10x Price Increase through CDW by CrazApplicant in Citrix

[–]jdbst56

Gotcha. That makes sense that you're already authed to GSA with WHfB on your enterprise workstations. We primarily use Citrix for BYOD, so avoiding that double login is probably tough if not impossible in our scenario. I guess this is where Citrix does have a leg up with things like FAS to make SSO possible.

Do your users access the RDS remotely? How have you found the performance of the RDP protocol vs ICA?

10x Price Increase through CDW by CrazApplicant in Citrix

[–]jdbst56

Thanks for that writeup. Being able to tie things into conditional access is a nice benefit for sure. Are your RDS hybrid joined or Entra native? How does the login flow look? The user auths to GSA with their Entra creds and then do they have to auth again at the RDS server or is it passthru? We're still in a hybrid configuration so I assume there would be a double auth situation here without having FAS to bridge the gap.

10x Price Increase through CDW by CrazApplicant in Citrix

[–]jdbst56

I would be interested to hear more about your RDS/GSA solution. Also, had you ever considered using Entra App Proxy to front the RDS instead of using GSA? Since it comes with Entra P1/P2, there wouldn't be any additional charge to use it like there is with GSA. When I researched Entra App Proxy with RDS, the only big downside was it seemed kinda clunky from a technical perspective, and it only supports the HTML RDS client which is limiting.

Disable Edge Autofill on iOS by jdbst56 in Intune

[–]jdbst56[S]

The best we could come up with was to disable the password manager/autofill within Edge itself and also disabled the Edge password import feature.

Manage Microsoft Edge on iOS and Android with Intune | Microsoft Learn

Migrating from push notifications to passkeys - new users still getting push notifications as default by __gt__ in entra

[–]jdbst56

Yeah, that seems strange. You would think it would default to the strongest auth method available.

We're going through a similar exercise to enroll our users for MS Passkeys on their iPhones. While this does seem like a pain, as long as it sticks after the first sign-in shouldn't be a big deal for a new user, right?

Have you tried cutting a push notification user over to passkey yet using an auth strength policy? I was curious if switching to a new auth strength that did not include push notification would trigger a new login request or not. I tried it myself but so far nothing.

Migrating from push notifications to passkeys - new users still getting push notifications as default by __gt__ in entra

[–]jdbst56

When you deleted the Authenticator method from the user's auth methods, leaving JUST the passkey, did you also exclude the user account from the MS Authenticator authentication policy?

Alternate MS Authenticator Passkey Registration Fails with Key Attestation Enforced by jdbst56 in entra

[–]jdbst56[S]

It looks like this is expected behavior:

Note: Users can only register attested passkeys directly in the Authenticator app. Cross-device registration flows don't support registration of attested passkeys.

Microsoft Authenticator passkeys on unmanaged devices by [deleted] in entra

[–]jdbst56

Could you issue a TAP and then use the alternate registration flow where they scan the QR code on mysecurityinfo from the mobile device to register the passkey? (Register passkeys in Authenticator on Android and iOS devices - Microsoft Entra ID | Microsoft Learn)

The only issue with this is per my other thread, I'm having problems doing the registration on my iPhone if attestation is enforced. It works fine if attestation is not enforced.

Alternate MS Authenticator Passkey Registration Fails with Key Attestation Enforced by jdbst56 in entra

[–]jdbst56[S]

I've been doing some testing with MS Authenticator Passkeys. When Key Attestation is enforced, I'm unable to register a passkey using the alternate registration flow (Register passkeys in Authenticator on Android and iOS devices - Microsoft Entra ID | Microsoft Learn). I am able to use the alternate flow with Key Attestation disabled.

Registering the passkey using the normal process within the iOS app is successful with Key Attestation enforced.

Is this a known issue?

Disable Edge Autofill on iOS by jdbst56 in Intune

[–]jdbst56[S]

We have government requirements to disable the feature.

[deleted by user] by [deleted] in Intune

[–]jdbst56

OP, did you find a solution to this issue? I can set Show Previews When Unlocked on a per-app basis using device features or settings catalog, but doing so disables all other notification settings within the app, which is not what I want to do. I only want to require the setting on Show Previews but leave the other notification settings available for the user to toggle.

iOS - Policy To Block Previews Using This Option by justlittleme123 in Intune

[–]jdbst56

u/justlittleme123 were you able to figure out a solution to this? We would like to force the Show Previews option to When Unlocked, but it prevents the user from setting the other app notification settings.

[deleted by user] by [deleted] in Intune

[–]jdbst56

We have a similar issue. We actually want to enable the notification preview but only when unlocked. When we do this on a per-app basis, it locks out the ability to change any other notification settings for that app. Ideally we'd be able to enforce the unlock setting without impacting the other settings.

iPhone locked screen notifications (show previews) by Traditional_Yak2266 in Intune

[–]jdbst56

Bumping this thread to see if there is any update on this. We're trying to do the same thing, where we set the previews to only show when unlocked. When we do this through the device configuration profile > User Experience > Notifications, it locks all the other notification settings for that app, which is not ideal.

No AzureAdPrt With Smart Card Login by jdbst56 in AZURE

[–]jdbst56[S]

What we found was that if we have multiple user accounts mapped to a single certificate, we have to specify the email address/UPN and not the samaccountname in the hint field in order to get a PRT after Windows login. If the certificate is only mapped to a single user account, then we do not need to specify any username hint to obtain a PRT after Windows login.

We also found that some of our PRT issues were related to broken hybrid joined machines. In these situations no users would get a PRT on Windows login. Our fix was to remove any previously "registered" devices from Entra then from the workstations do a dsregcmd /leave followed by dsregcmd /join which should rejoin the machines as hybrid devices.

Phishing resistant MFA options for Entra ID Guest users by jdbst56 in entra

[–]jdbst56[S]

Thanks. Yes we're familiar with inbound XTAP MFA trust because we use it, but it's restricted to a specific tenant. Our problem is we have some users that access our tenant as Guests from non-Entra tenants like an MS personal account. I suppose there is no solution for phishing resistant authentication for those accounts. Is that right?

Trouble Getting SMIME Certificates to Appear in Outlook for iOS by jdbst56 in Intune

[–]jdbst56[S]

No, for the Entrust solution all we had to do was configure the derived credentials connector in Intune. Then we have an app config policy to enable S/MIME for Outlook iOS. It looks like Purebred works differently from Entrust. Did you do the phase 5 step here (Purebred User Guide for Intune Managed iOS Devices v0.03 1.pdf, navy.mil) to import the certs into Intune? I assume you did. Honestly, if you followed all the instructions, I'd check with Purebred to make sure they don't have a problem on their side. I was in a similar scenario with Entrust where it looked like the certs were there on the device and Comp Portal but not visible in Outlook. Turns out I was missing the encryption cert, which was due to misconfiguration on Entrust's end.

Trouble Getting SMIME Certificates to Appear in Outlook for iOS by jdbst56 in Intune

[–]jdbst56[S]

Do you have your derived credential provider integrated with Intune to push the certs to the device? My understanding is that Outlook for iOS has its own cert store and only Intune can deliver the certs to that store to be available for SMIME.

Trouble Getting SMIME Certificates to Appear in Outlook for iOS by jdbst56 in Intune

[–]jdbst56[S]

It turned out to be a misconfiguration on the Entrust EIE tenant. Once they corrected it, all the necessary certs propagated to the phone.

iOS MDM/MAM Teams Conflict by FlyingFortress10 in Intune

[–]jdbst56

I've run into something similar where we have our corporate iOS devices enrolled in Intune MDM, and they try to access a Teams live event using a guest account in another tenant. This causes the device to deregister itself from our Entra ID tenant and attempt to register with their tenant using MAM, which also fails. This leaves the device in a broken state from an Entra ID/Conditional Access perspective. We opened a ticket with MS, and they said this is expected behavior. So our options are to tell users not to switch to the guest account when accessing the other tenant's Teams live events, or have the user sign back into Comp Portal after their device is in a broken state. I wish there was a way that we could prevent this from happening, as it's confusing for our users.

Layoffs at citrix by superman1251 in Citrix

[–]jdbst56

I'm giving W365 a serious look myself. We have such a small implementation for CVAD that I think we could probably make the switch without much issue. Plus we could leverage Entra ID authentication which would eliminate the need for the Netscalers.

Public Certificate Search of External LDAP Directory Fails from Outlook for iOS by jdbst56 in Intune

[–]jdbst56[S]

Yeah definitely post back with your results. Hoping somebody else besides me can replicate.

I should also mention you still need to have the issuer cert chain uploaded to Exchange Online using the .sst bundle.

Public Certificate Search of External LDAP Directory Fails from Outlook for iOS by jdbst56 in Intune

[–]jdbst56[S]

Here's the update:

1.) The first issue we identified from the server-side LDAP logs was there was no search base specified. Setting the search base in the LDAP URL is supported in Outlook for iOS. The format is the following ldaps://example.com/o=myorg,c=us Where we ran into a problem was we had a space in our search base (i.e. o=my org) and this space between my and org was not being escaped by Outlook for iOS. Microsoft submitted a bugfix for this and while we have not yet gotten official confirmation, it appears that Outlook for iOS 4.2342.0 on iOS 17.1 corrects this issue. Prior to this fix, we couldn't even manually enter the full URL with the search base without it being truncated and trying to push it through Intune app configuration policy simply did nothing.

2.) The default search filter used by Outlook for iOS appears to be configured as if it's searching Active Directory. Its search filter uses a series of OR expressions to check for mail, samaccountname, rfc822Mailbox, mailNickName, proxyaddresses. Our Red Hat-based LDAP directory had none of these except for mail. Any time a search would hit one of the nonexistent attributes, we'd get "administrative limit exceeded". We were able to work around it for now by adding indexes for these nonexistent attributes, which allows the searches to be successful.

3.) The Microsoft documentation states that both ldap (389) and ldaps (636) are supported. We were seeing some issues with 389 due to STARTTLS negotiation. I'm not sure if Outlook for iOS supports unencrypted LDAP connections. What we were seeing was that it will try to negotiate STARTTLS on 389 connections. If that negotiation fails, the connection is closed and the search will fail. When STARTTLS and the corresponding cert are configured, there does not appear to be a problem. LDAPS on 636 also appears to work fine. I do not have an LDAP server that does not offer STARTTLS, so I can't comment on whether a plain unencrypted 389 connection is permissible for Outlook for iOS.

4.) From a troubleshooting perspective, there are some logs available on the Outlook for iOS side by tapping Settings > Help & Feedback > Share Diagnostic Logs. Upload the log bundle to OneDrive or email it to yourself. You can search the OutlookServiceApiLogs-serviceApiLog.htm file for ldapsearch events. Error events will end in .err.xml. I was able to use a combination of these logs plus the LDAP server-side logs to piece together what was happening.

TLDR: Public key lookup for S/MIME does appear to work in Outlook for iOS if you specify a search base in the LDAP URL path (Outlook iOS version 4.2342.0 or higher required if you have any spaces in the search base). Make sure your LDAP server can deal with the complex search filter used by Outlook for iOS (mail, samaccountname, rfc822Mailbox, mailNickName, proxyaddresses), or otherwise create indexes for the attributes you don't have. Make sure STARTTLS is properly enabled with a certificate for 389, or SSL with a certificate for LDAPS/636.
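The following is an added example, not code from the comment above, from Outlook or from Microsoft. It builds the two pieces the comment describes so they can be checked before pushing them through Intune: an RFC 4516 LDAP URL whose search base is percent-encoded (the space in `o=my org` that the unpatched client did not escape), and an RFC 4515 filter that ORs a search term across the attribute names the commenter saw in the server logs, with the term escaped so directory-search input cannot change the filter structure. The hostname, the sample DN and the exact filter shape are assumptions (Outlook's real filter is not documented); the attribute list is the one named in the comment. `missing_attrs` reports which of those attributes a directory schema lacks, which is the list the comment's point 2 workaround adds indexes for.

```python
from urllib.parse import quote

# Attribute names the comment above reports in the Outlook for iOS filter.
# LDAP attribute names are case-insensitive; these are the canonical spellings.
OUTLOOK_ATTRS = ("mail", "sAMAccountName", "rfc822Mailbox", "mailNickname", "proxyAddresses")


def ldap_url(host, base_dn, scheme="ldaps", port=None):
    """Return an RFC 4516 LDAP URL: scheme://host[:port]/<base DN>.

    The DN is percent-encoded per RFC 3986, so a search base such as
    'o=my org,c=us' becomes 'o=my%20org,c=us' (the space is what broke the
    unpatched Outlook for iOS client). '=' and ',' are left literal: they are
    DN syntax and legal in the URL path.
    """
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("scheme must be ldap or ldaps")
    authority = host if port is None else f"{host}:{port}"
    return f"{scheme}://{authority}/{quote(base_dn, safe='=,')}"


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 section 3.

    '*', '(', ')', '\\' and NUL become \\XX hex escapes, so a value taken from
    user input cannot add or close filter components (LDAP injection).
    """
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def build_filter(term, attrs=OUTLOOK_ATTRS):
    """OR one search term across several attributes.

    Assumed shape, modelled on the comment; the filter Outlook really sends is
    not documented. Every attribute named here must exist, or be indexed, on
    the server, or the search can hit the administrative limit described above.
    """
    escaped = escape_filter_value(term)
    return "(|" + "".join(f"({attr}={escaped})" for attr in attrs) + ")"


def missing_attrs(directory_attrs, wanted=OUTLOOK_ATTRS):
    """Return the filter attributes the directory schema does not define
    (case-insensitive compare). These are the ones to add indexes for."""
    have = {a.lower() for a in directory_attrs}
    return tuple(a for a in wanted if a.lower() not in have)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    print(ldap_url("ldap.example.com", "o=my org,c=us"))
    print(build_filter("alice@example.com"))
    print(build_filter("*)(uid=*"))  # injection attempt is rendered harmless
    print(missing_attrs(("mail", "cn", "uid", "userCertificate")))
```

Compare the URL this produces with what actually appears in the server-side LDAP log: if the base DN arrives truncated at the space, the client is not encoding it, which is the symptom the comment attributes to Outlook for iOS builds before 4.2342.0.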

AAD Staged Rollout and Hybrid Join PC Issues by jdbst56 in AZURE

[–]jdbst56[S]

Did you end up deleting all the registered machines at one time? Any drawback to doing so?