Tuesday, January 16, 2024
Saturday, January 13, 2024
Log in smoothly with Standard domain account and Local Admin account using Windows Hello
Introduction
Windows Hello lets you sign in to your Windows 11 device with your face, iris, or fingerprint instead of typing a password. Windows Hello enrollments are per user account on the device, so if you use more than one account, such as a domain standard user account for daily work and a local admin account for administrative tasks, each account needs its own enrollment before you can use Windows Hello for both. This document shows how to set up Windows Hello for your local admin account and how to use it to run applications as an administrator without typing the admin password.
Steps to set up Windows Hello for your local admin account
- First, sign in to your local admin account by switching profiles on the Windows sign-in screen: click the user icon in the bottom left corner and select the local admin account.
- After you sign in with the local admin account, click the Start button and search for Settings.
- Go to Accounts and click Sign-in options in the left pane.
- Under Windows Hello, you will see the options to set up facial or fingerprint recognition. Choose the option your device supports and follow the instructions to scan your biometric data. Windows Hello requires a PIN as a fallback, so you will be asked to create one for this account if it does not have one yet.
- Once Windows Hello is set up, sign out of the local admin account and switch back to your domain standard user account.
Tip: Use a different finger for each profile. Scan one finger for the domain account and another for the local admin account.
How to run applications as an administrator using Windows Hello
Some applications, such as Hyper-V Manager, must run as an administrator to expose their full functionality. If you are signed in with your domain standard user account, every elevation goes through a UAC credential prompt that asks for your local admin account credentials, which is slow and error-prone if the password is long or complex. Because that prompt uses the same credential providers as the sign-in screen, an account that has Windows Hello enrolled can answer it with a fingerprint instead of a password. Here is how to set that up for a particular application:
- Right-click the application (for example in the Start menu) and select Open file location.
- Right-click the application shortcut and select Properties.
- Select the Shortcut tab and click Advanced.
- Tick the Run as administrator checkbox and click OK.
- From now on, clicking that shortcut opens the UAC prompt for administrator credentials; choose your local admin account in the prompt and scan the finger you enrolled for it. If you enrolled different fingers for the local admin account and the domain standard user account, the right finger for each context quickly becomes second nature.
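The Run as administrator checkbox in the Advanced dialog sets a single flag inside the .lnk file. The following PowerShell, added here as an example and not part of the original post, creates a shortcut to Hyper-V Manager (an MMC console, so the target is mmc.exe with virtmgmt.msc) and sets that flag directly, which is handy when you want to roll the shortcut out to several machines; the shortcut path is an assumption for the demo.

```powershell
# Added example, not part of the original post. Creates a shortcut and sets its
# "Run as administrator" flag, the same bit the Shortcut > Advanced dialog toggles.
function New-ElevatedShortcut {
    param(
        [Parameter(Mandatory)] [string] $ShortcutPath,   # where the .lnk is written
        [Parameter(Mandatory)] [string] $TargetPath,     # executable the shortcut launches
        [string] $Arguments = ''                          # optional command-line arguments
    )
    # 1. Create an ordinary shortcut through the Windows Script Host COM object.
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($ShortcutPath)
    $lnk.TargetPath = $TargetPath
    $lnk.Arguments  = $Arguments
    $lnk.Save()

    # 2. Set the RunAsUser flag. In the MS-SHLLINK header, LinkFlags is a 32-bit
    #    little-endian field at offset 0x14; RunAsUser is bit 13, which is 0x20 in
    #    the byte at offset 0x15.
    $bytes = [System.IO.File]::ReadAllBytes($ShortcutPath)
    $bytes[0x15] = $bytes[0x15] -bor 0x20
    [System.IO.File]::WriteAllBytes($ShortcutPath, $bytes)
}

# Returns $true when the shortcut carries the RunAsUser flag.
function Test-ElevatedShortcut {
    param([Parameter(Mandatory)] [string] $ShortcutPath)
    $bytes = [System.IO.File]::ReadAllBytes($ShortcutPath)
    return (($bytes[0x15] -band 0x20) -ne 0)
}

# Usage: Hyper-V Manager is the virtmgmt.msc console hosted by mmc.exe.
$lnkPath = Join-Path $env:USERPROFILE 'Desktop\Hyper-V Manager (admin).lnk'   # assumed location
New-ElevatedShortcut -ShortcutPath $lnkPath -TargetPath "$env:SystemRoot\System32\mmc.exe" -Arguments 'virtmgmt.msc'
Test-ElevatedShortcut -ShortcutPath $lnkPath
```

Launching the resulting shortcut as a standard user produces the UAC credential prompt described above; the flag only asks for elevation, it does not grant it, so the prompt and the Windows Hello sign-in still stand between the user and the elevated process.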
Conclusion
By following these steps, you can set up Windows Hello for
your local admin account and use your fingerprint to sign in and run
applications as an administrator. This will make your Windows 11 experience
more convenient and secure. However, you should also remember to keep your
fingerprint scanner clean and dry, and to update your biometric data regularly
to avoid any errors or failures.
Thursday, November 30, 2023
Enable Microsoft Entra self-service password reset on the Windows sign-in screen
To configure self-service password reset (SSPR) on the Windows sign-in screen with Intune, create a Settings catalog device configuration policy and enable the Allow Aad Password Reset setting. Users can then reset a forgotten password directly from the sign-in screen of an Entra joined or hybrid joined device instead of calling the help desk. SSPR itself must already be enabled for those users in Microsoft Entra; this setting only adds the Reset password link to the Windows sign-in screen. Here are the steps to create the policy:
- Sign in to the Microsoft Intune admin center.
- Select Devices > Windows > Configuration profiles > Create profile.
- In Create a profile, select Platform: Windows 10 and later and Profile type: Settings catalog, then click Create.
- On the Basics tab, enter a name and a description for the policy, then select Next.
- On the Configuration settings tab, click Add settings to browse or search the catalog.
- In the Settings picker, select the Authentication category and tick Allow Aad Password Reset, then close the settings picker.
- Back on the Configuration settings tab, set Allow Aad Password Reset to Allow, then select Next.
- On the Assignments tab, choose the device groups the policy should apply to, then select Next.
- On the Review + create tab, review your settings and click Create.
Adding users to the local Remote Desktop Users Group
There are different ways to add users to the local Remote Desktop Users group with Intune, depending on the device's join type and how the users are identified. For Azure AD joined devices, the Account protection profile below adds the users or groups you choose to that local group.
- Sign in to the Microsoft Intune admin center.
- Select Endpoint security > Account protection > Create profile.
- In Create a profile, select Platform: Windows 10 and later and Profile type: Local user group membership, then click Create.
- On the Basics tab, enter a name and a description for the policy, then select Next.
- On the Configuration settings tab, choose Remote Desktop Users as the local group, Add (Update) as the action, and select the Azure AD users or groups to add. Add (Update) appends to the existing membership; Add (Replace) would overwrite whatever is already in the group, including accounts added locally.
- On the Assignments tab, choose the device groups the policy should apply to, then select Next.
- On the Review + create tab, review your settings and click Create.
Thursday, November 9, 2023
Improve experience with Quick assist Non Administrator mode
Many customers intend to use third-party remote assistance tools for their day-to-day support needs, while some opt for Teams as their remote support tool. In my experience, using the Quick Assist tool has proven to be much more beneficial, and I have personally experienced its advantages.
However, when Administrator mode is not available, I've observed a decrease in the quality of the experience. To address this issue, I've implemented some strategies to avoid suboptimal experiences.
Before that, I recommend using the shortcut for Quick Assist, which is Ctrl + Windows key + Q. It's much easier to guide end users by asking them to press these keys.
Option 01
Quick Assist is my preferred application for remotely resolving technical issues. It also allows me to elevate my privileges and run as an administrator for hardware and software installation and configuration. The following steps outline the process:
- Launch the Command Prompt (CMD) on the end user's computer.
- Enter the following command:
runas /user:domain\administrator cmd
Replace "domain" with your organization's domain and "administrator" with any valid administrator account.
- If the device is not domain-joined, use a local administrator account instead:
runas /user:local_user cmd
- runas asks for the account's password in the console. The characters are not echoed, but the password is still being typed into the end user's machine, so use a dedicated support account rather than a shared administrator password.
- Note that with UAC enabled, runas starts cmd under the administrator account's filtered (non-elevated) token. Tools that require elevation still trigger a UAC prompt, which for an administrator account is typically a consent prompt rather than a password prompt.
Once cmd is running as the administrator account, you can launch tasks such as:
- x:\MicrosoftEdgeSetup.exe (software installation, where x is the drive letter holding the installer)
- appwiz.cpl (install or uninstall programs)
- services.msc (start or stop a service)
- devmgmt.msc (Device Manager, to install, uninstall or update device drivers)
- diskmgmt.msc (Disk Management)
- compmgmt.msc (Computer Management)
- regedit (Registry Editor)
Option 02
When an application is opened with elevated privileges, the screen normally switches to the secure desktop and the end user is prompted for the admin password. If the user is not used to this procedure and you, as the administrator, want to handle the prompt yourself through Quick Assist, the secure desktop is an obstacle, because Quick Assist cannot show it to the helper unless Quick Assist itself was started elevated. The following Intune policy moves the prompt onto the normal desktop and makes it ask for credentials:
- Log in to the Intune admin center: https://intune.microsoft.com/
- Go to Devices and select Configuration profiles
- Create a policy
- Platform: Windows 10 and later
- Profile type: Settings catalog
- Provide the name and click Next
- On the Configuration settings tab, select + Add settings and search for "User Account Control"
- Select the Local Policies Security Options category
- Add these two policies and set them as follows:
- User Account Control Switch To The Secure Desktop When Prompting For Elevation: Disabled
- User Account Control Behavior Of The Elevation Prompt For Standard Users: Prompt for credentials
Keep in mind what the first setting trades away: the secure desktop exists so that no other process in the user's session can draw over or read the credential prompt. With it disabled, the admin password typed into the prompt is exposed to anything running as the end user, so scope this profile to the devices that actually need remote support and use a support account with the least privilege the task requires.
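Both Settings catalog entries end up as registry values under the UAC policy key, which is where UAC reads them from whether they were set by Intune, Group Policy or locally. The following PowerShell, an added example rather than part of the original post, reads those values on a device, translates them into the names shown in the Intune and Group Policy UI, and warns when the secure desktop is off so the trade-off described above stays visible.

```powershell
# Added example, not from the original post. Reports the UAC values that the two
# Settings catalog policies above control and flags the security trade-off.
function Get-UacElevationState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # ConsentPromptBehaviorUser = "Behavior of the elevation prompt for standard users"
    $userBehavior = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    # ConsentPromptBehaviorAdmin = what an administrator account (for example the
    # runas session from Option 01) sees when it launches something that needs elevation
    $adminBehavior = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    function Describe($map, $value) {
        if ($null -eq $value) { 'not set (OS default)' } else { $map[[int]$value] }
    }

    [pscustomobject]@{
        EnableLUA             = [bool]$p.EnableLUA
        StandardUserPrompt    = Describe $userBehavior $p.ConsentPromptBehaviorUser
        AdminPrompt           = Describe $adminBehavior $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop = [bool]$p.PromptOnSecureDesktop   # 0 = prompt on the normal desktop
    }
}

$state = Get-UacElevationState
$state

# The combination used above (credentials prompt, secure desktop off) lets the helper
# see and type into the prompt through Quick Assist, but the prompt is then drawn on
# the interactive desktop, where any process running as the end user could read or
# spoof it. Surface that so it stays a deliberate, per-device-group decision.
if (-not $state.PromptOnSecureDesktop) {
    Write-Warning 'Secure desktop is disabled: UAC credential prompts are exposed to the user session.'
}
if ($state.StandardUserPrompt -ne 'Prompt for credentials') {
    Write-Warning "Standard-user elevation is set to '$($state.StandardUserPrompt)', not 'Prompt for credentials'."
}
```

Run it on a device after the Intune policy has synced to confirm the values landed, and keep it in your support toolkit so a device that unexpectedly reports PromptOnSecureDesktop = False outside the support group is noticed rather than assumed.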
How to get app's GUID for Intune application deployment
- Install the application on a PC.
- Open Windows PowerShell: you can do this by searching for "PowerShell" in the Windows search bar.
- Run the following command. The IdentifyingNumber column is the MSI ProductCode, the GUID that Intune uses for the MSI detection rule and that msiexec /x expects for the uninstall command:
Get-CimInstance -ClassName Win32_Product | Sort-Object -Property Name | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize
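Win32_Product gives the right answer, but every query makes Windows Installer run a consistency check on each installed product, so it is slow and can trigger repair operations. The following PowerShell, added here as an example and not from the original post, gets the same product codes from the Uninstall registry keys instead, covering 64-bit, 32-bit and per-user installs; the name pattern in the usage line is a placeholder.

```powershell
# Added example, not from the original post. Enumerates MSI product codes from the
# Uninstall registry keys instead of Win32_Product; the registry view is instant and
# safe to run inside scripts.
function Get-InstalledMsiProduct {
    param([string] $NameFilter = '*')

    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',              # 64-bit, per machine
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit, per machine
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per user
    )
    # An MSI ProductCode is a braced GUID; non-MSI installers use arbitrary key names,
    # so they have no ProductCode and need a file or registry detection rule instead.
    $guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $guidPattern -and $_.DisplayName -like $NameFilter } |
        Select-Object @{ n = 'ProductCode'; e = { $_.PSChildName } },
                      DisplayName, DisplayVersion, Publisher,
                      @{ n = 'Scope'; e = { if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' } } } |
        Sort-Object DisplayName
}

# Usage: look up one product (the name pattern is a placeholder) and build the
# silent uninstall command Intune expects for an MSI-based app.
$app = Get-InstalledMsiProduct -NameFilter '*Edge*' | Select-Object -First 1
$app | Format-List
if ($app) { "Uninstall command: msiexec /x $($app.ProductCode) /qn" }
```

Run it with no filter to dump every MSI product on the reference PC; the Scope column tells you whether the detection rule in Intune should be evaluated in the system or user context.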
Friday, October 20, 2023
The First Step to Passwordless with Temporary Access Pass
Passwordless authentication methods, such as FIDO2 security keys and passwordless phone sign-in with the Microsoft Authenticator app, let users sign in securely without a traditional password. Users have two primary avenues to bootstrap these methods:
- Leveraging existing Microsoft Entra multifactor authentication methods.
- Employing a Temporary Access Pass (TAP)
Enable Temporary Access Pass (TAP)
- Sign in to the Microsoft Entra admin center (formerly the Azure AD portal).
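The same two actions, enabling the TAP method in the authentication methods policy and then issuing a pass to a user, can be scripted. The block below is an added example using the Microsoft Graph PowerShell SDK, not the post's own steps; it assumes the SDK is installed, that the signed-in admin holds the Authentication Policy Administrator and Authentication Administrator roles, and the UPN and lifetimes are placeholders.

```powershell
# Added example, not from the original post. Enables the TAP method and issues a
# one-time pass with the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'UserAuthenticationMethod.ReadWrite.All'

# 1. Enable the TAP authentication method for all users with conservative bounds:
#    passes live 1 to 8 hours and default to one hour. Usable-once is left off at
#    the policy level so it can be decided per pass below.
$tapPolicy = @{
    '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    state                    = 'enabled'
    defaultLength            = 8
    defaultLifetimeInMinutes = 60
    minimumLifetimeInMinutes = 60
    maximumLifetimeInMinutes = 480
    isUsableOnce             = $false
    includeTargets           = @(
        @{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'TemporaryAccessPass' -BodyParameter $tapPolicy

# 2. Issue a one-time TAP, valid for 60 minutes from now, to a user who has no
#    registered MFA method yet. The pass value is only returned at creation time.
$userUpn = 'jane.doe@contoso.com'   # placeholder
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn -LifetimeInMinutes 60 -IsUsableOnce

# Hand the pass over out of band (phone call, in person); do not email or log it,
# because whoever holds it can register a FIDO2 key or Authenticator as this user.
$tap | Select-Object TemporaryAccessPass, StartDateTime, LifetimeInMinutes, IsUsableOnce
```

A one-time pass with a short lifetime is the right default for onboarding: it is enough to register a FIDO2 key or Authenticator, and it stops being a standing credential the moment it is used.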
Friday, September 8, 2023
Token protection in Microsoft Entra Conditional Access
Token protection (sometimes called token binding in the industry) reduces the impact of token theft by ensuring that a token is usable only on the device it was issued to. If an attacker steals a token, through hijacking or replay, they can impersonate the victim until the token expires or is revoked. Token theft is considered relatively infrequent, but the damage it enables can be substantial.
Token protection creates a cryptographically secure tie between the token and a device-held key, the client secret, for the device the token was issued to. Without that client secret the bound token is useless.
Requirements
This preview supports the following configurations for access to resources with Token Protection conditional access policies applied:
- Windows 10 or newer devices that are Azure AD joined, hybrid Azure AD joined, or Azure AD registered.
- OneDrive sync client version 22.217 or later
- Teams native client version 1.6.00.1331 or later
- Power BI desktop version 2.117.841.0 (May 2023) or later
- Visual Studio 2022 or later when using the 'Windows authentication broker' Sign-in option
- Office Perpetual clients aren't supported
Known limitations
- External users (Azure AD B2B) aren't supported and shouldn't be included in your Conditional Access policy.
- The following applications don't support signing in using protected token flows and users are blocked when accessing Exchange and SharePoint:
- PowerShell modules accessing Exchange, SharePoint, or Microsoft Graph scopes that are served by Exchange or SharePoint
- PowerQuery extension for Excel
- Extensions to Visual Studio Code which access Exchange or SharePoint
- The new Teams 2.1 preview client gets blocked after sign out due to a bug. This bug should be fixed in a future service update.
- The following Windows client devices aren't supported:
- Windows Server
- Surface Hub
- Windows-based Microsoft Teams Rooms (MTR) systems
Licensing requirements
- Using this feature requires Azure AD Premium P2 licenses.
Create the Conditional Access Policy
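The policy that applies Token protection can also be created with the Microsoft Graph PowerShell SDK. The block below is an added example, not the post's own steps: it builds the policy in report-only mode, scoped to a pilot group (placeholder id), Windows devices and desktop/mobile clients for Exchange Online and SharePoint Online. secureSignInSession is the Graph name for the Token protection session control; it lives on the beta endpoint, so the example assumes the Microsoft.Graph.Beta.Identity.SignIns module.

```powershell
# Added example, not the post's own steps. Creates a Token protection Conditional
# Access policy in report-only mode for a pilot group.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$pilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object id of the pilot group

$policy = @{
    displayName = 'Token protection - Exchange and SharePoint on Windows (report-only)'
    # Start in report-only: the Known limitations above (PowerShell modules, Power Query,
    # VS Code extensions) would otherwise be blocked outright for in-scope users.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeGroups = @($pilotGroupId) }   # internal pilot users only; B2B guests are unsupported
        applications = @{
            includeApplications = @(
                '00000002-0000-0ff1-ce00-000000000000',   # Office 365 Exchange Online
                '00000003-0000-0ff1-ce00-000000000000'    # Office 365 SharePoint Online
            )
        }
        clientAppTypes = @('mobileAppsAndDesktopClients')      # the control does not apply to browsers
        platforms      = @{ includePlatforms = @('windows') }  # Windows 10 or newer, Entra joined/registered
    }
    sessionControls = @{
        secureSignInSession = @{ isEnabled = $true }           # Token protection
    }
}

$created = New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing the sign-in logs under Report-only, switch the policy to enforced:
# Update-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Report-only mode writes a "Token protection" result into each sign-in log entry, which is how you find the unsupported clients in your estate before any user gets blocked.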
Monday, September 4, 2023
Microsoft Entra Conditional Access with Strictly Enforce Location Policies
A new Conditional Access feature strictly enforces location policies using continuous access evaluation (CAE), so that tokens that violate your IP-based location policies are invalidated almost immediately rather than at their next refresh. When CAE strict location enforcement is enabled and a client's request does not satisfy the location policy, the client is blocked from accessing the resource.
Adding Sponsors for Guest user
The sponsor feature lets you designate a responsible individual or group for each guest user. This makes it possible to track who brought the guest in and improves accountability.
This article gives an overview of the sponsor feature and offers guidance on using it in B2B scenarios.
The Sponsors field on the user object records the individual or group responsible for inviting the guest into the organization. Being a sponsor does not confer any administrative privileges on the sponsor user or group; the field identifies the inviting party and can be used for approval processes in Entitlement Management.
When you invite a guest user, you automatically become that guest's sponsor unless you explicitly designate another user during the invitation, and your name is added to the Sponsors field on the user object. A single guest user can have up to 5 sponsors.
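Guests invited before the feature existed, or created through APIs that did not set a sponsor, end up with an empty Sponsors field, which defeats the accountability the feature is meant to add. The following PowerShell, added here as an example and not part of the original post, lists guests that have no sponsor and offers a helper to assign one; it calls the beta Graph endpoints through Invoke-MgGraphRequest, and the sponsor id is a placeholder.

```powershell
# Added example, not part of the original post. Audits guest users for a missing
# sponsor and assigns one where needed.
Connect-MgGraph -Scopes 'User.ReadWrite.All'

function Get-GuestsWithoutSponsor {
    # Page through all guests; $top=999 is the maximum page size for users.
    $uri = "https://graph.microsoft.com/beta/users?`$filter=userType eq 'Guest'&`$select=id,displayName,mail&`$top=999"
    $unsponsored = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($guest in $page.value) {
            # One call per guest; fine for an audit, cache the result if you run this often.
            $sponsors = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/users/$($guest.id)/sponsors?`$select=id"
            if (-not $sponsors.value) {
                $unsponsored += [pscustomobject]@{ Id = $guest.id; DisplayName = $guest.displayName; Mail = $guest.mail }
            }
        }
        $uri = $page.'@odata.nextLink'   # $null on the last page, which ends the loop
    }
    return $unsponsored
}

function Add-GuestSponsor {
    param(
        [Parameter(Mandatory)] [string] $GuestId,
        [Parameter(Mandatory)] [string] $SponsorId   # user or group object id; a guest can hold up to 5
    )
    # Sponsors is a navigation property, so a sponsor is added by posting a $ref to the directory object.
    $body = @{ '@odata.id' = "https://graph.microsoft.com/beta/directoryObjects/$SponsorId" }
    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/users/$GuestId/sponsors/`$ref" -Body $body
}

$orphans = Get-GuestsWithoutSponsor
$orphans | Format-Table DisplayName, Mail, Id

# Example: make a service desk group (placeholder id) the sponsor of every unsponsored guest,
# so that access reviews and Entitlement Management approvals have somewhere to route.
# foreach ($g in $orphans) { Add-GuestSponsor -GuestId $g.Id -SponsorId '11111111-1111-1111-1111-111111111111' }
```

Assigning a group rather than an individual as the fallback sponsor avoids orphaning guests again when that person leaves; the sponsor still has no rights over the guest account, only the responsibility the field records.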