Tuesday, January 16, 2024

Saturday, January 13, 2024

Log in smoothly with Standard domain account and Local Admin account using Windows Hello

Standard


Introduction

Windows Hello is a feature that allows you to sign in to your Windows 11 device using your face, iris, or fingerprint. It is a convenient and secure way to unlock your device without typing a password. However, if you have more than one account on your device, such as a domain standard user account and a local admin account, you might want to use Windows Hello for both accounts. This document will show you how to set up Windows Hello for your local admin account and how to make it easier to run applications as an administrator.

Steps to set up Windows Hello for your local admin account

  • First, you need to sign in to your local admin account by switching the profile in the Windows login screen. You can do this by clicking on the user icon in the bottom left corner and selecting your local admin account.
  • After you sign in to Windows with your local admin account, click the Start button and search for Settings.
  • Then, go to Accounts and click on Sign-in options in the left pane.
  • Under Windows Hello, you will see the options to set up your fingerprint recognition. Choose the option that suits your device and follow the instructions to scan your biometric data.

  • Once you have set up Windows Hello, you can sign out of your local admin account and switch back to your domain standard user account.

Tip: Use a different finger for each profile: scan one finger for the domain account and another finger for the local account.

How to run applications as an administrator using Windows Hello

Some applications, such as Hyper-V Manager, require you to run them as an administrator to access their full functionality. However, if you are signed in with your domain standard user account, you will need to enter your local admin account credentials every time you want to run them as an administrator. This can be inconvenient and time-consuming, especially if you have a long or complex password. To avoid this hassle, you can use Windows Hello to sign in with your fingerprint instead of typing your password. Here is how you can do that:

  • Right-click on the application that you want to run as an administrator and select Open file location.
  • Then, right-click on the application shortcut and select Properties.
  • Then, select the Shortcut tab and click on Advanced.
  • Tick the Run as administrator checkbox and click OK.


  • Now, every time you click on the application shortcut, it will automatically open with a run as administrator prompt and ask you to scan your fingerprint. If you have enrolled a different finger for your local admin account and your domain standard user account, you can use the appropriate finger to sign in without any hassle.
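The "Run as administrator" checkbox in the Advanced dialog above sets a single flag inside the .lnk file. The following PowerShell is an added example, not code from the original post: it inspects or sets that flag directly, which is handy when you want to prepare several shortcuts at once. It assumes the Windows Shell Link format (HeaderSize 0x4C, LinkFlags at offset 0x14 with RunAsUser as bit 0x2000) and a placeholder shortcut path.

```powershell
# Added example (not from the original post): inspect or set the RunAsUser flag of a .lnk file.
# Shell Link header: 4-byte HeaderSize (0x0000004C), 16-byte LinkCLSID, then 4-byte LinkFlags
# at offset 0x14. RunAsUser is bit 13 (0x2000), i.e. bit 0x20 of the byte at offset 0x15.

function Test-ShortcutRunAsAdmin {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Sanity check: refuse anything that does not carry the shell-link header size
    if ($bytes.Length -lt 0x4C -or $bytes[0] -ne 0x4C -or
        $bytes[1] -ne 0 -or $bytes[2] -ne 0 -or $bytes[3] -ne 0) {
        throw "$Path is not a Windows shell link (.lnk) file"
    }
    return (($bytes[0x15] -band 0x20) -ne 0)
}

function Set-ShortcutRunAsAdmin {
    param([Parameter(Mandatory)][string]$Path, [switch]$Clear)
    # Validates the header first (throws on a non-.lnk file) before rewriting anything
    $null = Test-ShortcutRunAsAdmin -Path $Path
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($Clear) { $bytes[0x15] = [byte]($bytes[0x15] -band 0xDF) }  # clear bit 0x20
    else        { $bytes[0x15] = [byte]($bytes[0x15] -bor  0x20) }  # set bit 0x20
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return (Test-ShortcutRunAsAdmin -Path $Path)
}

# Placeholder path: copy the Hyper-V Manager shortcut to your desktop first, since the
# Start menu copy under ProgramData is not writable from a standard user account.
$lnk = "$env:USERPROFILE\Desktop\Hyper-V Manager.lnk"
"Before: RunAsAdmin = $(Test-ShortcutRunAsAdmin -Path $lnk)"
"After:  RunAsAdmin = $(Set-ShortcutRunAsAdmin -Path $lnk)"
```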

Conclusion

By following these steps, you can set up Windows Hello for your local admin account and use your fingerprint to sign in and run applications as an administrator. This will make your Windows 11 experience more convenient and secure. However, you should also remember to keep your fingerprint scanner clean and dry, and to update your biometric data regularly to avoid any errors or failures.

Thursday, November 30, 2023

Enable Microsoft Entra self-service password reset on the Windows sign-in screen

Standard

To configure self-service password reset on the sign-in screen using Intune, you need to create a device configuration policy in Microsoft Intune and enable the Allow Aad Password Reset setting. This setting lets users reset their passwords directly from the Windows sign-in screen, improving the overall user experience on Windows devices. Here are the steps to create the policy:

  • Sign in to the Microsoft Intune Admin portal.
  • Select Devices > Windows > Configuration profiles > Create profile.
  • In Create Profile, select Platform as Windows 10 and later and Profile type as Settings catalog. Click the Create button.
  • On the Basics tab, enter a name and a description for the policy, then select Next.
  • In Configuration settings, click Add settings to browse or search the catalog for the settings you want to configure.
  • On the Settings Picker window, select Authentication to see all the settings in this category. Select Allow Aad Password Reset below. After adding your settings, close the settings picker.
  • On the Configuration settings tab, select the Allow Aad Password Reset setting and choose Allow. Then select Next.
  • On the Assignments tab, choose the groups of devices that you want to apply this policy to. Then select Next.
  • On the Review + create tab, review your settings and click on Create to create the policy.

Adding users to the local Remote Desktop Users Group

Standard

There are different ways to add users to the local Remote Desktop Users group using Intune, depending on the type of device and the method of user identification. If the device is Azure AD joined, this method will help you add users to local groups.

  • Sign in to the Microsoft Intune Admin portal.
  • Select Endpoint security > Account protection > Create profile.
  • In Create Profile, select Platform as Windows 10 and later and Profile type as Local user group membership. Click the Create button.

  • On the Basics tab, enter a name and a description for the policy, then select Next.

  • Then select Remote Desktop Users as the local group and select the group to add.

  • On the Assignments tab, choose the groups of devices that you want to apply this policy to. Then select Next.
  • On the Review + create tab, review your settings and click on Create to create the policy.




Thursday, November 9, 2023

Improve experience with Quick assist Non Administrator mode

Standard

Many customers intend to use third-party remote assistance tools for their day-to-day support needs, while some opt for Teams as their remote support tool. In my experience, using the Quick Assist tool has proven to be much more beneficial, and I have personally experienced its advantages.


However, when Administrator mode is not available, I've observed a decrease in the quality of the experience. To address this issue, I've implemented some strategies to avoid suboptimal experiences.

Before that, I recommend using the shortcut for Quick Assist, which is Ctrl + Windows key + Q. It's much easier to guide end users by asking them to press these keys.


Option 01

Quick Assist is my preferred application for remotely resolving technical issues. It also allows me to elevate my privileges and run as an administrator for hardware and software installation and configuration. The following steps outline the process:

Launch the Command Prompt (CMD) on the end user's computer.

Enter the following command:

runas /user:domain\administrator cmd

Replace "domain" with your organization's domain.

Replace "administrator" with any valid administrator login.

If a domain is not available, use the following command in CMD:

runas /user:local_user cmd

Enter the administrator password when prompted.

Once you've successfully launched CMD in administrator mode, you can perform various tasks, such as installing software or opening management consoles:

  • x:\MicrosoftEdgeSetup.exe (for software installation, where x is any drive letter on your computer).
  • appwiz.cpl for installing or uninstalling programs.
  • services.msc (run or stop a service)
  • devmgmt.msc (Device Manager, to install/uninstall or upgrade a device driver)
  • diskmgmt.msc (Disk Management)
  • compmgmt.msc (Computer Management)
  • regedit (Registry Editor)

Option 02

When opening an elevated privilege application, a pause screen is typically displayed, and the end user is prompted to enter the Admin password. However, in cases where the user is not accustomed to such a procedure and you, as the administrator, want to ensure a secure experience, this can be challenging.


 This is how I've developed a workaround to address this issue.

  1. Log in to the Intune Admin Center - https://intune.microsoft.com/
  2. Go to Devices and select Configuration profiles
  3. Then create a policy
    • Platform - Windows 10 and later
    • Profile type - Settings Catalog
  4. Provide the name and click Next
  5. In the Configuration settings tab, select +Add settings and search for "User Account Control"
  6. Then select Local Policies Security Options
  7. After that, select these two policies:
    • User Account Control Behavior Of The Elevation Prompt For Standard Users
    • User Account Control Switch To The Secure Desktop When Prompting For Elevation
  8. Set the policies as below:
    • User Account Control Switch To The Secure Desktop When Prompting For Elevation - Disabled
    • User Account Control Behavior Of The Elevation Prompt For Standard Users - Prompt for credentials
  9. Then select Next, add the group on the Assignment page, click Next, and create the policy.
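The two settings above land in the local UAC policy values on the device. The following PowerShell is an added example, not part of the original post: it reads those values back so you can confirm the Intune policy applied and see what the standard-user prompt will do. It assumes the standard policy key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and the documented UAC value meanings.

```powershell
# Added example (not from the original post): audit the UAC values behind Option 02.
# ConsentPromptBehaviorUser: 0 = automatically deny, 1 = prompt for credentials on the
# secure desktop, 3 = prompt for credentials (Windows default).
# PromptOnSecureDesktop: 1 = switch to the secure desktop for prompts (default), 0 = do not.

function Get-UacElevationConfig {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    $userBehavior = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    # A missing value means the Windows default applies
    $cpbu   = if ($null -ne $p.ConsentPromptBehaviorUser) { [int]$p.ConsentPromptBehaviorUser } else { 3 }
    $secure = if ($null -ne $p.PromptOnSecureDesktop)     { [int]$p.PromptOnSecureDesktop }     else { 1 }
    $lua    = if ($null -ne $p.EnableLUA)                 { [int]$p.EnableLUA }                 else { 1 }

    [pscustomobject]@{
        EnableLUA                 = $lua
        ConsentPromptBehaviorUser = $cpbu
        StandardUserPrompt        = $userBehavior[$cpbu]
        PromptOnSecureDesktop     = $secure
        # True when the device carries exactly the Option 02 configuration
        MatchesOption02           = ($cpbu -eq 3 -and $secure -eq 0)
        # Risk to weigh: with the secure desktop off, the credential prompt is drawn on the
        # interactive desktop, where other user-mode processes can observe or drive it.
        PromptOnInteractiveDesktop = ($secure -eq 0)
    }
}

Get-UacElevationConfig | Format-List
```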

Quick Assist remote experience after Option 02

A password prompt appears on the remote system, allowing the admin to type




How to get app's GUID for Intune application deployment

Standard

I was wondering how to find the GUID for an application so that I can create an uninstall command for an application that is not available for uninstallation through  on the internet.

To extract the GUID for an application, you can follow these steps:

  1. Install the application on a PC.
  2. Open Windows PowerShell (search for "PowerShell" in the Windows search bar).
  3. Run the following command:
Get-CimInstance -ClassName Win32_Product | Sort-Object -Property Name | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize




This command will list all installed programs along with their identifying numbers (GUIDs). Look for the application you want to uninstall, and note down its identifying number (GUID).
Now you have the GUID for the application, which you can use to create an uninstall command.

Example: msiexec /x "{5B0C7A0B-0B5A-4552-8E06-0CC630F2C50A}" /qn
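Win32_Product works, but querying it makes Windows Installer run a consistency check (and possibly a repair) of every MSI package on the machine, and it only lists MSI-installed products. The following PowerShell is an added example, not part of the original post: it reads the same product GUID from the Uninstall registry keys instead, covers 32-bit and per-user installs, and builds the msiexec uninstall command for you. The application name passed in -Name is assumed.

```powershell
# Added example (not from the original post): find an app's product GUID and uninstall command
# from the registry Uninstall keys rather than Win32_Product.

function Get-InstalledAppUninstallInfo {
    param([Parameter(Mandatory)][string]$Name)

    # 64-bit, 32-bit (WOW6432Node) and per-user installs all register here
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # MSI products use their ProductCode GUID as the key name
    $guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$Name*" } |
        ForEach-Object {
            $isMsi = $_.PSChildName -match $guidPattern
            [pscustomobject]@{
                DisplayName      = $_.DisplayName
                DisplayVersion   = $_.DisplayVersion
                ProductCode      = if ($isMsi) { $_.PSChildName } else { $null }
                # MSI products can be removed by product code; other installers expose
                # their own uninstall string, usually an EXE with vendor-specific switches
                UninstallCommand = if ($isMsi) { "msiexec /x `"$($_.PSChildName)`" /qn" }
                                   else        { $_.UninstallString }
            }
        }
}

Get-InstalledAppUninstallInfo -Name 'Edge' | Format-List
```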

Friday, October 20, 2023

The First Step to Passwordless with Temporary Access Pass

Standard

Passwordless authentication options, like FIDO2 and passwordless phone sign-in via the Microsoft Authenticator app, provide users with a secure way to log in without using a traditional password. Users have two primary avenues to initiate these passwordless methods:

  • Leveraging existing Microsoft Entra multifactor authentication methods.
  • Employing a Temporary Access Pass (TAP)

A Temporary Access Pass is a time-bound passcode that allows users to sign in with this temporary code to onboard to passwordless authentication methods, such as phone sign-in with an authentication app or FIDO2 with Windows Hello for Business.

Enable Temporary Access Pass (TAP)

  1. Sign in to the Entra ID portal (formerly known as the Azure AD portal)

    6. Then Enable and select Configure

Create a Temporary Access Pass for User

1. Navigate to the user account on the Entra portal - Identity > Users

3. Select Authentication methods

Share the details with the user.
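The same pass can be issued from Microsoft Graph PowerShell, which is useful when onboarding users in bulk. The following is an added example, not code from the original post: it creates a single-use, short-lived TAP and then lists its usability status (the same usable/expired detail the admin center shows). It assumes the Microsoft.Graph.Identity.SignIns module is installed, the TAP authentication method policy above is enabled, and the UPN is a placeholder.

```powershell
# Added example (not from the original post): create and inspect a Temporary Access Pass via Graph.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

function New-OnboardingTap {
    param([Parameter(Mandatory)][string]$UserId, [int]$LifetimeMinutes = 60)
    # Single-use and short-lived: the pass only has to carry the user through registering a
    # passwordless method. The tenant TAP policy caps the lifetime and may force one-time use.
    $body = @{ lifetimeInMinutes = $LifetimeMinutes; isUsableOnce = $true }
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId -BodyParameter $body
    [pscustomobject]@{
        Id        = $tap.Id
        Pass      = $tap.TemporaryAccessPass   # returned only once; hand it to the user out of band
        StartTime = $tap.StartDateTime
        Lifetime  = $tap.LifetimeInMinutes
        OneTime   = $tap.IsUsableOnce
    }
}

function Get-TapStatus {
    param([Parameter(Mandatory)][string]$UserId)
    # IsUsable / MethodUsabilityReason tell you whether the pass is still valid or has expired
    Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId |
        Select-Object Id, StartDateTime, LifetimeInMinutes, IsUsableOnce, IsUsable, MethodUsabilityReason
}

$upn = 'user@contoso.example'   # placeholder UPN
New-OnboardingTap -UserId $upn
Get-TapStatus -UserId $upn
```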


Sign-in experience for the end user



From here, you can add your authentication method, such as FIDO2.

Admin Portal experience 


In the Admin center, we can see the details of the created Temporary Access Pass, and if it has expired, we can also see that.

Friday, September 8, 2023

Token protection in Microsoft Entra Conditional Access

Standard

 Token safeguarding, also known as token binding within the industry, aims to diminish the vulnerability to attacks involving token theft. It achieves this by guaranteeing that a token remains functional exclusively on the designated device. In instances where a malicious actor manages to pilfer a token through tactics like hijacking or replay, they gain the ability to impersonate their target until the token's expiration or revocation. Although token theft is perceived as a relatively infrequent occurrence, its potential consequences can be substantial.

Token protection establishes a cryptographically robust connection between the token and the device (referred to as the client secret) for which it was issued. In the absence of the client secret, the tethered token becomes ineffectual.

Requirements

This preview supports the following configurations for access to resources with Token Protection conditional access policies applied:

  • Windows 10 or newer devices that are Azure AD joined, hybrid Azure AD joined, or Azure AD registered.
  • OneDrive sync client version 22.217 or later
  • Teams native client version 1.6.00.1331 or later
  • Power BI desktop version 2.117.841.0 (May 2023) or later
  • Visual Studio 2022 or later when using the 'Windows authentication broker' Sign-in option
  • Office Perpetual clients aren't supported

Known limitations

  • External users (Azure AD B2B) aren't supported and shouldn't be included in your Conditional Access policy.
  • The following applications don't support signing in using protected token flows and users are blocked when accessing Exchange and SharePoint:
    • PowerShell modules accessing Exchange, SharePoint, or Microsoft Graph scopes that are served by Exchange or SharePoint
    • PowerQuery extension for Excel
    • Extensions to Visual Studio Code which access Exchange or SharePoint
  • The new Teams 2.1 preview client gets blocked after sign out due to a bug. This bug should be fixed in a future service update.
  • The following Windows client devices aren't supported:
    • Windows Server
    • Surface Hub
    • Windows-based Microsoft Teams Rooms (MTR) systems

Licensing requirements

  • Using this feature requires Azure AD Premium P2 licenses.

Create the Conditional Access Policy 

Log in to the Microsoft Entra Conditional Access policy page.







Token Theft Simulation

Numerous methods are at your disposal for testing this scenario, and I will be utilizing the tokentactics tool.


After downloading, extract the file and run the commands below in PowerShell.

# Set the location - I have saved it on the C drive
Set-Location C:\TokenPhish

# Set the execution policy to unrestricted
Set-ExecutionPolicy Unrestricted

# Import the TokenTactics module
Import-Module .\TokenTactics.psd1

# Initiate the token phishing
Get-AzureToken -Client Outlook



Share this URL and the code with the user and ask them to sign in.




Select the user

Sign-in is blocked


Check the sign-in logs


Monday, September 4, 2023

Microsoft Entra Conditional Access with Strictly Enforce Location Policies

Standard

A new feature in conditional access allows for the strict enforcement of location policies using continuous access evaluation (CAE). This enables the quick invalidation of tokens that violate your IP-based location policies. When a client's access to a resource is denied because CAE's strict location policies are activated, the client will experience a blockage.



Adding Sponsors for Guest user

Standard

Introducing the sponsor feature enables you to designate a responsible individual or group for each guest user. This functionality allows for the tracking of the inviting party and enhances accountability.

This article delivers an overview of the sponsor feature and offers guidance on its application within B2B scenarios.

The Sponsors field within the user object pertains to the individual or group responsible for extending the invitation to the guest user within the organization. This field serves as a means to identify the inviting party and enhance accountability. It's important to note that being a sponsor does not confer administrative privileges upon the sponsor user or group. Instead, it can be employed for approval processes in Entitlement Management.

When extending an invitation to a guest user, you automatically assume the role of the sponsor for that guest user, unless you explicitly designate another user as the sponsor during the invitation process. Your name will be automatically added to the Sponsors field within the user object. Additionally, it's possible to assign up to 5 sponsors to a single guest user.
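Sponsors can also be managed outside the portal. The following PowerShell is an added example, not code from the original post: it adds a sponsor to a guest through the Microsoft Graph sponsors relationship on the user object and enforces the five-sponsor limit described above before writing. It assumes the Microsoft.Graph.Authentication module, the v1.0 users/{id}/sponsors endpoint, and placeholder object IDs for the guest and the sponsor.

```powershell
# Added example (not from the original post): add a sponsor to a guest user via Microsoft Graph.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'User.ReadWrite.All'

function Add-GuestSponsor {
    param(
        [Parameter(Mandatory)][string]$GuestId,    # object ID of the guest user
        [Parameter(Mandatory)][string]$SponsorId   # object ID of the sponsoring user or group
    )
    $base = 'https://graph.microsoft.com/v1.0'

    # Current sponsors (users or groups) recorded on the guest's user object
    $current = @((Invoke-MgGraphRequest -Method GET -Uri "$base/users/$GuestId/sponsors").value)
    if ($current.Count -ge 5) { throw "Guest $GuestId already has 5 sponsors; remove one first" }
    if ($current.id -contains $SponsorId) { return $current }   # already a sponsor, nothing to do

    # $ref link: the body points at the directory object that becomes a sponsor
    $body = @{ '@odata.id' = "$base/directoryObjects/$SponsorId" }
    Invoke-MgGraphRequest -Method POST -Uri "$base/users/$GuestId/sponsors/`$ref" -Body $body

    # Return the updated sponsor list so the caller can verify the change
    @((Invoke-MgGraphRequest -Method GET -Uri "$base/users/$GuestId/sponsors").value)
}

$guestId   = '00000000-0000-0000-0000-000000000001'   # placeholder
$sponsorId = '00000000-0000-0000-0000-000000000002'   # placeholder
Add-GuestSponsor -GuestId $guestId -SponsorId $sponsorId | Select-Object id, displayName
```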