I'm looking to roll out SCRIL alongside the existing FIDO2 security key setup we have for WHFB users. These users are already bypassing passwords on their devices, so I want to make sure the transition goes smoothly. Here are my questions:

1. Is LAPS still functional with SCRIL for UAC prompts?
2. Should we change users' passwords before enabling SCRIL? If so, will they notice any differences during login when we do this?
3. Once fine-grained passwords are set up and SCRIL is active, will users experience any changes while logging in?

Thanks for any insights!
1 Answer
SCRIL operates pretty silently in the background. You can still use LAPS for UAC prompts since it runs locally and isn’t impacted by the FIDO2 flow. It's best to change user passwords before enabling SCRIL, but users typically won’t notice any changes during their sign-in. Once fine-grained policies are in play, the only thing users will see is that their FIDO key takes precedence, but nothing else significant changes for them.
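
An added example (not from this thread, and not Microsoft's tooling) of how an admin could check the "rotate the password before enabling SCRIL" advice above against actual accounts before and after the rollout: it classifies each user by whether the SmartcardLogonRequired flag is set and whether PasswordLastSet is newer than the rollout cutoff date. The function name Get-ScrilRolloutReport, the cutoff date, the OU path and the five sample users are assumptions made up for the example.

```powershell
# Added example, not code from the original thread. Names and sample data are hypothetical.
function Get-ScrilRolloutReport {
    param(
        # Objects with SamAccountName, Enabled, SmartcardLogonRequired, PasswordLastSet
        # (the shape Get-ADUser returns when those properties are requested).
        [Parameter(Mandatory)] [object[]]  $Users,
        # Date from which a password change counts as "rotated for the rollout".
        [Parameter(Mandatory)] [datetime]  $RolloutCutoff
    )
    foreach ($u in $Users) {
        $rotated = ($null -ne $u.PasswordLastSet) -and ($u.PasswordLastSet -ge $RolloutCutoff)
        $state = if (-not $u.Enabled)                            { 'Disabled-skip' }
                 elseif ($u.SmartcardLogonRequired -and $rotated) { 'OK' }
                 elseif ($u.SmartcardLogonRequired)               { 'SCRIL-on-but-password-not-rotated' }
                 elseif ($rotated)                                { 'Ready-to-enable-SCRIL' }
                 else                                             { 'Rotate-password-first' }
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Scril           = [bool]$u.SmartcardLogonRequired
            PasswordLastSet = $u.PasswordLastSet
            State           = $state
        }
    }
}

# Constructed sample data so the function can be exercised without a domain.
$cutoff = Get-Date '2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName='alice'; Enabled=$true;  SmartcardLogonRequired=$true;  PasswordLastSet=(Get-Date '2024-06-10') }
    [pscustomobject]@{ SamAccountName='bob';   Enabled=$true;  SmartcardLogonRequired=$true;  PasswordLastSet=(Get-Date '2023-01-15') }
    [pscustomobject]@{ SamAccountName='carol'; Enabled=$true;  SmartcardLogonRequired=$false; PasswordLastSet=(Get-Date '2024-06-05') }
    [pscustomobject]@{ SamAccountName='dave';  Enabled=$true;  SmartcardLogonRequired=$false; PasswordLastSet=$null }
    [pscustomobject]@{ SamAccountName='svc';   Enabled=$false; SmartcardLogonRequired=$false; PasswordLastSet=(Get-Date '2022-03-03') }
)
Get-ScrilRolloutReport -Users $sample -RolloutCutoff $cutoff | Format-Table -AutoSize

# Against a real domain (ActiveDirectory module; OU path is a placeholder), the same report comes from:
# $real = Get-ADUser -Filter * -SearchBase 'OU=WHfB Users,DC=example,DC=com' `
#             -Properties PasswordLastSet, SmartcardLogonRequired
# Get-ScrilRolloutReport -Users $real -RolloutCutoff $cutoff
```

Accounts reported as SCRIL-on-but-password-not-rotated are the ones to revisit, since they were flagged without the password change the answer recommends.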

I'm following a similar path as the original poster. Do you know if changing passwords right before SCRIL activation will log users out of mobile apps, or require reauthentication on Windows machines? I thought a password change could lead to token expiration requiring reauthentication across devices. Would appreciate any clarity on this for both hybrid and Entra-native users. Thanks!