Windows Hello for Business: Multi-factor Unlock

Windows Hello for Business normally uses a single sign-in method, such as a PIN or a biometric (fingerprint or facial recognition), to unlock a device. If that one credential is compromised, for example by someone shoulder-surfing the PIN as it is typed, the attacker can unlock the device with it.

To raise the bar, Windows Hello for Business can be configured for multi-factor unlock. This lets administrators require two factors to unlock a device instead of one.

The goal is to configure two groups of credential providers, Group A and Group B. In Microsoft Intune, we assign credential providers to each group.
One provider from Group A satisfies the first factor and one provider from Group B satisfies the second; both are required to unlock the device.

💡Note that a credential provider can satisfy only one factor per unlock. Adding the same provider to both groups does not let a user present it twice; there must always be a second, different provider available.

Here is a table with the supported credential providers. We will add the corresponding GUIDs to our policy while configuring multi-factor unlock with Intune.

| Credential provider | GUID |
| --- | --- |
| PIN | {D6886603-9D2F-4EB2-B667-1971041FA96B} |
| Fingerprint | {BEC09223-B018-416D-A0AC-523971B639F5} |
| Facial Recognition | {8AF662BF-65A0-4D0A-A540-A338A999D36F} |
| Trusted Signal (phone proximity, network location) | {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD} |

💡It is possible to add a passive credential provider, such as Bluetooth phone proximity or network location, so that the second factor is silent. If the computer is connected to an approved phone over Bluetooth, or sits on an approved network, that signal satisfies the second factor on its own. The passive credential provider must be included in Group B and cannot be included in Group A.

Pre-requisites

  • Users must already be onboarded to Windows Hello for Business and have enrolled at least one biometric credential provider (fingerprint or face) in addition to the PIN. A user with only a PIN has no second, different provider to satisfy the other group.
  • I recommend enabling enhanced anti-spoofing for facial recognition.
  • Any version of Windows 11. Both Pro and Enterprise are supported.
  • Removing the password credential provider makes sense, but it is not a hard requirement. 💡Multi-factor unlock is not enforced for password sign-in, so a user who can still sign in with a password bypasses it.
  • Multi-factor unlock doesn't support security keys as a credential provider.

Use Microsoft Intune to configure Windows Hello for Business Multi-factor unlock

  1. Open: Intune portal -> Devices -> Windows -> Configuration
  2. Create: New policy
  3. Platform: Windows 10 and later
  4. Profile type: Settings catalog
  5. Click: Create
  6. Add a name
  7. Scroll down to Windows Hello for Business and select:
    • Device Unlock Plugins
    • Group A
    • Group B
  8. In my scenario I want a Bluetooth connection to my phone to act as the second factor, so I also add a signal rule string in Device Unlock Plugins (shown below, after step 12).
  9. For Group A I will allow: PIN, Fingerprint and Facial Recognition.
    • {D6886603-9D2F-4EB2-B667-1971041FA96B},{BEC09223-B018-416D-A0AC-523971B639F5},{8AF662BF-65A0-4D0A-A540-A338A999D36F}
  10. For Group B I will allow: PIN, Fingerprint, Facial Recognition and Trusted Signal.
    • {D6886603-9D2F-4EB2-B667-1971041FA96B},{BEC09223-B018-416D-A0AC-523971B639F5},{8AF662BF-65A0-4D0A-A540-A338A999D36F},{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}
  11. This is what my policy looks like at this point (screenshot in the original post).
  12. Assign the policy to a test group.

Here is my Device Unlock Plugins string. 💡I recommend that you read the Microsoft article Configure Signal Rules for the Trusted Signal Credential Provider to learn how to configure this one; there are a lot of options.

```xml
<rule schemaVersion="1.0"><signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/></rule>
```

classOfDevice 512 (0x200) restricts the signal to devices in the Bluetooth "Phone" major device class, and rssiMin and rssiMaxDelta are the signal-strength (dBm) thresholds that decide whether the paired phone counts as nearby.
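As an added example that is not part of the original post: a PowerShell check that encodes the rules above (a provider satisfies only one group per unlock, the passive provider belongs only in Group B, Trusted Signal needs a rule in Device Unlock Plugins) and runs them over the exact strings from steps 9 and 10 and the plugins string. Test-MfuPolicy and its parameters are hypothetical names written for this page, not Intune or Windows cmdlets; the GUIDs and the rule XML are the ones shown on the page.

```powershell
# Added example, not code from the original post. Sanity-check the three settings-catalog
# values before assigning the policy. Test-MfuPolicy is a hypothetical helper written for
# this page; the GUIDs are the documented provider GUIDs from the table above.

$KnownProviders = @{
    '{D6886603-9D2F-4EB2-B667-1971041FA96B}' = 'PIN'
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 'Fingerprint'
    '{8AF662BF-65A0-4D0A-A540-A338A999D36F}' = 'Facial Recognition'
    '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}' = 'Trusted Signal'
}
$TrustedSignalGuid = '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}'

function Test-MfuPolicy {
    param(
        [Parameter(Mandatory)] [string] $GroupA,
        [Parameter(Mandatory)] [string] $GroupB,
        [string]   $DeviceUnlockPlugins,
        # Optional: the providers one user has actually enrolled (PIN, fingerprint, face).
        [string[]] $EnrolledProviders
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # Both group settings are comma-separated GUID lists; trim and drop empty entries.
    $a = @($GroupA -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $b = @($GroupB -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    foreach ($g in (@($a + $b) | Select-Object -Unique)) {
        if (-not $KnownProviders.ContainsKey($g)) { $problems.Add("Unknown credential provider GUID: $g") }
    }
    if ($a.Count -eq 0) { $problems.Add('Group A is empty') }
    if ($b.Count -eq 0) { $problems.Add('Group B is empty') }

    # The passive provider is only valid as the second factor.
    if ($a -contains $TrustedSignalGuid) { $problems.Add('Trusted Signal must not be in Group A') }

    # A provider can satisfy only one group per unlock, so at least one Group A /
    # Group B pair must consist of two different providers or nobody can unlock.
    $policyPairs = @(foreach ($x in $a) { foreach ($y in $b) {
        if ($x -ne $y) { "$($KnownProviders[$x]) + $($KnownProviders[$y])" }
    } })
    if ($policyPairs.Count -eq 0) { $problems.Add('No pair of two different providers exists between Group A and Group B') }

    # The same rule applied to what one user has enrolled; Trusted Signal needs no enrolment.
    $userPairs = @()
    if ($EnrolledProviders) {
        $have = @($EnrolledProviders) + $TrustedSignalGuid
        $ua = @($a | Where-Object { $_ -in $have })
        $ub = @($b | Where-Object { $_ -in $have })
        $userPairs = @(foreach ($x in $ua) { foreach ($y in $ub) {
            if ($x -ne $y) { "$($KnownProviders[$x]) + $($KnownProviders[$y])" }
        } })
        if ($userPairs.Count -eq 0) { $problems.Add('This user has enrolled no combination that can satisfy both groups') }
    }

    # Trusted Signal in Group B only works with a signal rule in Device Unlock Plugins.
    if ($b -contains $TrustedSignalGuid) {
        if ([string]::IsNullOrWhiteSpace($DeviceUnlockPlugins)) {
            $problems.Add('Trusted Signal is in Group B but Device Unlock Plugins is empty')
        } else {
            try {
                $xml = [xml]$DeviceUnlockPlugins
                $signals = @($xml.SelectNodes('/rule/signal'))
                if ($signals.Count -eq 0) { $problems.Add('Plugins XML has no /rule/signal element') }
                foreach ($s in $signals) {
                    if ($s.GetAttribute('type') -eq 'bluetooth') {
                        # classOfDevice 512 (0x200) is the Bluetooth "Phone" major device class.
                        foreach ($attr in 'classOfDevice', 'rssiMin', 'rssiMaxDelta') {
                            if (-not $s.HasAttribute($attr)) { $problems.Add("bluetooth signal lacks the '$attr' attribute") }
                        }
                    }
                }
            } catch {
                $problems.Add("Device Unlock Plugins is not well-formed XML: $($_.Exception.Message)")
            }
        }
    }

    [pscustomobject]@{
        Valid       = ($problems.Count -eq 0)
        Problems    = $problems.ToArray()
        PolicyPairs = $policyPairs | Select-Object -Unique
        UserPairs   = $userPairs   | Select-Object -Unique
    }
}

# The values from steps 9 and 10 and the plugins string above.
$groupA  = '{D6886603-9D2F-4EB2-B667-1971041FA96B},{BEC09223-B018-416D-A0AC-523971B639F5},{8AF662BF-65A0-4D0A-A540-A338A999D36F}'
$groupB  = "$groupA,{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}"
$plugins = '<rule schemaVersion="1.0"><signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/></rule>'

Test-MfuPolicy -GroupA $groupA -GroupB $groupB -DeviceUnlockPlugins $plugins | Format-List

# A PIN-only user on the same policy: the only pair left is PIN + Trusted Signal,
# so without the phone in range this user has no usable second factor.
Test-MfuPolicy -GroupA $groupA -GroupB $groupB -DeviceUnlockPlugins $plugins `
    -EnrolledProviders '{D6886603-9D2F-4EB2-B667-1971041FA96B}' | Format-List
```

The second call is the situation raised in the comments below: the policy itself is valid, but a user who never enrolled a biometric can only complete it through the passive factor. Running the check with -EnrolledProviders per pilot user before assignment avoids that surprise.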

User experience (without a passive factor)

  • I will use my PIN as my first factor (Group A):

  • I am then asked to use a second factor (Group B). In this case I will use facial recognition:

User experience (with a passive factor)

  • I will use my PIN as my first factor (Group A):

  • I am then asked to use a second factor (Group B). In this case I will use my passive factor (bluetooth connection to my phone):


A passive factor is attractive because it is silent and only requires the phone to be nearby. Since users are more likely to carry their phone than their device, adoption is easier, but the security implications must be evaluated: the second factor then proves only that the paired phone is within Bluetooth range, not that its owner is the person at the keyboard.

2 thoughts on “Windows Hello for Business: Multi-factor Unlock”

  1. This is actually a good feature that Microsoft offers; however, there is currently no technical way to enforce biometric usage. If a user has not set up biometrics and is using only a PIN (which, as you know, is the foundation of Windows Hello for Business), enabling the multi-factor unlock policy will prompt the user to enter the PIN twice. This behavior causes confusion for users.

    1. Nicklas Ahlberg

      Hi Alan, thanks for reaching out.

      That is a valid point and I added that to the pre-requisites when I created the post.

      All the best!

      Nicklas
