Windows Hello for Business Cloud Kerberos Trust | Part 1

The blog post discusses the deployment of Windows Hello for Business via the Cloud Kerberos Trust deployment model. Windows Hello for Business uses methods like cloud Kerberos trust for user authentication. Advantages include simplified deployment, reduced infrastructure, enhanced security, and seamless user experience. It involves setting up a Kerberos server object for cloud Kerberos trust, installing the Azure AD Hybrid Authentication Management module, and creating the Kerberos server object using Windows PowerShell.

Download the Microsoft Defender for Identity sensor

The Microsoft Defender for Identity (MDI) sensor can be downloaded from the Microsoft 365 Defender portal. The MDI sensor installation package is the same for Domain Controllers, ADFS and ADCS. If you have previously downloaded the package, you can use this for the installation, although I would recommend downloading the latest version for any new deployments.

Microsoft Defender for Identity | Enable NTLM Auditing

If you recently deployed Microsoft Defender for Identity on your Domain Controllers and haven't gone through all the prerequisites, you may find that you receive health alerts indicating NTLM Auditing is not enabled. You can also enable NTLM Auditing on your Domain Controllers if you are planning to deploy Microsoft Defender for Identity.

Field Notes: Service running with gMSA account not starting

I recently deployed a new Active Directory Forest in my lab on Windows Server 2022. I wanted to configure the Microsoft On Demand Assessments for Active Directory and also needed to deploy Microsoft Defender for Identity (MDI). I wanted to use a Group Managed Service account to run these instead of a normal service account. …

How to Enroll a Huawei Device in Intune

In May 2019, then-United States President Donald Trump announced that Huawei, along with several other Chinese companies, was now on something called the Entity List. Companies on this list are unable to do business with any organization that operates in the United States. This made the lives of administrators difficult, to ensure that these devices …

How to use the Intune Group Policy Analytics Migration Tool

In my blog post "Using PowerShell to create Windows 10 Custom Device Policy from the output of Endpoint Manager Group Policy Analytics" (Azure Cloud & AI Domain Blog, azurecloudai.blog), we looked at using PowerShell to assist with GPO migration. Today we have a new migration tool available in the Microsoft Endpoint Manager admin center and we …