DeviceCraft Digest

Weekly update on Microsoft devices and services

7 March 2021

Passwordless security keys now generally available

Nearly 2 years ago, in July 2019, Microsoft released security-key-based authentication in public preview. The security keys are based on the FIDO2 standard (“Fast IDentity Online”), developed by the FIDO Alliance industry association.

This week Microsoft announced the general availability of FIDO2 security key authentication under the guise of “passwordless authentication is now generally available”.

Passwordless sign-in has been available since at least 2018 with biometric authentication via Windows Hello for Business (WHfB); however, WHfB has various limitations that security keys address:

  • WHfB requires a TPM on the client PC (when using the recommended Hybrid Key Trust deployment model); security keys do not.
  • WHfB fallback PINs are tied to a device, so a user with several devices ends up with several unrelated PINs, while a security key PIN is tied to the security key itself.
  • WHfB on shared devices supports a maximum of 10 WHfB enrollments, while security keys have no such limitation.

FIDO2 compatible security keys are available from various providers. An example key from YubiKey (pictured) starts at $45.

Adding to the above announcement is a significant new feature called Temporary Access Pass. Combined with a security key, this enables a user to never know their password (the TAP, see pictured, enables the initial registration of a security key, which from that point forward can be used to sign in to a machine). The service is in public preview.

Edge Sleeping tabs rolling out, along with Vertical Tabs

Sleeping Tabs, released in December with Beta 88, will now be made available in the Stable version 89 release. Analysis by Microsoft during Beta testing shows that a sleeping tab uses 26% less CPU on average than a non-sleeping tab. It also reduces memory usage by 16% on average. Note that sleeping tabs appear to be enabled by default, and this may cause undesired re-authentication prompts with corporate applications; if this is of concern, see our previous advice on the policy settings available to prevent certain sites from sleeping.
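As an added example (not part of the original newsletter), the following PowerShell sets the machine-scope Edge policy SleepingTabsBlockedForUrls locally, which is the setting that exempts listed sites from sleeping. Edge reads list policies as string values named "1", "2", ... under the policy's registry key. The URL patterns are constructed placeholders; the function names are this example's own. The script must run elevated, and in a managed fleet the same policy would normally be delivered via Group Policy or Intune rather than written directly.

```powershell
# Added example: exempt corporate sites from Edge Sleeping Tabs by writing the
# SleepingTabsBlockedForUrls policy list to the machine-scope policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\SleepingTabsBlockedForUrls'

# Constructed placeholder patterns; replace with the sites whose sessions
# must stay alive (the second entry uses Edge's [*.]domain pattern form).
$ExemptSites = @(
    'https://intranet.example.com',
    '[*.]example.com'
)

function Set-EdgeSleepingTabsExemptions {
    param(
        [Parameter(Mandatory)][string[]]$Sites,
        [string]$Key = $PolicyKey
    )
    # Create the list key if it does not exist yet
    if (-not (Test-Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    # Clear stale entries so the list reflects exactly what is passed in
    foreach ($name in (Get-Item $Key).Property) {
        Remove-ItemProperty -Path $Key -Name $name
    }
    # Write entries as REG_SZ values named 1, 2, 3, ...
    $index = 1
    foreach ($site in $Sites) {
        New-ItemProperty -Path $Key -Name $index -Value $site `
            -PropertyType String -Force | Out-Null
        $index++
    }
}

function Get-EdgeSleepingTabsExemptions {
    param([string]$Key = $PolicyKey)
    # Return the configured patterns in list order, or nothing if unset
    if (-not (Test-Path $Key)) { return @() }
    $item = Get-Item $Key
    $item.Property | Sort-Object { [int]$_ } | ForEach-Object { $item.GetValue($_) }
}

Set-EdgeSleepingTabsExemptions -Sites $ExemptSites
Get-EdgeSleepingTabsExemptions
```

After running it, open edge://policy in the browser and reload policies; SleepingTabsBlockedForUrls should show the listed patterns with status OK, and tabs on those sites will no longer be put to sleep.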

Vertical Tabs have been announced as generally available this month (pictured), a simple change but so much more usable in my view.

Configuration Manager March 2021 Technical Preview release

Configuration Manager Technical Preview 2103 has been released. Key features delivered include:

  • Updates to enable TLS 1.2 for new Cloud Management Gateway (CMG) deployments
  • PowerShell cmdlet updates
  • Updates so that Tenant Attach devices merge antivirus exclusions when targeted by more than one antivirus policy
  • Community hub support (available within the Configuration Manager console – see pictured) for sharing configuration baselines.

Tenant Attach provides a low friction option to adopt cloud management

Before Tenant Attach, the stepping stone to cloud management was co-management (enrolling Configuration Manager devices into Intune), which is a significant exercise for large enterprises. In contrast, Tenant Attach enables Configuration Manager devices to be uploaded using an almost trivial process. Tenant Attach enables access to a subset of cloud management features, such as Endpoint Analytics and Event Timeline, which were released during 2020.

New Endpoint Analytics page for Microsoft Productivity Score

In case you missed it, last November Microsoft Productivity Score was released to give organisations insight into both people and technology experiences. Productivity Score includes data from Exchange, SharePoint, OneDrive, Teams, Word, Excel, PowerPoint, OneNote, Outlook, Yammer, and Skype, and also from Endpoint Analytics. The latter uses telemetry from Configuration Manager or Intune to identify application and hardware issues, and includes options for proactive remediation scripts.

Previously, Endpoint Analytics insights were not available to roles with Productivity Score access; that has now been rectified (pictured).

Known Issue Rollback: a new capability to roll back Windows update issues

Known Issue Rollback provides a method to roll back non-security Windows update issues that have been identified by Microsoft. KIR has been around for some time for user-mode processes; however, with Windows 10 version 2004 or later, KIR now supports all non-security Windows updates, including kernel-mode changes.

So what does this mean? Well, if Microsoft identifies a non-security Windows update issue, it will be automatically resolved for computers using Windows Update or Windows Update for Business. For computers updating using alternative methods, Microsoft will publish a Group Policy to resolve the issue; an example is posted within the “Known Issues” section of KB4550945. Thus, future non-security Windows update issues should have graceful known issue rollback options, so long as you have Windows 10 version 2004 or later.

Microsoft 365 App admin capabilities continue to improve

Various capabilities that organisations using Microsoft 365 apps will want to know about:

  • Preview of Microsoft 365 Apps Inventory, providing information on app versions, including the most-installed add-ins, and security update status by device.
  • Microsoft 365 Apps Servicing Profile options to pause/resume deployments and to skip specific periods such as holidays. Currently in preview and only for Monthly Enterprise Channel.
  • Microsoft 365 Apps Servicing Profiles can control rollback to a previous version and also skip an upcoming update (see picture).

Windows Update for Business receives new controls and capability for driver and firmware updates!

For organisations using or considering using Windows Update for Business there are significant new capabilities for delivering Windows updates:

  • approve and schedule update content
  • stage deployments over a period of time
  • automatically hold updates from devices that Microsoft machine learning predicts are likely to have issues
  • manage driver and firmware updates just like feature updates and quality updates (this is a huge announcement as, to date, most admins had to use a deployment tool such as SCCM to manage driver and firmware updates, or just ignore those updates altogether)
  • integration with Microsoft Endpoint Manager

The Windows Update for Business deployment service will release in preview in the first half of 2021 for Azure AD joined and Hybrid Azure AD joined devices covered by a Microsoft 365 or Windows 10 E3 user license.

Universal Print now generally available

Universal Print, the cloud-based print server service, is now generally available after about a year in private preview. The service fills a nice gap for organisations wanting to retire on-premises servers but lacking a print server solution. Included in the announcement is a teaser for the future capability to print from mobile devices.