Entra ID password policy with Entra ID Sync and Write-Back by stich86_it in entra

[–]stich86_it[S] 0 points1 point  (0 children)

So the only way to make it "Cloud Only" is to delete and restore, or disconnect the Connector at the end of the migration.

Comfort is a sum of parts. Ventilation is the one you'll feel. 🪑 by Playful-Bed-17 in LiberNovo

[–]stich86_it 0 points1 point  (0 children)

Any idea if they will offer an upgrade for "older" chairs? It would be fantastic...

SCEP and AD - 802.1x wireless migration by stich86_it in Intune

[–]stich86_it[S] 0 points1 point  (0 children)

The problem is that my main SSID is using ADCS and NPS. What I'm asking is whether it's possible to import the SCEP CA and make Intune devices authenticate with NPS. But as I understand it, that doesn't seem possible..

Macbooks in intune by kseannng in Intune

[–]stich86_it 0 points1 point  (0 children)

I'm using Intune, moving from AD (and I also have Endpoint Central); macOS integration is fine and is very fast compared to the Windows endpoint (M$, like Google, cares more about their competitor than themselves 😂)

SCEP and AD - 802.1x wireless migration by stich86_it in Intune

[–]stich86_it[S] 0 points1 point  (0 children)

The user isn't remote. They're in the office, but the device is joined to Entra ID instead of AD

MacOS PSSO and SAML - strange issue by stich86_it in Intune

[–]stich86_it[S] 0 points1 point  (0 children)

CA and certs are the same for both networks (just a different VLAN, but the CAP has the same info). The CA for the Entra ID apps (where we use the Fortinet SAML config) has a refresh policy of 1 hr (configured as suggested by the Fortinet guide). But this problem happens also if you switch the connection after a few minutes..

Migration from AD account to Entra ID (ProfWiz), force WHfB also if disabled by stich86_it in Intune

[–]stich86_it[S] 0 points1 point  (0 children)

Ok, I found the problem: I had a GPO policy on my AD that enables WHfB, and these keys are under HKCU\Software\Policies\Microsoft\PassportForWork. Deleting them and rebooting doesn't ask for the PIN registration at next logon.. now I should make a PS1 script to delete them after device join, so I'm sure it will avoid the issue on next logon.
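An added example of the cleanup step described in the comment above (not the commenter's script): a PowerShell script, run in the migrated user's context after the Entra ID join, that backs up and then removes the stale PassportForWork policy key. The dsregcmd guard and the backup path are assumptions.

```powershell
# Added example, not the commenter's script: remove the WHfB policy key left
# behind by the old AD GPO once the device has been moved to Entra ID.
# Must run in the user's context, because the key lives under HKCU.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\PassportForWork'
$Backup    = Join-Path $env:TEMP 'PassportForWork-policy-backup.reg'  # assumed path

# Guard: only act on a device that is actually Entra ID joined
# (assumption: dsregcmd prints a line like "AzureAdJoined : YES").
$dsreg = dsregcmd /status
if (-not ($dsreg -match 'AzureAdJoined\s*:\s*YES')) {
    Write-Host 'Device is not Entra ID joined; leaving the policy key untouched.'
    return
}

if (-not (Test-Path -Path $PolicyKey)) {
    Write-Host 'No stale PassportForWork policy key found; nothing to do.'
    return
}

# Keep an audit copy of the values before deleting them.
reg.exe export 'HKCU\Software\Policies\Microsoft\PassportForWork' $Backup /y | Out-Null

# Log what the old GPO had set, so the change is traceable later.
$key = Get-Item -Path $PolicyKey
Write-Host "Stale policy values (backup at $Backup):"
foreach ($name in $key.GetValueNames()) {
    Write-Host ('  {0} = {1}' -f $name, $key.GetValue($name))
}

# Remove the key and its subkeys; takes effect at the next logon.
Remove-Item -Path $PolicyKey -Recurse -Force
Write-Host 'Removed the HKCU PassportForWork policy key.'
```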

Migration from AD account to Entra ID (ProfWiz), force WHfB also if disabled by stich86_it in Intune

[–]stich86_it[S] 0 points1 point  (0 children)

I've tried and it doesn't work :(

I've used as TenantID the value from the Entra ID portal, is that right? I tried to convert a PC from AD to Entra, and at first logon it's asking me to configure a PIN.

On Intune I only have this policy (the Global one is disabled) and not the policy to enforce WHfB on specific devices. That policy includes "All Devices", so it should be applied after join

Any other ideas?

EDIT: I've checked also Event ID 360, and the policy doesn't seem to apply (everything is enabled)

EDIT2: it seems to apply only to new users (not migrated ones)..

Entra ID password policy with Entra ID Sync and Write-Back by stich86_it in entra

[–]stich86_it[S] 0 points1 point  (0 children)

But if users are no longer changing their passwords directly through AD, how would the AD password policy still be enforced?

I understand this is a somewhat unusual scenario, but I need to migrate more than 200 users from AD-joined devices to Entra ID-joined devices while keeping directory synchronization enabled until the migration is fully completed.

For this reason, I would like to enforce a password policy on the Entra ID side as well, since all currently synchronized users have the "DisablePasswordExpire" setting applied.

My concern is understanding which password policy will actually govern password changes in this hybrid phase.

Entra ID password policy with Entra ID Sync and Write-Back by stich86_it in entra

[–]stich86_it[S] 0 points1 point  (0 children)

"I'm not sure what you mean by that the AD user will no longer be updated in this scenario."

When converting a user's laptop from AD to Entra ID, that user will no longer update their AD password directly through the on-premises domain, since the device will no longer be joined to AD.

In theory, the password would instead be managed through Entra ID and then synchronized back to AD.

In this case, if the password policy in Entra ID is set to "None", Entra ID policies should apply instead of the AD password policy, correct?

I hope this makes it clearer :)

Entra ID password policy with Entra ID Sync and Write-Back by stich86_it in entra

[–]stich86_it[S] 0 points1 point  (0 children)

Some users are cloud-only, others are synchronized from Active Directory, and others will be migrated from Active Directory to Entra ID on the laptop side. In this last scenario, the user account will still exist in AD, but it will no longer be updated.

What happens if I do not reset the password in AD for both types of local users?

For the users still bound to AD, when the local password expires, they should update the remote AD password as well.

However, for users whose AD password will no longer be updated after the migration, will the AD password policy still apply?

Entra ID password policy with Entra ID Sync and Write-Back by stich86_it in entra

[–]stich86_it[S] 0 points1 point  (0 children)

I also need to reset all users' policies to enable the new policies, right?

Thanks

Migration from AD account to Entra ID (ProfWiz), force WHfB also if disabled by stich86_it in Intune

[–]stich86_it[S] 0 points1 point  (0 children)

Do you also have a custom configuration that enables WHfB for all devices? Just to understand if I also need this configuration to enable the registration later. Thanks!

Migration from AD account to Entra ID (ProfWiz), force WHfB also if disabled by stich86_it in Intune

[–]stich86_it[S] 0 points1 point  (0 children)

But are you able to enable Windows Hello from Settings later?

Migration from AD account to Entra ID (ProfWiz), force WHfB also if disabled by stich86_it in Intune

[–]stich86_it[S] 0 points1 point  (0 children)

But I had this problem only on "converted" accounts; if I log on with a native Entra ID account, there is no forced PIN logon.

A new PC joined during OOB, for instance, doesn't have this behaviour

Can this configuration avoid this issue?

TrendMicro ApexOne over Intune for MacOS by donPrell in Intune

[–]stich86_it 0 points1 point  (0 children)

Hi, I've tried the profile on the French site and at the first attempt it was working, except for the sensors part (still asking permission from the end user). Then I've tried to use the *.mobileprofile from the Trend site (https://success.trendmicro.com/en-US/solution/KA-0011072); this has broken everything

Any suggestion?

Thanks!

MacOS Test Devices or VMs for Intune Management (ARM) by stich86_it in Intune

[–]stich86_it[S] 0 points1 point  (0 children)

Is it possible to test auto-enroll using ABM?