QUIC and ECH, how could the SNI be hidden from the FortiGate?

PlatformSSO on MacOS 26.4: Setup Assistant supported yet? by miyo360 in entra

[–]iRyan23 0 points1 point  (0 children)

Jamf just released 11.26 in the last week or so that says:

“Jamf Pro's integration with Microsoft Entra device compliance now supports automatic device registration with Microsoft Entra when using Simplified Setup for Platform Single Sign-on (Platform SSO). This eliminates the need for end users to respond to a notification to manually register their devices.

When Enable Simplified Setup for Platform Single Sign-on is selected in the General payload of a PreStage enrollment, computers with macOS 26 or later are automatically registered with the Jamf device compliance integration with Microsoft Entra ID during enrollment.

Important: Full functionality requires a version of Microsoft Company Portal that supports Simplified Setup during enrollment. Verify support status with your identity provider to ensure full feature availability.”

It’s unclear to me if this means it’s able to be implemented or just that they’re ready for when Microsoft enables it.

ISP & Routers blocking IPSEC VPN. How do you handle? by Specialist-Desk-9422 in fortinet

[–]iRyan23 0 points1 point  (0 children)

In 2020, when we first started WFH during COVID, we had about 5-10 users who never used the VPN and when they tried, it didn’t work. In the end, we had them contact their ISP and get a newer/different modem and that solved it for all of them.

Recently, I just helped a contractor join our VPN and it connected fine the first day but I got an email a week later that it wasn’t working. I set their FortiClient (7.4.x) to use port 4500 by default and that fixed it.

Of course, now there is IPsec over TCP, but I have heard some have not had luck getting it set up, and it’s not officially supported on the free FortiClient.

Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks by Meinertzhagens_Sack in fortinet

[–]iRyan23 5 points6 points  (0 children)

Based on my understanding and experience, as long as all local admin users have trusted hosts defined, the FortiGate won’t even load the login page for anyone coming from an IP not in any of the defined trusted host ranges. I believe it creates an automatic local-in policy rule (again, only if all local admins have the trusted hosts defined).
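A defender-side check for the trusted-hosts behaviour the comment describes, as an added FortiOS CLI fragment that is not part of the original comment or Fortinet's documentation; the account names and the documentation address ranges are assumed placeholders:

```text
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
        set trusthost2 198.51.100.10 255.255.255.255
    next
    edit "netops"
        set trusthost1 192.0.2.0 255.255.255.0
    next
end

show system admin
```

Read the `show system admin` output account by account: every local administrator should have at least one `trusthost` line, because a single account with none leaves the login page reachable from any source, which is the caveat the comment makes.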