@@M365tunes Yes, indeed.

That's a pretty easy one to solve as long as your DC's aren't too old. kzbin.info/www/bejne/bGesY4Nsjc-Hr7s

Hi, thanks for your message. I need to put together some material for hybrid solutions, I usually focus on cloud-only.

@@bearded365guy I've deployed WHfB in a hybrid environment (legacy machines are AD DS, newer ones Entra joined deployed with Intune) and the AD DS setup was very confusing!

@@johnrhines3473 thanks for reply, considerating my lab, still confused with Mr Microsoft about hybrids ad D's , ad FS which mostly documentations is based for AdFs and no AdDs or at least mentioned. Based on your other intune projects I have successfully listed my devices into M entra Id. I appreciate that.

@@ashishantony4752 It would allow you to enter your password.

When configuring WHfB it will prompt to create a pin for just such a reason

@@macm3086 Yes, let’s do it.

This is not for MFA for cloud apps right? It's MFU multi factor unlock? Right?

@@JerryM365 i am talking about Office 365 Multi-factor authentication on the portal. According to the article, it was originally planned to expire in September 2024, but it appears that the date has now been moved to September 2025 of next year.

@@LukedeCroes Deployment of Windows Hello for Business in hybrid is a whole new ball game. I might cover this in future video.

Google: Microsoft Entra Connect Sync. It purports to sync your cloud accounts (Microsoft Entra, aka Azure Active Directory) to your on-prem Active Directory.

Google Microsoft Entra Connect Sync. It purports to sync your cloud accounts (Microsoft Entra, aka Azure Active Directory) to your on-prem Active Directory.

Microsoft Entra Connect Sync

Yup we have exactly the same issue, so i turned it off for now and users are back to regular passwords

Yes, I don’t want to make it too complex so users forget. This isn’t a password….

@@Sergio-Here-In-Community The multi-lock I describe in this video is MFA. Also, Microsoft class WHfB as MFA too. The PIN is tied to the device. So the hacker would need the device and the PIN to log on. That’s why it is stronger.

I also have questions about how this would work with accessing mapped drives.

@@chriso1523 Yes…. I’ve obviously focussed on cloud-only deployment here.

Doesn't Microsoft 365 / Entra have a hybrid sync capability for both account authentication and policy deployment (CM + Intune)?

Cloud-stored biometrics. I very much like that idea.

Yeah, with WHB you Finger/Face/PIN are just unlock factors for a key stored in TPM. This is why WHB is technically Multifactor even without using Multifactor unlock. There are solutions which offer similar function, RFID login, login with Security Keys, and software credential providers like solutions from Idemeum and CyberQP, where the login screen just shows a QR code, and the user wanting to login scans it with an app on their phone.

it not secured because biometric keys are not changing; look nomidio, it is promising

@@bloodstallion It depends which deployment method you’re going for….

@@JerryM365 Yes, the MFA unlock is for the device.

@@bearded365guy thank you and one more doubt, Can we achieve it via cloud trust deployment ??

@@crocaliph It will fall back on PIN number and then password…..

You can also use a TAP (Temporary Access Pass) sign-in, which is classed as a MFA sign-in, to allow initial access to setup biometrics, then, when they next sign in, they can use those biometrics. TAP is setup in Entra > Protection > Authentication Methods, then added via Entra > Users > User > Authentication Methods > Add authentication method. Note 1: Entra Joined devices only. Note 2: Web sign-in must also be enabled and deployed. Note 3: TAP can also be used during Windows setup if you want a true end-to-end passwordless experience. No passwords were harmed during the creation of this comment.

@@artin1641 If you’re using a Windows device, then Windows Hello is built in.