You guys are awesome! Thank you for making learning enjoyable.
Thanks for the content as always, guys - great stuff. The tip about using the password to log in to revert the authentication from next gen is gold - just used that today to test access to a legacy application - nice one!
Slight correction on the Windows Hello for Business support on RDP sessions there: it's not supported for key trust deployments, but IS for certificate trust deployments. Which can be quite nice, as you can sign in to RDP sessions just by sitting in front of your camera etc., so it might be a reason to go for certificate trust if you're a big RDS house. See the Note section at docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-planning-guide#trust-types
Great info thanks!!
You guys are awesome!
Aha !
All this speaks to me as I've been through all those details myself :))))
Biometric authentication is great because it's secure and it's easy, but the problem we have is that after six months of never having to use their password it's gone and forgotten; if the password is still needed for first-time logins it does still need to be remembered. Perhaps the ability to force a password-based login once a month? On a slightly lighter note, I had a user complaining her fingerprint reader wouldn't work on Thursday evenings. "Only Thursdays?" "Yes, the kids are out at football so I have a lovely long soak in the bath, then try to catch up on some emails." Hmm! "Try reading a book in the bath." Enjoy the break if you're getting one and stay safe!
First off... great channel. Learned a lot. I don't think you've touched on the subject of enforcing Hello for Business when enrolling a device. How can biometrics be enforced (it can be skipped when enrolling, as I see it now), and not be something that is optional for a user to set up after interactive logon has occurred? I would think orgs would know how to set up 2FA in an easy way, with more than the PIN, as it can be lost, like a password, as can the device.
I just want to say I agree with you on the hybrid option. It's the worst of both worlds and similar to crawling, then wheelchair, then walking. Should be avoided at all costs.
Hi. Thanks for another great discussion about Intune.
I want to suggest a topic to clarify better in Modern Management: how we can use Configuration Profile | Shared Devices in contrast to Hybrid Join.
We have a use case such as a Customer Support Center, with shared computers (because of shifts); we're using Hybrid Join to benefit from the traditional way of having several users share the same device. Can the Configuration Profile - Shared Devices be an alternative for the same use case? Will this set "affinity"?
What do you think?
Thank you guys!
One remark, maybe this is only a "shortcut" in the way you think, but the client never sends the private key. It's against security logic. The client uses the private key to sign "something" and sends that to the recipient. The recipient has the public key and uses it to check whether "something" was properly signed with the private key. The private key stays private only if you're the only one who can use it - who has it.
Not sure what I said but you are probably right.
Here's a very detailed document on how auth works with Windows Hello for Business.
docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication
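To make the point in the remark above concrete (the client signs a challenge and only the signature crosses the wire; the private key never does), here is an added, self-contained model of that exchange. It is example code written for this thread, not code from the video, from Microsoft, or from the linked document; it assumes ECDSA on P-256 and the `Client`/`Server` names and an in-memory nonce table, and it deliberately leaves out everything the real Windows Hello for Business flow adds on top (TPM-backed key storage, the IdP's actual challenge format, Kerberos/PRT issuance). The two failure cases it exercises, a replayed response and a signature from a different device's key, are the ones the remark implies: whoever holds the private key is the identity, and a one-shot challenge is what stops a captured signature being reused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Client models the device side (assumed name). The private key is generated
// here and never leaves this struct; the only thing handed out is PublicKey().
type Client struct {
	priv *ecdsa.PrivateKey
}

// Server models the relying party / IdP (assumed name). It holds only the
// public key registered at provisioning plus the challenges it has issued.
type Server struct {
	pub    *ecdsa.PublicKey
	issued map[string]bool // hex(nonce) -> still outstanding
}

// NewClient generates a fresh P-256 key pair on the device.
func NewClient() (*Client, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv}, nil
}

// PublicKey is the provisioning step: the public half is all that is registered.
func (c *Client) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// NewServer stores the registered public key for later verification.
func NewServer(pub *ecdsa.PublicKey) *Server {
	return &Server{pub: pub, issued: make(map[string]bool)}
}

// Challenge issues a fresh 32-byte random nonce and remembers it, so each
// signed response can be accepted at most once.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.issued[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Sign is the client's response: sign SHA-256(nonce) with the private key.
// The signature, not the key, is what goes back over the network.
func (c *Client) Sign(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Verify checks the challenge is one we issued and not yet consumed, then
// validates the signature against the registered public key.
func (s *Server) Verify(nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	if !s.issued[key] {
		return errors.New("unknown or already-used challenge (replay?)")
	}
	delete(s.issued, key) // one-shot: a captured response cannot be replayed
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(s.pub, digest[:], sig) {
		return errors.New("signature does not verify under registered public key")
	}
	return nil
}

// Authenticate runs one full challenge-response round trip.
func Authenticate(c *Client, s *Server) error {
	nonce, err := s.Challenge()
	if err != nil {
		return err
	}
	sig, err := c.Sign(nonce)
	if err != nil {
		return err
	}
	return s.Verify(nonce, sig)
}

func main() {
	client, err := NewClient()
	if err != nil {
		panic(err)
	}
	server := NewServer(client.PublicKey())
	fmt.Println("first sign-in:", Authenticate(client, server))

	// Replaying a captured (nonce, signature) pair must be rejected.
	nonce, _ := server.Challenge()
	sig, _ := client.Sign(nonce)
	fmt.Println("fresh response:   ", server.Verify(nonce, sig))
	fmt.Println("replayed response:", server.Verify(nonce, sig))

	// A different device (different private key) cannot answer for this user.
	impostor, _ := NewClient()
	nonce2, _ := server.Challenge()
	sig2, _ := impostor.Sign(nonce2)
	fmt.Println("impostor response:", server.Verify(nonce2, sig2))
}
```

Run it with `go run .`; the first two lines print `<nil>` (accepted) and the last two print the rejection errors. The point to take from it is where the secret lives: the server can lose its whole database and an attacker still cannot sign in as the user, because what it stored was only ever the public key.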
Thanks, guys, for sharing the post. What happens if you have an AD password policy set to expire after 90 days and you have enabled WHFB? Once the password has expired, will the user still get prompted to reset the password? Also, does Outlook (Office 365) prompt for the password after password expiry?
On shared devices, is there a limit on the number of users who can set up WHFB?
Also, if you could please share an article on how to implement MFA when a user is connecting to untrusted WiFi (i.e. a cafe), the device does not have biometric capability and you want MFA after entering the PIN.
Thanks
If my DCs are 2016 and the functional level is 2016, would AADJ devices be able to access on-prem printers?
Awesome, but I'm on a deadline so I find 42 minutes for Windows Hello too long. Maybe I'll come back when I have more time.
Try this one instead
S04E03 - Configuring Hybrid Cloud Trust - (I.T)
ua-cam.com/video/q0Y4g0dcOY4/v-deo.html
Just getting into the first ten minutes... you explained the exchange of keys with AAD. Obviously this would need an internet connection to reach out. Does the "token" expire? What happens if I leave the computer offline for x days? Does that "token" or authentication aspect "expire"?
Correct. If the device is not able to refresh the token with the identity provider (IdP) for a period of time (I don't recall the exact number), the token will expire and won't allow use. When you look at using things like Conditional Access you control this to a larger degree, especially on iOS and Android, where the content can be removed from the device without communication to the IdP.
Adam looks so over-excited ;D
I was. :-)
Please keep your videos short! Instead of talking for 45 min, please keep it short or make a short video with a recap.
This IS the recap video. What kind of content are you looking for? We try to provide in-depth content with discussion about the concepts. This one specifically has no demo content which makes it great for background listening.
How about you wait until they have the time marks in the description as they do with all the videos they graciously provide us and skip whatever you want.