ZTNA Options

This is for Windows OS. We run a hybrid domain, on-prem and Azure AD.

We use VPN for remote users. We keep hitting the same wall where users either change passwords and forget them, fat-finger the password too many times, or forget to reset them and they expire, locking them out. As the old password is cached on the laptop and a VPN connection is needed to reset it, unless the user can get onto VPN (which requires a successful login), they have to bring the laptop into work and plug it in.

Is there anything out there that allows a persistent domain connection through ZTNA, even when the user is logged off, so we as admins can access that machine and work on it? Ideally, if the laptop is turned on and has an Internet connection, we want to be able to access it remotely.

We have used LogMeIn, but unless the tech already has a profile on that PC with a cached password, they can’t log in either.

A bit of a late reply, but there are a few different things going on in this question that could be solved in a few different ways with some combination of the below.

It sounds like your password reset process runs on-premises, but in a hybrid environment it is possible to do a self-service password reset through AAD as well.

There are also VPN clients, e.g., Cisco Secure Client (formerly AnyConnect), which can be configured to install a widget in the login/lock screen for signing in to a VPN prior to login.

There are also VPN clients which can run as a service on the device, which may be referred to as “device tunnel.” A version of this “always on” VPN is built in to Windows.

Intel vPro/AMT can be used for remote access and this will even work to access the UEFI or reinstall the OS, although it won’t directly help with having the admin log in to the OS, and it depends on having purchased specific hardware with this capability.

You could use LAPS to manage passwords for local administrative accounts to cover the situation where the administrator doesn’t have cached credentials.
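The "device tunnel" mentioned above is what actually closes the gap in the original question: it is established by the SYSTEM account as soon as the laptop has Internet, before anyone logs on, so a user with an expired or forgotten password can still reach a domain controller from the lock screen, and an admin can reach the machine over the management subnet. The script below is an added example, not code from this thread or from Microsoft; it creates a Windows Always On VPN device tunnel profile through the VPNv2 CSP WMI bridge (MDM_VPNv2_01). Server name vpn.example.com, the 10.10.0.0/16 route, the .corp.example.com suffix and the DNS server addresses are placeholders you must replace, and the IKEv2 server side (RRAS or a third-party gateway) must already accept machine-certificate authentication and the laptop must already hold a machine certificate from your enterprise CA.

```powershell
# Added example: create a Windows Always On VPN *device tunnel* via the VPNv2 CSP.
# Run as SYSTEM on a domain-joined Windows Enterprise/Education client, e.g.
#   psexec.exe -s -i powershell.exe -ExecutionPolicy Bypass -File .\New-DeviceTunnel.ps1
# Placeholders (assumed, replace for your environment): vpn.example.com,
# 10.10.0.0/16, .corp.example.com, 10.10.1.10 / 10.10.1.11.

$ProfileName        = 'DeviceTunnel'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

# IKEv2 with machine-certificate auth (no user credentials involved), split tunnel
# limited to the subnets where the DCs and admin jump hosts live, and a traffic
# filter so only SYSTEM processes ride this tunnel (user apps use the user tunnel).
# RegisterDNS lets admins resolve the laptop by name while it sits at the lock screen.
$ProfileXML = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>10.10.0.0</Address>
    <PrefixSize>16</PrefixSize>
  </Route>
  <DomainNameInformation>
    <DomainName>.corp.example.com</DomainName>
    <DnsServers>10.10.1.10,10.10.1.11</DnsServers>
  </DomainNameInformation>
  <TrafficFilter>
    <App>SYSTEM</App>
  </TrafficFilter>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>
'@

# The CSP takes the profile as an XML-escaped string property.
$ProfileXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'
$nodeCSPURI    = './Vendor/MSFT/VPNv2'

try {
    $session = New-CimSession

    # Delete a stale profile with the same name so the script can be re-run.
    Get-CimInstance -CimSession $session -Namespace $namespaceName -ClassName $className -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceID -eq $ProfileNameEscaped } |
        ForEach-Object { $session.DeleteInstance($namespaceName, $_) }

    $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
    foreach ($p in @(
        [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID',   $nodeCSPURI,         'String', 'Key'),
        [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $ProfileNameEscaped, 'String', 'Key'),
        [Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $ProfileXML,         'String', 'Property')
    )) { $newInstance.CimInstanceProperties.Add($p) }

    # No user-context options here: a device tunnel is created in the device context.
    $session.CreateInstance($namespaceName, $newInstance) | Out-Null
    Write-Host "Device tunnel profile '$ProfileName' created."
}
catch {
    Write-Error "Failed to create device tunnel profile: $_"
    exit 1
}

# Verify: the profile is an all-user (machine) connection. Once IKEv2 is up, the
# laptop should answer on its tunnel address from the 10.10.0.0/16 side even
# though nobody is logged on.
Get-VpnConnection -AllUserConnection -Name $ProfileName |
    Select-Object Name, ConnectionStatus, TunnelType, ServerAddress
```

Two practical caveats. First, Microsoft documents the device tunnel for Enterprise and Education editions on domain-joined machines, so check the edition before rolling it out; the profile will not appear in the user's VPN settings UI, which is expected. Second, keep the routes and the traffic filter tight: this tunnel is authenticated only by a machine certificate and is up whenever the laptop has Internet, so it should reach the domain controllers and the admin subnet and nothing else, with the user tunnel (or a ZTNA client) carrying everything that should depend on a user identity.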