User Profile
Andrew1
Copper Contributor
Joined 8 years ago
Recent Discussions
Azure AD Windows Profile is Bypassing MFA
We've had MFA configured for a couple of years now, and are just starting to configure devices so they log into an Azure AD profile on a device with Intune. With this configuration more or less out of the box, after logging into Windows, the user is automatically logged into Office.com in Edge and Office products (except Outlook). In effect, it's bypassing MFA. Is it possible to configure Windows so it requires people to authenticate with the app or text when logging into Windows, or otherwise is it possible to remove the SSO experience from Edge? We cannot allow users to get to certain SharePoint sites without 2 factors from a new Windows session if we want to stay in compliance with our client's security requirements.

Solved

Disable Windows Hello AND Remove Existing PIN
Previously, after setting up Windows for an Azure AD user, it would give me a prompt saying that my organization requires a PIN for Windows Hello. I would hit next, then close the dialog asking for the PIN, and it would say there was an error or something, I'd hit OK and I'd be in Windows with no further Windows Hello harassment until I restarted. Once I got the device enrolled in Intune, it would apply the policy I have that disables Windows Hello. However, a recent update to Windows seems to have made it impossible to bypass setting up a PIN. Because I can't enroll the device in Intune during the Windows Setup, the disable policy doesn't apply until after the PIN is established on the account. Once the PIN is set up on a Windows account, it is not removed when Windows Hello is disabled via Intune/GPO, and it is seemingly impossible to remove manually. The only lead I've been able to find is to delete this folder: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC\. However, Windows simply is not letting that happen, even after taking full ownership of the folder as a local admin. My only workaround is to first set up the device authenticating with my own account, which will have the PIN. Then enroll in Intune with the user's account to get their policies applied and Hello disabled. Then create the local admin account. Then add the user's account. Then log into the local admin account and delete my account. Finally, log into the user's account to create shortcuts and do QA. We use BitLocker with a PIN that effectively does the same thing as Windows Hello with a PIN, except it also encrypts the disk. So I really don't see what it brings to the table besides a redundant password for users to memorize and extra help desk work when they forget it? How do I get devices configured without adding a bunch of work to get around Windows Hello?

Defender ATP + Windows Information Protect + Sensitivity labels - Prevent intrasystem leaks?
I need to control the flow of information based on its sensitivity label. Defender ATP + Microsoft Information Protection looks like the perfect tool, but all of the documentation I can find is oriented toward only two classifications: Work information and Personal information. I can't find anything that describes the fidelity allowed when utilizing sensitivity labels. For example, if one SharePoint site is HR (sensitivity: HR/PII), and one is Project XRay (sensitivity: General Business), I need to restrict both of those from going out to uncontrolled non-work environments; that looks easy. However, is it possible to also restrict HR/PII labeled information from accidentally being leaked to the XRay site and every other site except ones that are approved to store that type of information?

Sensitivity Label Endpoint data loss prevention does nothing
I'm trying to set up sensitivity labels and Windows Information Protection to prevent employees from accidentally or purposefully leaking sensitive documents to non-corporate environments. Everything with WIP works great, it's configured via Intune, and sensitivity labels appear to be working. However, I'm not sure what the point is of the sensitivity label option for "Endpoint data loss prevention". If I apply a SUPER SECRET sensitivity label to a Word document with the option enabled, users are still able to simply right click and change file ownership to Personal, and then they can email it from their personal Gmail account or whatever. So it's not enforcing endpoint DLP at all. The "https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels" link on the settings page says "If endpoint data loss prevention is enabled, the device enforces work protection for any file with the label", but it's not a very detailed section. How can I stop users from changing ownership of files, and is it possible to restrict that ability based on the sensitivity label?

Re: Azure AD Windows Profile is Bypassing MFA
That makes sense, as long as I can document it and defend it we should be good, so thanks for explaining. I disable Windows Hello to ensure the password complexity and password change requirements are met, but I assume BitLocker w/ TPM has the same effect as making it the 'something you have', or is there something fundamentally different about Hello?