The Fool
Oct 16, 2003


Our big password reset pain right now is when people let their passwords expire and it prevents them from connecting to the VPN.

When that happens we have to go through this big song and dance of resetting their password, walking them through connecting to the VPN, making sure their local machine syncs with AD, then changing their password again.

ConfusedUs
Feb 24, 2004

Bees?
You want fucking bees?
Here you go!
ROLL INITIATIVE!!





I just got put in charge of improving support efficiency for a newly-acquired product line.

Their site, in addition to username/password, has the most utterly rear end-backward second line of security I've ever seen. See, when you created your account, you also had to create a "passphrase".

Then, when you log in, you have to give your username and password. Then it asks you to input the Nth and Nth characters of the passphrase. So if your passphrase was "whatthefuck?" you might be prompted for the 3rd and 9th characters, or "a" and "u".

There are ways to reset this passphrase, but it's the same flow as resetting your password, and people get those two confused all the time, and it's a huge mess.

Needless to say something like half--fully half--of the calls Support gets are people going "I CANT LOG INTO MY ACCOUNT"

Thanks Ants
May 21, 2004

#essereFerrari


We've been in this permanent WFH situation for eight months now, if a company hasn't got their poo poo together and at least deployed always-on VPN to keep AD-bound devices managed, or even just turned off password expiry then what the gently caress have people been focusing on instead?

The Fool
Oct 16, 2003


Thanks Ants posted:

We've been in this permanent WFH situation for eight months now, if a company hasn't got their poo poo together and at least deployed always-on VPN to keep AD-bound devices managed, or even just turned off password expiry then what the gently caress have people been focusing on instead?

lol

In this case it is literally me and one other guy doing the work, and we are going live with always-on in.. *checks notes* 35 days

Internet Explorer
Jun 1, 2005





Always-on VPN isn't that simple to deploy and auditors will only allow an exception for password expiry for so long.

We currently have the ability to let the user update their password in Azure AD. Looking to add self-service password reset so they can also do that if they've forgotten it. This updates the password they use to connect to the VPN, and once they connect to that they can sync it down to their local machine.

If they can't get into their local machine, we can do an unattended remote session to them and log in as a cached admin or local admin, then connect to the VPN, then run a process as them to get their new password synced down.

The VPN is slowly being phased out, but a main line of business app got implemented last year that was in the works for 2 years that requires the VPN. Before my time and a bit above my paygrade at the new place, but what a boneheaded move.

I'm also working on implementing Azure AD Password Protection w/ sync to local ADs, so we can get rid of the password expiration requirement and tell the auditors to gently caress off.

Internet Explorer fucked around with this message at 18:25 on Dec 2, 2020

Thanks Ants
May 21, 2004



It wasn't a dig at anybody here, it's just something I've seen in other companies where there's a monthly dance to get password resets lined up with being on a VPN, and it just seems like a thing that leadership should be prioritizing. I think there was an attitude that it could be muddled through for four months or so and people are playing catch-up now. Though if any company is expecting to go back to 100% in-office and no requirement to WFH again in the future they are in for a shock.

Hughmoris
Apr 21, 2007
Let's go to the abyss!

mattfl posted:

Oh hey cool, they just cancelled the work from home schedule we've had for the past 7 months for "reasons".

So now instead of only 2 of us being together in our large office there'll be 5 of us in here now. Super awesome boss.

What pisses me off even more is he won't even tell us the real reason why, just some bullshit about holidays and coverage which, we're all off for those holidays anyways, us being at home would make no difference!

That sucks. At this point, I'll be looking for the door if my company tries to recall people back to the building before a vaccine is rolled out.

Internet Explorer
Jun 1, 2005





Thanks Ants posted:

It wasn't a dig at anybody here, it's just something I've seen in other companies where there's a monthly dance to get password resets lined up with being on a VPN, and it just seems like a thing that leadership should be prioritizing. I think there was an attitude that it could be muddled through for four months or so and people are playing catch-up now. Though if any company is expecting to go back to 100% in-office and no requirement to WFH again in the future they are in for a shock.

Oh yeah, I didn't take it that way. I agree with you 100%. Unfortunately, as we all know, leadership isn't always the best. If I'm not managing up, nothing happens around here. And our CIO is really banking on these vaccines changing our situation overnight. :laugh:

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!

The Fool posted:

When that happens we have to go through this big song and dance of resetting their password, walking them through connecting to the VPN, making sure their local machine syncs with AD, then changing their password again.

Logging into their system as an admin account, establishing a VPN, switch user, have them log in and get the prompt to change their password?

Internet Explorer
Jun 1, 2005





klosterdev posted:

Logging into their system as an admin account, establishing a VPN, switch user, have them log in and get the prompt to change their password?

This works if you have fast user switching enabled and the other account still has the VPN logged in when you switch. We found running a process as the user to be easier.

Prism Mirror Lens
Oct 9, 2012

~*"The most intelligent and meaning-rich film he could think of was Shaun of the Dead, I don't think either brain is going to absorb anything you post."*~




:chord:
Internal tooling team locks down all write access to a tool. Then calls a huge meeting to discuss the fact that, when there are problems with the tool, nobody knows what to do about it. First suggestion: “give people write access so they can self-manage.” Response: “that’s off-topic.” :psyduck:

The Fool
Oct 16, 2003


klosterdev posted:

Logging into their system as an admin account, establishing a VPN, switch user, have them log in and get the prompt to change their password?

No way to access their system as admin without them being on the VPN.

So the process right now is: reset the user to a temporary password, have them connect to the VPN, lock the screen, log in to the laptop with the temporary password while the VPN is connected, and then the user changes their password.

Some users can do it if you just send them the steps and tell them what their temporary password is, some can do with some coaching on teams or over the phone, others take an hour of phone support just to get through step 2.

Actuarial Fables
Jul 29, 2014

Taco Defender

ConfusedUs posted:

Their site, in addition to username/password, has the most utterly rear end-backward second line of security I've ever seen. See, when you created your account, you also had to create a "passphrase".

Then, when you log in, you have to give your username and password. Then it asks you to input the Nth and Nth characters of the passphrase. So if your passphrase was "whatthefuck?" you might be prompted for the 3rd and 9th characters, or "a" and "u".

Webroot's MSP/Partner management portal had this "feature", so it's A Thing that at least two companies have used. The justification I was given at the time was that even if there was a keylogger on your computer an attacker would only get a few bits of your passphrase, leaving them unable to log into your account (unless it asks for the same characters again oops).

Assorted Gubbins
Oct 28, 2017

The Fool posted:

No way to access their system as admin without them being on the VPN.

So the process right now is: reset the user to a temporary password, have them connect to the VPN, lock the screen, log in to the laptop with the temporary password while the VPN is connected, and then the user changes their password.

Some users can do it if you just send them the steps and tell them what their temporary password is, some can do with some coaching on teams or over the phone, others take an hour of phone support just to get through step 2.

You don't have a remote support tool that isn't reliant on the VPN? Without always-on, that seems, uh....inadvisable.

The Fool
Oct 16, 2003


Assorted Gubbins posted:

You don't have a remote support tool that isn't reliant on the VPN? Without always-on, that seems, uh....inadvisable.

lol, no kidding

In the before times no-one was out of the office for more than a couple weeks, so it was never a big deal

It immediately became an issue when we moved out of the office and we got directives to expand our infrastructure to support long term remote work

we’ve been getting ready to roll out always-on and should be going live at the beginning of the new year

Internet Explorer
Jun 1, 2005





Assorted Gubbins posted:

You don't have a remote support tool that isn't reliant on the VPN? Without always-on, that seems, uh....inadvisable.

This was us 3 months ago. I floated the idea of fixing that a few times but no one seemed interested, especially before the pandemic. I finally just rammed it through and now everyone is like THIS IS AMAZING. Yeah, no poo poo.

Thanks Ants
May 21, 2004



I wish MS would expand on Quick Assist and use it as a basis for remote support for Intune-managed devices

Internet Explorer
Jun 1, 2005





Thanks Ants posted:

I wish MS would expand on Quick Assist and use it as a basis for remote support for Intune-managed devices

YES! It's so annoying.

And don't worry about TeamViewer integration in Intune/MEM. It's terrible.

The Fool
Oct 16, 2003


If only Quick Assist could do UAC elevation

i am a moron
Nov 12, 2020

"I think if there’s one thing we can all agree on it’s that Penn State and Michigan both suck and are garbage and it’s hilarious Michigan fans are freaking out thinking this is their natty window when they can’t even beat a B12 team in the playoffs lmao"
I’ve been curious if you can use the SCCM remote tools for comanaged devices, but I also have 0 SCCM knowledge, and for the current stuff I’m working on, the folks I work with decided Teams is fine for remote support :xd:

Internet Explorer
Jun 1, 2005





i am a moron posted:

I’ve been curious if you can use the SCCM remote tools for comanaged devices, but I also have 0 SCCM knowledge, and for the current stuff I’m working on, the folks I work with decided Teams is fine for remote support :xd:

You can't, the device has to be on the network/VPN.

ConfusedUs
Feb 24, 2004






Actuarial Fables posted:

Webroot's MSP/Partner management portal had this "feature", so it's A Thing that at least two companies have used. The justification I was given at the time was that even if there was a keylogger on your computer an attacker would only get a few bits of your passphrase, leaving them unable to log into your account (unless it asks for the same characters again oops).

Yeah, I hear similar things. Basically they're trying to get a pseudo two-factor auth in without actually doing two-factor auth. In the worst possible way.
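
The positional-character step ConfusedUs describes above, together with the keylogger argument Actuarial Fables was given for it, modelled as an added example (not code from any poster or from the product in question). It assumes 1-based positions as in the prompt and endpoint malware that captures the prompt (which positions were asked for) as well as the keystrokes; the passphrase "whatthefuck?" and the [3, 9] challenge are the ones from the post.

```python
"""Model of the "Nth and Nth characters of your passphrase" second step and of the
endpoint malware it is supposed to defeat. Added example; not code from any poster
or from the product they describe. Assumptions: positions are 1-based as in the
prompt, and the malware sees the prompt (which positions) as well as the keys."""
import hmac
import math
import random


class PartialPassphraseAuth:
    """Server side of the scheme.

    First structural problem: to check two arbitrary characters the server has to
    keep the passphrase recoverable (cleartext or reversibly encrypted). A salted
    hash of the whole passphrase cannot answer a positional challenge.
    """

    def __init__(self, passphrase, positions_per_challenge=2, rng=None):
        self.passphrase = passphrase
        self.k = positions_per_challenge
        self.rng = rng or random.SystemRandom()

    def challenge(self):
        """Pick k distinct 1-based positions, e.g. [3, 9] for 'whatthefuck?'."""
        return sorted(self.rng.sample(range(1, len(self.passphrase) + 1), self.k))

    def expected_answer(self, positions):
        return "".join(self.passphrase[p - 1] for p in positions)

    def verify(self, positions, answer):
        return hmac.compare_digest(self.expected_answer(positions).encode(),
                                   answer.encode())


class ShoulderSurfer:
    """Form grabber on the endpoint: records which positions were asked for and
    what was typed. (A plain keylogger still gets the full username and password,
    which are typed in full every time; only the passphrase is partially shielded.)"""

    def __init__(self):
        self.known = {}  # 1-based position -> character

    def observe(self, positions, answer):
        for p, c in zip(positions, answer):
            self.known[p] = c

    def can_answer(self, positions):
        return all(p in self.known for p in positions)

    def answer(self, positions):
        return "".join(self.known[p] for p in positions)


def answer_probability(known_positions, passphrase_len, k=2):
    """Chance that a fresh random challenge lands entirely on positions already seen."""
    if known_positions < k:
        return 0.0
    return math.comb(known_positions, k) / math.comb(passphrase_len, k)


def logins_observed_until_compromise(passphrase, k=2, seed=0):
    """Attacker watches legitimate logins until it can answer a fresh challenge.
    Returns how many logins it had to watch; a repeated challenge ends it at once."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    server = PartialPassphraseAuth(passphrase, k, rng)
    attacker = ShoulderSurfer()
    observed = 0
    while True:
        positions = server.challenge()
        if attacker.can_answer(positions):
            assert server.verify(positions, attacker.answer(positions))  # replay accepted
            return observed
        attacker.observe(positions, server.expected_answer(positions))  # legit user types it
        observed += 1


if __name__ == "__main__":
    for seed in range(5):
        print(seed, logins_observed_until_compromise("whatthefuck?", seed=seed))
```

Each observed login leaks k positions; answer_probability gives the replay odds for what the attacker has collected so far, and the simulation shows how few logins it takes before the attacker can simply answer the next challenge itself. The username and password are typed in full every session regardless, so the only thing the scheme shields is the passphrase, and only until positions repeat. A real second factor (TOTP, WebAuthn) has neither that problem nor the recoverable-storage problem noted in the class comment.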

i am a moron
Nov 12, 2020


Internet Explorer posted:

You can't, the device has to be on the network/VPN.

I figured the devices could only communicate with the CMG and not the other way around, I’m assuming there’s a reason for it but it seems odd they don’t bolt some remote management features onto the config manager agent.

Thanks Ants
May 21, 2004



I guess if you're all-in with SCCM you also have DirectAccess deployed

Internet Explorer
Jun 1, 2005





We didn't have a CMG (don't ask), but I don't think it works with one.

Thanks Ants
May 21, 2004



Actuarial Fables posted:

Webroot's MSP/Partner management portal had this "feature", so it's A Thing that at least two companies have used. The justification I was given at the time was that even if there was a keylogger on your computer an attacker would only get a few bits of your passphrase, leaving them unable to log into your account (unless it asks for the same characters again oops).

The amount of time companies spend cooking up stuff like this when they could just integrate the application with Azure AD or Google Workspace and have all their authentication headaches taken away, as well as improving things for their customers.

i am a moron
Nov 12, 2020


Thanks Ants posted:

I guess if you're all-in with SCCM you also have DirectAccess deployed

Not this shop, and I did poo-poo DA semi recently but I don’t remember why other than hating it when I was in the Army for some reason I can’t remember.


Internet Explorer posted:

We didn't have a CMG (don't ask), but I don't think it works with one.

But now I have to ask! Do you rely on a VPN in that scenario? Expose SCCM to the internet? That’s the reason I had to deploy this because for whatever insane reason they’re 100% opposed to deploying VPNs to everyone. Which is fine for this case generally but really interesting for all the laptops and desktops at peoples homes that are still AD classic

Internet Explorer
Jun 1, 2005





We relied on the VPN, and a user-initiated one, not always-on. Between that and only being able to set policies via GPO while users were on the VPN, it put our project to migrate from SCCM to Intune/MEM into high gear. My current place is super dysfunctional and all the engineers got together and were like "gently caress it, we're going to do this on our own."

It's been nice, because we're now about to roll out several hundred laptops using Autopilot. Not even unboxing them. Previously, someone would have had to go into the office and image them, do a few steps by hand, etc.

i am a moron
Nov 12, 2020

Ah, so hybrid joins? Assuming cause you said GPO. I’ve been working on Azure AD only which I am very all in on at this point.

The Fool
Oct 16, 2003


Yeah, AutoPilot is next on the list after we get AlwaysOn finished up

I won’t be around for that though, and new job is extremely removed from those concerns and I couldn’t be happier

Internet Explorer
Jun 1, 2005





i am a moron posted:

Ah, so hybrid joins? Assuming cause you said GPO. I’ve been working on Azure AD only which I am very all in on at this point.

Yes, sorry, Azure AD Hybrid Join. I really wish we could have done Azure AD only, but it's not in the cards here. Next job, maybe. This is all somewhat odd to me because I have done all-in on VDI for the vast, vast majority of my career.

The Fool posted:

Yeah, AutoPilot is next on the list after we get AlwaysOn finished up

I won’t be around for that though, and new job is extremely removed from those concerns and I couldn’t be happier

Yeah, it was a bit odd to do AutoPilot without AlwaysOn VPN. We added a task during ESP that installs our VPN software and connects using a profile with a "service" account for the VPN, then uninstalls it when done. Then installs the proper VPN package. I hate it, it's a hack, but it needed to be done to do this project.

Thanks Ants
May 21, 2004



It's a neat workaround though, better than trying to send Meraki gateways out to everybody to do the VPN for you

wolrah
May 8, 2006
what?

Thanks Ants posted:

The amount of time companies spend cooking up stuff like this when they could just integrate the application with Azure AD or Google Workspace and have all their authentication headaches taken away, as well as improving things for their customers.
But then they couldn't lump that feature in to their "enterprise" tier that costs 4x as much.

Dick Trauma
Nov 30, 2007

God damn it, you've got to be kind.

Internet Explorer posted:

Yes, sorry, Azure AD Hybrid Join.

I have a hybrid setup as part of our migration last year to Exchange Online and M365... didn't know this feature existed.

Thanks Ants
May 21, 2004



I had WP Engine enable Azure AD integrated SSO on a plan we pay like £30/month for, which in turn provided SSO access to the WordPress control panel for the site in question. I was working with someone who uses 8x8 for their phone system and that supports SSO as well as provisioning from AAD at no extra cost. There's no excuse for lumping stuff like that in a more expensive tier, and I'll try and avoid companies that do it.

devmd01
Mar 7, 2006

Elektronik
Supersonik
Autopilot with direct join to Azure AD is the poo poo. We have a mostly remote/distributed workforce anyways, so it has been an absolute game changer for the desktop team.

I also just flipped every single domain joined machine into an OU/gpo that does license upgrades to enterprise and enables auto-enrollment for hybrid join. As those machines are replaced/reimaged through attrition, we will eventually have just a handful of workstations that are directly AD joined for the infra engineering team.

Not that I don’t trust the desktop team, but I’m not taking any chances on an errant intune policy jacking up my machine.

Assorted Gubbins
Oct 28, 2017

devmd01 posted:

Autopilot with direct join to Azure AD is the poo poo. We have a mostly remote/distributed workforce anyways, so it has been an absolute game changer for the desktop team.

I also just flipped every single domain joined machine into an OU/gpo that does license upgrades to enterprise and enables auto-enrollment for hybrid join. As those machines are replaced/reimaged through attrition, we will eventually have just a handful of workstations that are directly AD joined for the infra engineering team.

Not that I don’t trust the desktop team, but I’m not taking any chances on an errant intune policy jacking up my machine.

OK so, as someone who's spun up umpteen MDT/WDS servers (and a couple SCCMs), and who likes images to be squeaky clean, but also as someone who knows he needs to keep up with where things are going, here's my question: what does Autopilot actually do when you unpack a laptop and turn it on? I assume you can create tasks to run various software installs and so on, but what options does it give you for dealing with the Windows 10 install itself?

Basically, I loathe and distrust all factory images, so while Autopilot sounds great, my issue is that as far as I understand it's basically building on the factory image. There's no way to have it install Windows from scratch without bloatware, run things like Win10 Decrapifier during install, and so on, right? So the best you can do is run scripts to try and uninstall whatever crap Lenovo shoves on there and hope they didn't include a rootkit like they did a few years ago?

This is essentially the reason that I haven't moved to Autopilot in general, and the documentation, or at least the admittedly minimal amount I've read, doesn't seem to explain this in terms of what you can actually do and what you have to start with. But if you're forced to live with building off the factory image, I'm probably going to resist moving to Autopilot as long as possible simply because of the huge amount of garbage the OEMs load machines up with, not to mention all the random poo poo Microsoft shoves in there as well.

GreenBuckanneer
Sep 15, 2007

Thanks Ants posted:

We've been in this permanent WFH situation for eight months now, if a company hasn't got their poo poo together and at least deployed always-on VPN to keep AD-bound devices managed, or even just turned off password expiry then what the gently caress have people been focusing on instead?

Our VPN times out after 12 hours.

We use MFA as the only means of signing on (unless you're lucky enough to get a company iPhone and use a one-time code).

These 60 year old guys often forget to change their pw in time, and because they use MFA, it tells them on sign-in that their AD pw has expired and dumps them back to the CTRL+ALT+DEL lock screen.

They either have to bother someone else who's signed in to change their pw on their neighbor's system, or we have to re-enable the disabled Windows login option, effectively hijacking their account.

They don't want to change how this works.

Oh, and if they update their pw or update their MFA cert while on VPN, and don't lock the screen and log back in, it pooches their saved credentials and they have to drive into work and physically connect to the network to fix it.
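
One way to get ahead of the expired-password dance that The Fool and GreenBuckanneer describe is to compute expiry from the raw AD attributes and warn users while they can still change the password with the VPN up. This is an added example, not any poster's tooling: the records are constructed stand-ins for what an LDAP query for pwdLastSet and userAccountControl (plus the domain's maxPwdAge) returns, and the 42-day policy is an assumption.

```python
"""Compute on-prem AD password expiry from the raw directory attributes and flag
accounts to warn before they expire. Added example, not any poster's tooling.
The records in __main__ are constructed; in practice they come from an LDAP
query for pwdLastSet and userAccountControl plus the domain's maxPwdAge."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 24 * 3600 * 10_000_000   # FILETIME ticks are 100 ns
UF_DONT_EXPIRE_PASSWD = 0x10000          # userAccountControl flag
NEVER_EXPIRES = -0x8000000000000000      # maxPwdAge when the domain policy is "never"
MUST_CHANGE = "must change at next logon"


def from_filetime(ticks):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def password_expiry(pwd_last_set, user_account_control, max_pwd_age):
    """None if the password never expires, MUST_CHANGE, or the expiry datetime.

    maxPwdAge on the domain object is a *negative* tick count (42 days is
    -36288000000000); pwdLastSet == 0 means a change is forced at next logon.
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, NEVER_EXPIRES):
        return None
    if pwd_last_set == 0:
        return MUST_CHANGE
    return from_filetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)


def users_to_warn(users, max_pwd_age, now, warn_within_days=7):
    """(sAMAccountName, status) for accounts that are expired, must change, or
    expire inside the warning window; accounts flagged never-expire are skipped."""
    report = []
    for u in users:
        exp = password_expiry(u["pwdLastSet"], u["userAccountControl"], max_pwd_age)
        if exp is None:
            continue
        if exp == MUST_CHANGE:
            report.append((u["sAMAccountName"], MUST_CHANGE))
        elif exp <= now:
            report.append((u["sAMAccountName"], "expired"))
        elif exp <= now + timedelta(days=warn_within_days):
            report.append((u["sAMAccountName"], f"expires in {(exp - now).days} days"))
    return report


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    max_pwd_age = -42 * TICKS_PER_DAY            # 42-day policy, assumed
    sample = [                                    # constructed records
        {"sAMAccountName": "alice", "pwdLastSet": to_filetime(now - timedelta(days=40)),
         "userAccountControl": 0x200},
        {"sAMAccountName": "bob", "pwdLastSet": to_filetime(now - timedelta(days=50)),
         "userAccountControl": 0x200},
        {"sAMAccountName": "svc-backup", "pwdLastSet": to_filetime(now - timedelta(days=500)),
         "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD},
        {"sAMAccountName": "newhire", "pwdLastSet": 0, "userAccountControl": 0x200},
    ]
    for name, status in users_to_warn(sample, max_pwd_age, now):
        print(f"{name}: {status}")
```

The two sentinels matter in practice: a never-expire flag on the account, or a domain maxPwdAge of 0 or the "never" value, would otherwise produce a bogus expiry or overflow the timedelta. Feed the report into whatever sends mail or Teams messages; the users who get the warning while on the VPN are the ones who never need the temporary-password procedure.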

devmd01
Mar 7, 2006

I don’t know the answer to that one, but yeah likely a deployment package/script of some kind. We have a base golden image with nothing but drivers on it that gets slapped on every laptop that comes in the door, then boxed back up until they put a shipping label on it. We were having SHI do the imaging and drop shipping for the initial mass rollouts but now the volume is low enough that our desktop team can handle it no sweat especially since all they need to do is image it and box it back up.

i am a moron
Nov 12, 2020


Assorted Gubbins posted:

OK so, as someone who's spun up umpteen MDT/WDS servers (and a couple SCCMs), and who likes images to be squeaky clean, but also as someone who knows he needs to keep up with where things are going, here's my question: what does Autopilot actually do when you unpack a laptop and turn it on? I assume you can create tasks to run various software installs and so on, but what options does it give you for dealing with the Windows 10 install itself?

Basically, I loathe and distrust all factory images, so while Autopilot sounds great, my issue is that as far as I understand it's basically building on the factory image. There's no way to have it install Windows from scratch without bloatware, run things like Win10 Decrapifier during install, and so on, right? So the best you can do is run scripts to try and uninstall whatever crap Lenovo shoves on there and hope they didn't include a rootkit like they did a few years ago?

This is essentially the reason that I haven't moved to Autopilot in general, and the documentation, or at least the admittedly minimal amount I've read, doesn't seem to explain this in terms of what you can actually do and what you have to start with. But if you're forced to live with building off the factory image, I'm probably going to resist moving to Autopilot as long as possible simply because of the huge amount of garbage the OEMs load machines up with, not to mention all the random poo poo Microsoft shoves in there as well.

I’ve only done it with Microsoft hardware, but I’d imagine the factory image stuff from, say, Lenovo remains. AutoPilot reaches out to apply all the settings in Intune and Defender and compliance policies and is not an image.

I’m not a desktop guy, so I personally could not care less. Not to discount what you’re saying, but I personally don’t think a squeaky clean image and the amount of overhead that goes into that and complete bullshit like SCCM outweighs the modern endpoint management MS is going for. It’s probably the best thing they’ve ever done. If I could put every AD and SCCM and WSUS and SCOM and SCORCH deployment on a figurative funeral pyre I’d piss on the ashes when it’s done burning.
