Can anyone point me toward a best practice to deal with shared laptops using Pre-Boot Authentication?
We are required to enable the PBA screen on all mobile devices. The issue is, let's say we have a laptop assigned to a conference room - I can add ALL domain users, ... not a problem. But what happens when this PC sits in the closet in the conference room for 7 months and the user has changed their AD password 4 times since then?
Is it any different if the laptop is being used, even if by someone else during the time frame User A originally signed in and authenticated - and 7 months down the road if User A tries to log in to a machine that has been used regularly by User B, C, D, E, etc.?
I'm afraid I will have users doing the initial logon with 12345 on multiple machines and also having potentially different answers to different challenge questions all over our environment.
All the credentials, for all allocated users, are synced whenever the machine does an ASCI - it's not just the current user's creds.
So your scenario won't be an issue, as every time anyone logs in, or any time it does an ASCI, it will be looking for credential updates for every possible user.