Event details

Do you manage Windows endpoints in Intune? Do you have questions that extend beyond configuration and involve ensuring security, compliance, and a seamless user experience on Windows? Join this Ask Microsoft Anything (AMA) and engage directly with Microsoft product engineers to get your questions answered. Let's talk about hardware-backed device attestation, the settings catalog, BitLocker, App Control, firewall settings, baselines, and anything else related to endpoint management and security!

Post your questions in the Comments below. We'll have experts responding in the live stream and others in chat.

This session is part of Microsoft Intune: Tech Community Live. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.


Char_Cheesman
Updated Dec 27, 2024

192 Comments

  • BrandonBrown (Brass Contributor)
    Our organization is trying out the passwordless capability as part of the Authentication Policy CSP, but we are struggling with some of the functionality as currently designed and documented: https://learn.microsoft.com/en-us/windows/security/identity-protection/passwordless-experience/#in-session-authentication-experiences
    To keep this short: what is the reasoning behind forcing in-session authentication to the built-in local Administrator account and not allowing the opportunity to provide another account with local administrator access to authenticate? LAPS is great and it works, but it is hard to track down who actually performed that action, i.e. retrieved the LAPS password from Entra, and EPM requires additional configuration, doesn't currently check all of the boxes, and, most importantly, comes at an additional cost.
    • Char_Cheesman (Bronze Contributor)

      Thanks for participating in today's session of AMA: Windows management with Intune! For reference, the panel covered this topic at around 36:45.

      • BrandonBrown (Brass Contributor)
        Thank you, Charlize. Still hoping the team can provide some insight on the in-session authentication when turning on the passwordless experience with the Authentication Policy CSP 🙂
  • SatyamKrishna (Copper Contributor)

    What improvements will Copilot for Intune offer in terms of overall reporting, compliance and proactive remediation subjects?

  • Frank_keough (Copper Contributor)
    Is there a plan to add an executable to make integration into Intune easier? Currently the procedure is: GPO, work/school login. It would simplify the experience to have an MSI to install Intune.
    • ToddMote (Brass Contributor)
      He's asking for an Intune enrollment executable to install the Intune extension. Similar to installing the CM client to "enroll" a device into ConfigMgr.
      • Frank_keough (Copper Contributor)
        Are there any plans to change this? With remote users it would be nice to have an MSI that does the setup and join, then can disappear. Other MDMs do not seem to have an issue with an executable for install.
  • Gareth Richards (Copper Contributor)

    I would like some advice as to the best way to deploy the Configuration Manager client to hybrid joined Autopiloted machines. We are currently using the MSI bootstrap method but it's not particularly reliable. For context, I'm using ConfigMgr to schedule out-of-hours deployments at a UK based university.

  • Jamie_Ansell (Brass Contributor)
    Education customer: we want to deploy EID-Joined, Intune managed devices for shared teaching spaces with a high turnover of users. We are finding issues with some Intune policies not re-applying for every user who signs in. For example, we remove the Shutdown/Restart/Sleep options from the Start menu. When the first user signs in, the policy seems to work. For subsequent users it doesn't work, then intermittently it will work for another user. The policies where this happens are all marked as 'User-scoped'. We assign these to device groups, but this is supposed to be a supported scenario, whereby they are applied to all users. In reality they don't seem to be applied immediately upon login, which makes them pretty useless in this scenario. Is there anything we can do/should be doing?
  • RichR-VPS (Brass Contributor)
    One more if I may: I see remote antivirus scans, remote wipe, etc. I do not see remote backup. Is this not a feature, such as having the user plug in a USB external drive and click backup to remotely back them up, or backing up to an Azure storage blob perhaps, before doing all kinds of maintenance or wiping/fresh starting a device? Perhaps PowerShell to the rescue, but where to start on that?
      • RichR-VPS (Brass Contributor)
        Not always possible due to restrictions on what can be stored there and what users have locally, size-wise, bandwidth-wise etc. Allowing them to attach an external USB and have it encrypted and then performing the backup prior to a wipe etc. Perhaps allowing the Intune admin to configure a company storage account in Azure so the default storage goes there might help? OneDrive might not be the best place for legacy app files, database files, code files, etc. Not all end users live 100% in Office.
  • RichR-VPS (Brass Contributor)
    How are folks managing with Intune the remote workers and their devices when a remote worker is not a local admin yet needs to add a device at home, such as a local printer/scanner etc., for their job? That would require elevation, and as a local user they do not have rights to do so. Is IT having to constantly add devices to remote worker systems in support calls (sounds inefficient), or are people leaving users as admins?
    • Char_Cheesman (Bronze Contributor)

      Thanks for participating in today's session of AMA: Windows management with Intune! For reference, the panel covered this topic at around 2:30.

      • RichR-VPS (Brass Contributor)
        Sadly the discussion seemed to miss the mark. Either I did a horrible job writing the question or the participants have never had to work with remote or travelling users who occasionally need to print something for themselves, a customer, a fellow employee, a prospective client, etc. None of the proposed solutions seemed to address the scenario as asked.
    • idk1613 (Brass Contributor)
      Go with PaperCut to avoid work information being printed when not wanted, and your users using unmonitored equipment. It allows the user to add a local printer (if you deem it) without admin rights. It also doesn't allow drivers to be installed on the endpoint, which can be a vulnerability. It is relatively cheap, and Microsoft will never compete or offer a service as intelligent as that.
      • RichR-VPS (Brass Contributor)
        Yeah, not printing enough to warrant extra costs. I am thinking of scenarios where you have a person who works at home or in multiple places on the road etc., and they have a document/PowerPoint/spreadsheet etc. and it is easier for them to do what they want to do with it printed (yeah, young folks, people do print occasionally lol), but they are at home and have an MFP at home and just want to print. They should be able to; however, the nature of adding a printer to the system generally requires elevation. This kind of puts a hamstring on them, plus making them wait on an IT team just to add their home printer is unreasonable, as is charging more to get something like cloud printing or to get added "suite" options; that seems unreasonable to me as well. Intune already is an added cost in many licenses.
  • RichR-VPS (Brass Contributor)
    Have yet to be able to find a successful process/script/etc. for removing local admin privileges from AAD joined or hybrid devices for the corporate users. Examples: Bob is a new employee, we ship him a laptop new in the box. No Autopilot, just a new one off the shelf with Win 11 Pro. Bob has the necessary 365 licenses, he goes through the OOBE with his 365 credentials, it makes him an administrator, and there seems to be no easy way to remove that from him. Dave, on the other hand, has been around a bit; his laptop is 2 years old, we are only starting to roll out Intune, Dave logs into his laptop with a local account, it was upgraded from Win 10 to Win 11 Pro but he uses a local account, then accesses work/school via the usual apps and browsers, but Dave is the only administrator account and his system is AAD Registered. How do we easily make Dave a local user and not an admin anymore? There is a catch: neither Dave nor Bob are in the office, they work from home (remote employees).
    • Joe_Lurie (Microsoft)

      RichR-VPS Have you tried the Endpoint security > Account protection blade to create a Local user group membership policy?

      • RichR-VPS (Brass Contributor)
        Joe_Lurie, yes, after participating here I found some ways to do it, yet it adds more problems than it solves for remote users or travelling users. They cannot do simple things like add a local printer. Apparently no one prints to paper anymore, or companies spend silly amounts of money on universal printing or 3rd party solutions for users who occasionally need a couple of pages printed or to use a scanner/MFP device at home, at the hotel, conference etc. Makes no sense. Yes, installing drivers etc. should require elevation, no issue with that; however, I should not have to make them open tickets with IT all the time to do what users perceive as simple 2 minute operations. The cost of them being idle and IT having to get involved is not worth the trouble. The added security of having admin removed from them is wonderful, but practical implementation of it seems a ways off for us sadly.
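The thread above (RichR-VPS's Bob/Dave scenario and Joe_Lurie's pointer to the Local user group membership policy) is about finding out which devices still hand local admin to the signing-in user and what their Entra join state is. The script below is an added example, not code from this thread, from Microsoft, or from Intune: it reads the join state from `dsregcmd /status` and reports who sits in the local Administrators group, flagging any member not on an approved list. The approved-account name `LAPSAdmin` is a placeholder. It only reports; remediation is what the account protection policy Joe_Lurie mentions does.

```powershell
# Added example (not from the AMA thread or Microsoft): audit a device's Entra ID
# join state and its local Administrators membership before moving users to
# standard-user accounts. Assumes Windows PowerShell 5.1+ and an elevated prompt.

# Accounts allowed to keep local admin, e.g. a LAPS-managed local account.
# 'LAPSAdmin' is a placeholder name; replace it with your own.
$ApprovedAdmins = @('LAPSAdmin')

function Get-JoinState {
    # dsregcmd /status prints "Name : YES/NO" lines describing the device's
    # relationship to Entra ID (AzureAdJoined), workplace registration
    # (WorkplaceJoined, i.e. "AAD Registered" as in Dave's case) and AD.
    $status = dsregcmd /status
    $joined     = [bool]($status | Select-String '^\s*AzureAdJoined\s*:\s*YES')
    $registered = [bool]($status | Select-String '^\s*WorkplaceJoined\s*:\s*YES')
    $domain     = [bool]($status | Select-String '^\s*DomainJoined\s*:\s*YES')
    [pscustomobject]@{
        AzureAdJoined   = $joined
        WorkplaceJoined = $registered
        DomainJoined    = $domain
        HybridJoined    = ($joined -and $domain)
    }
}

function Get-LocalAdminReport {
    # Get-LocalGroupMember can throw on some builds when the group contains
    # Entra ID principals or orphaned SIDs, so fall back to parsing
    # 'net localgroup' output (header lines and the trailing status line
    # are filtered out).
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            ForEach-Object { $_.Name }
    } catch {
        $members = (net localgroup Administrators) |
            Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
    }

    foreach ($m in $members) {
        # Strip the "COMPUTER\" or "AzureAD\" prefix for comparison.
        $short = ($m -split '\\')[-1]
        # The built-in Administrator (disabled or LAPS-managed) is expected;
        # unresolved S-1-12-1-... entries are Entra ID roles or orphaned
        # accounts and deserve a second look, so they are not approved here.
        $approved = ($ApprovedAdmins -contains $short) -or ($short -eq 'Administrator')
        [pscustomobject]@{
            Member   = $m
            Approved = $approved
        }
    }
}

# Run the audit and surface anything that should not be a local admin.
$join = Get-JoinState
$join | Format-List

$report = Get-LocalAdminReport
$report | Format-Table -AutoSize

$unexpected = @($report | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Local admins outside the approved list: " + ($unexpected.Member -join ', '))
}
```

Running this as an Intune remediation detection script (exit code 1 when `$unexpected` is non-empty) gives a per-device view of the "Bob" problem across the fleet; a device showing `WorkplaceJoined = True` with `AzureAdJoined = False` is a "Dave" that must be joined rather than merely registered before the Intune group membership policy will apply to it.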
  • AtomizerZero (Copper Contributor)
    We have just started moving away from an on-prem server to an AAD Joined (not using Hybrid) setup. One of the features I miss already is the ability to lock out an account from signing in to their laptop. Blocking sign-in to their AAD/email account and revoking access to their signed-in sessions doesn't prevent the user from signing in to Windows. On top of that, changing the user's password for their AAD/email account doesn't stop them using their old password to sign in UNTIL the new password is used. It also doesn't prompt for a password change on signing in to Windows after setting their account to "change on next sign in". Am I missing something? Can we disable the caching of credentials? Thank you!
    • OGTekie (Occasional Reader)
      You may be able to use the web sign-in credential provider. This will block the users from using their password to log in to Windows and will allow MFA using either WHfB, FIDO2, or the MS MFA app to log in using the new passwordless experience.
      https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune
      https://learn.microsoft.com/en-us/windows/security/identity-protection/passwordless-experience/
      Otherwise, if they're Autopiloted you can block access and that will prevent them from logging in. Hope that helps! ☺️
      • AtomizerZero (Copper Contributor)
        Thanks. I will have a play around with web sign-in on a test laptop. Might be what I need.
  • A friendly note from your Community Managers:
    Post your questions in advance (no time like the present!) for this Ask Microsoft Anything (AMA) session. Have more than one question? Posting each one as a new comment makes it easier for our panel of experts to see and answer!

    • NoNotMe (Iron Contributor)
      I've been using another RMM offering to manage AD joined devices and using Intune for newly purchased devices. One of the features I heavily depend on from this other RMM package is unattended remote access to client machines when they are not using them. Are there plans to enhance Remote Help and enable unattended access features? I would like to avoid paying for third-party licenses when it seems Intune is so close to providing the same functionality with Intune Remote Help. Thank you!!