Interesting question for home users.
First, the background. At my house, we have a few Win10 tablets and laptops that are shared between adults and kids. To apply different policies, we use the Client Authentication Agent and Match Known Users firewall rules. Everything else on my network is defined as client-less, so my final FW rule will pop up the Network Login if nothing else matches. This works reasonably well.
Now, the issue. My kid recently changed her Windows 10 (Microsoft Account) password and then promptly forgot what she changed it to. She tried the "I forgot my password" options, but Win10 needs to be online for any of those options to work. Even the "try using your old password" option failed, so I'm assuming those cached credentials had already been purged. I ended up logging in with my account and letting her reset her PW online, but since Win10 has no mechanism for network authentication on the sign-in screen, I had to create a temporary client-less user for one of the laptops so her account credentials could sync when she logged in. When she wants to use another laptop, I'm going to have to create yet another temporary client-less user. Rinse and repeat.
To make this smoother in the future, I'm assuming I will need to put a FW rule in somewhere that allows connections to the MS Account servers without authenticating to the XG. What I don't know is the domains that need to be allowed or the services used, though I assume it's just HTTPS. I've done some googling for the required information but came up dry. Has anyone worked through this issue yet? I'm wary of trying to capture all the info by testing, since that will require countless password changes, resets, lost-password codes, etc., which at some point may result in locking the account completely.
Thanks,
Gary