MMS Demo – User vs Device Policy Assignment



This demo shows the difference in user experience during Autopilot when the policy configurations below are assigned to a user vs a device.
Both VMs had exactly the same spec and were running through the same Autopilot profile and ESP.
The video is sped up in certain sections for brevity.

Device Guard:
Configure System Guard Launch – Unmanaged Enables Secure Launch if supported by hardware
Credential Guard – (Enabled without lock) Turns on Credential Guard without UEFI lock.
Enable Virtualization Based Security – Enables virtualization based security.
Require Platform Security Features – Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.
Local Security Authority:
Configure Lsa Protected Process – Enabled without UEFI lock. LSA will run as a protected process and this configuration is not UEFI locked.
Virtualization Based Technology:
Hypervisor Enforced Code Integrity – (Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock.
Require UEFI Memory Attributes Table – Require UEFI Memory Attributes Table
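
One way to confirm on either VM that these settings are actually in effect once it reaches the desktop, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the enrolled device, reads the Win32_DeviceGuard CIM class and the RunAsPPL registry value, and does not check the UEFI Memory Attributes Table requirement; the helper name New-Row is hypothetical.

```powershell
# Added example: report whether the VBS-related policies are active on this device.
# Run from an elevated PowerShell prompt after the device has finished enrolling.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Win32_DeviceGuard returns UInt32 values; cast to [int] so comparisons and
# hashtable lookups against integer literals behave as expected.
$vbs      = [int]$dg.VirtualizationBasedSecurityStatus
$running  = @($dg.SecurityServicesRunning    | ForEach-Object { [int]$_ })
$required = @($dg.RequiredSecurityProperties | ForEach-Object { [int]$_ })
$vbsText  = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'enabled and running' }

# LSA protection: RunAsPPL 1 = enabled with UEFI lock, 2 = enabled without UEFI lock
# (the value 2 is honoured on Windows 11 22H2 and later).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name RunAsPPL -ErrorAction SilentlyContinue
$ppl = if ($null -ne $lsa) { [int]$lsa.RunAsPPL } else { 0 }

# Hypothetical helper that builds one row of the report.
function New-Row($Setting, $Active, $Detail) {
    [pscustomobject]@{ Setting = $Setting; Active = $Active; Detail = $Detail }
}

$svc = "SecurityServicesRunning = $($running -join ',')"
$report = @(
    New-Row 'Enable Virtualization Based Security' ($vbs -eq 2) $vbsText[$vbs]
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch
    New-Row 'Credential Guard'                     ($running -contains 1) $svc
    New-Row 'Hypervisor Enforced Code Integrity'   ($running -contains 2) $svc
    # Secure Launch only starts where the hardware supports it, so False on a VM
    # is not necessarily a policy failure.
    New-Row 'Configure System Guard Launch'        ($running -contains 3) $svc
    # RequiredSecurityProperties: 2 = Secure Boot, 3 = DMA protection
    New-Row 'Require Platform Security Features' `
            (($required -contains 2) -and ($required -contains 3)) `
            "RequiredSecurityProperties = $($required -join ',')"
    New-Row 'Configure Lsa Protected Process'      ($ppl -eq 2) "RunAsPPL = $ppl"
)

$report | Format-Table -AutoSize
```

Running it on both VMs after they hit the desktop shows whether the user-assigned policies had applied by that point or are still waiting on a reboot.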

Time Stamps:
00:00:00 – Initial Login
00:00:16 – Device Setup begins
00:00:37 – Apps begin installing
00:00:50 – User VM transitions from Device to User ESP Phase
00:01:35 – Device VM transitions from Device to User ESP Phase
00:01:48 – Device VM reboots
00:02:00 – Device VM re-requests user credentials. User VM prompts for MFA to configure WHfB
00:02:20 – User VM requests WHfB PIN
00:02:30 – User VM hits desktop
00:02:51 – Device VM prompts for MFA to configure WHfB
00:03:00 – Device VM requests WHfB PIN
00:03:05 – Device VM hits desktop
