Intune Microsoft 365
ludwig  

Pre-deployment, with a touch of magic.

Okay, here’s the deal. You’ve got a new computer to set up for Karen, your favorite (read: very particular) employee. Let’s be real: Karen needs everything to be just right, or you’ll be hearing about it for days.

Your trusty Autopilot pre-deployment? Nah, that’s not gonna cut it. Karen’s too special for that one-size-fits-all approach. You need to do the whole setup for her.

So, What Now?

First off, we’re not about to ask Karen for her password (because that’s just weird, and we should never ever ever ask a user what their password is!), and we’re also not resetting her password (because annoying her isn’t on today’s agenda). So how do we get into the new machine and set it up without stepping on any password toes?

Enter: TAP – Temporary Access Pass

This little gem is your golden ticket. A TAP is a time-limited passcode that you generate in Entra ID for one specific user (fancy, right?). It expires on its own, it can be set to one-time use, and—wait for it—it counts as strong authentication all by itself, so it satisfies MFA without any other method being registered. It's like the cheat code of IT. The flip side: anyone holding that code can sign in as that user until it expires, so treat it exactly like a password, keep the lifetime short, and hand it over out of band.

Now, TAP is mainly designed for browser sign-ins to Entra: onboarding a new user to passwordless methods, or getting someone back in when they've lost their phone. But here's the kicker: with Web sign-in enabled on the device, you can use a TAP at the Windows lock screen too, and that's how we set up the new machine. More on that magic later. First, let's dive into some tech-y goodness and get this bad boy enabled.

Step 1: Enable TAP (Because, Duh, It Doesn’t Work Without It)

To enable TAP, here’s your step-by-step:

1. Head to the Entra admin center -> Protection -> Authentication methods -> Policies.

2. Click on Temporary Access Pass.

3. Set it to Enabled, and target either all users or a group (the group of admins who actually onboard people is the sensible choice).

4. On the Configure tab, set the minimum, maximum and default lifetime, the pass length, and whether passes are one-time use. Short and one-time is the safe default; this is a credential that skips MFA, remember.

That's it. Boom, TAP is live. Let's keep the ball rolling.

Step 2: Generate the Magic (aka TAP)

Now that TAP is all set up, let’s generate one for Karen so you can get her machine sorted without ever asking for her password (or even resetting it—because no one’s got time for that). Here’s how you do it:

1. Go to Karen’s user profile in Entra.

2. Press "Authentication methods" (make sure you're on the new user authentication methods experience; the old one is on its way out).

3. Add a new method, and from the dropdown, select TAP.

4. Set the lifetime (and, if you let the policy allow it, whether it's one-time use), hit Add, and bam—TAP is generated.

Heads up: Make sure you note that key! You'll only see it this one time, so don't let it slip away into the void. And since it's as good as Karen's password plus MFA until it expires, don't e-mail it to her: read it out in person or on a call, and keep the lifetime just long enough to get the job done.
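If you would rather script Step 1's check and Step 2's pass creation than click through the portal, here is an added example (not code from the original post) using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the admin running it holds a role allowed to manage authentication methods (Authentication Administrator or Privileged Authentication Administrator), and it uses a placeholder UPN. It verifies that TAP is enabled in the tenant policy, revokes any unexpired pass the user already has, then issues a one-time, 60-minute pass and shows it once.

```powershell
# Added example (not from the original post). Requires the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Identity.SignIns) and an admin who may manage
# authentication methods. The UPN and lifetime below are placeholders.
#Requires -Modules Microsoft.Graph.Identity.SignIns

param(
    [string]$UserPrincipalName = 'karen@contoso.example',  # placeholder user
    [int]$LifetimeMinutes = 60                               # keep it short
)

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'Policy.Read.All' -NoWelcome

# Step 1 check: TAP must be enabled in the tenant's authentication method policy.
$tapPolicy = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'TemporaryAccessPass'
if ($tapPolicy.State -ne 'enabled') {
    throw "TAP is '$($tapPolicy.State)' in the authentication method policy. Enable it first (Step 1)."
}

# The lifetime limits are type-specific properties, so the SDK parks them in AdditionalProperties.
$maxLifetime = $tapPolicy.AdditionalProperties['maximumLifetimeInMinutes']
if ($maxLifetime -and $LifetimeMinutes -gt $maxLifetime) {
    throw "Requested lifetime of $LifetimeMinutes min exceeds the policy maximum of $maxLifetime min."
}

# Don't leave passes lying around: revoke any existing TAP on the user before issuing a new one.
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName | ForEach-Object {
    Write-Warning "Revoking existing TAP $($_.Id) created $($_.CreatedDateTime)"
    Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName `
        -TemporaryAccessPassAuthenticationMethodId $_.Id
}

# Step 2: create the pass. One-time use plus a short lifetime bounds the damage
# if the code leaks, because a TAP on its own satisfies MFA.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName -BodyParameter @{
    lifetimeInMinutes = $LifetimeMinutes
    isUsableOnce      = $true
}

# The pass value is returned exactly once; Entra never shows it again.
[pscustomobject]@{
    User       = $UserPrincipalName
    Pass       = $tap.TemporaryAccessPass
    StartsAt   = $tap.StartDateTime
    ExpiresAt  = $tap.StartDateTime.AddMinutes($LifetimeMinutes)
    OneTimeUse = $tap.IsUsableOnce
}
```

Run it as the onboarding admin, read the `Pass` value to whoever is sitting at the new machine, and let it expire. If the machine setup slips, issue a fresh pass rather than creating long-lived ones up front; the revoke loop at the top keeps the user at a single live pass.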

Step 3: Make TAP Work on Windows Devices

Alright, we’ve got TAP ready to roll, now let’s make it work on Windows. Here’s where you flex your Intune skills:

1. Go to the Windows section in the Microsoft Intune admin center.

2. Create a new configuration profile.

3. Choose Windows 10 or later, and then go to Settings Catalog.

4. Name it something catchy, like “Windows – Enable Web Sign-In.”

5. Search for "Enable Web Sign In" (it lives under the Authentication category), select it, and set it to Enabled. On a supported build of Windows 11 this adds a "Web sign-in" option to the lock screen, and that's where the TAP goes.

Pro Tip: Assign It Right

Scope it out as needed and assign it where you want—but remember, it has to be assigned to a device group since, well, Karen hasn't logged in yet and a user-targeted profile won't reach a machine nobody has signed in to. The profile also has to land on the device before anyone tries the Web sign-in option, so put it on a device group the new machine is already in (your Autopilot devices group, for example) rather than adding the device by hand afterwards. Don't make the rookie mistake of assigning it to the user.

Final Note: Only Entra ID Joined Devices Allowed

Important: This slick trick only works on devices that are Microsoft Entra joined (cloud-only). Hybrid joined setups? Nope, Web sign-in won't work there. But honestly, who's still running hybrid setups in 2024? If you're in that camp, it might be time to consider the modern world of Entra ID-only devices.
Most of the reasons to run hybrid joined machines are gone. User authentication to on-premises resources works just fine from an Entra joined device (even when using WHfB or other non-password logins) if you follow this guide: Cloud Kerberos Trust and Windows Hello for Business.
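Before you send Karen to the machine, it is worth confirming the three things the Web sign-in trick depends on: the device is Entra joined and not hybrid joined, the Intune "Enable Web Sign In" setting from Step 3 has actually arrived, and the OS build is new enough. The following is an added pre-flight check, not code from the original post. It runs in an elevated PowerShell on the new device. Two things in it are assumptions you should verify against current Microsoft documentation: that MDM-delivered policy values appear under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device, and that build 22621 (Windows 11 22H2) is the minimum for Web sign-in with a TAP.

```powershell
# Added example (not from the original post). Run elevated on the new machine.
# Assumptions: MDM policy values are mirrored under the PolicyManager registry
# key below, and build 22621 (Windows 11 22H2) is the minimum supported build.

function Get-DsregValue {
    # Pull one "Name : Value" field out of dsregcmd /status output.
    param([string[]]$Lines, [string]$Name)
    $m = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}

function Test-WebSignInReadiness {
    $r = [ordered]@{}

    # 1. Join state. dsregcmd is the authoritative source on the device itself.
    $dsreg = dsregcmd /status
    $azureJoined  = Get-DsregValue -Lines $dsreg -Name 'AzureAdJoined'
    $domainJoined = Get-DsregValue -Lines $dsreg -Name 'DomainJoined'
    $r.EntraJoined  = ($azureJoined -eq 'YES')
    $r.HybridJoined = ($azureJoined -eq 'YES' -and $domainJoined -eq 'YES')  # hybrid = both

    # 2. Did the settings catalog profile from Step 3 arrive? (assumed registry location)
    $polKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
    $val = (Get-ItemProperty -Path $polKey -Name EnableWebSignIn -ErrorAction SilentlyContinue).EnableWebSignIn
    $r.WebSignInPolicy = if ($null -eq $val) { 'not applied' } elseif ($val -eq 1) { 'enabled' } else { 'disabled' }

    # 3. OS build (assumption: 22621 = Windows 11 22H2 is the floor).
    $r.Build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $r.BuildSupported = ($r.Build -ge 22621)

    # Ready only when every precondition holds.
    $r.Ready = $r.EntraJoined -and (-not $r.HybridJoined) -and
               ($r.WebSignInPolicy -eq 'enabled') -and $r.BuildSupported
    [pscustomobject]$r
}

Test-WebSignInReadiness
```

If `WebSignInPolicy` comes back as `not applied`, the profile is most likely assigned to the wrong group (user instead of device) or hasn't synced yet; `HybridJoined` being true means you are on a hybrid device and this approach won't work at all.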

That way the user can still authenticate to file shares, internal web servers and even, God forbid, printers.

Actually, if you set that up, the user never has to know their actual password. You can hand them a TAP on their first day; because the TAP counts as strong authentication, they can use it to set up Windows Hello for Business, register MFA and enroll their phone. Everything else should be able to run passwordless.
Imagine that…

Anyways, that’s it! You’ve got Karen’s machine all set up, without resetting a password or even asking her what it is. Now she can get straight to work (and you can bask in the glory of having avoided a major password headache).
