User Profile
RussMeyer-Epik
Copper Contributor
Joined Feb 06, 2023
Recent Discussions
Force additional MFA for PIN WH4B
So I got a request from one of my clients, and if you think about it, it's on the verge of being valid but an edge case... Let's say you implement WH4B and leverage PIN; how do you prevent someone shoulder surfing and leveraging the PIN on that device if they take it? Or restrict PIN patterns? (The patterns I am looking into.) I know FIDO2 is the best way along with biometrics... but they were wondering if there was a way to re-prompt the MS Auth app for a code after login/reboot... I couldn't find anything on this, but I did find forcing an MFA device revalidation via Graph API. Anyone able to accomplish this with the Entra joined device?

Re: Azure Arc Patching
Thank you for the response. Azure Arc logs all look good and appear to be good installs. Will look into analytics going forward for when we flip to prod. Manual verification of the OS build seems to be the current method to validate if it's been patched. Not using Azure Automation, it's strictly Azure Arc; however, will see if it built any behind the scenes... I am trying to get a post to Teams when they patch as a notification, but the payload is causing issues. Azure Arc validated without issue.

Azure Arc Patching
Working on getting boxes onboarded with Azure Arc since we are mostly cloud based, but still have a few boxes left on prem. In my lab I am able to enroll and set up patching via Azure without much issue. Via the console it reports stuff running, etc.; however, when checking on the box I don't see the patches via update history or wmic qfe list. But when I check the rev, I see the OS is current (I installed from an ISO that was 12 months old). Seems like the data is out of sync or just missing locally. Other than Azure Arc's log, is there any way to validate it's working correctly? Sorry, just paranoid and want to make sure it's solid...

MacOS Defender and Full Disk Access
Working on deploying Defender on macOS via Intune... most of it is solid; however, I noticed "Microsoft Defender Endpoint Security Extension" doesn't have Full Disk Access and needs it... the native "Microsoft Defender" has it OK... it's deployed as the option for Defender under macOS and not a LOB... anyone else run into this?

Re: Platform SSO for macOS not working
PatrickF11 - it was on the Extension Identifier... one thing I see missing is the Token to User mapping; granted, that is only needed for Apple Business integration so that it builds the local account on OOBE... since my enrollment did not include Apple Business, the Company Portal was a direct install vice Intune (working on getting Apple Business online for future devices).

Re: Platform SSO for macOS not working
OK, so that is what I get for copy/paste... trailing spaces, ugh!!!! Got the prompt now and it's enrolled... but now to the nuances... while the password syncs and appears OK, getting some prompts for PIN/keys... doesn't appear the token is fully there, similar to Hello for Business... but once past, it's pretty solid for MS 365 access and SSO apps.

Re: Platform SSO for macOS not working
Configure an app extension that enables single sign-on (SSO) for devices.
Screen Locked Behavior: Do Not Handle
Registration Token: {{DEVICEREGISTRATION}}
Platform SSO Authentication Method: Password
Token To User Mapping:
  Account Name: preferred_username
  Full Name: name
Use Shared Device Keys: Enabled
Team Identifier: UBF8T346G9
Extension Identifier: com.microsoft.CompanyPortalMac.ssoextension
Type: Redirect
URLs:
  https://login.microsoftonline.com
  https://login.microsoft.com
  https://sts.windows.net

Re: Platform SSO for macOS not working
Kishoth, I just don't get the popup to finish registration... from what I read, that is the only way to kick it off... the rest of Intune and the profile is good... in the Intune config profile I have it set to password... give me a bit and I can upload the config profile... but since Apple Business Manager is not in the loop, this is manual enrollment via Company Portal.

Re: Platform SSO for macOS not working
Having the same issue; granted, it's not going through Apple Business Manager... Sonoma 14.5 and fully enrolled, just no alert to finish it... Company Portal now says "register your Mac using your work or school account", but again no alert... one part not done per the doc is the Apple Business Manager.

Re: AzureAD Joined Device and onprem w/ PIN
So actually, got it to work... AzureADKerberos object via PowerShell, then a custom item via Intune... https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision
Now on to the next fun... getting the same Azure joined device/user to access a server that is joined to Azure AD DS... can't do Azure DC Kerberos there.

AzureAD Joined Device and onprem w/ PIN
I am working on a scenario where we want to move to Azure AD DS; we still have some need for LDAP/S, Unix, etc., but want on prem to go away. Endpoints are already Azure AD joined to the 365 tenant. Tenant is in sync with on prem w/ Azure AD Connect w/ password hash as well... here is where it gets fun... an endpoint with password login has no problem accessing the on-prem file server, but as you know, Azure joined devices force PIN enrollment and default to it. When the user logs in with PIN, I get a cred prompt... eventually this box will go to Azure, but I suspect this will occur when it gets out there also... I have attempted AzureADKerberosServer, one-way trust with AADDS/local, and the domain certificate avenue, no love... has anyone gone down this rabbit hole?