Windows Autopilot MFA changes to enrollment flow

Published Sep 22 2021 08:45 AM 13.4K Views

At Microsoft, we want to ensure that we are providing our customers with features that improve productivity and securely protect organizations. To improve the baseline security for Azure Active Directory (Azure AD), we recently changed the Azure AD behavior for multi-factor authentication (MFA) that is completed during device registration. With this change, we no longer honor MFA that was completed during device registration after the user logs in to their device; instead we will require the user to complete MFA once more before accessing an MFA-protected resource in Azure AD. This change will not impact existing Azure AD-registered devices until their sessions have expired or become invalid. When attempting to retrieve access to a protected resource after a session has expired, the user will be prompted for MFA if there is a security policy that requires it.

 

This baseline security change can slightly modify the experience in the Autopilot enrollment flow in specific scenarios where you use MFA, have multiple applications that require reboot during the enrollment process, and have Conditional Access policies enabled.

 

What was the Azure AD change?

To provide greater security around MFA requirements, a change was made to the Azure AD authentication behavior during device registration. Previously, if a user completed MFA as part of their device registration, the MFA claim was carried over to the user state after registration was complete. Going forward, the MFA claim is not preserved after registration and users will be prompted to redo MFA for any apps that require MFA by policy.

 

How does this impact the Windows Autopilot customer experience?

If you set the “Require Multi-Factor Authentication to register or join devices with Azure AD” option to “Yes”, Azure AD prompts users to complete MFA before joining or registering a device.

 

Previously, this initial MFA completion was sufficient for all subsequent scenarios where MFA was required. However, with the above change, users will experience additional MFA prompts during the Autopilot provisioning process if there are Conditional Access policies (that require MFA) for apps installed during the Enrollment Status Page (ESP), or if an installation or update requires a device reboot.

 

In this scenario, the Windows Autopilot provisioning process will timeout if the user does not respond to the additional MFA prompts.

 

What action should I take?

There is no action needed beyond being aware of additional authentication prompts and potential timeouts during ESP app installations.

 

We will update this post if we find additional Windows Autopilot scenarios affected by this change. If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.

3 Comments
Senior Member

@Intune Support Team, was there any announcement for this change beforehand? We run into the mentioned behavior approx. 1 week ago and didn't find any explanation for it and spend a lot of time for troubleshooting :sad: Maybe we overlooked something.

New Contributor

This change effects non-autopilot deployments as well, correct?

 

Users will need to wait for their device account to sync before they can authenticate to any other services?

Regular Visitor

Is there any way to add exceptions in the MFA conditional access policy to limit this to a single MFA prompt, or will doing so bypass MFA for the entirety of the enrollment process?

%3CLINGO-SUB%20id%3D%22lingo-sub-2778277%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Autopilot%20MFA%20changes%20to%20enrollment%20flow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2778277%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F226779%22%20target%3D%22_blank%22%3E%40Intune%20Support%20Team%3C%2FA%3E%2C%20was%20there%20any%20announcement%20for%20this%20change%20beforehand%3F%20We%20run%20into%20the%20mentioned%20behavior%20approx.%201%20week%20ago%20and%20didn't%20find%20any%20explanation%20for%20it%20and%20spend%20a%20lot%20of%20time%20for%20troubleshooting%20%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fhtml%2F%409839A717402516D64549B98324F4F0C1%2Fimages%2Femoticons%2Fsad_40x40_1.gif%22%20alt%3D%22%3Asad%3A%22%20title%3D%22%3Asad%3A%22%20%2F%3E%20Maybe%20we%20overlooked%20something.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2779529%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Autopilot%20MFA%20changes%20to%20enrollment%20flow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2779529%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20change%20effects%20non-autopilot%20deployments%20as%20well%2C%20correct%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUsers%20will%20need%20to%20wait%20for%20their%20device%20account%20to%20sync%20before%20they%20can%20authenticate%20to%20any%20other%20services%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2774687%22%20slang%3D%22en-US%22%3EWindows%20Autopilot%20MFA%20changes%20to%20enrollment%20flow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2774687%22%20slang%3D%22en-US%22%3E%3CP%3EAt%20Microsoft%2C%20we%20want%20to%20ensure%20that%20we%20are%20providing%20our%20customers%20with%20features%20that%20improve%20productivity%20and%20securely%20protect%20organizations.%20To%20improve%20the%20baseline%20security%20for%20Azure%20Active%20Directory%20(Azure%20AD)%2C%20we%20recently%20changed%20the%20Azure%20AD%20behavior%20for%20multi-factor%20authentication%20(MFA)%20that%20is%20completed%20during%20device%20registration.%20With%20this%20change%2C%20we%20no%20longer%20honor%20MFA%20that%20was%20completed%20during%20device%20registration%20after%20the%20user%20logs%20in%20to%20their%20device%3B%20instead%20we%20will%20require%20the%20user%20to%20complete%20MFA%20once%20more%20before%20accessing%20an%20MFA-protected%20resource%20in%20Azure%20AD.%20This%20change%20will%20not%20impact%20existing%20Azure%20AD-registered%20devices%20until%20their%20sessions%20have%20expired%20or%20become%20invalid.%20When%20attempting%20to%20retrieve%20access%20to%20a%20protected%20resource%20after%20a%20session%20has%20expired%2C%20the%20user%20will%20be%20prompted%20for%20MFA%20if%20there%20is%20a%20security%20policy%20that%20requires%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20baseline%20security%20change%20can%20slightly%20modify%20the%20experience%20in%20the%20Autopilot%20enrollment%20flow%20in%20specific%20scenarios%20where%20you%20use%20MFA%2C%20have%20multiple%20applications%20that%20require%20reboot%20during%20the%20enrollment%20process%2C%20and%20have%20Conditional%20Access%20policies%20enabled.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3EWhat%20was%20the%20Azure%20AD%20change%3F%3CP%3ETo%20provide%20greater%20security%20around%20MFA%20requirements%2C%20a%20change%20was%20made%20to%20the%20Azure%20AD%20authentication%20behavior%20during%20device%20registration.%20Previously%2C%20if%20a%20user%20completed%20MFA%20as%20part%20of%20their%20device%20registration%2C%20the%20MFA%20claim%20was%20carried%20over%20to%20the%20user%20state%20after%20registration%20was%20complete.%20Going%20forward%2C%20the%20MFA%20claim%20is%20not%20preserved%20after%20registration%20and%20users%20will%20be%20prompted%20to%20redo%20MFA%20for%20any%20apps%20that%20require%20MFA%20by%20policy.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3EHow%20does%20this%20impact%20the%20Windows%20Autopilot%20customer%20experience%3F%3CP%3EIf%20you%20set%20the%20%E2%80%9CRequire%20Multi-Factor%20Authentication%20to%20register%20or%20join%20devices%20with%20Azure%20AD%E2%80%9D%20option%20to%20%E2%80%9CYes%E2%80%9D%2C%20Azure%20AD%20prompts%20users%20to%20complete%20MFA%20before%20joining%20or%20registering%20a%20device.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPreviously%2C%20this%20initial%20MFA%20completion%20was%20sufficient%20for%20all%20subsequent%20scenarios%20where%20MFA%20was%20required.%20However%2C%20with%20the%20above%20change%2C%20users%20will%20experience%20additional%20MFA%20prompts%20during%20the%20Autopilot%20provisioning%20process%20if%20there%20are%20Conditional%20Access%20policies%20(that%20require%20MFA)%20for%20apps%20installed%20during%20the%20Enrollment%20Status%20Page%20(ESP)%2C%20or%20if%20an%20installation%20or%20update%20requires%20a%20device%20reboot.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20this%20scenario%2C%20the%20Windows%20Autopilot%20provisioning%20process%20will%20timeout%20if%20the%20user%20does%20not%20respond%20to%20the%20additional%20MFA%20prompts.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20action%20should%20I%20take%3F%3C%2FP%3E%3CP%3EThere%20is%20no%20action%20needed%20beyond%20being%20aware%20of%20additional%20authentication%20prompts%20and%20potential%20timeouts%20during%20ESP%20app%20installations.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20will%20update%20this%20post%26nbsp%3Bif%26nbsp%3Bwe%20find%26nbsp%3Badditional%26nbsp%3BWindows%20Autopilot%26nbsp%3Bscenarios%26nbsp%3Baffected%20by%20this%20change.%26nbsp%3BIf%20you%20have%20questions%20or%20comments%20for%20the%20Intune%20team%2C%20reply%20to%20this%20post%20or%20reach%20out%20to%E2%80%AF%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FIntuneSuppTeam%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3E%40IntuneSuppTeam%3C%2FA%3E%E2%80%AFon%20Twitter.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2774687%22%20slang%3D%22en-US%22%3E%3CP%3ERead%20this%20post%20to%20learn%20more%20about%20changes%20to%20the%20Windows%20Autopilot%20MFA%20enrollment%20flow.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2774687%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%20Customer%20Success%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Endpoint%20Manager%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Autopilot%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2847088%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Autopilot%20MFA%20changes%20to%20enrollment%20flow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2847088%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20there%20any%20way%20to%20add%20exceptions%20in%20the%20MFA%20conditional%20access%20policy%20to%20limit%20this%20to%20a%20single%20MFA%20prompt%2C%20or%20will%20doing%20so%20bypass%20MFA%20for%20the%20entirety%20of%20the%20enrollment%20process%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Sep 22 2021 08:43 AM
Updated by: