Windows Office Hours: January 16, 2025
Thursday, Jan 16, 2025, 08:00 AM PST
Event details
Get answers to your questions about adopting Windows 11 and managing Windows devices across your organization. Find out how to proactively implement and monitor Zero Trust practices. Get tips on keep...
Pearl-Angeles
Updated Jan 08, 2025
Dom_Cote
Jan 16, 2025, Brass Contributor
Here's a fun one - that is SUPER common in our business:
- Configure M365/Entra for phishing resistant MFA (=WHfB + FIDO2)
- Take an existing device and JOIN Entra through settings - accounts - access work etc.
- Sign in to Entra using FIDO2 key (WHfB hasn't been configured at this point). Success.
- Switch to new Entra / work account by signing in to it.
- Windows completely (!) skips the ESP and goes straight to desktop, which is not ready yet. Also, WHfB never deploys, despite it being a mandatory policy.
When we repeat the same process using a password and MFA, everything works as expected.
Why does the ESP not run in this scenario?
How can we ensure ESP runs as expected for the perfect desktop experience - using NOTHING but FIDO2 keys to onboard?
Hung_Dang
Microsoft
Jan 16, 2025
In the ESP profile, make sure the "Only show page to devices provisioned by out-of-box experience (OOBE)" setting is set to No, since you're doing a Workplace Join and not an Entra join/MDM enrollment in OOBE. Setting it to Yes should make the ESP display only when Entra join/MDM enrollment occurs during OOBE. Hope this helps.
- Dom_Cote, Jan 16, 2025, Brass Contributor
Yeah - that IS off. As I mentioned, it works as expected when the join/enrollment is done with a username/password combo. It's just FIDO2 / phishing resistant that won't start ESP.
Btw, if we go through OoBE using the same FIDO 2 key on the same device with the same account, ESP runs as expected. Awesome deployment experience btw. 😉
As we are an MSP for SMB, most of our customers bring existing devices when they sign up with us. To minimize disruption, we never wipe+load, we just onboard their devices to their (new) M365 tenant, so they can keep their old user profile "as is" and go back to it whenever they want. Works VERY well, btw. So self-service onboarding existing Windows PCs is our most common scenario. Now that we switched to phishing resistant MFA, we need to ask them to sign in with a username/password combo just ONCE - when they sign in for the first time. That triggers ESP and deployment runs as expected.
(Side note, phishing resistant conditional access doesn't prevent username/password sign ins, it just ALSO asks for WHfB or FIDO2 on top.)
In case it helps and you're interested, I can provide the support ticket I opened a while ago about this.
The agent and their supervisor (both super helpful) said "it just doesn't work", after escalating this. (you'll need to DM me, the forum won't let me share the ticket ID here)