May 31, 2026
After a clean passwordless/FIDO2 rollout, users start losing M365 access days or weeks later — long after go-live | A password reset "fixes" it instantly… then it comes back for the next user. Everyone blames the security key
May 25, 2026
The most important lesson from the Stryker incident isn't encryption. It's what happens when identity and endpoint management infrastructure — Entra ID,
May 22, 2026
The Setup
You found it. The Group Policy blocking the Microsoft Store. You removed it, ran gpupdate /force, and tried again. New Outlook downloaded — progress.
May 18, 2026
FIDO2 hardware keys cannot satisfy RDP Network Level Authentication — a scoped auth strength or Windows Hello for Business is required for Windows logon scenarios | RADIUS-backed VPNs do not support FIDO2 natively; every generic MFA grant in your CA policies needs an audit after hardware key depl...
May 18, 2026
After deploying FIDO2 hardware keys, FortiGate VPN users were prompted for their YubiKey instead of Authenticator — even though VPN was never scoped for FIDO2 | Root cause: a generic "Require MFA" grant in a CA policy selects the **strongest registered method** when multiple methods exist; once u...
Read
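The two teasers above make the same operational point from different angles: a generic "Require MFA" grant in a Conditional Access policy is satisfied by any registered method, so once users hold FIDO2 keys, apps that cannot complete a FIDO2 ceremony (RADIUS-backed VPNs, RDP with NLA) start prompting for the key. The script below is an added example, not code from the original posts: it enumerates every Conditional Access policy via Microsoft Graph PowerShell and flags policies that rely on the built-in "mfa" grant instead of an authentication strength, with an extra flag when such a policy also covers an app that you have marked as a legacy MFA path. The module name and the Policy.Read.All scope are real; the application IDs in $LegacyMfaApps are placeholders you must replace with your own, and the "Action" text reflects the posts' recommendation to scope an authentication strength rather than any Microsoft guidance quoted here.

```powershell
# Added example (not from the original posts): audit Entra ID Conditional Access
# policies for generic "Require MFA" grants. Such grants let a user's strongest
# registered method (e.g. a FIDO2 key) satisfy the prompt, including for apps
# that cannot complete a FIDO2 ceremony (RADIUS VPN, RDP NLA).
# Requires the Microsoft.Graph.Identity.SignIns module and the Policy.Read.All scope.
# The IDs in $LegacyMfaApps are placeholders (assumption); substitute your own.

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

# Placeholder app IDs for the enterprise apps fronting legacy MFA paths (VPN, RD Gateway).
$LegacyMfaApps = @('00000000-0000-0000-0000-000000000000')

$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $grant = $p.GrantControls
    if (-not $grant) { continue }   # block/no-grant policies are not MFA prompts

    # Built-in "mfa" control = generic grant; AuthenticationStrength = scoped grant.
    $usesGenericMfa   = $grant.BuiltInControls -contains 'mfa'
    $usesAuthStrength = [bool]($grant.AuthenticationStrength -and $grant.AuthenticationStrength.Id)

    # A policy scoped to "All" cloud apps also covers the legacy apps.
    $apps = @($p.Conditions.Applications.IncludeApplications)
    $touchesLegacyApp = ($apps -contains 'All') -or
                        [bool]($apps | Where-Object { $LegacyMfaApps -contains $_ })

    $action = if ($usesGenericMfa -and -not $usesAuthStrength -and $touchesLegacyApp) {
        'FIX: generic MFA grant covers a legacy MFA app; scope an authentication strength'
    } elseif ($usesGenericMfa -and -not $usesAuthStrength) {
        'REVIEW: generic MFA grant, no authentication strength'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Policy          = $p.DisplayName
        State           = $p.State
        GenericMfaGrant = $usesGenericMfa
        AuthStrength    = if ($usesAuthStrength) { $grant.AuthenticationStrength.DisplayName } else { '' }
        CoversLegacyApp = [bool]$touchesLegacyApp
        Action          = $action
    }
}

$findings | Sort-Object Action, Policy | Format-Table -AutoSize
```

Run it before flipping enforcement for a new wave of key holders; any policy in the FIX row is one where a VPN or RDP user will be asked for a method the client cannot present. Policies still in report-only state appear with State = enabledForReportingButNotEnforced, so check that column before concluding a grant is live.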
May 18, 2026
The most common FIDO2 rollout mistake is flipping CA enforcement before users are enrolled — causing immediate lockouts | A staged wave approach (Wave 0 prerequisites → Wave 1 pilot → Wave 2 high-risk → Wave 3 general) eliminates that risk
May 12, 2026
AiTM phishing bypasses MFA by stealing authenticated session cookies — after MFA completes successfully | Legitimate SharePoint Online links and Google redirect wrappers defeat standard email security scanning
May 07, 2026
We ran into a common headache with multi-domain VPN access: users couldn't consistently authenticate through FortiGate because group assignments weren't talking to both RADIUS servers. Here's how we fixed it.
May 04, 2026
We hit CERTSRV_E_UNSUPPORTED_CERT_TYPE errors during YubiKey bulk provisioning. The fix was simpler than expected—but the permission model nearly derailed us.
Apr 30, 2026
We spent weeks chasing LAPS as the culprit behind sysprep failures on Windows 11 AVD multi-session builds. It was BitLocker the whole time—specifically TPM-only mode on Trusted Launch VMs.