Close Menu
    Security

    Enable Windows Hello Multifactor Device Unlock with Microsoft Intune

    Peter KlapwijkBy Updated:134 Mins Read

    More and more companies are using Windows Hello to allow their users to login or unlock their Windows 10 devices, because using a PIN or Facial Recognition is more secure than a password.
    But there are situations when using a PIN code isn`t that secure as it seems. When you are working at a Starbucks where someone watched you entering your PIN and waits for you to leave your laptop unmanaged for a few seconds, it is very easy for that person to unlock your laptop. A solution for this is requiring a second factor to unlock your device; Windows Hello Multifactor Device Unlock.

    With Multifactor Device Unlock the user unlocks his device by using two credential providers. This can be a combination of PIN, Facial recognition, Fingerprint or Trusted Signal. A trusted signal can be a trusted network for example or a phone connected via Bluetooth.
    In this blogpost we use PIN or a biomatric gesture as first unlock factor and a trusted network or a phone with Bluetooth as second unlock factor. As fallback we can use PIN as second factor (if the PIN is not used as first factor) or the user can authenticate using the password.

    How does this look like for the user:

    1. User authenticates with PIN or biomatric gesture as first unlock factor
    2. Windows Hello verifies the first factor. First factor passed.
    3. Windows Hello checks the device is connected with a trusted network. Second factor passed, user is logged on.
    4. If the device is not connected to a trusted network, Windows Hello checks for the Bluetooth connected phone. Second factor passed, user is logged on.
    5. If Windows Hello doesn`t detect the phone, the user is allowed to use the PIN (if not already used as first factor) or use the password.

    Configuration

    Pre-requisites:
    Windows Hello for Business enabled
    Windows 10 1709 or later (1803 when using Intune to configure this)
    (Azure) AD
    Bluetooth capable device (optional)

    To get Multifactor Device Unlock configured we can use Policy CSP PassportForWork which can be found here.
    Using the node DeviceUnlock of this policy we can set the first and second unlock credential providers and the unlock plugins.
    In GroupA we configure the first unlock credential provider, in GroupB the second credential provider and in Plugins we configure the unlock signals.

    The credential providers are set using there GUID.

    The credential provider and the related GUIDs:
    Facial Recognition: {8AF662BF-65A0-4D0A-A540-A338A999D36F}
    PIN: {D6886603-9D2F-4EB2-B667-1971041FA96B}
    Fingerprint: {BEC09223-B018-416D-A0AC-523971B639F5}
    Trusted Signal: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}

    Because we use Bluetooth as one of the trusted signals, we also need to set the corresponding classofDevice attribute. The default attribute is Phone, but there are multiple possible values.

    Available classofDevices values:
    Miscellaneous: 0
    Computer: 256
    Phone: 512
    LAN/Network Access Point: 768
    Audio/Video: 1024
    Peripheral: 1280
    Imaging: 1536
    Wearable: 1792
    Toy: 2048
    Health: 2304
    Uncategorized: 7936

    Now that we have the required information, it`s time to set the Intune policies.

    1. Open the Device Management portal and click Device ConfigurationProfiles;
    2. On the Profiles tab click Create Profile and provide the required information;
      Name: Provide the preferred name of the policy
      Description: Provide a description (Optional)
      Platform: Windows 10 and later
      Profile type: Custom
    3. On the Custom OMA-URI Settings tab click Add to open the Add Row tab. On the Add Row tab provide the following information and click OK;
      Name: Provide the preferred name of row
      Description: Provide a description (Optional)
      OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupA
      Data type: String
      Value: {8AF662BF-65A0-4D0A-A540-A338A999D36F},{D6886603-9D2F-4EB2-B667-1971041FA96B},{BEC09223-B018-416D-A0AC-523971B639F5}

    1. Click Add again to add the second row.
    2. On the Add Row tab provide the following information and click OK;
      Name: Provide the preferred name of row
      Description: Provide a description (Optional)
      OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupB
      Data type: String
      Value: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B}

    1. Click Add to add the third row.
    2. On the Add Row tab provide the following information and click OK;
      Name: Provide the preferred name of row
      Description: Provide a description (Optional)
      OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/Plugins
      Data type: String
      Value: see printscreen below

    To see all the options you have when configuring Trusted Signals, like the different options for ipconfig have a look at this Microsoft doc.

    User-experience

    Now let`s have a look at the user experience.
    When I`m at the office and connected to the corporate (trusted) network with Gateway 192.168.10.1 and DNSsuffix interchange.nl, I only need to authenticate once. With my PIN, facial recognition or fingerprint.
    When I`m not at the office, but my Bluetooth phone is connected to my laptop, I only need to authenticate once.

    But when I`m not at the office and my phone is not connected to my laptop, I need to authenticate a second time.
    As you can see in this picture it first tries to verify my network.

    And after the network verification fails, it tries to verify my phone.

    When both network and phone failed to verify, it shows me a message:
    Cannot verify additional factor. Use another sign-in option.
    I can click on Sign-in options, to pick another sign-in option to authenticate a second time.

    That`s all to further secure your Windows 10 devices using Windows Hello for Business!

    Share.

    Peter is a Security (Intune) MVP since 2020 and is working as Modern Workplace Engineer at Wortell in The Netherlands. He has more than 15 years of experience in IT, with a strong focus on Microsoft technologies like Microsoft Intune, Windows, and (low-code) automation.

    Related Posts

    View 13 Comments

    13 Comments

    1. Martijn Steffens on

      Is it also possible to use the Authenticator app as a second or first factor in a cloud only setup?

      Reply
    2. Fergus on

      Hi Peter,
      Have you found a way to stop people just logging on using their password?
      From my limited testing, you can bypass this 2-factor stuff and use only the password. 🙂

      F.

      Reply
    3. Sanjay on

      Hi Peter,

      I had configured Face/Finger for my first factor auth and PIN and Signals as second factor auth. To mimic a scenario to see what happens when Hello fails, I disabled camera of the laptop so that face recog fails, but I was able to login using PIN twice and get access to Desktop. Is that a bug or an expected behavior? Remember that I haven’t configured PIN on my first factor and it is only there on second factor. Am i allowed to get access to desktop just using PIN because PIN happens to be failback mechanism for Hello? I also read that if you have configured a credential provider in both factors, using that particular auth factor can only be used once and not twice. ie. If PIN is configured in both first and second, it only accepts one time use? Appreciate if you can shed some light on this behavior

      Reply
      • Sanjay on

        Just to add, I have enforced Hello sign-in so that login using Windows password credential will prompt me to login using Hello/Smart cart.

        Reply
        • Peter Klapwijk on

          Hi Sanjay,

          Sign in by providing your PIN twice? I don’t think that’s supposed to be possible.
          Did you get on with this? Or received some feedback from Microsoft (via a support case for example)?

          Reply
      • Edward on

        Hi Sanjay and Peter,

        We’re testing this at the moment and have run into a similar issue.

        The problem we’ve run into is that users can register both Fingerprint and Facial Recognition.
        But they won’t “failover” between each other.

        What this means is that I can have Fingerprint+Pin and Face+Pin setup in the config but the policy will only apply to one of them.
        On the sign in screen, Fingerprint+Pin will work as expected but I can then log in only with Face, effectively bypassing the 2nd factor.

        At the moment, I can’t find a way to disable users from being able to register for than one Windows Hello method which would resolve the issue.
        It’s either all Biometrics on or all off, it can’t be done selectively.

        Reply
    4. Alexej on

      Do I need to configure the trusted signals factor? I just want face/finger for first and PIN for second unlock factor without trusted signals. Is this possible? Thanks for your article.

      Reply
    5. Marc Kuhn on

      Hey Peter
      we are just about testing the solution. With the OMA-URI configured we have some questions with it. I configured PIN as first and FaceID / Finger as second factor. We are still able to login with FaceID or Finger without asking for a second factor. Where you able to have Multi-factor unlock working as well when using FaceID or Finger as the first factor?

      Reply
    Leave A Reply