Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life

sporkstand posted:

I'm looking for a way for an Azure AD joined machine to ONLY allow logins from local accounts. This is for a machine that some of our computerless users will use to login and do their mandatory trainings. I'd like to have them log in using a local 'Training' account, then once logged in, launch a browser and log into the training system using their personal credentials. These are older machines (with no budget to purchase anything new) so I'd prefer to not have a bunch of user profiles taking up space on the machine if possible.
Any ideas?

Sounds like you want a single app Kiosk profile in intune.

https://learn.microsoft.com/en-us/mem/intune/configuration/kiosk-settings-windows


Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life
I’m not missing anything obvious here, right?

I have approximately 100 users who use teams and outlook on their BYOD phone with MAM-WE policies. Otherwise they just use MFA with authenticator and SSO to sign into a third party enterprise app. They have a kiosk mode PC at their office they can log into webmail if need be, but that’s very rare.

Any reason not to just go with the $6/mo Business Basic licenses for these users? We have AAD P2 already due to a few E5 licenses.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life

klosterdev posted:

Won't each user need at least an AAD P1 license for MAM to actually apply to their phones?

Looks like F3 comes with AAD P1 and MDM for mobile phones if we ever need to provide a device, so it looks like that’s the way to go for us.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life

Shaocaholica posted:

I'm spilling over from the networking thread. My wife is a manager at a very small 10 person company. They don't have any IT...yet. They have an email server run by godaddy and they pull email using outlook. Apparently there's no email filtering in their current setup? I'm just so used to getting server side email filtering through gmail and other webmail. How does a small company setup email that has all the modern conveniences like spam filtering? Can you do it at the client side in outlook? Do you do it server side if that's even possible with some cheapo ISP email service?

Ideal effort: pay somebody to migrate your wife’s company to full Microsoft since you are using outlook and office apps already, and ditch the Google drive for sharepoint.

Or find an MSP who sells a service like proofpoint and have inbound mail flow through that.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life

Silly Newbie posted:

I've got security and compliance e3 + office 365 e1, e3, and E5 rolled out to all my users. By my reading, I could swap all of my field techs to just Microsoft 365 F3 rather than Security E3 + Office E1 and the only downside is a smaller mailbox, is that right? I just need them to get company wide emails, maybe send vacation requests to their supervisors, and have MAM-WE licensing for personal phones.

I’m in the same boat and that’s my understanding. I’m about to swap a few maintenance techs over today.

They only use their Microsoft account for SSO and a company email. If they ever use a PC for training it’ll be in a browser.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life

Silly Newbie posted:

Update: talked to my CSP, we're right. Also https://m365maps.com is great.

Thanks for the follow up.

I switched 6 over yesterday as a test group and no issues so far. I never considered the F3 license until a few posts ago but it’s going to save us around 20k a year, which is a noticeable percentage of my yearly budget.

Cyks fucked around with this message at 15:30 on Jun 6, 2023

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life
Not only is it a third the cost of business premium but the f3 licenses don’t count towards the 300 business license max which is nice.

I did accidentally buy Office 365 F3 instead of Microsoft 365 F3 and support told me “You can just cancel the license for the next billing cycle!”

Thanks support; the next billing cycle is 363 days from now; I was asking if I can get refunded today. Only cost like $250 but still.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life

Trauts posted:

So I got issued a work laptop w/ windows 11. Only local account is admin, and that's where they supposedly entered my domain credentials. Did the change the password for myname@domain. It shows up in Accounts under Email, but when I try to use that as a Microsoft account to get into the store to download apps, it won't let me use that login, says no account exists even though I am looking at it in the other window?

I used my personal MS account on the non admin local user I created to login and that linked fine. Any ideas on what could be going on there? I'm having a hard time working my head around what exactly got set up. Any good articles or videos about this topic would be really appreciated

Accounts for business/enterprise can’t be used for the normal Microsoft store.

Ideally you should be using company portal or a third party tool to install apps at this point, not the Microsoft store.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life
Never done it but sounds doable. You can configure CA policies based off windows/Mac/android/iPhone and you can target specific Microsoft apps.

Kind of an odd request though and there might be a better way depending on what your goal is. If it is to block outlook on personal PCs but still allow for iPhone and android you may want to consider MAM policies.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life

kiwid posted:

I considered this, either that or Papercut. But they don't put pricing on their website and I didn't want to waste hours talking with a sales rep.

We have 21 printers across the org, not sure if that's worth the service or not?

I just got my renewal quote today and it’s $130/yr for under 25 printer queues.
Over 25 is supposed to be $93 each but my quote isn’t discounted correctly so I need to rep one.

PrinterLogic will get you in touch with a company who handles smaller purchases so it should be similar pricing for everyone.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life
A director requested the ability for staff to have a dial-in number for Teams meetings and from what I can tell, this was made free last year, I just need to purchase the free license (that’s called dial-out) and assign to users.

I tested it on my account and it seemed to work no problem. Is there anything I need to be careful of before assigning licenses out? Like a way for somebody to accidentally rack up charges?

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life
I don’t think I’ve ever solved the WHfB prompt on shared laptops myself but I got around it by only assigning F3 licenses to employees who are not given their own device. They just log on to a shared laptop as guest and sign in to their account in a browser.
Works well for what we need but I still need to disable sign-in as an option, as we keep getting tickets about how they tried to log in and it fails after an hour despite explaining multiple times they can’t do that.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life
There isn’t any way to force enabling passwordless via Authenticator is there? I used to show the steps to enable it back when onboarding groups were smaller but that kind of ran away from me.

I know I can do a CA to require it but that’s going to lock people out while I’m more interested in a campaign to get them on it.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life
It’s still a very good thing to learn.

You can manually add devices if you don’t have an OEM doing it by running the commands in powershell:

# Pull the Get-WindowsAutoPilotInfo script from the PowerShell Gallery
Install-Script Get-WindowsAutoPilotInfo
# Let the downloaded script run; process scope keeps the policy change temporary
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
# Collect the hardware hash and upload it straight to Autopilot (prompts for a tenant sign-in)
Get-WindowsAutoPilotInfo -Online

One feature you won’t be able to test with a VM is preprovision deployments (aka white glove/oobe) but that’s not a big deal.

Getting Autopilot up is pretty straightforward. Only gotcha I can remember is that Company Branding must be configured first.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life
I’m sure the way I do it isn’t the most efficient but we buy like 5-20 laptops at a time and just get much better pricing straight from provantage than any discount Dell has offered us.

So we run that script to enroll it in autopilot then run OOBE/predeployment before adding it to our “app and configurations” security group to get it entra joined. About 5 minutes per laptop.

We then fresh start it to wipe the Dell bloatware and run OOBE/predeployment to load Office plus a few extra apps and configuration profiles.

Sounds repetitive but it takes about 10 minutes of employee time and we save like $300 bucks per device over ordering a pre-enrolled and clean image from Dell.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life

Potato Salad posted:

Wow, you guys aren't making more than $1,800 per hour? :agesilaus:

I have the CEO doing the imaging so really we break about even.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life

Hughmoris posted:

This is an overly broad question but do you all feel there is money to be made specializing in Intune + Autopilot, or are you looking for the door?

Autopilot is just a very small piece of Intune and Intune is just a small piece of M365. There are definitely jobs out there in large enough organizations that just handle Intune but I still recommend doing the greater picture of M365.

Great money and very WFH friendly technology.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life

Silly Newbie posted:

What kind of bloatware are you all seeing from Dell? Ours come with Command Update, which isn't bad, and Office, that's it.
We also have a CTG agreement so that might put us in a different sales and delivery department. I give them under $500k/yr, but my sales team and support is pretty great.

Dell Optimizer, which is well documented for causing issues with m365 products staying connected/syncing. It’s more malware than bloatware.

I also replace the preinstalled Microsoft 365 with Microsoft 365 apps for business/enterprise.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life
Conditional access policies aren’t actually checked until after you’ve successfully signed in, which in your case is by using a username and password.

I recommend breaking out conditional access policies into multiple policies whenever possible. My MAM and MFA policies are separate.

Cyks fucked around with this message at 13:44 on Jan 29, 2024


Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life
Despite requiring number matching/strong MFA, I’ve had a couple of recent alerts of unauthorized logins that bypassed MFA (looks like session stealing) that were thankfully blocked by a foreign country CA. Course, that’s super easy to bypass and I have no idea if or how many got around it.

Think it’s about time to cut off access from any device that’s not AD joined and limit mobile devices to teams and outlook only.
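The two ideas in the posts above (keep MFA and device rules as separate conditional access policies, and require a managed device so a replayed session token from an unmanaged machine is rejected even though it already passed MFA) can be expressed with the Microsoft Graph PowerShell SDK. The following is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that Connect-MgGraph has already been run with the Policy.ReadWrite.ConditionalAccess scope, and that $BreakGlassGroupId is a placeholder for your own emergency-access group. Both policies are created in report-only mode so the sign-in logs show who would be blocked before anything is enforced.

```powershell
# Added example (not from the thread): two separate Entra conditional access policies
# built with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns),
# created in report-only mode so the sign-in logs show the impact before enforcement.
# Assumes Connect-MgGraph has been run with the Policy.ReadWrite.ConditionalAccess scope.

# Placeholder: replace with the object ID of your emergency-access (break-glass) group.
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Policy 1: MFA for all users on all cloud apps. Kept separate from the device rule so
# each can be enabled, troubleshot and given exclusions independently.
$mfaPolicy = @{
    displayName = "CA01 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 2: desktop platforms must sign in from a compliant (Intune) or hybrid-joined
# device. A stolen session token replayed from an unmanaged PC fails this check even
# though the original sign-in satisfied MFA.
$devicePolicy = @{
    displayName = "CA02 - Require managed device on Windows and macOS"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        platforms      = @{ includePlatforms = @("windows", "macOS") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

foreach ($policy in @($mfaPolicy, $devicePolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' state=$($created.State) id=$($created.Id)"
}

# After reviewing the report-only results under Sign-in logs > Conditional Access, switch
# a policy on with:
#   Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -BodyParameter @{ state = "enabled" }
```

Leaving the break-glass group excluded from both policies is what keeps a misconfigured device rule from locking every admin out, and running in report-only first is how you find the unmanaged kiosk and shared laptops mentioned earlier in the thread before they start generating tickets.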
