Set User Default Credential Provider for Lock Screen
I'm using Windows 10 Enterprise 22 H2 with Intune and MECM (Co-Managed). We enforce that our users enrol for Windows Hello for business. They can use PIN or Biometric. This all works fine but when the user session locks (idle time etc.) it defaults to username/password credential provider even if the user signed into the desktop console session with a PIN. I'm aware there is a system wide policy to set the default credential provider here https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-credentialproviders#defaultcredentialprovider but I am wondering if there is a method to do this per user or have the lock screen default to the credential used for the user sigin in?
Azure AD Joined Hello for Business and NPS Radius Authentication
Hi guys, I am starting to roll out the Windows VPN client using L2TP to our computers which are a mixture of Hybrid Joined and Azure AD joined. All computers in the business have got Windows Hello for Business and this works well. The issue I am having is for the Azure AD joined machines only signing in with biometrics. They are unable to connect to the VPN with successfully when they use the '-UseWinlogonCredential' switch. This is not an issue with Hybrid Joined machines signing in with biometrics. I am struggling to find a solution to this problem, so for the interim those machines are simply prompting the user for their username and password which gets accepted. I suspect it's a certificate issue for Azure AD joined machines only but not too sure how to configure the NPS to allow these through. Any advice is greatly appreciated!
Enforce Windows Hello
Hi, We have an environment full of Azure AD joined Windows 10 devices. We want to enforce MFA (Hello). If we set a Windows Hello Intune policy then a user can skip therefore it is not enforced. We have tested the MFA registration policy, my understanding is that after 14 days of skipping it should lock the user out of any MS cloud service... but it doesn't, it doesn't seem to do a lot. Also - even once Hello is registered a user still has the option of logging into the desktop using username and password and therefore bypassing the MFA.... Has anyone got anything similar working? Thanks
