The goal was to see, with minimal infrastructure, what kind of MFA option is achievable using Microsoft solutions. While Microsoft considers Hello as MFA, I would argue that it's just a convenience login with some security perks because you can always skip using it and go straight to the password. There is little point to MFA if you can opt out of going through it on any login. It turns out you can actually disable password sign-ins using one of two policies. It works, but it leaves you with a rather serious issue. You can no longer sign in if you don't have WHfB already configured. On an Autopilot device this isn't an issue for the first user because you can use a TAP and force a new user to set up WHfB. If you require a 1:1 user-to-computer arrangement, congrats, nobody else can log into that device. But what about anyone else that might need to log in?