M365 Passwordless MFA at Windows Login with Windows Hello for Business

  • Published 9 Sep 2024

COMMENTS • 29

  • @RobFahndrich1
    @RobFahndrich1 1 month ago +3

    I am so glad you put this video out. I have missed your content! Great video!

  • @c016smith52
    @c016smith52 1 month ago +3

    Excellent video, I hope all the IT Pros see this (and take your advice)! Thanks

  • @rizzer404
    @rizzer404 18 days ago +2

    Hi Wayne, I've been thinking about this a lot within my own mind. This video has confirmed all my thoughts.
    Brilliant video (+like)

  • @ggates5859
    @ggates5859 13 days ago

    I know Mr. Chapin is selling his MSP services in all his videos, but these videos are so much more than that. Each one of his videos-and I've watched several-is a mini masterclass in MS technologies. IMHO, he's in the same echelon as Johan Arwidmark or John Savill. He's that good.

    • @Xerillion
      @Xerillion 13 days ago

      Wow, @ggates5859, thank you so much for those words. I really mean it. You made my day!

  • @mikevalencia5977
    @mikevalencia5977 1 month ago +2

    Excellent explanation and video

  • @dj_paultuk7052
    @dj_paultuk7052 1 month ago +3

    Windows Hello on the local client is in effect using "cached credentials"? We had to disable it within our Azure hybrid estate as it was causing so many issues with access to mapped network drives, since cached login info was being used. If the user opted to use a password at login there was no issue. So we disabled it for now. Any other sysadmins seen the same type of problem?

  • @ibenidze
    @ibenidze 1 month ago +2

    I have a feeling that some important aspects were left out, intentionally or unintentionally. What happens when you change a computer, or forgot a computer at home and want to use your coworker's computer? Does Windows Hello work out of the box, or do you need a password that you don't know?

    • @Xerillion
      @Xerillion 1 month ago +1

      When you change a computer you'd enroll that computer under your Entra ID account in Windows Hello for Business and create a new passkey for that device. If you want to provide support for users that forgot their computers at home, then you'd have a spare that you can let them log into with their password, or they log in to a co-worker's company computer. Passwords will still always work. Enrolling a computer in Windows Hello for Business is not mandatory. If they forgot their password, you'd have self-service password reset (SSPR) configured in Entra ID. Or, you can allow them to chew up your time with a tedious manual admin password reset. Windows Hello for Business is part of Entra ID and does not work out of the box; it needs to be configured. And, an IT manager has to be open to learning new modern security skills. This requires taking training courses, practicing on a demo M365 tenant to get hands-on experience outside of your production tenant, and ideally certifying on this technology. By doing this, an IT manager will learn how these systems are meant to be configured and how to make them work smoothly and securely. Is the process of re-skilling easy? No. Is it rewarding? For sure. It's also more interesting IT work. There will always be these "what if this or that" scenarios that come up. Once you know the tech well, the answers will come to you quickly and confidently. If you don't have the opportunity to reskill, then find a Microsoft cloud partner. It doesn't have to be Xerillion, but find one that can help you get ramped up quickly.

  • @networkn
    @networkn 1 month ago +1

    So, I am not sure I agree with everything, however, in principle I think there is a fair amount of fact here. One question. Passkey access to 365 Accounts is a thing now, and I have enabled it and I can login from my personal computer, but I came to work, tried to login, and it is asking me to insert my security key. Is Passkey limited to people with a single computer they use? This feels like a frustrating limitation. Or have I misunderstood things?

    • @Xerillion
      @Xerillion 1 month ago

      Passkeys don't move with your Entra ID account from computer to computer. Each computer will have its own unique passkey generated when you enroll the device into Windows Hello for Business.

    • @networkn
      @networkn 1 month ago

      @Xerillion Well, the passkey is stored in Authenticator on my phone. I was expecting to be offered a QR code. Seems to happen on some computers and not others.

  • @fbifido2
    @fbifido2 1 month ago

    @14:16 - Why can't they do this for secure email?

  • @gogosst
    @gogosst 1 month ago

    What happens when Office 365 asks you to change the password every 90 days?

    • @frankmerino2970
      @frankmerino2970 1 month ago +1

      That's your hybrid policy at work. This is not a Microsoft best practice.

  • @aa-hj2fd
    @aa-hj2fd 1 month ago

    Always sounds good, but because no one knows that they have been compromised until they discover they have been compromised.

  • @floydfarms1578
    @floydfarms1578 1 month ago

    What stinks is that Entra ID signin logs show WHfB logins as single factor authentication 😢

  • @daleweaver777
    @daleweaver777 1 month ago +1

    What about organizations that have iOS, Android, Mac, and PC?

    • @Xerillion
      @Xerillion 1 month ago +1

      Passwordless there as well. I have an iPhone. I don't enter a password to login to it, or my M365 mobile apps that run on it.

  • @fbifido2
    @fbifido2 1 month ago

    @14:16 - Can that token be used on another device?

    • @Xerillion
      @Xerillion 1 month ago

      No. Another device would need to establish its own session/token.

  • @oskarsvedman1363
    @oskarsvedman1363 1 month ago

    How do you handle it when you need your password but you don't know it? For example, when you get a new phone or computer. I really like passwordless, but when users use biometrics they forget their passwords and it creates support tickets. Any solution for this?

    • @Xerillion
      @Xerillion 1 month ago +1

      Hi! When going to full passwordless sign-in with a properly configured M365 tenant, password changes should be very rare. I bet I have done it once in the past 3 years, and it was a very odd situation where I was on a cruise ship wifi and trying to log in to my laptop for the first time in 6 months. As an IT manager you can get out of the business of doing tedious user password resets. This is what SSPR (self-service password reset) with Entra ID (Azure AD) is for. We configure this as part of our standard M365 tenant setup. And in our practice, getting as many tedious things off the plate of IT managers is an ongoing refinement process. And as I mention in the video, it's really tough on internal IT managers to learn these new systems and understand what is important and what isn't, while maintaining the existing system. Anyway, SSPR enablement/configuration, and politely pushing back on users (within reason) when they ask you to manually reset, is the way to go. IT admin manual password resets should be very, very rare.

    • @oskarsvedman1363
      @oskarsvedman1363 1 month ago

      @Xerillion Hi, and thanks for the reply.
      SSPR is of course something to teach users better. A problem that I notice is also that when users have PIN codes, they think that the PIN code is their password and do not understand the difference, and that also creates problems when they really need their password, for example when they have to enroll a phone or computer. Is there a way to enroll new devices without a password? Maybe approve it on their current device?

    • @ggates5859
      @ggates5859 13 days ago

      @oskarsvedman1363 That's a good point: a PIN superficially resembles a password and is therefore confusing to folks. I like Wayne's analogy of the ATM 2FA process (a card + PIN) because it is such a familiar one. Although with direct deposit + Apple Pay, that analogy is losing relevancy.

  • @mrZerg00s
    @mrZerg00s 1 month ago

    What about the companies that print very realistic 3D face masks that can bypass Windows Hello and iPhone locks? Companies print these masks simply from a photo.

    • @mrZerg00s
      @mrZerg00s 1 month ago +1

      I see. You explained that it will only work on the machine where Windows Hello is enrolled.

  • @BASESKIZL
    @BASESKIZL 1 month ago

    I know too much to say what I want here.

  • @aa-hj2fd
    @aa-hj2fd 1 month ago

    Biometric security is not secure if it is in the public. The only way biometrics are secure is in a closed system.