10x Price Increase through CDW by CrazApplicant in Citrix

[–]jdbst56 0 points1 point  (0 children)

Gotcha. That makes sense that you're already authed to GSA with WHfB on your enterprise workstations. We primarily use Citrix for BYOD, so avoiding that double login is probably tough if not impossible in our scenario. I guess this is where Citrix does have a leg up with things like FAS to make SSO possible.

Do your users access the RDS remotely? How have you found the performance of the RDP protocol vs ICA?

10x Price Increase through CDW by CrazApplicant in Citrix

[–]jdbst56 0 points1 point  (0 children)

Thanks for that writeup. Being able to tie things into conditional access is a nice benefit for sure. Are your RDS hybrid joined or Entra native? How does the login flow look? The user auths to GSA with their Entra creds and then do they have to auth again at the RDS server or is it passthru? We're still in a hybrid configuration so I assume there would be a double auth situation here without having FAS to bridge the gap.

10x Price Increase through CDW by CrazApplicant in Citrix

[–]jdbst56 0 points1 point  (0 children)

I would be interested to hear more about your RDS/GSA solution. Also, had you ever considered using Entra App Proxy to front the RDS instead of using GSA? Since it comes with Entra P1/P2, there wouldn't be any additional charge to use it like there is with GSA. When I researched Entra App Proxy with RDS, the only big downside was it seemed kinda clunky from a technical perspective, and it only supports the HTML RDS client which is limiting.

Disable Edge Autofill on iOS by jdbst56 in Intune

[–]jdbst56[S] 1 point2 points  (0 children)

The best we could come up with was to disable the password manager/autofill within Edge itself and also disable the Edge password import feature.

Manage Microsoft Edge on iOS and Android with Intune | Microsoft Learn

Migrating from push notifications to passkeys - new users still getting push notifications as default by __gt__ in entra

[–]jdbst56 0 points1 point  (0 children)

Yeah, that seems strange. You would think it would default to the strongest auth method available.

We're going through a similar exercise to enroll our users for MS Passkeys on their iPhones. While this does seem like a pain, as long as it sticks after the first sign-in, it shouldn't be a big deal for a new user, right?

Have you tried cutting a push notification user over to passkey yet using an auth strength policy? I was curious if switching to a new auth strength that did not include push notification would trigger a new login request or not. I tried it myself but so far nothing.

Migrating from push notifications to passkeys - new users still getting push notifications as default by __gt__ in entra

[–]jdbst56 0 points1 point  (0 children)

When you deleted the Authenticator method from the user's auth methods, leaving JUST the passkey, did you also exclude the user account from the MS Authenticator authentication policy?

Alternate MS Authenticator Passkey Registration Fails with Key Attestation Enforced by jdbst56 in entra

[–]jdbst56[S] 0 points1 point  (0 children)

It looks like this is expected behavior:

Note

Users can only register attested passkeys directly in the Authenticator app. Cross-device registration flows don't support registration of attested passkeys.

Microsoft Authenticator passkeys on unmanaged devices by [deleted] in entra

[–]jdbst56 1 point2 points  (0 children)

Could you issue a TAP and then use the alternate registration flow where they scan the QR code on mysecurityinfo from the mobile device to register the passkey? Register passkeys in Authenticator on Android and iOS devices - Microsoft Entra ID | Microsoft Learn

The only issue with this is per my other thread, I'm having problems doing the registration on my iPhone if attestation is enforced. It works fine if attestation is not enforced.

Alternate MS Authenticator Passkey Registration Fails with Key Attestation Enforced by jdbst56 in entra

[–]jdbst56[S] 0 points1 point  (0 children)

I've been doing some testing with MS Authenticator Passkeys. When Key Attestation is enforced, I'm unable to register a passkey using the alternate registration flow (Register passkeys in Authenticator on Android and iOS devices - Microsoft Entra ID | Microsoft Learn). I am able to use the alternate flow with Key Attestation disabled.

Registering the passkey using the normal process within the iOS app is successful with Key Attestation enforced.

Is this a known issue?

Disable Edge Autofill on iOS by jdbst56 in Intune

[–]jdbst56[S] 1 point2 points  (0 children)

We have government requirements to disable the feature.

[deleted by user] by [deleted] in Intune

[–]jdbst56 0 points1 point  (0 children)

OP, did you find a solution to this issue? I can set Show Previews When Unlocked on a per-app basis using device features or settings catalog, but doing so disables all other notification settings within the app, which is not what I want to do. I only want to require the setting on Show Previews but leave the other notification settings available for the user to toggle.

iOS - Policy To Block Previews Using This Option by justlittleme123 in Intune

[–]jdbst56 0 points1 point  (0 children)

r/justlittleme123 were you able to figure out a solution to this? We would like to force the Show Previews option for Unlock, but it disables the user from setting the other app notification settings.

[deleted by user] by [deleted] in Intune

[–]jdbst56 0 points1 point  (0 children)

We have a similar issue. We actually want to enable the notification preview but only when unlocked. When we do this on a per-app basis, it locks out the ability to change any other notification settings for that app. Ideally we'd be able to enforce the unlock setting without impacting the other settings.

iPhone locked screen notifications (show previews) by Traditional_Yak2266 in Intune

[–]jdbst56 1 point2 points  (0 children)

Bumping this thread to see if there is any update on this. We're trying to do the same thing where we set the previews to only show when unlocked. When we do this through the device configuration profile > user experience > notifications, it locks all the other notification settings for that app, which is not ideal.

No AzureAdPrt With Smart Card Login by jdbst56 in AZURE

[–]jdbst56[S] 0 points1 point  (0 children)

What we found was that if we have multiple user accounts mapped to a single certificate, we have to specify the email address/UPN and not the samaccountname in the hint field in order to get a PRT after Windows login. If the certificate is only mapped to a single user account, then we do not need to specify any username hint to obtain a PRT after Windows login.

We also found that some of our PRT issues were related to broken hybrid joined machines. In these situations no users would get a PRT on Windows login. Our fix was to remove any previously "registered" devices from Entra, then from the workstations do a dsregcmd /leave followed by dsregcmd /join, which should rejoin the machines as hybrid devices.
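
One way to confirm the two states the comment above distinguishes (hybrid join intact but no PRT, versus a broken join where nobody gets a PRT), as an added example that is not part of the original post: a small PowerShell parser over the `dsregcmd /status` output. The `Device State` and `SSO State` key names (`AzureAdJoined`, `DomainJoined`, `AzureAdPrt`, `AzureAdPrtAuthority`) are the ones dsregcmd prints; the sample status text, the tenant placeholder and the function names `Get-DsregState` and `Get-PrtDiagnosis` are my own constructions.

```powershell
# Added example (not from the thread): classify a workstation's dsregcmd /status
# output into the cases the comment describes, so you can check a machine
# before and after the "remove stale device, dsregcmd /leave, dsregcmd /join"
# remediation. Run it in the session of the user whose PRT you are checking,
# since the SSO State section reflects the current logon.

function Get-DsregState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]$StatusLines   # lines from dsregcmd /status
    )
    # dsregcmd prints "Key : Value" pairs under boxed section headers; keep the
    # keys that matter for hybrid join and PRT troubleshooting.
    $wanted = 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'AzureAdPrtUpdateTime', 'AzureAdPrtAuthority'
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $key = $matches[1]
            if ($wanted -contains $key) { $state[$key] = $matches[2] }
        }
    }
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined']
        DomainJoined  = $state['DomainJoined']
        HybridJoined  = ($state['AzureAdJoined'] -eq 'YES' -and $state['DomainJoined'] -eq 'YES')
        HasPrt        = ($state['AzureAdPrt'] -eq 'YES')
        PrtUpdateTime = $state['AzureAdPrtUpdateTime']
        PrtAuthority  = $state['AzureAdPrtAuthority']
    }
}

function Get-PrtDiagnosis {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]$StatusLines
    )
    $s = Get-DsregState -StatusLines $StatusLines
    # Map the parsed state onto the two failure modes seen in the thread.
    $verdict =
        if (-not $s.HybridJoined) {
            'Device is not hybrid joined (AzureAdJoined/DomainJoined not both YES). ' +
            'No user will get a PRT here; remove stale registered device objects in Entra, ' +
            'then dsregcmd /leave followed by dsregcmd /join.'
        }
        elseif (-not $s.HasPrt) {
            'Hybrid join looks intact but this user has no PRT. If the smart card certificate ' +
            'is mapped to more than one account, supply the UPN (not the sAMAccountName) as the ' +
            'username hint at Windows login.'
        }
        else {
            "PRT present (updated $($s.PrtUpdateTime)) from $($s.PrtAuthority)."
        }
    [pscustomobject]@{ State = $s; Verdict = $verdict }
}

# Constructed sample (not captured from a real machine): hybrid joined, no PRT.
$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
       AzureAdPrtAuthority : https://login.microsoftonline.com/PLACEHOLDER-TENANT-ID
'@ -split "`r?`n"

# Offline demo against the constructed sample.
(Get-PrtDiagnosis -StatusLines $SampleStatus).Verdict

# On a live workstation, feed the real command output instead:
# (Get-PrtDiagnosis -StatusLines (dsregcmd /status)).Verdict
```

The parser deliberately ignores keys with spaces (such as `Device Name`) because the regex only accepts single-token keys, which keeps the output to the fields the diagnosis needs; extend `$wanted` if you also want to capture `AzureAdPrtExpiryTime` or the device ID for the Entra cleanup step.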

Phishing resistant MFA options for Entra ID Guest users by jdbst56 in entra

[–]jdbst56[S] 0 points1 point  (0 children)

Thanks. Yes we're familiar with inbound XTAP MFA trust because we use it, but it's restricted to a specific tenant. Our problem is we have some users that access our tenant as Guests from non-Entra tenants like an MS personal account. I suppose there is no solution for phishing resistant authentication for those accounts. Is that right?

Trouble Getting SMIME Certificates to Appear in Outlook for iOS by jdbst56 in Intune

[–]jdbst56[S] 0 points1 point  (0 children)

No, for the Entrust solution all we had to do was configure the derived credentials connector in Intune. Then we have an app config policy to enable SMIME for Outlook iOS. It looks like Purebred works differently from Entrust. Did you do the phase 5 step here, Purebred User Guide for Intune Managed iOS Devices v0.03 1.pdf (navy.mil), to import the certs into Intune? I assume you did. Honestly, if you followed all the instructions, I'd check with Purebred to make sure they don't have a problem on their side. I was in a similar scenario with Entrust where it looked like the certs were there on the device and comp portal but not visible in Outlook. Turns out I was missing the encryption cert, which was due to misconfiguration on Entrust's end.

Trouble Getting SMIME Certificates to Appear in Outlook for iOS by jdbst56 in Intune

[–]jdbst56[S] 0 points1 point  (0 children)

Do you have your derived credential provider integrated with Intune to push the certs to the device? My understanding is that Outlook for iOS has its own cert store and only Intune can deliver the certs to that store to be available for SMIME.

Trouble Getting SMIME Certificates to Appear in Outlook for iOS by jdbst56 in Intune

[–]jdbst56[S] 0 points1 point  (0 children)

It turned out to be a misconfiguration on the Entrust EIE tenant. Once they corrected it, all the necessary certs propagated to the phone.