Check for policy that enforces phishing resistant auth on Entra Joined/Hybrid joined devices

[merill]

This test will help block WHfB downgrade attacks.

CA Policy:
https://x.com/merill/status/1830798748676694461

Issue:
https://www.darkreading.com/endpoint-security/goodbye-attackers-can-bypass-windows-hello-strong-authentication

[f-bader]

Sadly this policy won't work against downgrade attacks. But we already have a check for required device compliance which will work

https://x.com/fabian_bader/status/1830832908866585082?t=ENqs7dOxquxgcKM30Qye1w&s=19