Forum Discussion

chrisslroth's avatar
chrisslroth
Brass Contributor
Jul 25, 2024

Autopilot Resett and MFA for Device Registration

MFA is enforced over CA-Policy for Device Registration. When we apply an autopilot-resett via Intune admin center, the assigned user must login again and perform MFA after autopilot Provisioning. Ot...
Autopilot
ESP
Intune
Rudy_Ooms_MVP's avatar
Rudy_Ooms_MVP
MVP
Jul 25, 2024

chrisslroth 

 

Just wondering but are you using WIndows hello/requiring Windows hello as that holds the mfa claim.. and with it your users wont be prompted for it

  • chrisslroth's avatar
    chrisslroth
    Brass Contributor
    Jul 25, 2024
    I see in eventlog:
    Event ID 212: MDM Session: Failed to get AAD Token for sync session User Token: (Unknown Win32 Error code: 0xcaa10001) Device token (unsupported feature)
  • chrisslroth's avatar
    chrisslroth
    Brass Contributor
    Jul 25, 2024
    Windows Hello is disabled on tenant-level but activated with config profile. Also Windows hello post login Provisioning is disabled. We want that user can register for windows hello but don't need to.
    Windows Hello is not required for mfa

Resources