Windows 10: How to Prevent Brute Force Attacks on Windows 11 Non-Domain Joined & Azure AD Joined Devices

Hello Microsoft Community,We are currently working on securing our Milestone servers running Windows 11. These devices are not domain joined, and we are looking for Microsoft-supported options to prevent brute force attacks, particularly on local login and RDP if enabled.We need to understand what built-in or supported tools and configurations are available to mitigate brute force attacks on:Non-domain joined Windows 11 devicesAzure AD joined Windows 11 devices OS: Windows 11 Pro RDP: May be enabled for remote accessNo third-party endpoint protection currently in useWhat are t

:)

 

Join Azure Ad or Local domain

We have recently migrated to Office 365 with a hybrid AD setup. I am setting up a new laptop for a user, first one since the migration, and in the original setup it had me join the Azure AD. However, I usually set these laptops up to join the local domain so the users can access the file shares. The shares are accessed via Mapped Drives from Group Policy, and being joined to the Azure AD did not map these drives. When I go to join the laptop to the local domain, I get an error saying "The device is joined to an Azure AD. To join an Active Directory domain, you must .... disconnect your device from your work or school." So there's no way to be joined to the Azure, even though its syncing with my local AD? I want the best of both worlds. What's the best way of doing that? I feel if I unjoin from the Azure AD I'm kind of going backwards, but they need access to those local file stores. Any brilliant workarounds out there? Thanks!

 

Image W10 workstations for Azure AD join?

Hi All,

I want to image Windows 10; but more importantly I need to join Azure AD 'Out of the Box'!

I don't have a 'master' Azure AD account. I am not even sure that such a thing exits, e.g.: the Administrator account on a standard Active Directory Domain.

Where should I be looking for configuration, where it comes to Azure AD automatic joining?

My thoughts are PowerShell DST! But that is just a rumour.

Any suggestions would be amazing.

Regards,

Davo

 

Join Windows 10 PC to a Domain  

That would explain it.

Active Directory is the way, the tool local domains use for user control and management. There are three different methods a user / device can join AD: joining local domain and signing in with domain credentials, joining through Azure AD and signing in with Azure AD credentials, and the "lowest level" so called workplace join, connect a local or Microsoft sign-in account to an Azure AD (workplace) account.

Joining a local domain and Azure AD basically is the same. Of course there are administrative differences from IT departement's point of view, but for the most the only difference end user sees is the sign-in credentials.

Once you have joined a local domain, you cannot join Azure AD, and vice versa. It's one or the other.

Joining Azure AD instead of joining a domain is in my opinion the future, Microsoft's clear goal being to get corporate users to move from local domains and on-premises domain controllers to Azure AD. I posted an opinion piece about that just a few days ago on my site: Secure Windows on a Secure Device Win10.Guru

Azure AD gives you two levels to join: Workplace join simply adds your Azure AD account to Windows 10 for single-sign-on to all your workplace services, but you will continue signing in to Windows with your current local or Microsoft account:




This will be shown as a connected account:




As you will continue signing in with your local or Microsoft account, you are still pretty much in control. You can use workplace services, company store and such but IT admin cannot set up any restrictions on your device. A workplace joined user / device can still join a local domain.

If you select Join Azure AD instead, your sign-in account will be changed to Azure AD account. This is shown as Azure AD joined:




Once joined to Azure AD, joining a local domain is no longer possible.

I'm not sure if the above explains this clear enough. The point is, a local domain and Azure AD effectively chooses the way you are joined to your workplace. Only one of these methods to join can be used.