Windows 10 - Force Windows PIN and Hello

    Question

  • Hi,

    I have a DirectAccess environment where clients can connect to our internal network.  However, this is not secure enough, so I want to restrict our Windows 10 clients to Windows Hello plus a PIN to authenticate with AD.

    I've implemented the Group Policy for the client, but it is allowing a regular authentication also.  Is there any way of forcing 2 factor and not just a password?

    Thanks.

    Tuesday, May 10, 2016 8:40 AM

Answers

  • I achieved this with the following:

    In Group Policy for the DA client OU, add the CLSID below into Computer Configuration -> Administrative Templates -> System -> Logon -> Exclude credential providers.

    {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}

    This enforces Hello and prevents a user from entering their AD credentials.  They must have enrolled before the client is added to the OU, which locks this down.

    • Marked as answer by MattRW Friday, June 17, 2016 11:21 AM
    Friday, June 17, 2016 11:21 AM
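The accepted answer configures one policy setting and relies on an ordering constraint (enrol Hello first, then exclude the password provider). The PowerShell below is an added example, not code from the thread or from Microsoft: it audits which credential providers a Windows 10 client has registered, checks whether the local user already has a Hello container (via the NgcSet line of dsregcmd /status), and only then writes the same comma-separated ExcludedCredentialProviders value that the Group Policy setting writes. The registry paths and the value format are taken from the CredentialProviders.admx policy definition; the CLSID is the one quoted in the answer. It is meant for an elevated test session on a single machine; in production the value should come from the GPO, which will overwrite anything set by hand at the next refresh.

```powershell
# Added example: audit and (cautiously) apply the "Exclude credential providers" policy.
# Assumptions: run elevated on a Windows 10 client; paths below are what the
# CredentialProviders.admx setting writes; CLSID is the password provider quoted in the thread.

$PasswordProviderClsid = '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyValue = 'ExcludedCredentialProviders'
$ProviderKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-RegisteredCredentialProviders {
    # Every registered provider is a subkey named by its CLSID; the key's default
    # value carries a friendly name (e.g. "PasswordProvider", "NGC Credential Provider").
    Get-ChildItem -Path $ProviderKey | ForEach-Object {
        [pscustomobject]@{
            Clsid = $_.PSChildName
            Name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    }
}

function Get-ExcludedCredentialProviders {
    # The policy value is a single REG_SZ holding comma-separated CLSIDs.
    $raw = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue).$PolicyValue
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Test-HelloEnrolled {
    # dsregcmd /status prints "NgcSet : YES" in its User State section once the
    # logged-on user has a Hello (NGC) key container. This is per user, so run it
    # as the user who will be locked down, not as a separate admin account.
    $status = & dsregcmd.exe /status 2>$null
    return [bool]($status | Select-String -Pattern '^\s*NgcSet\s*:\s*YES' -Quiet)
}

function Set-PasswordProviderExcluded {
    param([switch]$Force)
    # Guard against the lock-out the thread warns about: no Hello container means
    # no remaining way to sign in once the password provider is gone.
    if (-not $Force -and -not (Test-HelloEnrolled)) {
        throw 'No Windows Hello container found for this user; enrol Hello first (or pass -Force).'
    }
    $excluded = @(Get-ExcludedCredentialProviders)
    if ($excluded -notcontains $PasswordProviderClsid) { $excluded += $PasswordProviderClsid }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value ($excluded -join ',') -Type String
}

# Audit: show each registered provider and whether policy currently excludes it.
$excludedNow = @(Get-ExcludedCredentialProviders)
Get-RegisteredCredentialProviders |
    Select-Object Clsid, Name, @{ n = 'Excluded'; e = { $excludedNow -contains $_.Clsid } } |
    Format-Table -AutoSize

"Hello enrolled for current user: $(Test-HelloEnrolled)"

# Apply only after reviewing the audit output above:
# Set-PasswordProviderExcluded
```

The audit table is the part worth running before touching policy: it confirms the CLSID in the answer really is the PasswordProvider on the build you are on, and it shows whether a Hello provider is registered at all. Because the exclusion is machine-wide while enrolment is per user, every account that signs in to the machine needs a Hello container before the policy lands, which is exactly why the answer stages the OU move after enrolment.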

All replies

  • Hi,
    You may consider Microsoft Passport, which is a two-factor authentication (2FA) system that combines a PIN or biometrics (via Windows Hello) with encrypted keys from a user's device to provide two-factor authentication.
    The biometric authentication feature helps strengthen authentication and helps guard against potential spoofing through fingerprint matching and facial recognition.
    You could see more details from:
    Convenient two-factor authentication with Microsoft Passport and Windows Hello
    https://blogs.windows.com/buildingapps/2016/01/26/convenient-two-factor-authentication-with-microsoft-passport-and-windows-hello/
    Windows Hello biometrics in the enterprise
    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-hello-in-enterprise

    Regards,
    Wendy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 11, 2016 1:50 AM
    Moderator
  • Hi Wendy,

    I have implemented 2 factor authentication via Group Policy - Windows Passport.  It allows a user to authenticate with their face.  However, I can bypass this and just enter my AD credentials also.  By doing that, I have not 2 factor authenticated.  So the problem is how I can enforce Windows Hello / Passport.  Personally I don't see that it is possible, which is a shame as DA is a great product but will probably struggle with PCI and other standards.

    Cheers Matt.

    Friday, May 13, 2016 8:42 AM
  • Hi,
    Have you followed the blog as I suggested as above to enable Windows Passport? If not, please have a try.

    In addition, since the issue is more related to Windows10, I suggest that you could also post your questions in Windows10 forum:
    https://social.technet.microsoft.com/forums/en-us/home?forum=win10itprogeneral
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.

    Regards,
    Wendy



    Monday, May 16, 2016 2:00 AM
    Moderator
    I have a question concerning your solution.  We have a similar situation and issue: not being able to force WHfB on VPN users.  We have tried your solution and it works well.  However, our question is, what happens when a user has to change their password, or if they are using the PIN-only part of WHfB and they forget their PIN?
    Monday, August 07, 2017 7:40 PM
  • I have the same problem, same questions, and not sure I like this solution (but will test for sure). Microsoft needs to allow something like Azure MFA to integrate with the Windows 10 login. With Azure MFA you have texting, push notification, or the fail safe of answering the questions you fill out when you register your account. I don't see the point of enabling Windows Passport/WHfB if someone can still steal your password and just skirt the system to login.

    I will say though that we went through a PCI audit, and I do believe (everyone can interpret PCI differently - I know) that WHfB w/ MFA does check the MFA box for PCI. They just require you prove you are who you say you are, which WHfB w/ MFA does. If written company policy says you have to use WHfB w/ MFA then entering your password is not PCI or company compliant. The fact you can still enter it is not an issue for PCI though because you have policy to back that up.

    • Edited by KevinK6 Tuesday, August 14, 2018 12:59 PM
    Tuesday, August 14, 2018 12:53 PM