Fantastic content (as usual). I did not know about Windows MFA, nor that you could centrally configure Windows Hello. Also loved that explanation of why a local PIN is more secure than a global password! Outstanding!
@spitzer666
1 month ago
Great video Jonathan. Most enterprises have user identity synced with on-prem AD. This poses another challenge where the device requires a Kerberos ticket to be provided to the device for WHfB to work efficiently. For the next video, maybe.
@bearded365guy
1 month ago
@@spitzer666 Yes, indeed.
@DruDubay
1 month ago
That's a pretty easy one to solve as long as your DCs aren't too old. kzitem.info/news/bejne/l2x_mIRskZyFrI4
@zouzou7619
27 days ago
Fantastic as usual! Continue this way. It is always a pleasure to learn new tips and ways to configure Microsoft 365 watching you. Many thanks.
@philhersh
1 month ago
Great and useful information as always.
@macm3086
1 month ago
Thank you so much for your dedication and for sharing your knowledge with us. In light of the upcoming migration of legacy MFA authentication methods in September, it would be useful if you could make a video explaining how to migrate legacy authentication methods.
@bearded365guy
1 month ago
@@macm3086 Yes, let’s do it.
@JerryM365
17 days ago
This is not for MFA for cloud apps right? It's MFU multi factor unlock? Right?
@macm3086
16 days ago
@@JerryM365 I am talking about Office 365 Multi-factor authentication on the portal. According to the article, it was originally planned to expire in September 2024, but it appears that the date has now been moved to September 2025 of next year.
@ashishantony4752
1 month ago
Great video as usual. One quick thought that came to my mind. What happens if the webcam on your laptop breaks or is faulty? How would you handle such a case?
@bearded365guy
1 month ago
@@ashishantony4752 It would allow you to enter your password.
@imei2006
1 month ago
When configuring WHfB it will prompt to create a PIN for just such a reason.
@luhmduda
19 days ago
Great class, greetings from 🇧🇷
@robertpearson5069
1 month ago
I wish there was an option to have your fingerprint work to log you into any device in the domain.
@davidadams421
1 month ago
Cloud-stored biometrics. I very much like that idea.
@DruDubay
1 month ago
Yeah, with WHB your Finger/Face/PIN are just unlock factors for a key stored in TPM. This is why WHB is technically Multifactor even without using Multifactor unlock. There are solutions which offer similar function: RFID login, login with Security Keys, and software credential providers like solutions from Idemeum and CyberQP, where the login screen just shows a QR code, and the user wanting to log in scans it with an app on their phone.
@emilsdl
1 month ago
It is not secured because biometric keys are not changing; look at Nomidio, it is promising.
@andresdaza3557
25 days ago
Appreciating your enormous work for the community, a little question: I have a hybrid AD DS (no FS) Entra Active Directory environment; is it possible with these settings to make it work? What about previously defined GPOs for WHFB? Do I have to disable them? If you go around the web, there are a lot of issues or problems with hybrid configurations for WHFB. It could be great to add an example from your projects. Best regards
@bearded365guy
24 days ago
Hi, thanks for your message. I need to put together some material for hybrid solutions, I usually focus on cloud-only.
@johnrhines3473
24 days ago
@@bearded365guy I've deployed WHfB in a hybrid environment (legacy machines are AD DS, newer ones Entra joined deployed with Intune) and the AD DS setup was very confusing!
@andresdaza3557
24 days ago
@@johnrhines3473 Thanks for the reply. Considering my lab, I am still confused with Mr Microsoft about hybrid AD DS and AD FS, where most of the documentation is based on AD FS and not AD DS, or at least mentioned. Based on your other Intune projects I have successfully listed my devices in M Entra ID. I appreciate that.
@Sergio-Here-In-Community
1 month ago
Hello Jonathan, does Microsoft have a tool for MFA sign-in to Windows similar to MFA using DUO? Why is a PIN stronger than a password? The PIN is only numbers and I believe it can be cracked faster than a longer password with characters. Why will I change from a long password to a PIN with WH4B?
@bearded365guy
1 month ago
@@Sergio-Here-In-Community The multi-lock I describe in this video is MFA. Also, Microsoft class WHfB as MFA too. The PIN is tied to the device. So the hacker would need the device and the PIN to log on. That’s why it is stronger.
@glennbullion9069
9 days ago
Hopefully someone here can help. I did a test group with a few users. Created a configuration profile (I'm trying to make people set up AFTER enrolling, so that part is turned off, like in the video). Despite all this, users aren't getting prompted during logon to set up Windows Hello. Any idea of what might be happening here? Are there any logs to check somewhere?
@LukedeCroes
1 month ago
Great video Jonathan thank you. One issue I have with Windows Hello for Business on my test Azure AD joined machine was access to on-prem resources. If I used biometrics to logon I couldn't access on prem resources. If I logged on using my 365 credentials, I then had access to on-prem resources. How can I configure Windows Hello for business to allow my users on-prem resource access? Thank you in advance.
@bearded365guy
1 month ago
@@LukedeCroes Deployment of Windows Hello for Business in hybrid is a whole new ball game. I might cover this in a future video.
@davidadams421
1 month ago
Google: Microsoft Entra Connect Sync. It purports to sync your cloud accounts (Microsoft Entra, aka Azure Active Directory) to your on-prem Active Directory.
@davidadams421
1 month ago
Microsoft Entra Connect Sync
@dj_paultuk7052
1 month ago
Yup, we have exactly the same issue, so I turned it off for now and users are back to regular passwords.
@JerryM365
17 days ago
This is not for MFA for cloud apps right? It's MFU multi factor unlock? Right?
@bearded365guy
16 days ago
@@JerryM365 Yes, the MFA unlock is for the device.
@JerryM365
16 days ago
@@bearded365guy Thank you, and one more doubt: can we achieve it via cloud trust deployment?
@JOEMU51
18 days ago
Great video, although I’ve run into an issue with Entra AD joined devices using GSA for access to mapped drives and also a VBS script for copying files down from the server to the local device. Would it be correct to say that Windows Hello for Business is not compatible with Microsoft Private Access / GSA, or are you aware of any sort of workaround for that?
@bloodstallion
25 days ago
Hi Jonathan, @12.54, the PIN requirements say it needs 4 characters even though you specify 6 characters. I also notice on the Intune config page under Windows Hello there are some user settings like min pin(user), max pin(user). Should we choose those settings instead for the min PIN requirement to be reflected correctly?
@bearded365guy
25 days ago
@@bloodstallion It depends which deployment method you’re going for….
@chriso1523
1 month ago
Thanks for this. What do you recommend for hybrid environments? Cloud Trust?
@bearded365guy
1 month ago
@@chriso1523 Yes…. I’ve obviously focussed on cloud-only deployment here.
@davidadams421
1 month ago
Doesn't Microsoft 365 / Entra have a hybrid sync capability for both account authentication and policy deployment (CM + Intune)?
@MarcelLaino
1 month ago
Excellent tips!!! good work
@artin1641
1 month ago
Do you think Windows Hello would work the same way with Google Workspace?
@bearded365guy
1 month ago
@@artin1641 If you’re using a Windows device, then Windows Hello is built in.
@crocaliph
1 month ago
What happens if you set multi-factor WHfB login with PIN + fingerprint or facial, but users do not have finger or face set up in advance of this setting applying? Will they be forced to set it up also next time they log in, or won't they be able to log in because they didn't set it up in advance? And is there a way to set PIN + either face or fingerprint, but not force both?
@bearded365guy
1 month ago
@@crocaliph It will fall back on PIN number and then password…..
@davidadams421
1 month ago
You can also use a TAP (Temporary Access Pass) sign-in, which is classed as an MFA sign-in, to allow initial access to set up biometrics, then, when they next sign in, they can use those biometrics. TAP is set up in Entra > Protection > Authentication Methods, then added via Entra > Users > User > Authentication Methods > Add authentication method. Note 1: Entra Joined devices only. Note 2: Web sign-in must also be enabled and deployed. Note 3: TAP can also be used during Windows setup if you want a true end-to-end passwordless experience. No passwords were harmed during the creation of this comment.
Comments: 51