More and more companies are using Windows Hello to allow their users to login or unlock their Windows 10 devices, because using a PIN or Facial Recognition is more secure than a password.
But there are situations when using a PIN code isn`t that secure as it seems. When you are working at a Starbucks where someone watched you entering your PIN and waits for you to leave your laptop unmanaged for a few seconds, it is very easy for that person to unlock your laptop. A solution for this is requiring a second factor to unlock your device; Windows Hello Multifactor Device Unlock.
With Multifactor Device Unlock the user unlocks his device by using two credential providers. This can be a combination of PIN, Facial recognition, Fingerprint or Trusted Signal. A trusted signal can be a trusted network for example or a phone connected via Bluetooth.
In this blogpost we use PIN or a biomatric gesture as first unlock factor and a trusted network or a phone with Bluetooth as second unlock factor. As fallback we can use PIN as second factor (if the PIN is not used as first factor) or the user can authenticate using the password.
How does this look like for the user:
- User authenticates with PIN or biomatric gesture as first unlock factor
- Windows Hello verifies the first factor. First factor passed.
- Windows Hello checks the device is connected with a trusted network. Second factor passed, user is logged on.
- If the device is not connected to a trusted network, Windows Hello checks for the Bluetooth connected phone. Second factor passed, user is logged on.
- If Windows Hello doesn`t detect the phone, the user is allowed to use the PIN (if not already used as first factor) or use the password.
Configuration
Pre-requisites:
Windows Hello for Business enabled
Windows 10 1709 or later (1803 when using Intune to configure this)
(Azure) AD
Bluetooth capable device (optional)
To get Multifactor Device Unlock configured we can use Policy CSP PassportForWork which can be found here.
Using the node DeviceUnlock of this policy we can set the first and second unlock credential providers and the unlock plugins.
In GroupA we configure the first unlock credential provider, in GroupB the second credential provider and in Plugins we configure the unlock signals.
The credential providers are set using there GUID.
The credential provider and the related GUIDs:
Facial Recognition: {8AF662BF-65A0-4D0A-A540-A338A999D36F}
PIN: {D6886603-9D2F-4EB2-B667-1971041FA96B}
Fingerprint: {BEC09223-B018-416D-A0AC-523971B639F5}
Trusted Signal: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}
Because we use Bluetooth as one of the trusted signals, we also need to set the corresponding classofDevice attribute. The default attribute is Phone, but there are multiple possible values.
Available classofDevices values:
Miscellaneous: 0
Computer: 256
Phone: 512
LAN/Network Access Point: 768
Audio/Video: 1024
Peripheral: 1280
Imaging: 1536
Wearable: 1792
Toy: 2048
Health: 2304
Uncategorized: 7936
Now that we have the required information, it`s time to set the Intune policies.
- Open the Device Management portal and click Device Configuration– Profiles;
- On the Profiles tab click Create Profile and provide the required information;
Name: Provide the preferred name of the policy
Description: Provide a description (Optional)
Platform: Windows 10 and later
Profile type: Custom - On the Custom OMA-URI Settings tab click Add to open the Add Row tab. On the Add Row tab provide the following information and click OK;
Name: Provide the preferred name of row
Description: Provide a description (Optional)
OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupA
Data type: String
Value: {8AF662BF-65A0-4D0A-A540-A338A999D36F},{D6886603-9D2F-4EB2-B667-1971041FA96B},{BEC09223-B018-416D-A0AC-523971B639F5}
- Click Add again to add the second row.
- On the Add Row tab provide the following information and click OK;
Name: Provide the preferred name of row
Description: Provide a description (Optional)
OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupB
Data type: String
Value: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B}
- Click Add to add the third row.
- On the Add Row tab provide the following information and click OK;
Name: Provide the preferred name of row
Description: Provide a description (Optional)
OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/Plugins
Data type: String
Value: see printscreen below
To see all the options you have when configuring Trusted Signals, like the different options for ipconfig have a look at this Microsoft doc.
User-experience
Now let`s have a look at the user experience.
When I`m at the office and connected to the corporate (trusted) network with Gateway 192.168.10.1 and DNSsuffix interchange.nl, I only need to authenticate once. With my PIN, facial recognition or fingerprint.
When I`m not at the office, but my Bluetooth phone is connected to my laptop, I only need to authenticate once.
But when I`m not at the office and my phone is not connected to my laptop, I need to authenticate a second time.
As you can see in this picture it first tries to verify my network.
And after the network verification fails, it tries to verify my phone.
When both network and phone failed to verify, it shows me a message:
Cannot verify additional factor. Use another sign-in option.
I can click on Sign-in options, to pick another sign-in option to authenticate a second time.
That`s all to further secure your Windows 10 devices using Windows Hello for Business!
Is it also possible to use the Authenticator app as a second or first factor in a cloud only setup?
No, not that I know unfortunately.
Hi Peter,
Have you found a way to stop people just logging on using their password?
From my limited testing, you can bypass this 2-factor stuff and use only the password. 🙂
F.
No as far as I know, that’s not possible (yet).
Group Policy:
Windows Settings/Local Policies/Security Options
Interctive logon: Require Windows Hello for Business or smart card
…I guess that my reply above isn’t exactly an Intune setting. Sorry about that!
No, unfortunately that policy isn`t available through Intune.
At this moment this can be only accomplished using a PowerShell script (and deploy that via Intune).
Hi Peter,
I had configured Face/Finger for my first factor auth and PIN and Signals as second factor auth. To mimic a scenario to see what happens when Hello fails, I disabled camera of the laptop so that face recog fails, but I was able to login using PIN twice and get access to Desktop. Is that a bug or an expected behavior? Remember that I haven’t configured PIN on my first factor and it is only there on second factor. Am i allowed to get access to desktop just using PIN because PIN happens to be failback mechanism for Hello? I also read that if you have configured a credential provider in both factors, using that particular auth factor can only be used once and not twice. ie. If PIN is configured in both first and second, it only accepts one time use? Appreciate if you can shed some light on this behavior
Just to add, I have enforced Hello sign-in so that login using Windows password credential will prompt me to login using Hello/Smart cart.
Hi Sanjay,
Sign in by providing your PIN twice? I don’t think that’s supposed to be possible.
Did you get on with this? Or received some feedback from Microsoft (via a support case for example)?
Hi Sanjay and Peter,
We’re testing this at the moment and have run into a similar issue.
The problem we’ve run into is that users can register both Fingerprint and Facial Recognition.
But they won’t “failover” between each other.
What this means is that I can have Fingerprint+Pin and Face+Pin setup in the config but the policy will only apply to one of them.
On the sign in screen, Fingerprint+Pin will work as expected but I can then log in only with Face, effectively bypassing the 2nd factor.
At the moment, I can’t find a way to disable users from being able to register for than one Windows Hello method which would resolve the issue.
It’s either all Biometrics on or all off, it can’t be done selectively.
Do I need to configure the trusted signals factor? I just want face/finger for first and PIN for second unlock factor without trusted signals. Is this possible? Thanks for your article.
Hey Peter
we are just about testing the solution. With the OMA-URI configured we have some questions with it. I configured PIN as first and FaceID / Finger as second factor. We are still able to login with FaceID or Finger without asking for a second factor. Where you able to have Multi-factor unlock working as well when using FaceID or Finger as the first factor?