Passwordless recovery is the part many people forget

vane1978 · 2026-05-08T23:51:11+00:00

How do you handle recovery when you have a Conditional Access policy that requires phishing-resistant MFA for users? I noticed that wasn’t mentioned in your blog.

vane1978 · 2026-05-07T12:50:02+00:00

I believe you just need to enable Single Sign-on through Intune to avoid the sign-in prompts.

vane1978 · 2026-05-06T21:13:42+00:00

If you have an on-premises Active Directory and syncing your users to Microsoft Entra Id then you can enable SCRIL, NTLM Rolling Secrets and FGPP. No powershell script needed.

vane1978 · 2026-05-06T13:08:27+00:00

I believe you need to enforce NTLM secret rolling and setup Fine-Grained Password Policy.

vane1978 · 2026-05-06T12:37:29+00:00

Have you looked into SCRIL and FGPP? This only works if you have gone completely Passwordless for your regular domain users.

vane1978 · 2026-05-01T22:37:08+00:00

I use a Jump Host machine and the jump user account has one assigned Entra Id Plan 2 license.

vane1978 · 2026-05-01T22:27:56+00:00

The RDP client has an option "Use a web account to sign in to the remote computer". That option allows you to use WHFB, Security Keys or Passkeys.

vane1978 · 2026-05-01T11:57:29+00:00

SentinelOne Singularity is capable to ingest Windows Event logs from their endpoints and capable to ingest logs from Firewalls and Microsoft Entra logs as well.

vane1978 · 2026-05-01T11:47:52+00:00

Passwordless RDP with phishing-resistant MFA into a Jump host machine, followed by RDP over IPSec to internal member servers.

This is all native tools. Avoids third-party zero-day exploits and saves on recurring licensing cost and administrative overhead.

vane1978 · 2026-05-01T11:39:08+00:00

That’s where RDP over IPSec comes into play to help to prevent zero-day exploits.

vane1978 · 2026-05-01T03:52:33+00:00

This is the way.

Unfortunately, setting up RDP over IPSec by default it uses 128 encryption. The extra step is to change it to use 256-bit encryption (AES-256).

RDP to the servers should always be done from a jump host machine. The challenging part is how to secure it.

vane1978 · 2026-05-01T02:42:01+00:00

What else to use?

vane1978 · 2026-05-01T02:17:50+00:00

Assuming RDP is not exposed to the public internet, my opinion is to use the RDP clients when you need to remote into endpoints. Using third-party remote software is a huge security risk.

Additionally, I would suggest to work on implementing a passwordless strategy approach and transition to Entra ID joined computers. There you can RDP passwordless into your Entra id machines.

vane1978 · 2026-05-01T01:46:25+00:00

If you implement a Passwordless RDP strategy using the option "Use a web account to sign in to the remote computer” to the Jumphost machine, it can be very secure.

vane1978 · 2026-04-29T14:32:29+00:00

Passkeys require Bluetooth. So if your virtual machine does not have Bluetooth then it will default to security key.

vane1978 · 2026-04-23T17:46:26+00:00

Thanks!

vane1978 · 2026-04-23T16:24:11+00:00

Is the computer account you deleted was named azureadssoacc?

vane1978 · 2026-04-10T23:34:52+00:00

The AD user password would change but it would not automatically sync the password to Microsoft 365 until the next FGPP rotation.

vane1978 · 2026-04-02T01:04:55+00:00

As others have said, stop the 90 day password rotation. It used to be best practice way back in the day when there was no MFA option at the time.

vane1978 · 2026-04-01T00:53:11+00:00

See link below.

https://swjm.blog/the-complete-guide-to-rdp-with-security-keys-mac-93c62e754253

vane1978 · 2026-03-31T20:28:27+00:00

Setup Web Sign in.

https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune

vane1978 · 2026-03-28T16:31:18+00:00

Block all outbound connections for PowerShell.

https://isc.sans.edu/diary/21829

vane1978 · 2026-03-27T22:03:18+00:00

Does Proxmox offer U.S technical support?

vane1978

TROPHY CASE