Enable Windows 10 Multifactor Authentication with Windows Hello Multifactor Device Unlock & Microsoft Intune


In this blog post I’ll explain how to configure and enable Windows Hello Multifactor Device Unlock using Microsoft Intune. Windows Hello Multifactor Device Unlock provides multifactor device authentication for logging in to or unlocking Windows 10 devices.

Windows Hello for Business

Windows Hello for Business is a private/public key or certificate-based authentication approach for organizations and consumers that goes beyond passwords. This form of authentication relies on key pair credentials that can replace passwords and are resistant to breaches, thefts, and phishing. With Windows Hello, biometric authentication and recognition is easy with a face or fingerprint.

Windows Hello credentials address many of the inherent problems with passwords. Passwords can be difficult to remember, can be reused on multiple sites, and can sometimes be easy to guess. Server breaches can expose symmetric network credentials, or users can inadvertently divulge their passwords to phishing attacks. Because PINs are tied to the device and are stored locally, they are more secure than a password.

Today, Windows natively supports only a single credential (password, PIN, fingerprint, face, etc.) for logging in to or unlocking a device. Therefore, if that one credential is compromised (for example shoulder surfed), an attacker could gain access to your local device. Since Windows 10 version 1709, Windows offers Multifactor Device Unlock by extending Windows Hello with trusted signals: you can configure Windows 10 to require a combination of factors and trusted signals before a device unlocks.

The Basics: How it works

First unlock factor credential provider and Second unlock credential provider are responsible for the bulk of the configuration. Each of these components contains a globally unique identifier (GUID) that represents a different Windows credential provider. With the policy setting enabled, users unlock the device using at least one credential provider from each category before Windows allows the user to proceed to their desktop.

Windows Hello for Business Supported Factors

The Multifactor Device Unlock policy consists of three components:

  • First unlock factor credential provider (primary authentication);
  • Second unlock factor credential provider (second factor authentication);
  • Signal rules for device unlock (defines second unlock credential provider);

The credential providers included in the default policy settings are:

Credential Provider    GUID
PIN                    {D6886603-9D2F-4EB2-B667-1971041FA96B}
Fingerprint            {BEC09223-B018-416D-A0AC-523971B639F5}
Facial Recognition     {8AF662BF-65A0-4D0A-A540-A338A999D36F}
Trusted Signal         {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}

By default, the First unlock factor credential provider includes the following credential providers:

  • PIN
  • Fingerprint
  • Facial Recognition

In the example below for the first unlock factor credential provider, PIN is the first unlock provider, followed by Facial Recognition and Fingerprint as fallback.

{D6886603-9D2F-4EB2-B667-1971041FA96B},{8AF662BF-65A0-4D0A-A540-A338A999D36F},{BEC09223-B018-416D-A0AC-523971B639F5}

By default, the Second unlock factor credential provider includes the following unlock providers:

  • Trusted Signal
  • PIN

In the example below for the second unlock factor credential provider, Trusted Signal is the first unlock provider, followed by PIN as fallback.

{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B}

You can change the order of the unlock factor credential providers to suit your preference; in the example above, Trusted Signal is the first unlock provider, followed by PIN as fallback.

Now that we have explained the first two components of Multifactor Unlock (the unlock factor credential providers), the final component is Signal rules for device unlock. This setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device, and it works similarly to Dynamic Lock.

The default signal rules for the policy setting include the proximity of any paired Bluetooth smartphone.

<rule schemaVersion="1.0">
  <signal type="bluetooth" scenario="Authentication" />
</rule>

The classOfDevice attribute defaults to Phone and uses the values from the following table:

Description                 Value
Miscellaneous               0
Computer                    256
Phone                       512
LAN/Network Access Point    768
Audio/Video                 1024
Peripheral                  1280
Imaging                     1536
Wearable                    1792
Toy                         2048
Health                      2304
Uncategorized               7936

To successfully reach their desktop, the user must satisfy one credential provider from each category. The order in which the user satisfies each credential provider does not matter.

Windows Hello for Business Unlock Policy Definition

Therefore, using the default policy setting a user can provide:

  • PIN and Fingerprint
  • PIN and Facial Recognition
  • Fingerprint and PIN
  • Facial Recognition and Trusted Signal (Bluetooth paired smartphone)

Important!

  • PIN must be in at least one of the groups
  • Trusted signals must be combined with another credential provider
  • You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can be used to satisfy either category, but not both.
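To check a planned policy against the three rules above before it is deployed, here is an added example (my own Python, not code from the post or from Microsoft) that enumerates which pairs of providers a user could present and builds the GroupA/GroupB values from the GUID table; provider names are the ones used in the post.

```python
# GUIDs of the credential providers listed in the post.
PROVIDERS = {
    "PIN": "{D6886603-9D2F-4EB2-B667-1971041FA96B}",
    "Fingerprint": "{BEC09223-B018-416D-A0AC-523971B639F5}",
    "Facial Recognition": "{8AF662BF-65A0-4D0A-A540-A338A999D36F}",
    "Trusted Signal": "{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}",
}

DEVICE_UNLOCK = "./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/"


def allowed_combinations(group_a, group_b):
    """Every (first factor, second factor) pair a user could present.

    The same provider cannot satisfy both groups, so (PIN, PIN) is dropped
    even though PIN appears in both default groups.
    """
    return [(a, b) for a in group_a for b in group_b if a != b]


def validate_groups(group_a, group_b):
    """Return the rule violations for a planned policy (empty list = OK).

    Encodes the post's constraints: PIN in at least one group, every provider
    known, and Trusted Signal (or any other provider) only usable together
    with a different provider from the other group.
    """
    problems = []
    unknown = [n for n in group_a + group_b if n not in PROVIDERS]
    if unknown:
        problems.append("unknown provider(s): " + ", ".join(unknown))
    if "PIN" not in group_a and "PIN" not in group_b:
        problems.append("PIN must be in at least one of the groups")
    if not allowed_combinations(group_a, group_b):
        problems.append("no pair of two distinct providers is possible")
    return problems


def oma_uri_values(group_a, group_b):
    """Comma-separated GUID lists for the GroupA and GroupB OMA-URI nodes."""
    if validate_groups(group_a, group_b):
        raise ValueError("policy violates the unlock rules")
    return {
        DEVICE_UNLOCK + "GroupA": ",".join(PROVIDERS[n] for n in group_a),
        DEVICE_UNLOCK + "GroupB": ",".join(PROVIDERS[n] for n in group_b),
    }
```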

Configuration

Now that we have a basic understanding of how Windows Hello Multifactor Unlock works, it is time to configure it using Microsoft Intune.

The configuration of Multifactor Device Unlock has been described here using Group Policy. The Configure device unlock factors policy setting is located under Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business.

Configure Windows Hello for Business unlock factors & trusted signals.

As explained, Windows Hello Multifactor Device Unlock consists of 3 components, each of which is configured using a custom OMA-URI policy setting, as the configuration can’t (yet) be done using the Intune UI.

  1. Open the Azure Portal and select Microsoft Intune service;
  2. Create a new profile in Device Configuration blade;
  3. Provide a name and description and select Windows 10 and later as platform;
  4. As profile type select Custom;
  5. On the Custom OMA-URI settings blade select Add to add the first unlock credential provider;

Name: Windows Hello Multifactor Unlock – First Unlock Factor

OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupA

Data Type: String

Value: {D6886603-9D2F-4EB2-B667-1971041FA96B},{8AF662BF-65A0-4D0A-A540-A338A999D36F},{BEC09223-B018-416D-A0AC-523971B639F5}

Configure first unlock factor credential provider.
  6. On the Custom OMA-URI settings blade select Add to add the second unlock credential provider;

Name: Windows Hello Multifactor Unlock – Second Unlock Factor

OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupB

Data Type: String

Value: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B}

Configure second unlock factor credential provider.
  7. On the Custom OMA-URI settings blade select Add to add the unlock signals rules;

Name: Windows Hello Multifactor Unlock – Unlock Signals Rules

OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/Plugins

Data Type: String

Value: <rule schemaVersion="1.0"> <signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/> </rule>

Configure unlock signals.
  8. Now that the configuration of Windows Hello Multifactor Device Unlock is complete, save the configuration and deploy the custom policy to Windows 10 devices.
Windows Hello Multifactor Device Unlock custom configuration.
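The Plugins value is XML and must use plain ASCII double quotes; the typographic quotes that web pages and word processors substitute when you copy and paste make it unparsable. This added example (my own Python, not code from the post or from Microsoft) builds a bluetooth signal rule from the classOfDevice table and checks a pasted value before it goes into Intune; the rssiMin/rssiMaxDelta attribute names are taken from the post's value.

```python
import xml.etree.ElementTree as ET

# Bluetooth classOfDevice values from the table in the post.
CLASS_OF_DEVICE = {
    "Miscellaneous": 0, "Computer": 256, "Phone": 512,
    "LAN/Network Access Point": 768, "Audio/Video": 1024, "Peripheral": 1280,
    "Imaging": 1536, "Wearable": 1792, "Toy": 2048, "Health": 2304,
    "Uncategorized": 7936,
}
KNOWN_CLASSES = {str(v) for v in CLASS_OF_DEVICE.values()}

# Constructed sample: the post's value as it comes out of a web page, with
# typographic quotes instead of ASCII ones.
CURLY_QUOTED = ('<rule schemaVersion=\u201d1.0\u2033> <signal type=\u201dbluetooth\u2033 '
                'scenario=\u201dAuthentication\u2033 classOfDevice=\u201d512\u2033/> </rule>')


def bluetooth_rule(device_class="Phone", rssi_min=None, rssi_max_delta=None):
    """Serialise a <rule> for the DeviceUnlock/Plugins node as a single line."""
    rule = ET.Element("rule", schemaVersion="1.0")
    attrs = {"type": "bluetooth", "scenario": "Authentication",
             "classOfDevice": str(CLASS_OF_DEVICE[device_class])}
    if rssi_min is not None:
        attrs["rssiMin"] = str(rssi_min)
    if rssi_max_delta is not None:
        attrs["rssiMaxDelta"] = str(rssi_max_delta)
    ET.SubElement(rule, "signal", attrs)
    return ET.tostring(rule, encoding="unicode")


def check_rule(value):
    """Return problems with a Plugins value; an empty list means it is usable."""
    problems = []
    if any(ch in value for ch in "\u201c\u201d\u2033\u2018\u2019"):
        problems.append("typographic quotes present; use ASCII double quotes")
    try:
        root = ET.fromstring(value)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != "rule" or root.get("schemaVersion") != "1.0":
        problems.append('root element must be <rule schemaVersion="1.0">')
    for sig in root.findall("signal"):
        # classOfDevice defaults to Phone (512) when the attribute is omitted.
        if sig.get("type") == "bluetooth" and sig.get("classOfDevice", "512") not in KNOWN_CLASSES:
            problems.append(f"unknown classOfDevice {sig.get('classOfDevice')!r}")
    return problems
```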

User Experience

The configuration of Windows Hello Multifactor Device Unlock is complete; however, there is one final step left, which must be completed by the end user. As we’ve configured a Bluetooth smartphone as unlock signal, the smartphone has to be paired via Bluetooth with the Windows 10 device.

  • Use Search and enter “Blue”, search will give a result “Bluetooth and Other Device settings” or via Windows Start select Settings;
  • In the Windows Settings menu select Devices;
  • Select Add Bluetooth or other device;
  • In the Add a device wizard select Bluetooth;
  • That’s it!

Now that we have successfully paired our smartphone as Trusted Signal, we’re ready to use Windows Hello Multifactor Device Unlock, using Facial Recognition as first unlock factor followed by a smartphone (connected via Bluetooth) as second factor.

In the first video I log in to my Windows 10 device…

…and in the second video I unlock my Windows 10 device.

When it comes to user experience, the responses we have received so far are very positive. Based on notes from the field, users are very enthusiastic: “It just works. It is seamless and intuitive in use”.

Requirements

  • Windows Hello for Business deployment (Native, Hybrid or On-premises)
  • AD-, Azure AD- or Hybrid Azure AD deployments
  • Windows 10, version 1709 or later
  • Bluetooth, Bluetooth capable devices (optional)

Under the hood

When logging in or unlocking your device, Windows Hello processes the Multifactor Unlock policy. The First Unlock Factor Credential Provider determines which unlock options are available (PIN, Facial Recognition and Fingerprint).

As Facial Recognition meets the First Unlock Factor Credential Provider policy, we are successfully logged in.

Next, the Second Unlock Factor Credential Provider is challenged, which is Trusted Signals.

Because we paired our smartphone, the Second Unlock Factor Credential Provider is met as well, after which we are logged in successfully on the basis of 2 factors.

Troubleshooting

In case of issues with Windows Hello for Business, the Windows Event Log is a valuable starting point for your troubleshooting journey.

Windows Logs >> Applications and Services Logs >> Microsoft >> Windows >> HelloForBusiness >> Operational

Event ID   Details

3520       Unlock attempt initiated.
           Example:
           Attempting device unlock using provider {8AF662BF-65A0-4D0A-A540-A338A999D36F}. The list of acceptable providers are:
           Group A: {D6886603-9D2F-4EB2-B667-1971041FA96B}, {8AF662BF-65A0-4D0A-A540-A338A999D36F}, {BEC09223-B018-416D-A0AC-523971B639F5}
           Group B: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}, {D6886603-9D2F-4EB2-B667-1971041FA96B}

5520       No Policy
           Example:
           Device unlock policy is not configured on this device.

6520       Warning
           Example:
           Provider is not in the acceptable provider list.

7520       Failure
           Example:
           Failed to authenticate the user’s credential.
           Error: The user name or password is incorrect. (0x8007052E)
           Correlation vector: qf/ugLLYq0Wp+e7K.1.0
           Processing time: 50 milliseconds.

8520       Success
           Example:
           Successfully authenticated the user’s credential.
           Processing time: xx milliseconds.
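To triage these events outside Event Viewer, here is an added example (my own Python, not code from the post or from Microsoft) that parses the text of a 3520 message into the attempted provider and the two acceptable groups, and names which group that provider can satisfy; the sample message is the 3520 example quoted above, assembled into one string.

```python
import re

# Provider GUIDs from the post, mapped back to readable names.
PROVIDER_NAMES = {
    "{D6886603-9D2F-4EB2-B667-1971041FA96B}": "PIN",
    "{BEC09223-B018-416D-A0AC-523971B639F5}": "Fingerprint",
    "{8AF662BF-65A0-4D0A-A540-A338A999D36F}": "Facial Recognition",
    "{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}": "Trusted Signal",
}

# Constructed sample: the Event ID 3520 message quoted in the post, as one string.
SAMPLE_3520 = (
    "Attempting device unlock using provider {8AF662BF-65A0-4D0A-A540-A338A999D36F}. "
    "The list of acceptable providers are: "
    "Group A: {D6886603-9D2F-4EB2-B667-1971041FA96B}, "
    "{8AF662BF-65A0-4D0A-A540-A338A999D36F}, {BEC09223-B018-416D-A0AC-523971B639F5} "
    "Group B: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}, {D6886603-9D2F-4EB2-B667-1971041FA96B}"
)

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_unlock_attempt(message):
    """Return (attempted provider, Group A list, Group B list) from a 3520 message."""
    m = re.search(r"using provider (\{[^}]+\})", message)
    if not m:
        raise ValueError("not a 3520 unlock-attempt message")
    # Groups are listed after "Group A:" and "Group B:"; partition() yields
    # empty strings when a label is missing, so a truncated message still parses.
    a_text = message.partition("Group A:")[2]
    a_text, _, b_text = a_text.partition("Group B:")
    group_a = [g.upper() for g in GUID_RE.findall(a_text)]
    group_b = [g.upper() for g in GUID_RE.findall(b_text)]
    return m.group(1).upper(), group_a, group_b


def classify_attempt(message):
    """Name the provider used and list the group(s) it may satisfy.

    An empty group list is the situation Event ID 6520 warns about: the
    provider is not in the acceptable provider list.
    """
    attempted, group_a, group_b = parse_unlock_attempt(message)
    groups = [label for label, members in (("A", group_a), ("B", group_b))
              if attempted in members]
    return PROVIDER_NAMES.get(attempted, "unknown provider"), groups
```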

Recap

By enhancing Windows Hello for Business with Multifactor Device Unlock, the logon/unlock experience on Windows 10 is taken to a higher level. Besides the user experience, Multifactor Device Unlock addresses many of the inherent problems with passwords, including reducing the chance of a credential being compromised (e.g. shoulder surfed).

Extending Windows Hello

Organizations can take advantage of Windows Hello Multifactor Device Unlock when they:

  • Have expressed that PINs alone do not meet their security needs;
  • Want to prevent Information Workers from sharing credentials;
  • Want their orgs to comply with regulatory two-factor authentication policy;
  • Want to retain the familiar Windows logon UX and not settle for a custom solution.

Sources

Special thanks to Pieter Wigleven (Microsoft) & Karanbir Singh (Microsoft) for reviewing and providing valuable input.

Windows Hello for Business

https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-identity-verification

Windows Hello for Business Features

https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-features#multifactor-unlock

Enabling remote access with Windows Hello for Business in Windows 10

https://msdn.microsoft.com/en-us/library/mt728163.aspx

Extending Windows Hello with trusted signals

https://channel9.msdn.com/Events/Ignite/Microsoft-Ignite-Orlando-2017/BRK2075

6 thoughts on “Enable Windows 10 Multifactor Authentication with Windows Hello Multifactor Device Unlock & Microsoft Intune”

  1. Hello! Can you provide a link or more details how to configure trusted signals based on network location? Does it use a gateway address, a default DNS domain name via DHCP or what? thanks!

  2. Hi there,

    Yes, you can use your network properties like gateway, subnet, DNS suffix, etc. to configure as trusted signals. Will follow this up with a detailed blogpost soon. Stay tuned!

  3. Jan

    Hi Ronny, thanks for this post. Awesome. I was playing around with this today and a couple of questions came to mind:
    1. What if I configured the user to authenticate with PIN and Phone, but the user has not configured the device via BT yet?
    2. Can I prevent users logging on with their passwords, once this PIN is enabled? In other words, how do I prevent that users can still log in to their machines with one single password?
