Is Windows 2 factor authentication Hello?

More and more companies are using Windows Hello to allow their users to login or unlock their Windows 10 devices, because using a PIN or Facial Recognition is more secure than a password.
But there are situations when using a PIN code isn`t that secure as it seems. When you are working at a Starbucks where someone watched you entering your PIN and waits for you to leave your laptop unmanaged for a few seconds, it is very easy for that person to unlock your laptop. A solution for this is requiring a second factor to unlock your device; Windows Hello Multifactor Device Unlock.

With Multifactor Device Unlock the user unlocks his device by using two credential providers. This can be a combination of PIN, Facial recognition, Fingerprint or Trusted Signal. A trusted signal can be a trusted network for example or a phone connected via Bluetooth.
In this blogpost we use PIN or a biomatric gesture as first unlock factor and a trusted network or a phone with Bluetooth as second unlock factor. As fallback we can use PIN as second factor (if the PIN is not used as first factor) or the user can authenticate using the password.

How does this look like for the user:

1. User authenticates with PIN or biomatric gesture as first unlock factor
2. Windows Hello verifies the first factor. First factor passed.
3. Windows Hello checks the device is connected with a trusted network. Second factor passed, user is logged on.
4. If the device is not connected to a trusted network, Windows Hello checks for the Bluetooth connected phone. Second factor passed, user is logged on.
5. If Windows Hello doesn`t detect the phone, the user is allowed to use the PIN (if not already used as first factor) or use the password.

Configuration

Pre-requisites:
Windows Hello for Business enabled
Windows 10 1709 or later (1803 when using Intune to configure this)
(Azure) AD
Bluetooth capable device (optional)

To get Multifactor Device Unlock configured we can use Policy CSP PassportForWork which can be found here.
Using the node DeviceUnlock of this policy we can set the first and second unlock credential providers and the unlock plugins.
In GroupA we configure the first unlock credential provider, in GroupB the second credential provider and in Plugins we configure the unlock signals.

The credential providers are set using there GUID.

The credential provider and the related GUIDs:
Facial Recognition: {8AF662BF-65A0-4D0A-A540-A338A999D36F}
PIN: {D6886603-9D2F-4EB2-B667-1971041FA96B}
Fingerprint: {BEC09223-B018-416D-A0AC-523971B639F5}
Trusted Signal: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}

Because we use Bluetooth as one of the trusted signals, we also need to set the corresponding classofDevice attribute. The default attribute is Phone, but there are multiple possible values.

Available classofDevices values:
Miscellaneous: 0
Computer: 256
Phone: 512
LAN/Network Access Point: 768
Audio/Video: 1024
Peripheral: 1280
Imaging: 1536
Wearable: 1792
Toy: 2048
Health: 2304
Uncategorized: 7936

Now that we have the required information, it`s time to set the Intune policies.

1. Open the Device Management portal and click Device Configuration– Profiles;
2. On the Profiles tab click Create Profile and provide the required information;
   Name: Provide the preferred name of the policy
   Description: Provide a description (Optional)
   Platform: Windows 10 and later
   Profile type: Custom
3. On the Custom OMA-URI Settings tab click Add to open the Add Row tab. On the Add Row tab provide the following information and click OK;
   Name: Provide the preferred name of row
   Description: Provide a description (Optional)
   OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupA
   Data type: String
   Value: {8AF662BF-65A0-4D0A-A540-A338A999D36F},{D6886603-9D2F-4EB2-B667-1971041FA96B},{BEC09223-B018-416D-A0AC-523971B639F5}

1. Click Add again to add the second row.
2. On the Add Row tab provide the following information and click OK;
   Name: Provide the preferred name of row
   Description: Provide a description (Optional)
   OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/GroupB
   Data type: String
   Value: {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B}

1. Click Add to add the third row.
2. On the Add Row tab provide the following information and click OK;
   Name: Provide the preferred name of row
   Description: Provide a description (Optional)
   OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DeviceUnlock/Plugins
   Data type: String
   Value: see printscreen below

To see all the options you have when configuring Trusted Signals, like the different options for ipconfig have a look at this Microsoft doc.

User-experience

Now let`s have a look at the user experience.
When I`m at the office and connected to the corporate (trusted) network with Gateway 192.168.10.1 and DNSsuffix interchange.nl, I only need to authenticate once. With my PIN, facial recognition or fingerprint.
When I`m not at the office, but my Bluetooth phone is connected to my laptop, I only need to authenticate once.

But when I`m not at the office and my phone is not connected to my laptop, I need to authenticate a second time.
As you can see in this picture it first tries to verify my network.

And after the network verification fails, it tries to verify my phone.

When both network and phone failed to verify, it shows me a message:
Cannot verify additional factor. Use another sign-in option.
I can click on Sign-in options, to pick another sign-in option to authenticate a second time.

That`s all to further secure your Windows 10 devices using Windows Hello for Business!

Is Windows 2 a hello factor?

Does Windows MFA count Hello?

Is Windows biometric for Hello?

What is Windows Hello instead of CVC?