Windows Office Hours: January 16, 2025
Thursday, Jan 16, 2025, 08:00 AM PST
Event details
Get answers to your questions about adopting Windows 11 and managing Windows devices across your organization. Find out how to proactively implement and monitor Zero Trust practices. Get tips on keep...
Pearl-Angeles
Updated Jan 08, 2025
Dom_Cote
Jan 16, 2025
Brass Contributor
Here's a fun one - that is SUPER common in our business:
- Configure M365/Entra for phishing resistant MFA (=WHfB + FIDO2)
- Take an existing device and JOIN Entra through settings - accounts - access work etc.
- Sign in to Entra using FIDO2 key (WHfB hasn't been configured at this point). Success.
- Switch to new Entra / work account by signing in to it.
- Windows completely (!) skips the ESP and goes straight to desktop, which is not ready yet. Also, WHfB never deploys, despite it being a mandatory policy.
When we repeat the same process using a password and MFA, everything works as expected.
Why does the ESP not run in this scenario?
How can we ensure ESP runs as expected for the perfect desktop experience - using NOTHING but FIDO2 keys to onboard?
Hung_Dang
Microsoft
Jan 16, 2025
In the ESP profile, make sure the "Only show page to devices provisioned by out-of-box experience (OOBE)" setting is set to No, since you're doing a Workplace Join and not an Entra join/MDM enrollment in OOBE. Setting it to Yes should make the ESP display only when Entra join/MDM enrollment occurs during OOBE. Hope this helps.
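One way to check which Enrollment Status Page profiles in a tenant have that toggle set, as an added example that is not part of this thread or of Microsoft's own guidance: it lists each ESP profile through Microsoft Graph and reports the OOBE-only setting so an admin can see which profiles would skip the ESP for a device joined from Settings > Accounts > Access work or school. It assumes the Microsoft.Graph PowerShell module is installed and that the UI toggle corresponds to the Graph property trackInstallProgressForAutopilotOnly on the windows10EnrollmentCompletionPageConfiguration type; that mapping is an assumption made here, not something the thread confirms.

```powershell
# Added example, not from the thread: audit Intune ESP profiles for the
# "Only show page to devices provisioned by out-of-box experience (OOBE)" toggle.
# Assumption: that toggle is the boolean trackInstallProgressForAutopilotOnly
# on windows10EnrollmentCompletionPageConfiguration (true = Yes, false = No).
# Read-only; requires the Microsoft.Graph.Authentication module.

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' -NoWelcome

$uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'
$configs = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value

# Enrollment configurations include several types; keep only ESP profiles.
$espProfiles = $configs | Where-Object {
    $_.'@odata.type' -eq '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration'
}

foreach ($esp in $espProfiles) {
    $oobeOnly = [bool]$esp.trackInstallProgressForAutopilotOnly

    # Yes (true): ESP appears only for Entra join / MDM enrollment during OOBE,
    # so a workplace join from Settings goes straight to the desktop.
    # No (false): ESP also runs for devices joined outside OOBE.
    $note = if ($oobeOnly) {
        'OOBE only: skipped for devices joined via Settings'
    } else {
        'Shown for OOBE and for joins made via Settings'
    }

    [pscustomobject]@{
        DisplayName = $esp.displayName
        Priority    = $esp.priority
        OobeOnly    = $oobeOnly
        Note        = $note
    }
}
```

Run it in a PowerShell session with an account that can read Intune service configuration; the output is a table of ESP profiles with the toggle state, and the profile whose priority wins for the affected users is the one to set to No in the Intune admin center.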