Hello SH,

Have a client that has an online EMR program/software with 10 users, all using local accounts on their laptops/PCs.

Quite a mess to make them more secure with their login process on their machines. I was thinking, since they don't have AD, to set them up with MS Entra and eventually Intune. They have MS Office Business Premium with an Azure P1 license.

All users have an O365 email with that license. We are setting up some new laptops and PCs since they have old Win 10 machines.

Question is, how do I set them up with secure logins using their O365 accounts?
Do I set up Windows Hello for Business?

3 Spice ups

So they are pure Entra, with no on-prem AD at all, correct?

They are already secure if their machines are Entra joined and you have a decent password length set. 365 should be enforcing MFA. Windows Hello takes it a step further, allowing them to sign in to their local machine with a PIN or fingerprint, and then a secure key exchange takes place rather than sending a password across.

How to set it up with Entra

1 Spice up

One thing to note: people frequently ask, how can a 4- or 6-digit all-numeric sign-on PIN be more secure than a 20-character random password?

The answer is, it's not in terms of brute forcing a local logon for the machine; however, when it comes to cloud authentication, or even AD authentication, that PIN never leaves the machine. All the PIN does is validate that someone who knows it is logging in locally to the machine with the correct information. What happens then between the machine and either AD or Entra is described in the first link of my previous reply.

2 Spice ups

@PatrickFarrell

Machines are not Entra joined or AD anything; they just have O365 business email set up.

So that is where I should start: Entra join their machines in Intune, correct?

1 Spice up

You have to be either Entra or hybrid joined to use Windows Hello for Business. Business Premium includes licensing for Intune, so you are good there.

1 Spice up
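As an added example (not code from anyone in this thread), the following PowerShell script checks the two prerequisites the replies above rely on: whether a laptop is Entra joined or hybrid joined, and whether the signed-in user already has a Windows Hello for Business key provisioned (the PIN only unlocks that device-bound key; the key, not the PIN, is what authenticates to Entra). It parses the report from the built-in `dsregcmd /status` tool. The field names `AzureAdJoined`, `DomainJoined`, `NgcSet` and `AzureAdPrt` are real dsregcmd output fields; the sample report block is constructed to show the "still on local accounts" case, and the function names are my own.

```powershell
# Added example for this thread, not code from any poster.
# Parses dsregcmd /status and reports join state and Windows Hello for Business readiness.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "Key : Value" rows; the boxed section headers and blank lines do not match
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*)$') {
            $state[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $state
}

function Test-WhfbReadiness {
    param([Parameter(Mandatory)][hashtable]$State)
    $entraJoined  = $State['AzureAdJoined'] -eq 'YES'
    $domainJoined = $State['DomainJoined']  -eq 'YES'
    $hasPrt       = $State['AzureAdPrt']    -eq 'YES'   # primary refresh token: user signed in with an Entra account
    $ngcSet       = $State['NgcSet']        -eq 'YES'   # Hello (NGC) key pair exists for this user on this device

    $joinType = if ($entraJoined -and $domainJoined) { 'Hybrid joined' }
                elseif ($entraJoined)                 { 'Entra joined' }
                elseif ($domainJoined)                { 'AD joined only' }
                else                                  { 'Not joined (local accounts)' }

    # Entra join or hybrid join is the prerequisite; Entra-only is enough for this client's setup
    $nextStep = if (-not $entraJoined) { 'Entra join the device (Intune enrolment) first' }
                elseif (-not $ngcSet)  { 'Joined, but the user has not completed Hello provisioning yet' }
                else                   { 'Ready: PIN or biometric unlocks the device-bound key' }

    [pscustomobject]@{
        JoinType           = $joinType
        EligibleForWhfb    = $entraJoined
        SignedInWithEntra  = $hasPrt
        WhfbKeyProvisioned = $ngcSet
        NextStep           = $nextStep
    }
}

# Constructed sample of a dsregcmd /status excerpt from a laptop still using local accounts.
$sampleLocalOnly = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
                AzureAdPrt : NO
'@ -split "`r?`n"

# Sample run: reports "Not joined (local accounts)" and points at Entra join as the next step
Test-WhfbReadiness -State (ConvertFrom-DsregStatus -Lines $sampleLocalOnly)

# On a real machine, feed it the live report instead:
# Test-WhfbReadiness -State (ConvertFrom-DsregStatus -Lines (dsregcmd.exe /status))
```

Running this on each of the ten laptops before and after the Intune enrolment gives a quick way to confirm the join actually took, and later that each user has finished the Hello enrolment prompt, rather than assuming it from the Intune console.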

I think your plan to move to an Entra ID joined domain is solid, but I would also investigate if the EMR supports SSO via Entra ID and look at adding that into your road map. Having a single logon across the board is a win-win for everyone.

Intune and Entra ID joining machines are two different things. But doing them at the same time will allow you to control things via Intune policies from the get-go.

I would also look into an RMM or something like Action1 if budget is tight, as it will give you better remote management than Intune. Intune is good for base policy, software deployment and things like that, but it's not great for managing Windows Update or any task that needs any sort of immediacy.

1 Spice up

It does a fair job pushing updates. It does a garbage job reporting on it. The reporting can lag a week behind sometimes. Prior to going A1, I used to use it to deploy updates in rings and it was serviceable. It's great in that if you have Intune, it's free. If you have anything better, however, use the alternative. Action1 is fantastic at this. Just bear in mind Action1 is not an RMM, and Mike will tell you that. It has some RMM features like remote control, but that's not the primary purpose of the product.

2 Spice ups

If I had a larger environment and/or budget, I'd go with SCCM or PDQ Deploy (though I really do want to see what A1 can do).

Agreed, that is why I said RMM or Action1 :slight_smile:

1 Spice up

We use Datto RMM, so all should work out fine then?

2 Spice ups