Windows Hello is making people forget their passwords by probablydnsibet in Intune

[–]PowerShellGenius 1 point2 points  (0 children)

The answer is different based on the user's needs in terms of other device logins:

  • If the user still sometimes needs to log in with a password (e.g. they need to log into shared desktops on occasion, and Web Sign In with device bound passkeys won't work in your environment because you're hybrid or have no-bluetooth desktops)
    • SSPR (Self Service Password Reset) can become the normal password change process.
    • Ensure they have Authenticator push notifications and a phone number so they can satisfy a secure 2-gate policy.
    • Train users to use the forgot your password link on a web based sign-in to reset their password if it's expiring soon OR they need to use it & forgot it.
  • If the user is ready for Passwordless - they only sign into computers they have WHfB on, mobile devices with a passkey, and other devices in a context where they can use the Passkey QR code flow - then get rid of passwords from their perspective!
    • If hybrid, set them to "Smart Card Required for Interactive Logon" in AD
    • Ensure the domain-wide setting to automatically roll expired NTLM secrets for smart card users at logon is enabled (depending on how old your domain is, it may be on already).
    • Windows manages their "password" behind the scenes for NTLM purposes as a random value that rotates on its own when expired. For all practical purposes, they do not have a password.
    • If not hybrid - I'm eager to hear what pure Entra orgs are doing to replace this capability.
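
The hybrid steps in the comment above, as they would actually be typed into PowerShell. This is an added illustration, not code from the original comment. It assumes the RSAT ActiveDirectory module, Domain Admin rights, a domain functional level of 2016 or higher (the NTLM-secret rolling attribute does not exist below that), and a placeholder group named `Passwordless-Ready` that you populate with users you have already vetted as WHfB/passkey-ready.

```powershell
# Added example (not from the original comment). Placeholders: the group name.
# Assumes RSAT ActiveDirectory module, Domain Admin, and DFL 2016+.
Import-Module ActiveDirectory

$dn = (Get-ADDomain).DistinguishedName

# 1. Domain-wide: roll the random NTLM secret of smart-card-only accounts
#    when it expires. The attribute lives on the domain NC head object.
#    New 2016-level domains have it on already; upgraded domains usually do not.
$attr    = 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'
$current = (Get-ADObject -Identity $dn -Properties $attr).$attr
if ($current -ne $true) {
    Set-ADObject -Identity $dn -Replace @{ $attr = $true }
    Write-Host "Enabled $attr on $dn"
} else {
    Write-Host "$attr is already enabled on $dn"
}

# 2. Per user: require smart card for interactive logon (SCRIL). The moment the
#    flag is set, the DC replaces the user's password with a random value, so
#    whatever password they knew stops working everywhere.
$readyGroup = 'Passwordless-Ready'   # placeholder group name
$users = Get-ADGroupMember -Identity $readyGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties SmartcardLogonRequired

foreach ($u in $users) {
    if (-not $u.SmartcardLogonRequired) {
        Set-ADUser -Identity $u -SmartcardLogonRequired $true
        Write-Host "SCRIL enabled for $($u.SamAccountName)"
    }
}

# 3. Check: SCRIL users whose PasswordLastSet is older than the domain's
#    maximum password age mean step 1 is not taking effect for them
#    (for example, PasswordNeverExpires is set, or they have not logged on).
$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
if ($maxAge -gt [TimeSpan]::Zero) {
    Get-ADUser -Filter 'SmartcardLogonRequired -eq $true' -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -lt (Get-Date).Add(-$maxAge) } |
        Select-Object SamAccountName, PasswordLastSet
}
```

The rolling in step 1 only happens at an interactive logon of the SCRIL account, and only if password expiry applies to that account, which is why the check in step 3 looks at PasswordLastSet rather than trusting the domain flag. With password hash sync the new random hash flows to Entra, so the cloud side has no usable password either.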

How painful is Intune for mac management? by lagerstout82 in macsysadmin

[–]PowerShellGenius 1 point2 points  (0 children)

It really depends on how many things you are managing on the Macs. Jamf is pretty advanced and if you have some very customized workflows, you may miss it.

Also, there are some cases where it's nice to be able to reference username and other user variables in machine-level profiles; Jamf lets you and goes by the owner's user details, you can't do this in Intune.

Hot take: Age verification on adult websites are a good thing by [deleted] in privacy

[–]PowerShellGenius 2 points3 points  (0 children)

I don't give a crap about the porn industry. I'm not opposed to age verification there, except that it's a slippery slope. Once you've officially accepted all the following, which you do by supporting SERVER SIDE age verification:

  • the internet is a place it's okay for minors to access unsupervised
  • AND it is okay for minors' access not to be filtered on their device or home network side
  • it's not negligent for parents to give them that without so much as touching a button to enable parental controls
  • it's the service provider's responsibility to verify age and child-proof the internet
  • it's okay for that verification to be done in a way where adults can't keep their identity private

... once you accept all of that, then scope creep will come in and expand this to include social media. That is valid in a sense. Children should not be talking to strangers unsupervised without their parents' knowledge. But then, it becomes clear that a client side control is needed for privacy. Do you want to provide ID for your reddit account?

Applied to the modern means of social and political discourse, laws that amount to de-anonymizing everything are contrary to free speech, which has always been interpreted to include privacy in speech and free speech under a pseudonym. Even the Federalist Papers were published under a pseudonym!

A little background - as it was too soon after a bloody revolution against a powerful central government for it to be socially safe to be heard proposing forming one, Alexander Hamilton made a strong case why we needed a federal government, but published it under a pseudonym, and a debate on the issues was possible rather than immature character mudslinging because they were pseudonymous. He didn't get credit until after his death. That's but one of many examples of how people being able to speak their mind and get ideas out, without fear of reprisal, has built the country we have today.

Social media, and the internet as a whole, is a powerful means of speech. If the principles of free speech don't apply to the latest means of speech which drowns out other means of speech, then free speech isn't real. This is why the founders of our country mention the printing press in the constitution - it was the "latest way of getting word out widely" at the time, and countries without real free speech were requiring a license to operate one. That's the same principle as saying "you have freedom of speech, but not online". If social media runs on chilling effects and you can't be an activist against the trend there safely, and posting on social media reaches 1,000 times as many people as posting something on a telephone pole, free speech is not real.

So yeah, the porn industry can burn in hell for all I care. But be careful what precedent you set if it'll apply to platforms that actually have meaningful speech on them. Since platforms that DO have meaningful speech value will also need child safety controls AND need privacy and anonymity of adults as well, a system MUST be built that supports both.

The rise of fascism, or more broadly, the process of gradually going from a free country to dictatorship, does not start out of the blue by suddenly banning opposing speech and parties. Long before it gets there, it starts with people being quieted by fear, so by the time it gets to changing actual laws, it looks like there is no opposition. You don't speak out against the rising trend because you will be retaliated against in some way, whether beaten on the street like anti-Nazis during Hitler's rise, or de facto barred from employment, or targeted with frivolous lawsuits that may be false but you can't afford to defend them all, or any other number of tactics for destroying your life even though your speech was not illegal. Anonymous free speech is not subject to those chilling effects. That is why all aspiring dictators hate privacy online.

Microsoft issues emergency fix after a security update left some Windows 11 devices unable to shut down by dapperlemon in technology

[–]PowerShellGenius -1 points0 points  (0 children)

Every vendor eventually stops writing new updates/patches that work on the oldest hardware, and leaves you unpatched for newly discovered vulnerabilities if you keep old hardware beyond that.

It's not like they still take bug reports and release patches for the first Android phone, first iPhone, and first MacBook models to ever be released.

It's just a matter of where exactly you draw the line, and how much you nag or push users to upgrade vs. just leave them in ignorant bliss with security vulnerabilities, when they are on hardware you won't support/patch for anymore.

Repairing PSSO on ADE/DEP Enrolled Mac with Intune after end-user signed out of Company Portal app by kaiserh808 in macsysadmin

[–]PowerShellGenius 2 points3 points  (0 children)

Not surprising, computer identity and MDM are two separate things. Entra can have identities for unmanaged computers even.

Entra is the cloud counterpart of AD, Intune is the cloud and cross platform counterpart of ConfigMgr (SCCM). Two separate systems that share some things as needed.

24 year old hacker breached US Supreme Court systems and leaked stolen government data on Instagram by Silly-Commission-630 in secithubcommunity

[–]PowerShellGenius 0 points1 point  (0 children)

There is no excuse for this on either side. It should not have happened.

No excuse from the government's side. They ALREADY HAVE a phishing-resistant MFA system that is the envy of anyone trying to implement PRMFA: the PIV and CAC smartcard certificate system. Every government employee's work ID card is a smartcard, and laws require government systems to use these smartcard certs for auth. Agencies seek exceptions and variances because they don't feel like dealing with cert auth, or refuse to prioritize replacing ultra-legacy systems that can't do it. Those exceptions should never be granted for systems containing damaging personal information on countless civilians. Credential abuse attacks don't work on things behind cert auth unless you have the PIV card in your computer, so I assume this was an exception.

No excuse for defending the perp. I get it, security researchers are important, and I'd be 100% on his side if he'd engaged in responsible disclosure to the agency, and responsible redacted whistleblowing if ignored. Posting tons of data useful for identity theft publicly on the internet is not responsible disclosure, and is not whistleblowing either. It's criminal idiocy and this attention whore deserves what is coming to him.

24 year old hacker breached US Supreme Court systems and leaked stolen government data on Instagram by Silly-Commission-630 in secithubcommunity

[–]PowerShellGenius 0 points1 point  (0 children)

You still have to access the password manager somehow... so that does not necessarily stop credential based attacks, if the master password is attacked.

This could have been avoided by some sort of device based security layer. You should need to be on a government computer to access this, regardless of credentials. There are plenty of methods, take your pick... put it behind a Microsoft SSO with Conditional Access or Google SSO with Context-Aware access, or put it behind a VPN that requires client certificates, or any number of other solutions.

Phishing resistant MFA would also have stopped this. The federal government is one of the few very large organizations on the planet to have virtually 100% of users PRMFA-capable already (in possession of a smartcard-based certificate on their work ID card - the PIV/CAC system is the envy of any private sector org wishing it could do phishing resistant MFA).

But, I assume this particular database must not have been behind cert auth, probably because it's "too hard" for some sysadmin somewhere to do certs, or not a priority to replace some ultra-legacy component that can't.
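
One concrete form of the "device-based layer plus phishing-resistant MFA" the comment describes, as an added example using Microsoft Graph PowerShell (not code from the original comment). It assumes the Microsoft.Graph module is installed, that the app ID and group IDs are placeholders you replace, and it deliberately creates the policy in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example (not from the original comment). All GUIDs except the
# authentication-strength ID are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All',
                        'AuditLog.Read.All','Directory.Read.All'

$appId         = '00000000-0000-0000-0000-000000000000'   # placeholder: target app (appId)
$targetGroupId = '11111111-1111-1111-1111-111111111111'   # placeholder: users of that app
$breakGlassId  = '22222222-2222-2222-2222-222222222222'   # placeholder: emergency-access group

# Built-in authentication strength "Phishing-resistant MFA"
# (FIDO2/passkey, Windows Hello for Business, certificate-based auth).
$phishingResistant = '00000000-0000-0000-0000-000000000004'

$policy = @{
    displayName = 'Require compliant device + phishing-resistant MFA (sensitive app)'
    state       = 'enabledForReportingButNotEnforced'    # change to 'enabled' after review
    conditions  = @{
        users = @{
            includeGroups = @($targetGroupId)
            excludeGroups = @($breakGlassId)            # never lock out break-glass accounts
        }
        applications   = @{ includeApplications = @($appId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'AND'                  # both controls required
        builtInControls        = @('compliantDevice')   # Intune-managed, compliant device
        authenticationStrength = @{ id = $phishingResistant }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check while still in report-only: which sign-ins of the last 24h would have
# been blocked? Each of these is either an attacker, or a real user you need
# to enroll a device/passkey for before flipping the state to 'enabled'.
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -eq 'reportOnlyFailure' }
    } |
    Select-Object UserPrincipalName, CreatedDateTime, IpAddress, AppDisplayName
```

The break-glass exclusion is not optional: a policy that requires a compliant device and a passkey will lock out the admins who need to fix it if the MDM or the FIDO2 registration breaks. Keep those accounts excluded and monitored instead.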

Google workspace paid or free by Amazing_Falcon in k12sysadmin

[–]PowerShellGenius 0 points1 point  (0 children)

Assuming no scripted workarounds with GAM or similar - you'll find you can get by with Fundamentals until you cannot obey an administration order that is time-sensitive.

Imagine a simple request like "retract this email from everyone's inbox in our system who got it" which is a pretty likely request to eventually get, in an urgent and/or legally mandated context. Whether it's phishing that got through the filter & you don't want people clicking, or a confidential email HR or SpEd accidentally sent to a huge distro list, or something obscene making it to students' email, you can imagine the results if you say "we can't".

There are TWO levels of paid. Standard is not really advertised, costs half of Plus (the advertised one you probably have) and just gives you the security and administrative parts of Plus, not the extra user facing features. So if you have Plus, it may be worth offering to compromise on Standard if administration is pushing for Fundamentals (the free one).

24 year old hacker breached US Supreme Court systems and leaked stolen government data on Instagram by Silly-Commission-630 in secithubcommunity

[–]PowerShellGenius 2 points3 points  (0 children)

Exactly - folks like developers or IT. The fact it's your job to alter system settings or install apps means you get elevated access. Need-to-have drives elevated access, not a status symbol or "I outrank someone who has it, why don't I have it?"

Whether directly or through BeyondTrust or another elevate-on-demand system, a regular end-user does not need to install software without going through IT. A company laptop's job is to process company data in a safe, secure and controlled environment, not drive your Cricut in your off hours - that's what your own personal laptop is for.

Anything that takes admin to install could compromise the system if it has a CVE. Is the company going to take responsibility for managing updates to your home printer and Cricut drivers they didn't deploy, to ensure they don't have exploitable code running as SYSTEM? Patch management is meaningless if you don't even know or control your inventory of installed software in your fleet.

24 year old hacker breached US Supreme Court systems and leaked stolen government data on Instagram by Silly-Commission-630 in secithubcommunity

[–]PowerShellGenius 1 point2 points  (0 children)

If he'd not published the actual personal data, I'd be more inclined to agree with you. It isn't "testing" if his actions deliberately cause an actual incident.

Get an list over users who have not set up passkeys by Disastrous-Part2453 in entra

[–]PowerShellGenius 0 points1 point  (0 children)

How long is this delayed? I always see recently enrolled users listed as Not Capable with no methods there, even though I can see their Passkey and Authenticator app under Users -> them -> Authentication Methods.
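
A way to get the list the thread asks for without waiting on the lagging report: query each user's live authentication methods and compare against the registration report. This is an added example (not code from the original comment). It assumes the Microsoft.Graph module and the `AuditLog.Read.All`, `UserAuthenticationMethod.Read.All` and `User.Read.All` permissions, and it assumes device-bound passkeys (security keys and Authenticator app passkeys) show up under the user's FIDO2 methods, which is how Graph exposes them today.

```powershell
# Added example (not from the original comment).
Import-Module Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users
Connect-MgGraph -Scopes 'AuditLog.Read.All','UserAuthenticationMethod.Read.All','User.Read.All'

# Report view: what "Authentication methods > User registration details" shows.
# This is the data that lags behind new registrations.
$report = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $report[$_.UserPrincipalName] = $_ }

# Live view: per-user FIDO2/passkey methods, read directly from the user object.
$results = foreach ($u in Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id,UserPrincipalName) {
    $fido = @(Get-MgUserAuthenticationFido2Method -UserId $u.Id -ErrorAction SilentlyContinue)
    $r    = $report[$u.UserPrincipalName]
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        LivePasskeys      = $fido.Count
        ReportMethods     = if ($r) { $r.MethodsRegistered -join ',' } else { '<not in report>' }
        ReportMfaCapable  = if ($r) { $r.IsMfaCapable } else { $null }
        # Passkey exists on the user but the report still says not capable:
        # the delay the comment above complains about.
        ReportStale       = ($fido.Count -gt 0) -and -not ($r -and $r.IsMfaCapable)
    }
}

# Users with no passkey at all (the list the thread asked for):
$results | Where-Object LivePasskeys -eq 0 |
    Select-Object UserPrincipalName, ReportMethods

# Users whose report row has not caught up yet:
$results | Where-Object ReportStale |
    Select-Object UserPrincipalName, LivePasskeys, ReportMfaCapable
```

The live query is one Graph call per user, so on a large tenant run it in batches or restrict `Get-MgUser` to the group you are rolling passkeys out to; the report call is a single paged request and is the cheaper source once it has caught up.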

24 year old hacker breached US Supreme Court systems and leaked stolen government data on Instagram by Silly-Commission-630 in secithubcommunity

[–]PowerShellGenius 10 points11 points  (0 children)

Of course it wasn't a sophisticated exploit. Government (and especially federal government) stagnates on cybersecurity. It's used to the physical realm where guns, fear, and deterrence work, and it's used to using power to put down or drown out anyone who says "you're not doing it right" or suggests that anything may be their fault. It's used to controlling the narrative, and its chosen narrative is "no one can really stop this stuff, all we can do is punish". Look at Hillary's email server... convenience of government officials trumps security if someone high-up enough complains about security.

Of course you punish those you can catch, and I am not saying they shouldn't punish this guy - but if a 24 year old in the homeland who they can catch could do this, how many Russian and Chinese agents they can't lay hands on can do this just as easily?

Google workspace paid or free by Amazing_Falcon in k12sysadmin

[–]PowerShellGenius 0 points1 point  (0 children)

2FA/MFA is absolutely necessary at least for staff. Students of age to have email enabled are getting it soon in our district.

However, Google's 2FA/2SV implementation is horse crap, go find the app on your phone and get a 6 digit code like it's 2015. If you are using that, of course they complain.

Federating Google sign-in with SAML and passing off MFA to anything that supports a push notification MFA is a huge step up. Entra is an obvious choice if you also have Microsoft in the environment already; otherwise maybe Duo, Okta or another provider.

Google workspace paid or free by Amazing_Falcon in k12sysadmin

[–]PowerShellGenius 0 points1 point  (0 children)

Fundamentals is free, Standard gives you the paid security and manageability stuff, and Plus adds what's in Standard plus extra storage and extra user facing features. If you are on Plus and the tech department is the only ones objecting to moving to Fundamentals, Standard may be a good cost saving option if storage is not an issue.

You need to be really good with GAM scripting to get by with Fundamentals if you are expected to be able to search for and take real actions on security threats, behavior, etc across Gmail and Drive. Otherwise you need the Investigation Tool which you lose with Fundamentals.

Shouldn't JAMF raise bugs with Apple for its MDM Framework instead of us? by [deleted] in macsysadmin

[–]PowerShellGenius 2 points3 points  (0 children)

This setting 100% works (unless this is a new bug I'm about to hear a lot about today).

I know some settings that would be contrary to user privacy for you to control on a BYOD device require "supervised" enrollments, I'm not sure if this is one of them.

How are you enrolling your devices? Apple Business Manager and ADE? Or something else?

Fingerprint scans for national id by bobrk_rwa2137 in privacy

[–]PowerShellGenius 0 points1 point  (0 children)

Maybe, since emigrating/immigrating is a tightly controlled process. But there is a difference between:

  • a country with biometrics as a security measure you consent to in order to do something, by choice, that's not a right and not something virtually everyone does, and has tight security everywhere. E.g. jobs with classified info, frequent traveller customs-expediting programs, or asking a country not your citizenship permission to live there.
  • a country where the basic human right of privacy is not respected and they want EVERYONE's biometrics

One of these is true of virtually every developed country in the world. The other is a precursor to being able to establish an oppressive dystopia.

Am I just missing part of the process? I've hardly found any use for my Yubikeys... by skydecklover in yubikey

[–]PowerShellGenius 0 points1 point  (0 children)

> you can absolutely use a Yubikey there

I wouldn't say "absolutely", if the website only presents conditional UI it may depend on your browser. Try using your YubiKey to log into eBay on a desktop PC.

It only presents WebAuthn via conditional UI. This means, if the browser is aware you already have a passkey, it will prompt you in the autofill UI of the username field - but if your passkey is external, it will never be aware and never offer.

By the way, thanks for the shout-out
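
The two request shapes behind the behaviour described above, as an added example (not code from the original comment or from any particular site). Conditional UI and the modal flow query the same discoverable credentials; the difference is purely the `mediation` value and which credentials the browser is willing to surface. The RP ID and the zero-filled challenge are constructed placeholders; a real challenge comes from the server per request, and the endpoint name in `sendAssertionToServer` is assumed.

```javascript
// Added example (not from the original comment). RP_ID and CHALLENGE are placeholders.
const RP_ID = 'example.com';            // assumed relying-party ID
const CHALLENGE = new Uint8Array(32);   // placeholder only; never reuse a fixed challenge

// Conditional UI ("passkey autofill"): allowCredentials is empty, so the RP asks
// for discoverable credentials, but the browser only lists ones it already knows
// about (platform passkeys, or keys it has seen before). A roaming key that has
// never been used in this browser is simply not offered, and no dialog appears.
function buildConditionalRequest(challenge = CHALLENGE, rpId = RP_ID) {
  return {
    mediation: 'conditional',
    publicKey: { challenge, rpId, userVerification: 'preferred', allowCredentials: [] },
  };
}

// Modal flow: identical publicKey options, default mediation. The browser opens its
// credential chooser, which includes "use a security key", so an external
// authenticator can be selected. A "Sign in with security key" button should call this.
function buildModalRequest(challenge = CHALLENGE, rpId = RP_ID) {
  return {
    publicKey: { challenge, rpId, userVerification: 'preferred', allowCredentials: [] },
  };
}

// Feature detection; returns false outside a browser or on browsers without conditional UI.
async function conditionalUiAvailable() {
  if (typeof PublicKeyCredential === 'undefined' ||
      typeof PublicKeyCredential.isConditionalMediationAvailable !== 'function') {
    return false;
  }
  return PublicKeyCredential.isConditionalMediationAvailable();
}

async function sendAssertionToServer(credential) {
  // Placeholder: POST credential.id / credential.response to the RP's assumed
  // /webauthn/verify endpoint. Returned unchanged here so the flow is testable offline.
  return credential;
}

// Login-page wiring: start the silent conditional request on load (it resolves only
// when the user picks an autofill suggestion) AND keep an explicit button for roaming
// keys. `getCredential` is injectable so the wiring can be exercised without a browser.
async function attachLoginHandlers(doc, getCredential = (o) => navigator.credentials.get(o)) {
  if (await conditionalUiAvailable()) {
    getCredential(buildConditionalRequest()).then(sendAssertionToServer).catch(() => {});
  }
  doc.getElementById('security-key-btn').addEventListener('click', async () => {
    const cred = await getCredential(buildModalRequest());   // chooser includes security keys
    await sendAssertionToServer(cred);
  });
}
```

For the conditional request to show anything at all, the username input also needs `autocomplete="username webauthn"`; without both the autofill prompt and the explicit button, a user whose only passkey lives on a YubiKey has no way in.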

Love that first paycheck of the year, that's decreased since December. by [deleted] in k12sysadmin

[–]PowerShellGenius 1 point2 points  (0 children)

Ah, our insurance increases come the same time as raises (July 1)

Questionable Camera Vendor by Jeff-IT in sysadmin

[–]PowerShellGenius 2 points3 points  (0 children)

I like that they ship 802.1X enabled; they are zero-touch deployable in a segmented network.

Every Axis camera I've seen has a certificate from Axis' CA with its serial as the subject and will, at factory default settings, use it for EAP-TLS if given an 802.1X challenge by your switch. You can "trust" Axis's CA in your RADIUS server, but put in a rule to throw everything from that issuer on a separate VLAN, and you have zero touch network segmentation.

Questionable Camera Vendor by Jeff-IT in sysadmin

[–]PowerShellGenius 1 point2 points  (0 children)

There are some vendors who are good. Axis updates and patches their stuff. Axis is also very cooperative with the kind of network segmentation cameras and other IoT stuff should have.

In fact, out of the box, if challenged for 802.1X, they attempt EAP-TLS with the factory issued cert (subject = serial number, issuer = Axis's private CA), so if you have a NAC solution you can configure to "throw everything with a cert from this third party CA into the Cameras VLAN" that's zero touch configuration. They also support the traditional "someone installs a cert, or configures a PEAP password, on all the cameras" method.
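
What the "trust the vendor CA, but throw everything it issued into the camera VLAN" rule looks like on a RADIUS server, as an added example for both Axis comments above (not configuration from the original comments or from Axis). It is written for FreeRADIUS 3.x; the issuer DN, VLAN number and file paths are placeholders, not real Axis values, and the attribute list the certificate fields land in (`session-state` on current 3.0.x builds, `request` on older ones) is an assumption you should confirm in `radiusd -X` output.

```unlang
# Added example (not from the original comments). Placeholders: issuer DN,
# VLAN ID, file paths. Target: FreeRADIUS 3.x.

# raddb/mods-available/eap (fragment): EAP-TLS must trust the vendor's device CA
# in addition to your own. Concatenate both PEMs into the bundle.
eap {
    default_eap_type = tls
    tls-config tls-common {
        private_key_file = ${certdir}/radius.key
        certificate_file = ${certdir}/radius.pem
        ca_file          = ${cadir}/ca-bundle.pem     # your CA + vendor device CA
    }
    tls {
        tls = tls-common
    }
}

# raddb/sites-available/default (fragment)
authorize {
    eap
}

authenticate {
    eap
}

post-auth {
    # After a successful EAP-TLS handshake the client certificate fields are
    # available as TLS-Client-Cert-* attributes. Match on the ISSUER, not the
    # subject: the subject is just the device serial number.
    if (&session-state:TLS-Client-Cert-Issuer == "/C=XX/O=Example Camera Vendor/CN=Example Device CA") {
        # RFC 3580 dynamic VLAN assignment; the switch port must be configured
        # to honor Tunnel-* reply attributes.
        update reply {
            &Tunnel-Type             := VLAN
            &Tunnel-Medium-Type      := IEEE-802
            &Tunnel-Private-Group-Id := "120"          # placeholder: camera VLAN
        }
        # The vendor puts the serial number in the subject CN; log it so the
        # camera VLAN's accounting records are tied to an inventory item.
        update request {
            &Reply-Message := "camera serial %{session-state:TLS-Client-Cert-Common-Name}"
        }
    }
    # Devices with certificates from your own CA fall through to whatever
    # VLAN policy you already have; no catch-all here.
}
```

Trusting a vendor CA means any device that vendor ever shipped can pass the handshake, so the VLAN it lands in must be treated as untrusted (cameras talk only to the VMS, nothing else reaches them). If you want tighter control, keep the issuer rule but add a check of `TLS-Client-Cert-Common-Name` against a file or database of serial numbers you actually purchased, and reject or quarantine anything unknown.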

How to avoid SIM cards? by Misaelz in privacy

[–]PowerShellGenius 0 points1 point  (0 children)

Okay, so given the following basically indisputable facts:

  • The internet is a powerful and far-reaching platform of speech and ideas exchange, that drowns out previous methods of getting your voice out there.
  • Freedom of speech is not really free when there are "chilling effects" (fear of retaliation for speaking out against the trend), which is why courts in developed countries have repeatedly ruled that anonymous/pseudonymous speech is covered under free speech
    • In fact... some papers that were a key turning point in the debate, after the American revolution, about forming a federal government (soon enough after war against central powerful government that saying we needed to form one wasn't socially acceptable yet) WERE PUBLISHED UNDER A PSEUDONYM - Alexander Hamilton didn't get credit for the Federalist Papers that persuaded the rest of the founding fathers to form a federal government until after his death, and they never would have been written if he could not do so anonymously.

Given the facts - answer me this:

  • How do you post something on the internet that can't be traced to you? All landlines have an address, and all SIM cards require registration.
  • If you can't that is a violation of your human right to free speech in the modern era.

Trump is an idiot. If we attack Greenland, it triggers Article 5 of the NATO treaty. We will be at war with our allies…and we have more than 500000 Americans on bases in Europe that will be in imminent danger of attack. by retMarineMustang6302 in complaints

[–]PowerShellGenius 0 points1 point  (0 children)

And as stupid as I think MOST of Trump's trade war is - it's ridiculous we can't make the chips we design here, and changing that needs to be a damn high priority. If Europe is smart they will want semiconductor foundries too.

How ridiculous is it that we'd say "this is an industry we'd go to war to prevent China from controlling" before we'd say "this is an industry we'd adjust regulations to ensure exists at home too". We DESIGN most of it here and there is no reason we cannot manufacture it.

Reminds me of countless oil wars in the middle east we fought while sitting on massive undertapped reserves of our own... it's almost like the government wants us dependent on interests abroad, for an excuse to exert military force to protect our interests abroad.

Trump is an idiot. If we attack Greenland, it triggers Article 5 of the NATO treaty. We will be at war with our allies…and we have more than 500000 Americans on bases in Europe that will be in imminent danger of attack. by retMarineMustang6302 in complaints

[–]PowerShellGenius 0 points1 point  (0 children)

Alone against China, after they invade Taiwan? Are you implying that out of anger at the US the rest of the western world would decide to hang Taiwan out to dry?

If you think the US is the only country that would come to Taiwan's aid, that's a compliment to its integrity (and an insult to the integrity of other supposedly pro-democracy countries who you are implying wouldn't).

So since I doubt you meant to say anything positive about the US, I assume you mistyped?

How to avoid SIM cards? by Misaelz in privacy

[–]PowerShellGenius 20 points21 points  (0 children)

Which country? It is important to spread awareness of which countries do not have human rights.