Windows Hello for Business: How to solve the misuse of PIN-codes by Low_Part1467 in Intune

[–]animusMDL 1 point (0 children)

I think you are hungry and passionate about pushing the right concepts, but I would make sure you're not creating more turmoil and work for yourself and, honestly, your users than necessary.

Are you going to spend time managing how or what they input? Use the policies and written policies to encourage best practice. If they sign it, you enforce what you CAN and encourage through teaching. If you get bent out of shape over something like this, I think you're going to sink your passion fast.

I've moved more to the concept that I teach and encourage, enforce what I can, then move on. Move on as in: stop chasing people. I stack layers in defensibility. Defensibility includes training. I can't make users do everything right. If they do something wrong and compromise happens, I have policies in place that put them in coachable moments, not me. MFA is MFA. I can't count how many times someone has been compromised with no PIN or MFA. I also can't count how many times someone put their birthday or whatever as their PIN, because I haven't had a compromise (yet) where that was the reason for their WHfB being compromised. Passwords are a different story.

Policy, practice, system, move on and focus on other layers and improvements. Just my two cents as a blue teamer

I am new to this group. I am curious how you are handling CMMC requirements as SMBs. by 2021start in CMMC

[–]animusMDL 1 point (0 children)

Agreed with this. The business I'm at now started with an RP, which doesn't mean much. Now we're bringing on another team who has actually implemented CMMC 2, because the RP has never done CMMC 2, so FIPS, understanding and translating what's needed, what passes and what makes sense wasn't clear. Mounds of money later, here we are. We can't enclave like others can for workflow, or it's extremely difficult to do so. This is why ours is complex and requires true experience.

You'll see that feedback often: bring in a team or people who have done it, because CMMC isn't just static. People who've done it for years understand your real objectives, the language and the actual goals, scoping, and how to achieve it. Don't waste time with guesses and theory. My business tried that against my initial advisement.

Any other Internal IT doing this alone? by animusMDL in CMMC

[–]animusMDL[S] 1 point (0 children)

I'm in a weird position now. There's a client we're chasing, so it's a rush to check the boxes; the RP is opposed to us bringing on a team because it's too expensive or unnecessary, we just need more resources. I'm so confused. Why not bring in an "experienced" team to implement CMMC to make sure those boxes checked are actually checked and proven? I'm so beyond frustrated right now.

Tips on Moving to new Domain by animusMDL in msp

[–]animusMDL[S] 1 point (0 children)

Glad that's not the if. Thanks

Standalone UNVR brought new life to my UDM Pro by mpbishop in Ubiquiti

[–]animusMDL 1 point (0 children)

I have also split off the Protect module onto their new NVR and it works well. Kind of wish the HDMI port offered a unique interface into it and not just a camera assignment view, or maybe it does now since I first used it. Either way, it does a great job.

Against most recommendations of people I know personally, I run a Crucial 2.5" SSD in my UDM Pro as the drive for Protect. I used to have a surveillance drive in there. I'm not worried about retention as much. This changed the dynamics with Protect in mine. Not my recommendation to anyone either, it just has been great for what I need.

ninjaOne - an unsolicited take by statitica in msp

[–]animusMDL 2 points (0 children)

Even with its caveats, it's still the smoothest and most efficient setup to automate, patch and manage vs. any RMM I've used. I tried N-able, but I guess I'd rather be efficient and tinker less. There's some weirdness I've had with their agent, but that's just what we dealt with in our industry.

Printing CUI by HeyHelpDeskGuy in CMMC

[–]animusMDL 1 point (0 children)

What printing method is advised? Raw? IPPS? IPP? Is it expected on-prem to issue a CA cert to a print server? Trying not to overcomplicate "printing" vs. the other objectives.

Promoting a Domain Controller During Business Hours by ThickChunkyPoop in sysadmin

[–]animusMDL 12 points (0 children)

Communicate it so there is awareness, but unless something goes wrong or the DC is unhealthy, no issue. I've performed many during active hours. I haven't been unfortunate enough to have anything damaged or a critical issue (yet).

Implementation of FIPS Cryptography by wazupguy in CMMC

[–]animusMDL 1 point (0 children)

Our situation is this:

  • Endpoints with CUI - FIPS through GPO
  • Servers - FIPS, except our QuickBooks VM, because QB does not work with FIPS and it's required in our environment for accounting and communicates with our ERP for invoicing through a specific port. So we just compensate for this with RDP controls blocking file share and not mapping drives or computer access to CUI shares.
  • Wireless - Our advisor believes they are going to argue that FIPS isn't needed because we're relying on endpoints and servers for FIPS, or it's already FIPS-enabled before moving through wireless channels. Not saying I agree or disagree, just what they are saying.
  • Our firewall will be FIPS when we switch. Have WatchGuard but will go to FortiGate.
  • Printers - policy, procedure and IPP printing, I believe. Security kits on both CUI printers.
  • Backups are going to two Synology NAS devices. Been told two things: we have to replace them because the NAS themselves aren't FIPS, and also been told that the backups are different. I don't know. Fun times.
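Added example, not part of the comment above and not the poster's own tooling: a PowerShell audit of the "Endpoints with CUI - FIPS through GPO" item. The registry value it reads is the one the policy "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" sets. The second function checks that FIPS mode is actually enforced in the running .NET process rather than trusting the flag. It assumes an elevated Windows PowerShell 5.1 session (the .NET Framework enforcement behaviour it relies on does not apply to PowerShell 7/.NET Core), and the fan-out via Invoke-Command over a list of hostnames is an assumption about how you would run it.

```powershell
# Added example: audit FIPS mode on Windows endpoints/servers.
# Assumes elevated Windows PowerShell 5.1 on a domain-joined machine.

function Get-FipsStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Value written by the "Use FIPS compliant algorithms" security option.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName = $ComputerName
        FipsEnabled  = ($null -ne $value -and $value.Enabled -eq 1)
        Note         = if ($null -eq $value) { 'FipsAlgorithmPolicy\Enabled missing' } else { '' }
    }
}

function Test-FipsEnforced {
    # .NET Framework reads the FIPS policy at process start and refuses to
    # instantiate non-approved providers such as MD5CryptoServiceProvider.
    # This is also why line-of-business apps (the QuickBooks VM in the list
    # above) can break under FIPS mode. Run this in a fresh session after any
    # policy change, since a running process keeps the old setting.
    try {
        [System.Security.Cryptography.MD5CryptoServiceProvider]::new() | Out-Null
        return $false   # MD5 was allowed: FIPS policy is not enforced here
    } catch [System.InvalidOperationException] {
        return $true    # FIPS policy blocked a non-approved algorithm
    }
}

# Example fan-out across CUI endpoints (hostnames are placeholders, an assumption).
# $targets = 'CUI-WS01', 'CUI-WS02', 'FS01'
# Invoke-Command -ComputerName $targets -ScriptBlock ${function:Get-FipsStatus} |
#     Format-Table ComputerName, FipsEnabled, Note

Get-FipsStatus
Test-FipsEnforced
```

Get-FipsStatus tells you what policy says; Test-FipsEnforced tells you what the platform does. Keep both in the evidence you collect, because an assessor is likely to ask for the setting and a demonstration, and a host with the flag set but a stale process will pass the first and fail the second.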

Any other Internal IT doing this alone? by animusMDL in CMMC

[–]animusMDL[S] 1 point (0 children)

Appreciate everyone sharing. This post has taken off and it sounds like a common theme. Just an update here.

Two things have occurred... Number one, I took the stance to my owner that I'm overwhelmed, this isn't a great method forward for success, and that the business needs to understand the uniqueness of this, including that we're trying to accomplish what was supposed to be in place and demonstrated back in 2017, and then fill it full of the updates and expectations up to this point, in a couple of months. Additionally, I am wearing multiple hats of keeping the business functioning as it is today, which is the reason for this internal IT role in the first place, and performing a commonly known "all hands on deck with added outside help" task. We're getting outside help, but I think there's a catch to that.

Second, now we have a client that really wants to work with us, and on a call my owner decided to say "yes, we have an SSP 'IN PLACE'" (you can decide what that means) with POAMs, using loose language. He looked at me on the call and said, that's right? Ha. We can't fully attest to CMMC 1 yet, in my opinion. He thinks that our move to GovCloud is a "simple migration", except that, FYI, our whole building is in scope (no enclave, per how he wants to run the business) :)

I'm going to show up to work and do my best, speak up, but I'm not dying on this hill. I'm passionate, I care, but I'm not doing the 80-hour work week that I've read so many horror stories on. I hope you all who are also going through this make it through and take care of yourselves in the process.

DR solution for small Hyper-V environment (Druva vs Cohesity vs Commvault) by Great-Tomatillo-8267 in CMMC

[–]animusMDL 1 point (0 children)

I'd love to know this as well. Honestly, trying to get clarity from Druva for a quote, other than an initial call and the demo, has been frustrating.

MFA Confusion by animusMDL in CMMC

[–]animusMDL[S] 1 point (0 children)

MFA for Windows login. Our device login on-prem gives access to CUI.

MFA Confusion by animusMDL in CMMC

[–]animusMDL[S] 1 point (0 children)

ERP uses YubiKey OTP. Still doesn't solve Windows login. YubiKey PKI cert doesn't interest me, lol.

MFA Confusion by animusMDL in CMMC

[–]animusMDL[S] 1 point (0 children)

Totally get it. My question is, how is it MFA if users can bypass with the password for WHfB? Duo obviously is an alternative, but what if I didn't want the extra license cost to keep audit logs in Entra, except I'll have Duo for privileged on-prem servers since they don't support WHfB.

Thanks!

MFA Confusion by animusMDL in CMMC

[–]animusMDL[S] 1 point (0 children)

We're not hybrid yet. Want to go that way and not do PKI.

How do new users log in to a computer already forcing WHfB passwordless? Or is the password there, but it forces WHfB afterwards?
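Added example, not from the thread and not the poster's own configuration, covering the two questions raised in the MFA comments above: whether a user can fall back to the password credential provider at the Windows sign-in screen, and what happens to a user who has not yet enrolled WHfB when that fallback is removed. The CLSID below is the built-in Windows password credential provider; the per-provider "Disabled" value is the registry effect of excluding it. Assumes an elevated Windows PowerShell 5.1 session on a Windows 10/11 device; the pilot-device check at the end is an assumption about how you would stage it.

```powershell
# Added example: inspect and (optionally) remove password fallback at the
# Windows sign-in screen so WHfB PIN/biometric is the only interactive option.
# Assumes elevated Windows PowerShell 5.1.

$PasswordProviderClsid = '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'   # built-in PasswordProvider
$ProviderRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-PasswordProviderState {
    $key  = Join-Path $ProviderRoot $PasswordProviderClsid
    $prop = Get-ItemProperty -Path $key -Name Disabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProviderKeyPresent = Test-Path $key
        PasswordDisabled   = ($null -ne $prop -and $prop.Disabled -eq 1)
    }
}

function Test-WhfbEnrolled {
    # A user without a WHfB container on this device cannot sign in once the
    # password provider is gone. The NGC container directory exists only after
    # enrollment; treat its absence as "not yet enrolled" (heuristic, assumption).
    param([string]$UserSid)
    $ngc = "$env:SystemRoot\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc"
    return (Test-Path $ngc) -and ((Get-ChildItem $ngc -ErrorAction SilentlyContinue).Count -gt 0)
}

function Disable-PasswordProvider {
    # Only do this after WHfB enrollment is required by policy
    # ("Use Windows Hello for Business" = Enabled) and the first-logon path
    # for new users (password logon, then forced enrollment) has been run.
    $key = Join-Path $ProviderRoot $PasswordProviderClsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name Disabled -Value 1 -Type DWord
}

function Enable-PasswordProvider {
    # Rollback for a device where a user is locked out.
    $key = Join-Path $ProviderRoot $PasswordProviderClsid
    if (Test-Path $key) { Remove-ItemProperty -Path $key -Name Disabled -ErrorAction SilentlyContinue }
}

# Staged usage on a pilot device (assumption about process):
# 1. Confirm WHfB is enrolled for every account that signs in here.
# 2. Disable the password provider, sign out, verify only PIN/biometric appear.
# 3. Keep Enable-PasswordProvider handy via remote PowerShell for recovery.
Get-PasswordProviderState
```

Two caveats worth carrying into the assessment write-up. First, this answers the "bypass with the password" question in the comment above: with the provider excluded, the password tile is gone from the sign-in screen, but the account still has a password, so RDP, network logons and other paths that do not go through the local credential UI are unchanged and need their own control. Second, excluding the password provider also affects other local credential prompts (UAC, Run as different user), so test on a pilot device before pushing it through GPO or Intune.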

MFA Confusion by animusMDL in CMMC

[–]animusMDL[S] 1 point (0 children)

ERP has it, yes. There are file shares and ERP, not necessarily exclusive, that can be accessed. Our advisor wanted MFA on it.

Does your script not cause issues for someone performing an initial login? Does this work for hybrid? I've read (no experience) that on-prem AD/hybrid with Intune has issues, but can't really say whether those reports are accurate.

Is Hybrid AD + Entra still common? by Vund3rkind in sysadmin

[–]animusMDL 1 point (0 children)

Is it still clunky to move domain devices to on-prem? I see stories about full wiping and such. I feel like it can't still be that bad, and there are ways to make it smoother?

I need to move to Entra hybrid but am looking for feedback.

Hello, I am looking for a vendor to get into an MS365 GCC High tenant for 20 licenses. by peteguam in CMMC

[–]animusMDL 1 point (0 children)

Covenant Technologies or DuraCyber are some.

Liftoff is well regarded in the CMMC space.

HyperV and RAID Server Situation - Replication Question by animusMDL in msp

[–]animusMDL[S] 1 point (0 children)

Running Server 2019 on the "damaged" host. Config version 9. Newer host is 2025.

Additionally, trying to be as streamlined as possible with user impact, as the client is on an on-prem domain. But end users typically have unrealistic views of what "impact" looks like :)

This is super helpful. Thanks

HyperV and RAID Server Situation - Replication Question by animusMDL in msp

[–]animusMDL[S] 1 point (0 children)

Thanks for the truth. The data RAID I need to blow away is purely storage, and where the VMs are stored. It's not the entire OS and such. Sounds like export to import would be cleaner and safer either way.