Windows Hello for Business multi-factor unlock with Intune

This article will describe how to setup Windows Hello for Business multi-factor unlock with Intune

Situation:

Azure AD Joined computers/laptops
Devices managed with MEM (Microsoft Endpoint Manager) – Intune

Target:

Enabling Windows Hello for Business
Enabling multi factor unlock: face recognition + trusted device (smartphone) or PIN

In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a bio metric or PIN. Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account. Windows Hello addresses the following problems with passwords:

Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
Server breaches can expose symmetric network credentials (passwords).
Passwords are subject to replay attacks.
Users can inadvertently expose their passwords due to phishing attacks.

Prerequisites cloud only deployment:

Windows 10, version 1511 or later
Microsoft Azure Account
Azure Active Directory
Azure Multi-factor authentication
Modern Management (Intune or supported third-party MDM), optional
Azure AD Premium subscription – optional, needed for automatic MDM enrolment when the device joins Azure Active Directory

1. Enable Windows Hello for Business in MEM (Intune)

Navigate to Devices – Enroll devices – Windows Hello for Business

Do take care though, these settings here apply to All Users, if you want to start enrolling this you should always work with a POC, you can also create a Configuration Profile for these settings and assign them at a group (Devices – Configuration Profiles – Create profile – Identity protection). l Some settings worth talking about:

Use a Trusted Platform Module (TMP) – Required: A Trusted Platform Module (TPM) provides an additional layer of data security. If set to required, only devices with an accessible TPM can provision Windows Hello for Business. If set to preferred, devices attempt to use a TPM, but if not available will provision using software.
Minimum PIN length: you don’t want the end users to create too easy PINs, so we set a minimum to 6
Maximum PIN length: 127 is the maximum number of PIN length
Lowercase letters in PIN – allowed: if you want complex PINs you can also set this to Required
Uppercase letters in PIN – allowed: same as for lowercase
Special characters in PIN – Allowed: same as for lowercase and uppercase, can be set to Required for complex PINs
PIN expiration (days): the time period after which your end users will have to choose a new PIN
Remember PIN history: they can’t use that same PIN they provided x last times
Allow bio metric authentication – Yes: if you want your end users to login with face or fingerprint you’ll have to choose Yes, they still will have to provide a PIN also in case bio metric authentication doesn’t work
Allow phone sign-in: If allowed, users with Azure Active Directory joined desktops may use a portable, registered device as a companion for desktop authentication. The companion device must be configured with a Windows Hello for Business PIN
Use security keys for sign-in: this is about logging in with security keys – FIDO2 keys. I’ll talk about this in a later blog post.

Enabling this profile will make your end users go through the Windows Hello for Business registration process in which they will choose or set up (facial recognition – fingerprint + PIN)

2. Windows Hello for Business Multi factor unlock explained

Requirements:

Windows Hello for Business deployment (Hybrid or On-premises)
Azure AD joined device (Cloud and Hybrid deployments)
Hybrid Azure AD joined (Hybrid deployments)
Domain Joined (on-premises deployments)
Windows 10, version 1709
Bluetooth, Bluetooth capable phone – optional

Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. Windows 10 offers Multi-factor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. Which organisations can take advantage of Multi-factor unlock? Those who:

Have expressed that PINs alone do not meet their security needs.
Want to prevent Information Workers from sharing credentials.
Want their organisations to comply with regulatory two-factor authentication policy.
Want to retain the familiar Windows sign-in user experience and not settle for a custom solution.

How it works: First unlock factor credential provider and Second unlock credential provider are responsible for the bulk of the configuration. Each of these components contains a globally unique identifier (GUID) that represents a different Windows credential provider. With the policy setting enabled, users unlock the device using at least one credential provider from each category before Windows allows the user to proceed to their desktop. The policy setting has three components:

First unlock factor credential provider
Second unlock factor credential provider
Signal rules for device unlock

Unlock factors: The First unlock factor credential providers and Second unlock factor credential providers portion of the policy setting each contain a comma separated list of credential providers. Supported credential providers include:

Credential Provider	GUID
PIN	{D6886603-9D2F-4EB2-B667-1971041FA96B}
Fingerprint	{BEC09223-B018-416D-A0AC-523971B639F5}
Facial Recognition	{8AF662BF-65A0-4D0A-A540-A338A999D36F}
Trusted Signal (Phone proximity, Network location)	{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}

The default credential providers for the First unlock factor credential provider include:

PIN
Fingerprint
Facial Recognition

The default credential providers for the Second unlock factor credential provider include:

Trusted Signal
PIN

Configure a comma separated list of credential provider GUIDs you want to use as first and second unlock factors. While a credential provider can appear in both lists, remember that a credential supported by that provider can only satisfy one of the unlock factors. Listed credential providers do not need to be in any specific order.

For example, if you include the PIN and fingerprint credential providers in both first and second factor lists, a user can use their fingerprint or PIN as the first unlock factor. However, whichever factor they used to satisfy the first unlock factor cannot be used to satisfy the second unlock factor. Each factor can therefore be used exactly once. The Trusted Signal provider can only be specified as part of the Second unlock factor credential provider list.

Bluetooth signal rules:

You define the Bluetooth signal with additional attribute in the signal element. The Bluetooth configuration does not use any other elements. You can end the signal element with short ending tag “/>”.

Attribute	Value	Required
type	“bluetooth”	yes
scenario	“Authentication”	yes
classOfDevice	“number“	no
rssiMin	“number“	no
rssiMaxDelta	“number“	no

The classofDevice attribute defaults Phones and uses the values from the following table

Description	Value
Miscellaneous	0
Computer	256
Phone	512
LAN/Network Access Point	768
Audio/Video	1024
Peripheral	1280
Imaging	1536
Wearable	1792
Toy	2048
Health	2304
Uncategorized	7936

3. Windows Hello for Business Multi factor configuration in MEM (Intune)

Now in my setup I want my face as first unlock factor, my smartphone as second and we also have a PIN setup just in case (alternative second factor).

Let’s go over my setup:

Devices – Configuration profiles – Custom profile – with three custom OMA-URI’s configured:

First OMA-URI setting:

Name: “Windows Hello Multifactor Unlock – First Unlock Factor”
OMA-URI: “./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupA”
Data type: String
Value: “{8AF662BF-65A0-4D0A-A540-A338A999D36F},{D6886603-9D2F-4EB2-B667-1971041FA96B}”

So explained: my first factor choice is Facial Recognition, but if it fails I can also give in my PIN

Second OMA-URI setting:

Name: “Windows Hello Multifactor Unlock – Second Unlock Factor”
OMA-URI: “./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupB”
Data type: String
Value: “{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B}”

Again explained: my second factor choice is a trusted signal, and as a backup here I also provided my PIN.

Third OMA-URI setting:

Name: “Windows Hello Multifactor Unlock – Unlock Signals Rules”
OMA-URI: “./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/Plugins”
Data type: String
Value: “<rule schemaVersion=”1.0″> <signal type=”bluetooth” scenario=”Authentication” classOfDevice=”512″ rssiMin=”-10″ rssiMaxDelta=”-10″/> </rule>”

Explained: we choose Bluetooth as type, scenario is authentication and the classofdevice is 512, which stands for Phone. If you are creative you can also link your Bluetooth headset, smartwatch, …

Good to know: you can choose multiple things for trusted signal such as network location (ip) – headset – …

Deploy this configuration profile to your correct group.

4. Pairing the smartphone

There is one final step we have to do, pairing the smartphone, otherwise our multi factor unlock won’t work.

Click on Start and then Settings, choose Devices
Select Add Bluetooth or other device
In the Add a device wizard select Bluetooth
Done!

Now that we have successfully paired our Bluetooth smartphone, we are ready to try out Windows Hello for Business Multi-Factor Unlock. Lock your device, sign in with your first factor (facial recognition), then make sure your smartphone is connected or enter your PIN as second factor.