I'm curious about how support teams go about setting up new computers for users when it comes to managing their passwords. It's clear that having access to a user's password can streamline processes like configuring Microsoft 365 accounts and personalizing their profiles. Do you typically change their passwords after setting up the computer, allowing them to update it later? Or do you have them physically log in and type their passwords themselves? We aim to provide as much assistance as possible to minimize follow-up support calls, but this approach makes it necessary for tech staff to know the network passwords. I appreciate any insights!
7 Answers
Using Autopilot for setups is great, and I make sure to implement MFA for user authentication and app deployment through Intune and the Company Portal. Also, don’t forget about configuring LAPS for better security management!
I utilize SSPR with the users' mobile numbers and personal emails, deploying devices with Autopilot/Intune and doing soft tests prior to shipment. Apps are categorized into mandatory and elective, which helps reduce the hassle during setup.
There's generally no need to log in as the user beforehand. Most setups can be automated, so consider what might actually need to be customized before handing over the device. It simplifies things quite a bit.
What I do is set everything up, then ship the laptop. I log in with a local admin account powered by LAPS, and have the user join the device to the Entra domain with their credentials. This way, Intune picks it up. After rebooting, I guide them to save their BitLocker key, verify their login, and ensure everything works. It's a quick 15-minute session where I help them through the process and confirm their MFA setup is correct and that they can change passwords without issues.
Just to clarify, when you mention "network password," are you leaning more towards the M365 passwords? If so, temporary access passwords are a good solution. They allow users to log in and then change their passwords securely later.
Autopilot with Intune is the way to go. For new hires, we assign them a default password that they have to change during their first login, which keeps things secure. It's critical that support staff don't have access to user passwords. If they happen to find out a password during a support session, the user should change it immediately afterwards.
I have users log in with their credentials, authenticate via MFA, and set a temporary PIN that we both know. Once I finish the setup, they change that PIN to something secure before taking over the device.
Totally agree, but in SMBs, implementing this can be trickier.