    Enable Windows Hello Multifactor Device Unlock with Microsoft Intune

By Peter Klapwijk, February 15, 2019 (updated December 3, 2019)

More and more companies use Windows Hello for Business to let their users sign in to or unlock their Windows 10 devices, because a PIN or biometric gesture is more secure than a password: the credential is bound to the device (and its TPM where available) and only works on that device, so it cannot be phished and replayed from somewhere else.
But there are situations in which a PIN is not as secure as it seems. When you are working at a Starbucks and someone watches you enter your PIN, then waits for you to leave your laptop unattended for a few seconds, it is very easy for that person to unlock it. The solution is to require a second factor to unlock the device: Windows Hello Multifactor Device Unlock.

With Multifactor Device Unlock the user unlocks the device with two credential providers. These can be any combination of PIN, facial recognition, fingerprint and trusted signal, where a trusted signal is, for example, a trusted network or a phone connected via Bluetooth.
In this blog post we use PIN or a biometric gesture as first unlock factor and a trusted network or a Bluetooth-connected phone as second unlock factor. As fallback, PIN can serve as second factor (if it was not already used as first factor), or the user can authenticate with the password. Keep in mind that the password fallback is a single-factor path that this unlock policy does not govern; see the comments below for the group policy that blocks password sign-in.

What this looks like for the user:

1. The user authenticates with PIN or a biometric gesture as first unlock factor.
2. Windows Hello verifies the first factor. First factor passed.
3. Windows Hello checks whether the device is connected to a trusted network. If it is, the second factor passes and the user is signed in.
4. If the device is not connected to a trusted network, Windows Hello checks for the Bluetooth-connected phone. If it is in range, the second factor passes and the user is signed in.
5. If Windows Hello does not detect the phone either, the user may use the PIN (if it was not already used as first factor) or the password.

    Configuration

Prerequisites:
Windows Hello for Business enabled
Windows 10 1709 or later (1803 when using Intune to configure this)
(Azure) AD
Bluetooth-capable device (optional, only needed for the phone signal)

To configure Multifactor Device Unlock we use the PassportForWork CSP (documented in Microsoft's CSP reference).
Its DeviceUnlock node sets the first and second unlock credential providers and the unlock plugins.
In GroupA we configure the first unlock credential provider(s), in GroupB the second credential provider(s), and in Plugins the trusted-signal rules. In this post Trusted Signal is configured only as a second factor (GroupB).

The credential providers are referenced by their GUIDs:

Credential provider and the related GUID:
Facial Recognition: {8AF662BF-65A0-4D0A-A540-A338A999D36F}
PIN: {D6886603-9D2F-4EB2-B667-1971041FA96B}
Fingerprint: {BEC09223-B018-416D-A0AC-523971B639F5}
Trusted Signal: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}

Because we use Bluetooth as one of the trusted signals, we also need to set the corresponding classOfDevice attribute on the Bluetooth signal. The default is Phone, but there are multiple possible values; they are the Bluetooth major device class multiplied by 256.

Available classOfDevice values:
Miscellaneous: 0
Computer: 256
Phone: 512
LAN/Network Access Point: 768
Audio/Video: 1024
Peripheral: 1280
Imaging: 1536
Wearable: 1792
Toy: 2048
Health: 2304
Uncategorized: 7936

Now that we have the required information, it's time to set the Intune policy.

1. Open the Device Management portal and click Device Configuration – Profiles;
2. On the Profiles tab click Create Profile and provide the required information;
  Name: Provide the preferred name of the policy
  Description: Provide a description (optional)
  Platform: Windows 10 and later
  Profile type: Custom
3. On the Custom OMA-URI Settings tab click Add to open the Add Row tab. On the Add Row tab provide the following information and click OK;
  Name: Provide the preferred name of the row
  Description: Provide a description (optional)
  OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupA
  Data type: String
  Value: {8AF662BF-65A0-4D0A-A540-A338A999D36F},{D6886603-9D2F-4EB2-B667-1971041FA96B},{BEC09223-B018-416D-A0AC-523971B639F5}

4. Click Add again to add the second row.
5. On the Add Row tab provide the following information and click OK;
  Name: Provide the preferred name of the row
  Description: Provide a description (optional)
  OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupB
  Data type: String
  Value: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B}

6. Click Add to add the third row.
7. On the Add Row tab provide the following information and click OK;
  Name: Provide the preferred name of the row
  Description: Provide a description (optional)
  OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/Plugins
  Data type: String
  Value: the trusted-signal rules XML (shown in the screenshot of the original post, not reproduced here)

For all the options you have when configuring trusted signals, such as the different ipConfig elements, have a look at the Microsoft documentation on multifactor unlock.
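The whole procedure above as one script, added here as an example that is not part of the original post: it builds the GroupA and GroupB GUID lists and the Plugins trusted-signal XML from the values the post describes (gateway 192.168.10.1, DNS suffix interchange.nl, a Bluetooth device of class Phone), runs the sanity checks you would want before pushing the policy, and can create the same custom profile through Microsoft Graph instead of clicking through the portal. The rule element and attribute names follow Microsoft's multifactor unlock reference; the profile name, description, rssi values and Graph permission scope are assumptions to adjust for your tenant.

```powershell
# Added example, not code from the original post. Builds the three DeviceUnlock
# values and (optionally) publishes them as an Intune custom profile via Graph.
# Network values are the ones the post mentions; name, description, rssi and scope are assumptions.

# Credential provider GUIDs as listed in the post.
$CredentialProviders = @{
    Face          = '{8AF662BF-65A0-4D0A-A540-A338A999D36F}'
    PIN           = '{D6886603-9D2F-4EB2-B667-1971041FA96B}'
    Fingerprint   = '{BEC09223-B018-416D-A0AC-523971B639F5}'
    TrustedSignal = '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}'
}

function New-UnlockGroupValue {
    # Friendly names -> the comma-separated GUID list GroupA/GroupB expect.
    param([Parameter(Mandatory)][string[]]$Provider)
    $guids = foreach ($p in $Provider) {
        if (-not $CredentialProviders.ContainsKey($p)) { throw "Unknown credential provider '$p'" }
        $CredentialProviders[$p]
    }
    return ($guids -join ',')
}

function New-TrustedSignalRules {
    # Plugins value: an ipConfig rule for the corporate network plus a bluetooth rule
    # for the phone. Names follow Microsoft's multifactor unlock reference.
    param([Parameter(Mandatory)][string]$Ipv4Gateway, [Parameter(Mandatory)][string]$DnsSuffix,
          [int]$ClassOfDevice = 512, [int]$RssiMin = -10, [int]$RssiMaxDelta = -10)   # 512 = Phone
    $gw  = [System.Security.SecurityElement]::Escape($Ipv4Gateway)
    $dns = [System.Security.SecurityElement]::Escape($DnsSuffix)
    return @"
<rule schemaVersion="1.0">
  <signal type="ipConfig">
    <ipv4Gateway>$gw</ipv4Gateway>
    <dnsSuffix>$dns</dnsSuffix>
  </signal>
</rule>
<rule schemaVersion="1.0">
  <signal type="bluetooth" scenario="Authentication" classOfDevice="$ClassOfDevice" rssiMin="$RssiMin" rssiMaxDelta="$RssiMaxDelta"/>
</rule>
"@
}

function Test-UnlockConfiguration {
    # Sanity checks before the policy leaves your machine.
    param([string]$GroupA, [string]$GroupB, [string]$Plugins)
    $guidPattern = '^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$'
    $a = $GroupA -split ','; $b = $GroupB -split ','
    foreach ($g in ($a + $b)) { if ($g -notmatch $guidPattern) { throw "Not a braced GUID: '$g'" } }
    if ($a -contains $CredentialProviders.TrustedSignal) { Write-Warning 'Trusted Signal belongs in GroupB (second factor), as in the post.' }
    if (($b -contains $CredentialProviders.TrustedSignal) -and [string]::IsNullOrWhiteSpace($Plugins)) {
        throw 'GroupB references Trusted Signal but no Plugins rules were supplied.'
    }
    # The Plugins value is a sequence of <rule> elements; wrap it so it parses as one document.
    $null = [xml]"<rules>$Plugins</rules>"
    return $true
}

function New-IntuneCustomProfile {
    param([Parameter(Mandatory)][string]$GroupA, [Parameter(Mandatory)][string]$GroupB,
          [Parameter(Mandatory)][string]$Plugins,
          [string]$Name = 'WHfB Multifactor Device Unlock', [switch]$Publish)   # assumed name
    $base = './Device/Vendor/MSFT/PassportForWork/DeviceUnlock/'
    $rows = @(
        @{ Name = 'First unlock factor';  Node = 'GroupA';  Value = $GroupA }
        @{ Name = 'Second unlock factor'; Node = 'GroupB';  Value = $GroupB }
        @{ Name = 'Trusted signal rules'; Node = 'Plugins'; Value = $Plugins }
    )
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $Name
        description   = 'Require a second unlock factor for Windows Hello for Business'
        omaSettings   = @($rows | ForEach-Object {
            @{
                '@odata.type' = '#microsoft.graph.omaSettingString'
                displayName   = $_.Name
                omaUri        = $base + $_.Node
                value         = $_.Value
            }
        })
    }
    if ($Publish) {
        # Needs the Microsoft.Graph.Authentication module and an admin holding this scope.
        Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null
        return Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' -Body $body
    }
    return $body   # dry run: exactly what would be posted
}

$groupA  = New-UnlockGroupValue -Provider Face, PIN, Fingerprint
$groupB  = New-UnlockGroupValue -Provider TrustedSignal, PIN
$plugins = New-TrustedSignalRules -Ipv4Gateway '192.168.10.1' -DnsSuffix 'interchange.nl'
$null    = Test-UnlockConfiguration -GroupA $groupA -GroupB $groupB -Plugins $plugins
New-IntuneCustomProfile -GroupA $groupA -GroupB $groupB -Plugins $plugins | ConvertTo-Json -Depth 6
# Add -Publish to create the profile; assign it to a device group afterwards.
```

Run it once without -Publish and read the JSON: the three omaSettings entries are exactly the three rows you would otherwise type into the portal, so the dry run doubles as a review artifact you can keep next to the change ticket. The GUID check catches the most common copy-paste mistake (a missing brace or comma silently produces a policy that never applies), and the XML parse catches a broken Plugins value before the device sits at "Cannot verify additional factor".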

    User-experience

Now let's have a look at the user experience.
When I'm at the office and connected to the corporate (trusted) network with gateway 192.168.10.1 and DNS suffix interchange.nl, I only need to authenticate once, with my PIN, facial recognition or fingerprint.
When I'm not at the office but my Bluetooth phone is connected to my laptop, I also only need to authenticate once.

But when I'm not at the office and my phone is not connected to my laptop, I need to authenticate a second time.
As you can see in the picture, it first tries to verify my network.

After the network verification fails, it tries to verify my phone.

When both network and phone fail to verify, it shows me the message:
Cannot verify additional factor. Use another sign-in option.
I can click Sign-in options to pick another sign-in option and authenticate a second time.
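To triage that screen without guessing, here is an added example (not from the original post) that approximates the two second-factor checks locally in PowerShell: is there a default route via the trusted gateway on an interface carrying the trusted DNS suffix, and is a Bluetooth device of class Phone present and connected. It only reads network and Plug and Play state. The DEVPKEY identifiers for class of device and connection state are assumptions to verify on your build, and the whole check is an approximation of how Windows evaluates the rules, not the OS logic itself.

```powershell
# Added example, not code from the original post. Read-only triage of the two
# trusted signals the post configures. Gateway/suffix are the post's values;
# the property keys below are assumptions to verify.

function Test-TrustedNetworkSignal {
    param([Parameter(Mandatory)][string]$Ipv4Gateway, [Parameter(Mandatory)][string]$DnsSuffix)
    $result = [ordered]@{ GatewayMatch = $false; DnsSuffixMatch = $false; Interface = $null }
    # Default routes (0.0.0.0/0) give the active IPv4 gateways.
    $routes = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    foreach ($r in $routes) {
        if ($r.NextHop -ne $Ipv4Gateway) { continue }
        $result.GatewayMatch = $true
        $result.Interface    = $r.InterfaceAlias
        # This check assumes both ipConfig elements must hold on the same interface,
        # so read the connection-specific suffix of the interface owning the matching route.
        $suffix = (Get-DnsClient -InterfaceIndex $r.InterfaceIndex).ConnectionSpecificSuffix
        if ($suffix -eq $DnsSuffix) { $result.DnsSuffixMatch = $true; break }
    }
    $result.Trusted = $result.GatewayMatch -and $result.DnsSuffixMatch
    return [pscustomobject]$result
}

function Get-PresentBluetoothPhone {
    param([int]$ClassOfDevice = 512)   # 512 = Phone, as in the post's table
    # Assumed keys: DEVPKEY_Bluetooth_ClassOfDevice and System.Devices.Connected.
    $codKey  = '{2BD67D8B-8BEB-48D5-87E0-6CDA3428040A} 10'
    $connKey = '{83DA6326-97A6-4088-9453-A1923F573B29} 15'
    Get-PnpDevice -Class Bluetooth -PresentOnly -ErrorAction SilentlyContinue | ForEach-Object {
        $cod  = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName $codKey  -ErrorAction SilentlyContinue).Data
        $conn = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName $connKey -ErrorAction SilentlyContinue).Data
        # The major device class lives in bits 8-12 of the CoD; the post's table is that field.
        if ($cod -and (($cod -band 0x1F00) -eq $ClassOfDevice)) {
            [pscustomobject]@{ Name = $_.FriendlyName; ClassOfDevice = $cod; Connected = [bool]$conn }
        }
    }
}

$net   = Test-TrustedNetworkSignal -Ipv4Gateway '192.168.10.1' -DnsSuffix 'interchange.nl'
$phone = Get-PresentBluetoothPhone | Where-Object Connected
if ($net.Trusted)  { "Network signal should satisfy the second factor via $($net.Interface)" }
elseif ($phone)    { "Phone signal available: $($phone.Name -join ', ')" }
else               { 'Neither signal present: expect "Cannot verify additional factor"' }
```

Run this from the user's session while the device is on the network in question. The usual findings are a gateway that matches but a DNS suffix that is set only on another adapter (VPN or docking station), or a phone that is paired and present but not actually connected, which is why the script reports both halves of the network rule and the connection state of the phone separately rather than a single yes or no.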

That's all you need to further secure your Windows 10 devices with Windows Hello for Business!

    Peter is a Security (Intune) MVP since 2020 and is working as Modern Workplace Engineer at Wortell in The Netherlands. He has more than 15 years of experience in IT, with a strong focus on Microsoft technologies like Microsoft Intune, Windows, and (low-code) automation.

    13 Comments

    1. Martijn Steffens on May 30, 2019 11:13

      Is it also possible to use the Authenticator app as a second or first factor in a cloud only setup?

      • Peter Klapwijk on May 30, 2019 12:18

        No, not that I know unfortunately.

    2. Fergus on October 2, 2019 13:40

      Hi Peter,
      Have you found a way to stop people just logging on using their password?
      From my limited testing, you can bypass this 2-factor stuff and use only the password. 🙂

      F.

      • Peter Klapwijk on October 4, 2019 21:30

No, as far as I know that's not possible (yet).

      • Tony on October 10, 2019 21:15

        Group Policy:
        Windows Settings/Local Policies/Security Options
Interactive logon: Require Windows Hello for Business or smart card

      • Tony on October 10, 2019 21:16

        …I guess that my reply above isn’t exactly an Intune setting. Sorry about that!

        • Peter Klapwijk on October 21, 2019 14:15

No, unfortunately that policy isn't available through Intune.
At this moment this can only be accomplished using a PowerShell script (and deploying that via Intune).

    3. Sanjay on June 6, 2021 17:45

      Hi Peter,

I had configured Face/Finger for my first factor auth and PIN and Signals as second factor auth. To mimic a scenario to see what happens when Hello fails, I disabled the camera of the laptop so that face recognition fails, but I was able to log in using PIN twice and get access to the Desktop. Is that a bug or expected behavior? Remember that I haven't configured PIN on my first factor and it is only there on the second factor. Am I allowed to get access to the desktop just using PIN because PIN happens to be the fallback mechanism for Hello? I also read that if you have configured a credential provider in both factors, that particular auth factor can only be used once and not twice, i.e. if PIN is configured in both first and second, it only accepts one-time use? Appreciate it if you can shed some light on this behavior.

      • Sanjay on June 6, 2021 17:47

        Just to add, I have enforced Hello sign-in so that login using Windows password credential will prompt me to login using Hello/Smart cart.

        • Peter Klapwijk on June 15, 2021 21:19

          Hi Sanjay,

          Sign in by providing your PIN twice? I don’t think that’s supposed to be possible.
          Did you get on with this? Or received some feedback from Microsoft (via a support case for example)?

      • Edward on March 2, 2023 16:06

        Hi Sanjay and Peter,

        We’re testing this at the moment and have run into a similar issue.

        The problem we’ve run into is that users can register both Fingerprint and Facial Recognition.
        But they won’t “failover” between each other.

        What this means is that I can have Fingerprint+Pin and Face+Pin setup in the config but the policy will only apply to one of them.
        On the sign in screen, Fingerprint+Pin will work as expected but I can then log in only with Face, effectively bypassing the 2nd factor.

At the moment, I can't find a way to prevent users from registering more than one Windows Hello method, which would resolve the issue.
        It’s either all Biometrics on or all off, it can’t be done selectively.

    4. Alexej on July 1, 2022 23:19

      Do I need to configure the trusted signals factor? I just want face/finger for first and PIN for second unlock factor without trusted signals. Is this possible? Thanks for your article.

    5. Marc Kuhn on September 11, 2023 11:13

      Hey Peter
we are just about to test the solution. With the OMA-URI configured we have some questions about it. I configured PIN as first and FaceID / Finger as second factor. We are still able to log in with FaceID or Finger without being asked for a second factor. Were you able to get Multi-factor unlock working as well when using FaceID or Finger as the first factor?
