Passwordless + Autopilot + Preview builds in Update rings ≠ True

Microsoft have been advocating passwordless for a long time and we (me, colleagues at Coligo, friends and others working with security in the Microsoft area) are pushing more and more customers towards passwordless. The most obvious reason for going passwordless is improved security, but it can and will also mean an increased user experience. However, there is a problem in the modern world which still lingers and negatively impacts the user experience.

Modern deployment meaning Autopilot and Intune

Organizations staying at the top of game is not using only passwordless but also Autopilot and Intune. Using Autopilot without the ESP page is not really an option, so I see this as a requirement for most organizations and use cases. That means blocking the device until “everything” is deployed to the device. This is also where the problem kicks in.

The problem: Update rings containing devices

The problem is with update rings when using Windows Update for Business or Autopatch (which by the way are in the process of being merged together). If the update ring has the setting “Enable pre-release builds” set to Enabled in combination with the update ring being targeted to devices, this causes a forced reboot during the Autopilot process. The setting behind the scene is the ManagePreviewBuilds CSP.

Enabling this setting breaks the passwordless flow, as the user will have to go through a second round of passwordless authentication before ultimately reaching the desktop, causing potential service desk calls and causing a bad user experience.

History

This problem has been around for a long time and still exist in Windows 11 24H2 which has just been released. Two additional problems are that the current release of Windows 11 24H2 breaks web sign-in (step 5 below) and that is really troublesome as these users will be forced to going back to using passwords!

Also, the coming feature to automatically have Windows updated during OOBE will likely break this passwordless flow, but fortunately I think we will see controls for the Windows updates during OOBE.

However, it would be best if Microsoft could just make sure to make sure that (new) features do not interfere with the passwordless authentication flow in the first place, of course.

Let’s look at the difference in flow during Autopilot

Below is an illustration of difference in flow and how the user targeted update rings mean a better user experience!

Autopilot with update rings targeted to devices, and having preview builds enabled.Autopilot with update tings targeted to users, and having preview builds enabled
1. OOBE sign-in with passwordless phone sign-in (could also be FIDO2 or certificate for instance).



2. ESP page kicks in.



3. Reboot occurs during Device setup due to update ring target groups containing devices and having preview builds enabled.



4. Windows welcome screen – passwordless authentication flow is broken.



5. Sign in with for example TAP or passwordless phone sign-in to continue (using web sign-in).



6. Windows Hello for Business enrollment.



7. Desktop.

1. OOBE sign-in with passwordless phone sign-in (could also be FIDO2 or certificate for instance).



2. ESP page kicks in.



3. Windows Hello for Business enrollment.



4. Desktop.








































Root cause and workarounds?

Applying this configuration, i.e. ManagePreviewBuilds should not warrant a forced reboot. The fix to this issue is something Microsoft must fix.

Potential workarounds are to keep using Windows Update for Business Update Rings (or Autopatch) targeted to devices, and to keep devices that should be running a preview build in a separate group which is excluded from all regular update rings. Then target update rings with preview build specifically to groups containing users instead.

What about upcoming Windows Autopilot device preparation?

The new “Autopilot 2.0” which is called Windows Autopilot device preparation do not have this problem (for the moment). The flow is a bit different from Autopilot and the Enrollment Status Page so let’s keep this under monitoring as device preparation evolves. For the moment there are quite a few things missing before we can start migrating away from Windows Autopilot to Windows Autopilot device preparation.

Summary

Reducing necessary (or unnecessary) reboots should be top of mind to fix, and if not easily fixed we should be able to control this and make a decision of our own instead of having a reboot forced upon us.

Whenever new features are built from scratch, or changed, two very strict guidelines should apply;
1) Do not force reboots upon anyone (or let organizations control this behavior).
2) Do not break the passwordless flow and keep it intact to keep a secure and user-friendly experience.

Field report: ~5 years with an ARM based Windows 10/11 Surface device

It is now almost 5 years since I got my current device, the ARM based Surface Pro X SQ1 device. I’ve been using it as my primary work device since then, although much work has also been conducted on other devices for the customers I work with. Still, I’ve used my Surface Pro X almost every day for soon 5 years.

This report is meant to help shed some light on the ARM platform, and aid in hopefully clearing out some questions marks for users or organizations looking to purchase ARM based devices, for instance any of the new Surface Pro or Surface Laptops devices with Snapdragon X Plus or Snapdragon X Elite processors released in 2024.

History – Windows 10 and ARM

When I got my Surface Pro X device back in the days, Windows 11 was not available, so I started out with Windows 10 on ARM. Back then, there were to be honest quite a few things that did not work, which hindered me in performing my work.

The biggest problem was that x64 applications did not run at all! That included the 64-bit Microsoft 365 Apps for Enterprise as well as 64-bit compiled PowerShell modules which are used to manage Microsoft 365 and Azure resources. Thankfully, these obstacles are since Windows 11 was released a memory of the past!

Windows 11 bring ARM devices to a useable level

As soon as I upgraded to Windows 11 on my Surface Pro X it was a new world opening – and the obstacles I previously had was long gone. With Windows 11, there is x64 emulation meaning basically any application will run without problems, including the PowerShell modules I previously had problems running and also running Microsoft 365 Apps for Enterprise on 64-bit.

Since the release of Windows 11, more and more features have been enabled over time, bringing Windows 11 on ARM to an almost feature-complete Windows if you compare it to the Windows 11 64-bit edition that is used on some 99%+ devices globally.

Limitations of Windows 11 on ARM

So, while there are no blockers for me to do my daily work, there are some limitations that you might want to be aware of.

Windows feature / componentLimitation / problemComments from the field
Drivers and hardware Drivers for both hardware as well as software needs to have a driver compiled for the ARM64 platform. This might include printers, VPN software, antimalware applications and such.The only application I personally have encountered problems with is the Camtasia screen recorder application. There are also quite a few vendors of third party antimalware solutions that do not (currently) support the ARM platform. Note: If you are invested on the Microsoft Defender platform, you are all good!
For some more information on compatibility with antimalware and VPN solutions, scroll down to “A growing Arm ecosystem…” in this blog post Available today: Windows Dev Kit 2023 aka Project Volterra – Windows Developer Blog
For hardware, the printers I have used have had ARM64 drivers (although they are not listed on the mopria.org site).
Hyper-V VMsYou can create and run Hyper-V virtual machines on Windows on ARM. However, you cannot run the x64 versions of Windows as guest OS in the VMs and are limited to Windows on ARM.This is a rather small limitation for me, and typical end-users will not even know what Hyper-V is. Virtualization based security features in Windows is fully supported.
Games, Windows Fax and Scan and moreMicrosoft has an official list of what could pose problems on ARM, see Windows Arm-based PCs FAQ – Microsoft SupportExcept the limitations I mention above, I have not seen any of the other problem that Microsoft describe in the article over the almost five years that I have used my ARM device.

ARM platform is expanding

Over the last years we have seen more and more ARM compiled versions appearing, for instance of Microsoft Teams, Company Portal app and Adobe Photoshop.

Also, the number of devices based on ARM have increased over the years and most major computer manufacturers have ARM devices to choose from. With the introduction of Copilot+ devices in 2024 the ARM platform is expanding even more.

One of the biggest changes with Windows 11 was the introduction of x64 emulation for applications. This has been improved even further in Windows 11 24H2 with significant improvements to performance with the new Prism emulator.

Management, ISO files, installation and recovery of the devices

One the biggest limitations is the lack of official installation media (ISOs) for Windows on ARM. That means, every time I need to wipe my Surface Pro X I will have to download the 10GB recovery file, put it on a USB stick and recover.

After that I will be on Windows 10 1803 which means to get to Windows 11 24H2 I will have to run a number of Windows Update passes, with hours and hours to go until I am on the latest Windows release. This is the area where Microsoft can do a lot better! There are ISOs for Insider builds however.

When it comes to management of ARM based devices, there are some things to take into consideration, for instance regarding application deployment. Apart from that management of ARM devices are more or less the same as any Windows device, at least if you are managing them using Intune. If you are using Configuration Manager, have a look at this article. My strongest recommendation is though, to use Intune to manage your ARM devices!

If you want to have a great summary of what management and deployment of ARM (Surface devices) mean, read Deploy, manage, and service ARM-based Surface devices.

Devices that (typically) does not make a sound

One of the biggest advantages which I have not mentioned yet is that the device is completely silent, and it has not given away one slightest sound over these three years. Fan-less, yet still enough powerful to do information work and being very mobile with the built in support for 4G/LTE (and newer devices which support 5G).

Although the “no noise” thing is true for my Surface Pro X (SQ1) I recommend you look this up for the particular model you potentially will be purchasing as some ARM based devices do have a fan.

ARM based devices generally use little energy and thereby produce little heat and with that often do not need any fans that generate noise.

Summary and recommendation

The ARM platform is definitely mature enough to put in hands of end-users and have many advantages over traditional processor platforms. All the security features of Windows are there (and also Defender for Endpoints) and basically all applications work, especially if you are using the Microsoft 365 suite.

Will I choose an ARM based device again when the Surface Pro X support come to an end and the new Copilot+ devices are available with 5G? The answer to that question is “yes, absolutely!”. Do I recommend end-users or organizations to try or evaluate ARM based devices? Yes, you should start today! As always, you need to test and make sure everything the end-users needs is working, before you do any broader deployments of ARM based devices.

To summarize, an ARM based device is user friendly with typically no noise and long battery times due to low energy consumption, and can also be kept as secure as any other device.

Efficient Windows troubleshooting: Identifying relevant event logs with Process Monitor

When doing troubleshooting one of the best places where you will find clues about the problem is in the Event Viewer logs. And when doing research on what is going on in the background when performing certain actions in Windows, the Event Viewer will come in handy.

The challenge with Event Viewer is that there are hundreds of log files, and how do you know which one(s) to investigate?

In this blog post you will learn:

  • How to use Process Monitor to figure out which the relevant event logs are, for instance when doing troubleshooting or figuring out what a specific action does in the background when researching solutions in Windows.

Method to find the relevant event logs

All event logs which are found in Event Viewer are basically files named <EventLog>.evtx and are located in C:\System32\Winevt\Logs. The key takeaway from this first part is the .evtx file ending.

The tool to use next is my favorite tool when it comes to troubleshooting and learning about stuff in Windows; and the tool is Process Monitor from Sysinternals (owned by Microsoft).

Process Monitor will gather thousands of rows of data within seconds, and this is where filtering comes in.

Crash course in Process Monitor

This is my standard procedure when using Process Monitor. Download Process Monitor if you do not already have it available.

  1. Start Process Monitor.
  2. Press Ctrl + E to pause recording events.
  3. Press Ctrl + X to clear out all events.

Adding the filter for identifying the event Logs

Now, to be able to identify the Event logs files that are of relevance to troubleshooting or to a specific action that you perform, using filters is the key in Process Monitor:

  1. In Process Monitor, press Ctrl + L to get to the filters.
  2. In the first drop down menu choose Path followed by contains in the next drop down and last enter .evtx
  3. Make sure Include is selected and click Add and OK.

Identify the relevant logs

Now you can prepare the troubleshooting step(s) or the action you want to perform and when you are ready for this:

  1. In Process Monitor, press Ctrl + E to start recording.
  2. As quickly as possible, now reproduce the problem or perform the action you want to know more about.
  3. Go back to Process Monitor and hit Ctrl + E to stop recording. Voila, you now have the relevant event logs to further investigate.

After you have the list above, you know exactly what event logs are being written to and you can do further analysis of these. Fire up Event Viewer – and happy hunting! 😊

Examples

Some examples when I’m using this method performing troubleshooting or researching in Windows:

  • Troubleshooting failed Store app installation.
  • How can I find what event logs are used when plugging in a FIDO2 security key so that I can add a scheduled task to trigger on a certain event to lock the machine when unplugged?
  • What log files are written to when doing a Sync with Intune?

Summary

Using Process Monitor to find the relevant event logs is a quick and efficient way to locate where to look next for more details. This applies to both troubleshooting and when researching the inner workings of Windows and figuring out what is going on in the background.

Enhance user experience by automatically relaunching apps and recovering unsaved data after a Windows restart

The Windows features I am covering in this article will give the following end-user benefits.

  • Improved user experience by:
    • having the applications that were open prior to restart automatically opened again after restart.
    • increasing productivity by letting the users continue their work instantly after having their device Windows patched.
  • Reducing the risk of data loss in applications in case of (unexpected) device restart.

Introduction to restartable applications

Windows 11 (and Windows 10) offers a feature that allows users to automatically restart apps and start them automatically when they sign back in after a device restarts. This will enhance productivity by ensuring that users can quickly resume their work after a restart, and also get back potentially unsaved data in some applications.

Examples of some of the most common and popular applications

The below table lists which applications that by default are automatically restarted when you enable the setting “Automatically save my restartable apps and restart them then I sign back in”. The rightmost column is a note if you manually enable each application to “survive” a device restart and what the user experience is in that scenario.

ApplicationAutomatically restarted Unsaved data restoredManual activation of “Register this program for restart” *
Adobe Acrobat ReaderApplication restarted but files do not re-open and thereby no data is restored (for instance in PDF forms).
Adobe PhotoshopApplication restarted but does not remember open file.
GitHub DesktopApplication not restarted.
Google ChromeN/AN/A
Microsoft 365 Apps (Outlook, Word, Excel, OneNote etc.)✅ (partly Microsoft 365 Apps feature)N/A
Microsoft EdgeN/AN/A
Microsoft Notepad✅ (Notepad feature)N/A
Microsoft PaintN/A
Microsoft PowerShell ISE✅ (PowerShell ISE feature)N/A
Microsoft Registry EditorN/AN/A
Mozilla FirefoxN/AN/A
Outlook (new)N/A
Spotify (Store app)N/AN/A
WhatsApp (Store app)N/AN/A
WiresharkApplication restarted but does not remember unsaved state.
Visual Studio CodeApplication restarted and data restored.
VLC Player (MSI install)Application restarted but does not remember open file.
Zoom WorkplaceApplication restarted.

* Right click an EXE file and choose Compatibility and then check Register this program for restart.

Although some applications have their own mechanisms to recover data after an application is “killed”, enabling the setting to re-launch to some extent increases the chances of recovering and saving the data that was worked on.

The settings are found under Accounts > Sign-in options

For manual testing and verification, the settings in focus of this blog post is found in Settings > Accounts > Sign-in options.

Configure “Automatically save my restartable apps and restart them then I sign back in” via Intune

Configuring this setting centrally via Intune ensures that all users in an organization benefit from this feature without needing to configure it manually.

Create the following as a PowerShell script and via Intune push out as a Script (make sure it is deployed in user context as it will write to HKEY_CURRENT_USER):

PowerShell
$Path = "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$Name = "RestartApps"
$Type = "DWORD"
$Value = "1"
Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type

Additional user experience improvement with enabling Automatic Sign-in after Windows patching

ARSO (Automatic Restart Sign-On) has been around for many years but is unknown to most Windows users and admins. This feature basically means that whenever you have installed Windows patches and the device reboots, the currently logged in user’s credentials will (securely) be used to automatically log the user in after reboot, while locking the screen.

The user experience gained is obvious. Whenever patch reboot happens, many users tend to perform other tasks or simply take a coffee. When ARSO is enabled and the user gets back, he or she will not have to wait for everything to load before being able to use the device and can start working instantly.

This feature in combination with enabling “Automatically save my restartable apps and restart them then I sign back in” makes the user experience even so much better.

Configure Automatic Restart Sign-On via Intune

The Automatic Restart Sign-On settings are available as a Settings catalog in the two settings:

  • Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot.
  • Sign-in and lock last interactive user automatically after a restart.

Note: The sub-setting “Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot (Devices)” will enable you to use this mode only if BitLocker is in Enabled state.

More information about this: Winlogon automatic restart sign-on (ARSO) | Microsoft Learn

Automatically save my restartable apps and restart them then I sign back inthe equivalent to “shutdown /g

The shutdown command has a “new” switch which is the /g switch:

Additional information and details on “Register this program for restart”

Let’s say you want an application to automatically start again after reboot, if it was running when the device was restarted, you can use central tools to push this out to all devices. What you need:

  1. Windows ADK, Download and install the Windows ADK | Microsoft Learn and specifically “Application Compatibility Tools” within Windows ADK.
  2. Using Compatibility Administrator (32 och 64-bit depending on what application architecture you are building the compat fix for). You can per EXE use “RegisterAppRestart” which is the equivalent to checking this on an EXE file by going to Properties > Compatibility.
  3. Distribute the database/compatibility shim and apply it using the good old sdbinst.exe command.

Security concerns?

In everything we do in IT configuration management today, we should think about how this potentially impacts our security posture. There are no exceptions to this, so let’s see what the implications can be by enabling these two features:

Automatically save my restartable apps and restart them then I sign back in

Enabling this feature could pose as a risk as being used by malicious persons to achieve persistence on a device. Similar examples are available in the MITRE framework, Persistence, Tactic TA0003 – Enterprise | MITRE ATT&CK® . Always do your own assessment.

Sign-in and lock last interactive user automatically after a restart

User credentials are stored on disk temporarily so could be a concern. Microsoft have some security recommendations in their ARSO documentation, but like I mentioned, do your own assessment. Yes, any device can potentially be stolen. Does this mean that ARSO increase the risks of compromise or not, or make the device or credentials easier to compromise? In case of stolen device, there are other concerns, assumptions and measures you would take action on so back to the question, do ARSO increase the risk of compromise? Not necessarily! As always, using BitLocker with PIN will mitigate quite a few attack vectors.

Summary

Enabling Automatically save my restartable apps and restart them then I sign back in and Sign-in and lock last interactive user automatically after a restart will save time for everyone using a Windows device and at the same time it will reduce the risks of data loss. Now, if only more applications could support it.

Recommendations for moving away from deprecated enterprise features in Windows 10 and 11

Microsoft are deprecating features in the Windows client at a quicker pace than ever, and some of these are more or less broadly used in organizations. Some of the most common ones that are now deprecated are WMIC, VBscript, TLS 1.0 and 1.1, PSR, Update Compliance and WebDAV. Some great although less used features that are deprecated lately are Defender Application Guard for Edge and Office and Windows Information Protection. Let’s have a look at what this means and what possible replacements there are!

No need to panic!

Before going into alternative solutions, keep in mind that the definition of deprecated means that the feature is no longer developed and might be removed from a future Windows version. Thus, there is absolutely no need to panic. My recommendation is to start planning for moving away from features that are deprecated, and with that communicating this information to all relevant stakeholders.

Common features in organizations that are now deprecated

This is a table of the more or less commonly used features within organizations, with potential alternative solutions.

Deprecated featureOrganizational impact from my personal viewAlternative solutions
WMICHave you ever used or still use for instance “wmic csproduct get name” or “wmic bios get serialnumber“? Those classic commands are still very much used by some and will soon be removed from out of the box in Windows.Use PowerShell is the alternative solution! More at WMI command line (WMIC) utility deprecation: Next steps | Windows IT Pro blog (microsoft.com).
Microsoft Defender Application Guard for OfficeOnly a few organizations have implemented App Guard for Office unfortunately. As it has also been a Microsoft 365 E5/E5 security add-on feature this has not had the best basis for broad use. Microsoft recommends Attack Surface Reduction (ASR) and I agree with that. I would add to that to use Defender for Endpoints which means extra scanning of documents coming from emails or internet through web browsing. See Safe Documents for more info.
Microsoft Defender Application Guard for EdgeAlthough this s a super secure browsing experience, I do not know a single organization that used this. It adds significant administration and high end-user impact so the feature never made it out into organizations.Use Edge security recommendations found in Microsoft Edge for Business security whitepaper.
Problem Steps Recorder (PSR.exe)A few organizations use this and have instructed end-users to record problems and attach to service desk. Some organizations (have) use(d) PSR to create guides.Snipping Tools which not only offers creating an image of the desktop now also offers video recording possibilities is a personal favorite and I strongly recommend everyone to use this. In the new release you can also add shapes to highlight your screen shots!
WebDAV ClientWebDAV is very much still used in many organizations. I last came in contact with this just before Xmas last year where users have the need to map on-premises SharePoint document libraries to Windows Explorer.Possible alternative solutions:
1. Moving to SharePoint Online is obvious but currently many organizations cannot do that for confidential information.
2. Enable and use Map SharePoint on-premises using OneDrive for Business.
VBscriptI have not come across any organization that do not use VBscript at all, but to be honest on more recent years most VBscripts are replaced by other means. The popular MDT (Microsoft Deployment Toolkit) which has been used by thousands or organizations over the years is still much in use and contains thousands of lines of code in VBscript.For those VBscript solutions that are still there, consider migrating them to other languages such as PowerShell. Also note that VBscript is still available as a Feature on Demand.

If you are using MDT, see this eminent guide from my fellow MVP and former colleague Johan Arwidmark.
TLS 1.0 and 1.1I think most know that TLS 1.0 and 1.1 are considered unsecure, and that anything using TLS 1.0 or 1.1 should have moved to using TLS 1.2 a long time ago. However, this is far from the case as TLS 1.0 and 1.1 are still requirements in several Line of business applications and other critical systems in organizations.Windows clients and servers will have no problems with disabling TLS 1.0 and 1.1. Line of business applications are the problem area.

Handle this with basic Application Lifecycle Management, and make sure application owners and vendors become aware of the problem and make a plan for moving to TLS 1.2 or later.
TroubleshootersTo be honest, the built-in troubleshooters in Windows that has been around since Windows 7 are not used that much in my experience. It is sad though because they offer some basic troubleshooting stuff.What I will miss are the PowerShell scripts behind the troubleshooters, which have proven to be very valuable when doing “automated troubleshooting”. Retain whatever you can from C:\Windows\diagnostics\system before these are removed.
Windows Information ProtectionBeing able to protect your company data is essential and I think a lot of organizations use Intune App Protection for iOS and Android. Under that same section was Intune App Protection for Windows, which is essentially “Windows Information Protection”.

However, although a good feature not many, to say no organizations, deployed this feature in production.
If you are looking to protect company data on your Windows devices, you should have a look at and implement Endpoint Data Loss Prevention as part of Purview.
Update ComplianceI have helped numerous customers over the years to implement Update Compliance to keep track of Windows quality and feature updates, even as a compliment if the customer is already using Configuration Manager or WSUS.Anyone using Update Compliance or want more insights into patching as a compliment should enable Windows Update for Business Reports as this adds additional value!

Sources for deprecated features and more information:

Enable the passwordless experience in Windows 11 to enhance identity security

Going passwordless should be the goal for anyone who cares about security and preventing identity and cyber attacks. It is possible to be almost 100% passwordless using Microsoft passwordless technologies. However, even if you have moved to not using your password, the password options are still available at Windows sign-in and also within Windows when signed in. It is now possible to reduce the password use in Windows.

New passwordless experience options available in Windows 11

One big step towards truer passwordless experience is to set the policy named EnablePasswordlessExperience. This will give you the following benefits:

  • No password sign-in option on the default Windows sign-in screen.
  • The primary user of the device sees only non-password sign-in options, and can only sign into the device using:
    • Windows Hello for Business.
    • FIDO2 security keys.
    • Web sign-in, which in turn uses either Temporary Access Pass (TAP) or the Authenticator app.
    • Smart cards.
  • No password options within Windows, when for instance elevating as administrator (UAC prompts).
    Note: You can still use runas to elevate with password as well as use the password for a local admin account (such as when using Windows LAPS).
  • The password setting option is removed from Settings > Accounts > Sign-in options.

This will mean that once this new setting is enabled, any user who used to use passwords is now much more likely to sign into Windows with anything else than the password. You can find more about this CSP setting at learn.microsoft.com: Authentication Policy CSP – Windows Client Management | Microsoft Learn.

Password credential provider is hidden from certain UI part of Windows

The reason why I say much more likely to sign in with anything else other than password is that the EnablePasswordlessExperience setting means that the password credential provider is only hidden on the Windows “primary user” sign-in screen.

That means that there are a number of ways to still use passwords in Windows, which is for example required to make sure for instance remote support through help desk is still a viable option:

  • Clicking Other users on the sign-in screen will allow the user to sign in using a password, as the password credential provider is enabled there.
  • Password use is available in Remote Desktop Connections and for web sites in Microsoft Edge.
  • Password can be used with runas to elevate with password as well as use the password for local admin accounts (such as when using Windows LAPS
  • Password change can still be accessed from Ctrl+Alt+Delete prompt.

Pre-reqs:

Currently, the following operating systems support the new setting EnablePasswordlessExperience:

Configuration

The Enable Passwordless Experience settings are configured via Intune and are available in the Settings Catalog and this is how I recommend that you configure this new feature:

  • Enable Passwordless Experience is set to Enabled. This will in practice remove the password credential provider from the aforementioned parts of the Windows UI.
  • Enable Web Sign In is set to Enabled. This will show the “globe” as a sign-in option on the sign-in screen and acts as fallback for logging in if Windows Hello for Business sign-in fails, or if an administrator needs to sign into the device.

UI changed when passwordless is enabled

When these two settings are enabled, the password credential provider is removed from some UI elements, as well as introducing the web sign-in “globe” on the sign-in screen.

Sign-in screen

At the sign in screen, this is where we have maybe the most benefit of enabling the passwordless experience. The reason is that the option to sign in using password is gone! This will certainly reduce the use of password to sign in. At the same time you see the globe which can be used to sign in when or if Windows Hello for Business fails.

UAC Elevation Prompt

When trying to elevate as admin, UAC kicks in. With the passwordless experience enabled, you will only see passwordless options + the ability to use any local admin account (with password). This is to make sure that help desk for instance can still help via remote connections. The important thing is that the typical end users cannot choose any password options. Basically, this means that there is no option “Use a different account”.

Extra #1 – Interactive logon: Require Windows Hello for Business or smart card policy

Just to get this new passwordless experience one step further, I tried the good old policy setting Interactive logon: Require Windows Hello for Business or smart card policy to Enabled. The idea was to also prevent circumventing the “Other users” trick and disable password use even there, as well as completely in Windows.

But no, that setting will not allow you to sign in with Web Sign-in (which is working by design) so that means the setting is useless unless you can live with having no “back door” into your computers if authentication fails or there are problems.

Extra #2 – Excluding the password credential provider all together

To really go passwordless already, you can enable the more hardcore passwordless option that has been in Windows 10 and 11 for some time. It is the ExcludedCredentialProvider setting ADMX_CredentialProviders Policy CSP – Windows Client Management | Microsoft Learn.

This means that you can disable the password credential provider all together in Windows, leaving no room to use a password anywhere within Windows. This might sound good at first thought but will likely mean trouble for remote help for instance by help desk staff, as they will not be able to elevate as admin when needed.

Extra #3 – KQL Kusto Query to find out who are signing into Windows using passwords

The following query is something I use all the time, and it lists how many times your users sign into a Windows device using password. This is useful for “smoking out” password use at Windows sign-in but also in general in Microsoft 365, with a slight modification.

Kusto
SigninLogs
| where Resource == "Microsoft.aadiam" and AppDisplayName == "Windows Sign In"
| extend authenticationMethod_ = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod)
| extend succeeded_ = tostring(parse_json(AuthenticationDetails)[0].succeeded)
| where authenticationMethod_== "Password" and succeeded_ == "true"
| extend authenticationStepDateTime_ = todatetime(tostring(parse_json(AuthenticationDetails)[0].authenticationStepDateTime))
| extend displayName_ = tostring(DeviceDetail.displayName)
| extend trustType_ = tostring(DeviceDetail.trustType)
| extend deviceId_ = tostring(DeviceDetail.deviceId)
| summarize Count = count() by displayName_, Identity

Thanks to Michael Hildebrand for this blog for being a good inspiration on KQL and dashboards in this topic: Azure AD Sign-in Logs + Workbooks = Know Who is Using Windows Hello for Business – Microsoft Community Hub

Extra #4 – Single Sign-On to on-premises resources

When signing into Windows with Windows Hello for Business or security keys, you do not have single-sign on to on-premises resources such as file shares, printers or applications. By enabling Azure AD Kerberos you enable single sign-on using security keys and by settings an Intune setting to use Windows Hello for Business Cloud Trust, you enable single sign-on using Windows Hello for Business.

Summary

The Enable Passwordless Experience that has been added to Windows 11 is a great step in the right direction of becoming fully passwordless, at the same time as not interfering with remote help and support. Anything that can be done to reduce the use of passwords is simply great!

Sidenote: If you use security keys with multiple identities, you have probably learned that when trying to sign into Windows it will sign you in with the last written identity on the security key. If you like me want to be able to choose which identity to sign in with, please upvote this Windows Feedback item!

Troubleshooting an application that crashes in Windows – a few tools, tips and tricks

This blog post is an example of a problem I encountered the other day in a project I am in. An application that is used by a part of the business is installed properly but crashes. I thought I’d share some tips and tricks based on this troubleshooting, a troubleshooting which turned out to be a true sunshine story.

Problem

A ClickOnce application is installed in Windows 10 and 11 but when trying to start the application it never starts and instead silently crashes.

Investigation

As always when something crashes, more details can be found in the Event Viewer. The event ID 1000 lists some very general information:

Faulting application name: X.Y.Client.WpfClient.exe, version: 1.0.0.0, time stamp: 0x565f048b
Faulting module name: KERNELBASE.dll, version: 10.0.25357.1, time stamp: 0xc0dc8053
Exception code: 0xe0434352
Fault offset: 0x0014e0a4
Faulting process id: 0x0x473C
Faulting application start time: 0x0x1D9824B72D664C7
Faulting application path: C:\Users\andre\AppData\Local\Apps\2.0\KP6YOQBZ.QBT\10VX2RL2.D3R\X...tion_ae3633e36a16d69b_0004.0000_6d9d02277ead5c24\X.Y.Client.WpfClient.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll

This in turn gives me nothing more to go on so next thing to do to get more information is to enable crash dump file generation for application crashes (or any other crashes apart from Windows crashes which already have dump files generated each time Windows crashes).

Enable crash dumps

Go to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting

First Create a key named LocalDumps so that you end up with this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps

Then in the LocalDumps registry key create these three registry values:

Name: DumpFolder
Type: REG_SZ
Value: C:\CrashTemp

Name: DumpCount
Type: REG_DWORD (32-bit)
Value: 10

Name: DumpType
Type: REG_DWORD (32-bit)
Value: 2

Restart the service named “Windows Error Reporting Service” and then start the application and note the DMP file created in the location that you specified above.

Analyze crash with WinDbg

Now we can analyze the DMP file with the classic tool Windows Debugging Tools. This is available in Windows ADK and SDK but the easiest way is to install WinDbg (Preview) via Store (or publish to Company portal). You can also use the winget command to install WinDbg by using “winget install 9PGJGD53TN86“.

Start WinDbg and then open the DMP file and choose:

!analyze -v

We can then clearly see some interesting exceptions:

Key  : CLR.Exception.System.ArgumentException._message
Value: Source property was not set before writing to the event log.
Key  : CLR.Exception.System.Security.SecurityException._message
Value: The source was not found, but some or all event logs could not be searched.  Inaccessible logs: Security.

This, plus the below entries also found as a result of analyzing the DMP file, clearly points toward event logs and specifically the security event log.

STACK_TEXT:
00f8eedc 64b54041 System_ni!System.Diagnostics.EventLogInternal.WriteEntry+0x16bc4d
00f8ef0c 649e53f9 System_ni!System.Diagnostics.EventLog.WriteEntry+0x19
00f8ef18 0314223b X_Y_Client_Business!X.Y.Client.Business.Logger.WriteToLog+0x103
00f8f034 0314211d X_Y_Client_Business!X.Y.Client.Business.Logger.WriteToLog+0x25

Process Monitor for the win!

To figure out what is going on I turn to my personal favorite tool named Process Monitor, a tool that has helped me troubleshoot and learn stuff about Windows for many years.

In Process Monitor, I did a simple recording and filtered on “Access denied”. The application process showed one access denied entry.

The application need read permissions on the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\security 

Said and done, I set users to “Read” on the registry key and started the application again. It crashed still.

I did another trace with Process Monitor and this time it showed that read/write permissions was required on the registry key above security. Strange, but I set Users to Full Control on the registry key referenced:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

I once again tried to start the application and after that, the application started! Note: The good(?) thing is that after first start, one can revert the permissions to default permissions and the application still work. More investigation is needed in this area.

Summary

A few tools, tips and tricks were involved in this troubleshooting, and I hope to inspire others to use these tools and methods in their own troubleshooting in day-to-day work. My next step now is to contact the developers of the application and point out the rather strange problem, and hopefully get the problem fixed.

Field report: 3 years with an ARM based Windows 10 / Windows 11 device

NOTE: This blog post has been replaced as of September 2024 by a new version based on almost 5 years with an ARM based Surface device.

It is now exactly 3 years since I got my current device, the ARM based Surface Pro X SQ1 device. I’ve been using it as my primary work device since then, although much work has also been conducted on other devices for the customers I work with. Still, I’ve used my Surface Pro X almost every day.

This report is meant to help shed some light on the ARM platform, and aid in hopefully clearing out some questions marks for users or organizations looking to purchase for instance the Surface Pro 9 which comes both with an Intel processor as well as a Microsoft SQ3 (ARM) processor.

Windows 10 and ARM

When I got my Surface Pro X device Windows 11 was not available, so I started out with Windows 10 on ARM. Back then, there were to be honest quite a few things that did not work, which hindered me in performing my work.

The biggest problem was that x64 applications did not run at all! That included the 64-bit Microsoft 365 Apps for Enterprise as well as 64-bi compiled PowerShell modules which is used to manage Microsoft 365 and Azure resources. Thankfully, these obstacles are now a memory of the past!

Windows 11 bring ARM devices to a useable level

As soon as I upgraded to Windows 11 on my Surface Pro X it was a new world opening – and the obstacles I previously had was long gone. With Windows 11, there is x64 emulation meaning basically any application will run without problems, including the PowerShell modules I previously had problems running and also running Microsoft 365 Apps for Enterprise on 64-bit.

Since the release of Windows 11, more and more features have been enabled over time, bringing Windows 11 on ARM to an almost feature-complete Windows if you compare it to Windows 11 the 64-bit edition that is used on some 99%+ devices globally.

Limitations of Windows 11 on ARM

So, while there are no blockers for me to do my daily work, there are some limitations that you might want to be aware of.

Windows feature / componentLimitation / problemComments from the field
Drivers (hardware and software)Drivers for both hardware as well as software needs to have a driver compiled for the ARM64 platform. This might include printers, VPN software, antimalware applications and such.The only application I have encountered problems with is Camtasia screen recorder application. However, there used to be some manual work needed to get Adobe Photoshop installed, manually uninstalling Visual C++ runtimes, and then installing the ARM based Visual C++ runtimes. For hardware, the printers I have used have had ARM64 drivers.
Update March 14, 2023: For some more information on compatibility with antimalware and VPN solutions, scroll down to “A growing Arm ecosystem…” in this blog post Available today: Windows Dev Kit 2023 aka Project Volterra – Windows Developer Blog
Microsoft Defender Application GuardThis virtualization based feature of Windows is not available on Windows on ARM.This is too bad as I really like having the Application Guard feature protecting Office documents that come from the internet zone.
Update March 14, 2023: Since the blog post was written, David Weston announced on Twitter that Application Guard for ARM is here (unclear though what build you need to be on).
Hyper-V VMsYou can create and run Hyper-V virtual machines on Windows on ARM. However, you cannot run the x64 versions of Windows as guest OS in the VMs and are limited to Windows on ARM.This is a limitation for me – but although the Surface Pro X can run not only Hyper-V but also Android apps via Android Subsystem, the performance of the devices is just not fitted for running all these performance-demanding virtualization stuff.
Games, Windows Fax and Scan and moreMicrosoft has an official list of what could pose problems on ARM, see Windows Arm-based PCs FAQ – Microsoft SupportExcept the limitations I mention above, I have not seen any of the other problem that Microsoft describe in the article over the three years that I have used my ARM device.

ARM platform is expanding

Over the last year or so we have seen ARM compiled versions of Microsoft Teams and then also Company Portal app appearing. There are probably more examples, but these are what comes to mind.

Also, the number of devices based on ARM have increased over the years and most major computer manufacturers have ARM devices to choose from.

Management, ISO files, installation and recovery of the devices

One the biggest limitations is the lack of installation media (ISOs) for Windows on ARM. That means, every time I need to wipe my Surface Pro X I will have to download the 10GB recovery file, put in on a USB stick and recover.

After that I will be on Windows 10 1803 which means to get to Windows 11 22H2 I will have to run a number of Windows Update passes, with hours and hours to go until I am on the latest Windows release. This is the area where Microsoft can do a lot better! There are ISOs for Insider builds however.

When it comes to management of ARM based devices, there are some things to take into consideration, for instance regarding application deployment. Apart from that management of ARM devices are more or less the same as any Windows device, at least if you are managing them using Intune. If you are using Configuration Manager, have a look at this article.

If you want to have a great summary of what management and deployment of ARM (Surface devices) mean, read Deploy, manage, and service ARM-based Surface devices.

Does not make a sound

One of the biggest advantages which I have not mentioned yet is that the device is completely silent, and it has not given away one slightest sound over these three years. Fan-less, yet still enough powerful to do information work and being very mobile with the built in support for 4G/LTE.

Although the “no noise” thing is true for my Surface Pro X (SQ1) I recommend you look this up for the particular model you potentially will be purchasing.

ARM based devices generally use little energy and thereby produce little heat and with that often do not need any fans that generate noise.

Summary and recommendation

As I see it, the ARM platform is mature enough to put in hands of end-users. The security features of Windows are there (except for Application Guard which very few use) and basically all applications work, especially if you are using the Microsoft 365 suite.

Would/will I choose an ARM based device when the Surface Pro X support come to an end? The answer to that question is “yes, absolutely!”. Do I recommend end-users or organizations to try or evaluate ARM based devices? Yes, you should start today! As always, you need to test and make sure everything the end-users needs is working, before you do any broader deployments of ARM based devices.

Smart App Control vs Application Control in a cloud-native world

Smart App Control is a new feature in Windows 11 22H2 that allows only certain trusted, verified and reputable executables, DLL files and MSI installers to run. Anything not trusted will be blocked from running. This leaves us with a very high security posture.

Microsoft says this feature is intended for consumers and small businesses – and recommends larger organizations and enterprises to use Defender Application Control, which uses the same technology in the background, and has been available since the launch of Windows 10.

This blog post covers Smart App Control versus Defender Application Control in a cloud-native world, where Windows devices are connected only to Azure AD and Intune.

Background

One thing to start with – forget AppLocker as it is too weak and has too many flaws. We need something more secure that also includes anything running on the machine, regardless of user space vs kernel space and also applies to local administrators. At the same time, it must be hard to circumvent which is true for both Smart App Control and Application Control. AppLocker is too easy to circumvent, for instance by using a trusted process by AppLocker to load a malicious DLL file. See a number of examples on AppLocker bypasses here.

High-level overview

Smart App ControlApplication Control
Target audienceConsumers and small businesses.Organizations and enterprises.
ModesOn (Block), Evaluation (Audit), Off.Audit or Block mode.
ExceptionsNo exceptions possible – you are 100% in hands of Microsoft control and deciding what is trusted and reputable.You can create exceptions; however, it involves a certain amount of administration and manual work.
EnablementOnly for fresh deployment/installations, or resets of Windows 11 22H2.Any given time – whenever you choose to deploy it.

Goal is to set On (Block) mode, but first Evaluation (Audit) mode

Whenever enabling a technology that will effectively block stuff, it is highly recommended to first assess the situation obtaining intel about what would happen if we set a feature like this in On or Block mode.

So, our goal is without a doubt to first audit and collect information that we can use to evaluate how enabling either Smart App Control or Application Control in block would work. This is the focus to come, when we look at options on enabling audit/evaluation mode.

At the same time, we need to weigh in that running in audit mode gives us no raised security, it will only collect information. The sooner we can enable Block or On mode, the better.

Options to enable via Intune

Smart App ControlApplication Control (AppLocker CSP)Application Control (ApplicationControl CSP)
TechnologyRegistry value1.Endpoint Protection configuration profile (uses AppLocker CSP in background).Using Custom OMA-URI configuration profile using ApplicationControl CSP.
Mode of allow control featuresDefault Allow Microsoft binaries + Intelligent Security Graph (reputable binaries) + Microsoft recommended driver block rules + Microsoft recommended block rules (with exception of what is noted here)Default Allow policy in Audit or Block mode. “Optional” to use Intelligent Security Graph (reputable binaries), but if you want it to work and not block you from working you MUST use Intelligent Security Graph. Custom policy which might contain any number and type of rules, including Intelligent Security Graph.
Managed installerNo, not available.No, not available.Yes, this is possible. You can set Intune agent as Managed Installer to trust everything that comes through Intune. However, Managed Installer can only be applied via a custom created AppLocker XML file which must be applied with an AppLocker PowerShell command, plus the Application Control must use option 13 which is the “Managed Installer” enable switch.
RebootNo, not when applied but requires a reboot to take effect.When applied it forces a reboot of the computer, both in audit and block mode. This breaks ESP (Enrollment Status Page) when using Autopilot. No, not when applied, but needs a restart to take effect (unless you specify option 16 when creating the policy).

1 Registry value to configure Smart App Control is found in HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy. The DWORD value named VerifiedAndReputablePolicyState can be set to 0 = Off, 1 = On or 2 = Evaluation.

AppLocker CSP vs ApplicationControl CSP

The big difference is that the AppLocker CSP always requires a forced reboot, which means we cannot use it in practice when doing Autopilot and using the Enrollment Status Page. That leaves us with manual configuration of Application Control via ApplicationControl CSP, which is the most secure option where you are in total control. The only problem is that this involves many manual steps, and this surely needs a user interface (in Intune).

“WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only”

https://learn.microsoft.com/en-us/windows/client-management/mdm/applicationcontrol-csp?source=recommendations

Example policies and check if policy is applied

You can check what policies are applied, if any on your computers, by looking at two places in the file system. If only one single policy is applied, which is the case if using Application Control with AppLocker CSP, it will be found in the below directory and names SIPolicy.p7b:

C:\Windows\System32\CodeIntegrity\CIPolicies

However, if multiple policies are applied, which is the case if you applied Smart App Control or using ApplicationControl CSP with base and supplemental policies, they will be found in:

C:\Windows\System32\CodeIntegrity\CIPolicies\Active

You can also start msinfo32.exe and see the current configuration.

Caption from msinfo32.exe

Analyzing potential impact of Smart App Control or Application Control

Regardless of if you enable Smart App Control in Evaluation mode or Application Control in audit mode, you can and must follow-up in Microsoft 365 Defender portal (https://security.microsoft.com). This is where you find everything you need to get an overview of the current situation.

Timeline

If you go to a specific device in the Defender portal (https://security.microsoft.com), you can explicitly see the actions by Application Control (and Smart App Control).

Device timeline showing block actions for this particular device.

KQL – Advanced hunting

To be able to get the big picture in a larger organization we need to use advanced hunting to get all the information we can about the audit events.

Smart App Control or Application Control in Evaluation / Audit mode

Use the following KQL query to list everything that would be blocked if switching the Smart App Control to On or Application Control policy to Block mode.

DeviceEvents
| where ActionType == "AppControlCodeIntegrityPolicyAudited"

Smart App Control or Application Control in On / Block mode

Use the following KQL query to list everything that is noticed by users that is blocked when running in On or Block mode.

DeviceEvents
| where ActionType == "AppControlCodeIntegrityPolicyBlocked"

To execute these KQL queries, head over to security.microsoft.com and go to Hunting > Advanced hunting and run the query and note the results, see below example:

Blocked actions, i.e. files that were prevented from being executed.

Getting from audit / evaluation mode to Block / On

Getting from Evaluation mode to On when using Smart App Control is technically easy – but the limitation is that you cannot create any exceptions if necessary. This basically means that you will be forced to live with some things being blocked, provide other means of delivering that app such as via Cloud PC, or simply disabling Smart App Control. In the best of worlds, having Smart App Control in On mode from day 1, let it be only for some or almost all devices is a huge security gain.

Getting from Audit mode to Block for Application Control requires some work as you will have to create the baseline policies and test, test and test before deploying full scale.

Something to note here as well is that when using Application Control, it is a strong recommendation to have the policies signed with a code signing certificate to provide the best security, i.e. protect the policy or policies from tampering by users or administrators. The code signing recommendation also adds some complexity to the process and routines around handling the signing itself.

Summary

I agree with Microsoft that Smart App Control is limited when it comes to exceptions and that Application Control is the superior technology to use. However, as it looks right now, there are no shortcuts to using Application Control and for most organizations, the threshold to pass to get to a block mode today is extensive and very time-consuming. At the same time, there are technical implementations that break most Autopilot scenarios which is not OK to step aside from.

What I really like about Smart App Control is that you get it for free when fresh installing or obtaining Windows 11 22H2 machines, having the ability to easily turn on the protection mechanism that will truly protect your devices. And you can start monitoring from day 1, and with minimum effort easily enable the protection mechanism.

The big drawback of Smart App Control is that you cannot make any exceptions if something is blocked and you want to allow it, that is very obvious. In this scenario you would have to disable Smart App Control or present the application to the users in another way, via for instance Azure Virtual Desktop where you could publish the application as a remote application.

So, what Microsoft should provide are the tools that will help IT departments to enable Application Control. There must be an easy way via Intune to 1) making sure we have an easy way of defining the Intune agent to become a managed installer and 2) making it easy to create a great baseline policy, and 3) making it easy to create supplemental policies whenever something needs to be allowed (as an option to deploying the binary via the Intune agent).

Cloud PC (Windows 365): “Another user is signed in. If you continue, they’ll be disconnected. Do you want to sign in anyway?”

If you try to connect to a Cloud PC (Windows 365 device) you can see the below message:

“Another user is signed in. If you continue, they’ll be disconnected. Do you want to sign in anyway?”

The root cause

This happens if you have configured Web Sign-in CSP policy to be Enabled.

Resolution

Make sure that the Web Sign-in CSP is disabled or not being set at all to start with.