• dudesweet

    @dudesweet

    Viewing 7 replies - 1 through 7 (of 7 total)
    • in reply to: AutoLogin? #2745326

      We’d been using the SysInternals tool Autologon to configure this functionality for about a decade on Windows 7 and 10 PCs. Something definitely changed for 11 (along with our environment).

      First some background:

      I work for a manufacturing company where almost all knowledge workers are remote (with occasional needs at a traditional office space). We performed a user PC refresh about a year ago, and these were our first Windows 11 PCs. This 3-year hardware cycle is to be the transition from fully on-prem AD (previous cycle) to fully cloud Entra (next cycle). This involved hybrid-joining to Entra, Intune for policy management (no GP), and Autopilot for initial provisioning. Users were hybrid-joined to begin the previous device refresh cycle, so this cycle was exclusively devices. The new device provisioning process wasn’t (and still isn’t) amazing, but we’re mostly at a steady state.

      Later last year we began replacing the shared PCs at a warehouse and manufacturing site. We hoped to use Intune’s Kiosk mode/capabilities but it proved insufficient for our needs. These employees do not have any technology accounts (and we hope to keep it that way), and the Kiosk mode options were either way too restrictive or require way too much meticulous policy configuration and projected upkeep as the environment changes.

      However, this seems to mean that for us, Microsoft accounts are a hard requirement, either already or they will be in a couple years when we deprecate Active Directory for edge PCs (we design for the future, so the result is effectively the same).

      How can we make Autologon work on Intune-managed, hybrid-joined devices using hybrid user accounts?
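An added example, not part of the post above and not a Sysinternals script: an audit that reports how automatic logon is configured on a Windows PC. Sysinternals Autologon keeps the password as the LSA secret `DefaultPassword`, whereas a hand-edited setup often leaves a plaintext `DefaultPassword` value under the Winlogon key. The script reads the standard Winlogon key (the key path and value names are the documented ones; `AutoLogonCount` is optional and may be absent) and changes nothing.

```powershell
# Added example: audit automatic-logon settings and flag plaintext password storage.
# Run in an elevated PowerShell session; read-only.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonState {
    $props = Get-ItemProperty -Path $winlogon -ErrorAction Stop
    [pscustomobject]@{
        Enabled           = ($props.AutoAdminLogon -eq '1')
        UserName          = $props.DefaultUserName
        Domain            = $props.DefaultDomainName
        # True when a plaintext DefaultPassword REG_SZ is present in the registry.
        PlaintextPassword = -not [string]::IsNullOrEmpty($props.DefaultPassword)
        # Optional counter that limits how many automatic logons remain; $null if unset.
        RemainingLogons   = $props.AutoLogonCount
    }
}

$state = Get-AutoLogonState
$state | Format-List

if ($state.Enabled -and $state.PlaintextPassword) {
    Write-Warning 'AutoAdminLogon is on and DefaultPassword is stored in plaintext in the registry.'
    Write-Warning 'Configure it with Sysinternals Autologon (LSA secret) and remove the plaintext value.'
}
elseif ($state.Enabled) {
    Write-Host 'AutoAdminLogon is on; no plaintext DefaultPassword found (LSA-secret storage likely).'
}
else {
    Write-Host 'Automatic logon is not enabled on this machine.'
}
```

On the shared-floor PCs described in the post this is the first thing to check after a Win11 rebuild: the autologon values are per-machine, so an Autopilot or Intune reprovisioning can leave the user name behind while the LSA secret is gone, which looks like "Autologon stopped working" but is really a missing secret.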

    • in reply to: Apple announces new Mac products #2543206

      Sorry for the late reply- just getting caught up on the newsletter!

      RE: Mac Mini: I do not think it’s accurate to compare Mac RAM usage/requirements to x86. It has been repeatedly reported that 8GB RAM on an Apple silicon PC goes further than on Windows and even previous Intel Macs. I read and watched many accounts of content creators upgrading from an Intel Mac with 32GB to an M1 Mac Mini or MacBook (non-pro) and not hitting memory limits while performing workloads that used 16GB+ prior.

      I also think that the typical 5+ year upgrade cycle goes completely out the window with Apple silicon Macs. Why kit out a higher end, stupidly overpriced current gen Mac Mini when, for the same price, you can get a base model for $600 and replace it in 2 or 3 years? There’s always a decent chance that a new Apple generation product bumps its base specs up (like to 16/512). Apple’s memory and storage upgrades have always been stupidly overpriced. I’d bet money that Apple’s margin leader across its entire portfolio of income generation is how they lock people into spec upgrades.

      There also should not be an assumption that, if a current base model Apple silicon PC meets your needs, a future one will not. And if that turns out to be true, you can always upgrade. And if you run out of storage, cloud is a great solution. Or, leverage one of the USB-C/TB ports for a 1TB SSD for $100 or less.

    • in reply to: Removing MFA #2455114

      I’m behind in my newsletters. Please forgive the necro, but I felt I had to chime in regarding this article.

      I completely agree that MS handles M365 MFA incredibly poorly in many ways. Maybe in every way. I strongly encourage 3rd party MFA providers like Duo or Okta. Though these are elephants of their own, they offer incredible granularity in how and when MFA prompts are presented and received.

      For example, AzureAD MFA does not allow disabling authentication methods for some users but not others. For example, it’s not currently possible to restrict phone-based auth methods (SMS/call) to an individual or group; it’s all or nothing. Since SMS is widely understood as no longer an acceptable form of MFA, this means turning it off has an impact on users that do not have smart phones. Who doesn’t have a smart phone in 2022, one might ask? While only a small % of our corporate staff don’t, that goes way up for our manufacturing and warehousing sites.

      And the conditional access controls of AzureAD MFA are rather limited, too, but at least they exist.

      Finally, to the point of my post-

      MFA is no longer optional for businesses (I’d argue the same for personal, too). It should be considered absolutely mandatory for all businesses. Once user onboarding is behind you, well-crafted MFA policies will be invisible to most employees most of the time.

      Is it simple to implement for smaller orgs? No, but the capability exists. And providing some personal user onboarding assistance may be required. Even basic MFA policies don’t have to be invasive: you can determine how frequently to be prompted and how long the authentication token lasts (similar to a cookie).

      I believe Duo MFA is free for up to 10 users (with limitations). And with Azure AD MFA and paid Duo and Okta subscriptions, you have conditional access policies to ease MFA for more predictable, generally safer login circumstances while scrutinizing logins considered riskier.

      • Work from the same corporate site every day?
        • Prompted for MFA once a week (or 2, or 4!)
      • Work from home every day?
        • Prompted once every 24 hours
      • Work from random remote sites?
        • Are you in an area (country/state/region) where your org has a footprint? Prompted every 24 hours
        • Are you traveling abroad, say to a customer’s site, for which your org does not have a footprint? Prompted with every login.
      • Have users without smart phones?
        • Enable phone call and email authentication methods
      • Restrict logins to or from certain areas.
        • Only have on-site employees that never work off-site? Restrict logins to site IP addresses.
        • Worried about phishing attacks or other malicious login attempts from Russia, Iran, or China? Block entire countries or regions by geolocation.

      And how does the prompt work? A simple “was this you? tap Yes to confirm” mobile notification. 1-2 taps max, most of the time. Barely an inconvenience. If an 80 year old CEO of a manufacturing company, openly hostile to technology, can do it without any issues or complaints, IMO so can everyone else.

      Oh and by the way, good luck renewing your cybersecurity insurance policy without MFA! Exactly 100% of underwriters require MFA. Not having it is called a non-starter!

      Personally, I think it’s ethically wrong to provide IT services to an organization without requiring them to use MFA for at least their email platform, and wouldn’t accept a client that was so opposed to it. I know the author’s circumstance isn’t necessarily that straightforward since it was an accident. You certainly want to plan this sort of thing and receive buy-in from the person signing your checks or invoices. I would, though, make it a condition for me to continue providing them with IT services.
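The tiered prompting the bullet list above describes (trusted office sites prompted weekly, everywhere else every 24 hours, and a geolocation block), written out as Azure AD / Entra conditional access policies with the Microsoft Graph PowerShell SDK. This is an added example, not the poster’s configuration. It assumes the `Microsoft.Graph` module is installed, that named locations for the office sites are already marked as trusted, and that you substitute your own break-glass group ID and country codes; the policies are created in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example: tiered MFA prompting via conditional access (Microsoft Graph PowerShell SDK).
# Requires: Install-Module Microsoft.Graph ; an account with the scope below.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Assumption: an emergency-access (break-glass) group that every policy excludes.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

# Tier 1: on trusted office IPs, require MFA but only re-prompt every 7 days.
$officePolicy = @{
    displayName     = 'MFA - trusted office sites - prompt every 7 days'
    state           = 'enabledForReportingButNotEnforced'   # report-only first
    conditions      = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('AllTrusted') }
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{ signInFrequency = @{ value = 7; type = 'days'; isEnabled = $true } }
}

# Tier 2: anywhere that is not a trusted location (home, hotels), re-prompt every 24 hours.
$remotePolicy = @{
    displayName     = 'MFA - untrusted locations - prompt every 24 hours'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{ signInFrequency = @{ value = 1; type = 'days'; isEnabled = $true } }
}

# Tier 3: a country named location for regions where the org has no footprint, then a block policy.
$blockedCountries = @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Blocked countries (no business footprint)'
    countriesAndRegions               = @('XX')   # placeholder ISO 3166-1 alpha-2 codes, replace
    includeUnknownCountriesAndRegions = $true     # treat unresolvable geolocation as blocked
}
$blockedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $blockedCountries

$geoBlockPolicy = @{
    displayName   = 'Block sign-in from countries without a business footprint'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @($blockedLocation.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($p in @($officePolicy, $remotePolicy, $geoBlockPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host ("Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

The break-glass exclusion and the report-only state are the two things to keep even after you change everything else: a geolocation block that also catches the admin account used to fix it is the classic self-lockout, and report-only mode shows exactly which users (for example the warehouse staff without smartphones) would be prompted before anyone is.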

    • in reply to: Office current branch triggers Outlook Bug #2363974

      Anyone know if “monthly (enterprise)” channel is impacted?

    • in reply to: MS-DEFCON 4: Patching is approved #2361656

      Many of the WU group policies are designed for the legacy update systems, WSUS and pre-Windows 8’s “Windows Update” aka “Microsoft Update”. Win10 uses a newer system, with the managed version, Windows Update for Business, really designed for use with MDM/EMM/RMM tools like Intune.

      While the legacy policies were updated to work with WUfB, it’s been my experience that they often conflict or are ignored based on the policy and other conditions (at least in previous versions of Win10). If you’re a home user and want more control over your updates, just configure this policy with bogus addresses to completely stop updates from being installed:

      Specify intranet Microsoft update service location
      Disable the policy when ready to update.

      Of course, this goes against MS’ philosophy of “updating by default”, requiring you to pro-actively perform updates. I completely agree with MS’ philosophy, but the implementation has been… less than great. DEFCON 4 is typically when I do this on my home PC, but I often only run them every few months or so (this PC serves a single purpose, doesn’t browse the web much, and is behind a NGFW).
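The “Specify intranet Microsoft update service location” policy from the post, expressed as the registry values the Group Policy editor writes, so it can be applied and (importantly) reverted on a Home edition that has no gpedit. This is an added example, not from the post; the key paths and value names are the documented policy locations, and the bogus URL is a constructed placeholder that never resolves. The hold is only a hold: `Disable-UpdateHold` is the step to run at DEFCON 4 before installing updates.

```powershell
# Added example: toggle the "Specify intranet Microsoft update service location" policy
# via the registry values Group Policy would set. Run elevated.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'
$bogusServer = 'http://updates.invalid'   # constructed placeholder; .invalid never resolves

function Get-UpdateHoldState {
    $wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # The server value is ignored unless UseWUServer is 1, so report both.
        UseWUServer    = [int]($au.UseWUServer -eq 1)
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        HoldActive     = ($au.UseWUServer -eq 1 -and $wu.WUServer -eq $bogusServer)
    }
}

function Enable-UpdateHold {
    # Point the update agent at a server that does not exist; nothing will be offered.
    New-Item -Path $auPolicy -Force | Out-Null
    Set-ItemProperty -Path $wuPolicy -Name 'WUServer'       -Value $bogusServer -Type String
    Set-ItemProperty -Path $wuPolicy -Name 'WUStatusServer' -Value $bogusServer -Type String
    Set-ItemProperty -Path $auPolicy -Name 'UseWUServer'    -Value 1 -Type DWord
    Restart-Service -Name wuauserv -Force   # make the agent re-read policy
}

function Disable-UpdateHold {
    # Remove the policy values entirely (equivalent to "Not Configured") and resume normal updates.
    Remove-ItemProperty -Path $wuPolicy -Name 'WUServer', 'WUStatusServer' -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $auPolicy -Name 'UseWUServer' -ErrorAction SilentlyContinue
    Restart-Service -Name wuauserv -Force
}

# Usage: show the current state; uncomment one of the calls to change it.
Get-UpdateHoldState | Format-List
# Enable-UpdateHold
# Disable-UpdateHold
```

`Get-UpdateHoldState` is there because the failure mode of this trick is silent: a PC left pointing at the bogus server reports “no updates available” indefinitely, so check the state before assuming a machine is patched.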

    • in reply to: Patch Lady – Snipping tool removal? #212661

      Most of my company knows how to use Snipping Tool but we also install Lightshot as part of our base configuration. It’s a better tool most of the time. I do still use Snipping Tool, though, when I want to temporarily screenshot something without having to save it. All the 3rd party tools I’ve seen function like Lightshot does: Printscreen > make selection > do action aka save/copy/print, then the selection/tool disappears. I like that Snipping Tool stays up as a window so I can reference the content for a few minutes without saving and then close it when no longer needed.

      I tried ShareX and Greenshot and didn’t like them as much as LS, which is super lightweight.

    • in reply to: Patch Lady – Snipping tool removal? #212658

      I think it was Noel or PKCano who has mentioned IrfanView before. This is what I have always used and is my default picture app on all Windows 10 installs. A few extra steps to copy and paste but works fine.

      FYI Irfanview is only free for personal or non-commercial use. I’ve been a long-time user (15 years?) and baked it into our Win7 images years back (when we still baked software into the images) before realizing the licensing. I’ve since replaced it with nomacs.
