diff --git a/.gitlab/merge_request_templates/Default.md b/.gitlab/merge_request_templates/Default.md
new file mode 100644
index 00000000..5c074dee
--- /dev/null
+++ b/.gitlab/merge_request_templates/Default.md
@@ -0,0 +1,16 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+# Summary
+
+- *describe the reason for/content of the MR*
+
+# Commits
+
+%{all_commits}
+
+# Authors
+
+%{co_authored_by}
diff --git a/docs/development.md b/docs/development.md
index a851fcd2..dcb9b8d8 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -84,12 +84,12 @@ with the many available examples in the yaml files.
 Example:
 ```
   synapse:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Element'
-    # upstreamRegistry: 'https://registry-1.docker.io'
-    # upstreamRepository: 'matrixdotorg/synapse'
+    # providerCategory: "Supplier"
+    # providerResponsible: "Element"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "matrixdotorg/synapse"
     # upstreamMirrorTagFilterRegEx: '^v(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['1', '91', '2']
+    # upstreamMirrorStartFrom: ["1", "91", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
     tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
@@ -99,9 +99,9 @@ Example:
 
 Uses a regular expression to match the values of the following attributes:
 
-- `# upstreamRegistry`: : required - Attribute's value must be prefixed with `https://` for Renovate.
-- `# upstreamrepository`: required
-- `tag`: required
+- `# upstreamRegistry` *required*: Attribute's value must be prefixed with `https://` for Renovate.
+- `# upstreamrepository` *required*
+- `tag` *required*
 
 Checks for newer versions of the given artefact and creates a MR containing the newest version's tag (and digest).
 
@@ -118,7 +118,7 @@ configured to pull artefacts that do not originate from Open CoDE into projects
 The mirror script takes the information on what artefacts to mirror from the annotation inside the two yaml files:
 - `# upstreamRegistry` *required*: To identify the source registry
 - `# upstreamRepository` *required*: To identify the source repository
-- `# upstreamMirrorTagFilterRegEx` *required*: If this annotation is set it activates the mirror for the component. Only tags are being mirrored that match the given regular expression.
+- `# upstreamMirrorTagFilterRegEx` *required*: If this annotation is set it activates the mirror for the component. Only tags are being mirrored that match the given regular expression. **Note:** You have to use single quotes for this attribute's value in case you use backslash leading regex notation like `\d`.
 - `# upstreamMirrorStartFrom` *optional*: Array of numeric values in case you want to mirror only artefacts beginning with a specific version. You must use capturing groups
   in `# upstreamMirrorTagFilterRegEx` to identify the single numeric elements of the version within the tag and use per capturing group (left to right) one numeric array
   element here to define the version the mirror should start with.
diff --git a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
index a6dfdce3..5d604ebc 100644
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -28,6 +28,8 @@ config:
     intraCluster:
       enabled: true
       internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+  twoFactorSettings:
+    additionalGroups: {{ .Values.authentication.twoFactor.groups }}
   custom:
     clientScopes:
       - name: "read_contacts"
diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml
index b9e1a4dd..a572aae6 100644
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -240,7 +240,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
-    version: "1.0.7"
+    version: "1.1.0"
     verify: true
   openproject:
     # providerCategory: "Supplier"
diff --git a/helmfile/environments/default/functional.yaml b/helmfile/environments/default/functional.yaml
new file mode 100644
index 00000000..42f23df9
--- /dev/null
+++ b/helmfile/environments/default/functional.yaml
@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+authentication:
+  twoFactor:
+    # Define a list of groups to enable 2FA for. Removing a group from the list will not disable 2FA for the removed group.
+    groups:
+      - "Domain Admins"
+...
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index eb371652..0c0f931d 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -253,7 +253,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
-    tag: "1.0.4@sha256:28eebb647180aef95d816a7d788891fa780f552f699c38cedddecbcef7a0bd1d"
+    tag: "1.0.5@sha256:76ccd9a74ae2c2dabb6beaa0192c15b9c06763abbd632cd0f8db68e5d8d5883c"
   openproject:
     # providerCategory: "Supplier"
     # providerResponsible: "OpenProject"