Add MFA support to secure the Windows 10 logon
Creating a way to secure the logon to a Windows 10 workstation with MFA would then remove much of the complexity required to secure all the applications installed upon it (such as DA etc.).
This would need to have the ability to store offline logins somehow, which is possible with RSA SecurID.
It would add the final touches to a really great solution.
For requiring additional factors with Windows Hello for Business, please see https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock
For why PIN is better than a password, please see https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password
For Authenticator app sign-in to Azure AD, please see https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-phone-sign-in
As always, other feedback is welcome.
MFA without using Hello or biometrics would be great. I'd like to force users to password + MFA, if possible, on device login.
We use MFA for Office 365 via the authenticator app already. I assumed I could enable MFA on my domain computers (was even hoping via group policy), then it would just be a matter of configuring it in Azure and computer logins would start behaving the same way as office 365 logins do now. Would be even better if the computer would just display a QR code that you have to scan with your device. After a short search I end up here and discover that MS are off on a tangent that will probably take a year or two to correct.
Hotmail accounts do it right with Microsoft Authenticator. Do the same for O365 Business Premium / Azure AD.
David Fraley commented
I concur with the vast majority of comments in this thread in that I do not believe that Windows Hello provides true MFA for Windows 10 devices.
If a laptop is stolen, then the stealing party only needs to figure out the "something I know" element (i.e. the PIN code). Our company is in negotiations to do NIST 800-171 vendor audits and we don't plan to accept Windows Hello as MFA for laptops.
Come on Microsoft, your Azure solution is pretty cool, but Windows Hello does not qualify as MFA if the laptop is stolen. The Azure and Windows teams need to get their act together on this issue.
Tim Evers commented
Because we do not have this extra verification, if a laptop gets stolen the attacker only needs the PIN from Windows Hello to access lots of company data, as we automatically log into OneDrive, SharePoint, Outlook, Teams and Edge.
We would like to use the Microsoft Authenticator as an extra second factor to lower the probability of this. Right now it feels like working online in Office 365, where we have enabled multi-factor, is better secured than the Windows 10 devices.
Rob Czymoch commented
We implemented WHfB and quite frankly it's a terrible solution. A PIN tied to the TPM is not enough, so you really need to configure additional factors. For example, a phone connected via Bluetooth: unreliable, because Windows 10 is and continues to be terrible at handling Bluetooth connections. So then use biometrics. If you have to buy USB fingerprint scanners, it is equally unreliable because Windows 10 is and continues to handle such USB devices poorly. Of course the natural solution is to introduce the use of the Microsoft Authenticator as the additional factor; apparently not a natural solution according to the Windows 10 team that handles this feature.
Louis Henn commented
How MS can think that a PIN is secure beats me. Surely a PIN is easier to brute force than a proper policy-controlled password? Also, using a PIN doesn't authenticate you to legacy on-premise resources like file servers. Windows Hello is dumb and should be discontinued and replaced with something much smarter, IMHO.
Bjorn L commented
For on-prem AD, WHfB is not easy or end-user friendly. We have had a POC running for the last months; biometrics are not always working and need to be purchased for our PC desktops. RDP is also used, which complicates it further.
Windows 10 + PIN + MFA (Microsoft Authenticator) would be awesome, with full RDP support. Only then can we adhere to the "new" password best practices.
Michael Schooley commented
When has Microsoft EVER done anything correctly? This one is funny because of the Security & Compliance page in O365 Admin, where they act like they are the one stop shop for government compliance. Whoever is in charge of that for MS better start reading NIST 800-171. Securing the desktops with MFA for users who access sensitive information is imperative.
These are our requirements, and I guess they match at least 50% of all enterprises.
First login on a device:
Username + PW + MFA
(To set up Biometric configuration)
VDI / remote / fallback login (require internet access):
Username + PW + MFA
[Deleted User] commented
We have MFA set up in Azure and for 365 it works. The Windows 10 preview build 18348 has the ability to do it with the 'sign in' feature, but after sending the auth to the Authenticator, it fails to send it to the DC. So PLEASE roll it OUT! We all need this so badly given all of the OneDrive etc. phishes that 365 Exchange cannot seem to filter.
I agree with the others that Windows Hello is not a good solution for an IT person in an enterprise. Unfortunately, a full solution like Duo/Okta is too expensive.
Pierce Radtke commented
Windows Hello - PIN negates MFA authentication. Real-world example:
An average joe/jane remote user is in public location and uses their PIN to log on to their Workstation.
Hacker/Thief is recording said entry of PIN with a cell phone.
The hacker/thief can now steal the workstation and log on with access to everything online, without the necessity of MFA verification once logged on.
Or (and more likely) an employee of devious intent sets up a spy camera to watch the user enter their PIN while in a "Secure Location" - then while the user is on their Lunch accesses their machine.
Allowing Admins to disable the PIN or enable MFA authentication with the Microsoft Authenticator App would prevent this obvious hole in security.
Azure AD Team: you need to implement something smarter. Hello is a terrible tool. Please go visit and learn how your competitors are doing it "right", i.e. Duo, before you come out with the dumbest solution.
Microsoft MFA needs to provide options for high security organizations in a similar fashion as RSA or Duo to be a competitor. Hello for Business doesn't provide the same complexity or scalability. Only being able to register 10 users is a deal breaker. A simple PIN does not satisfy auditors either.
Brett Spector commented
This is such a no-brainer. I wish Microsoft would throw us a bone. Is it technically really hard, or is there another reason why the one thing they haven't applied MFA to is the Windows 10 login?
Joe Steele-Thurston commented
I think there are 2 solid reasons to implement this as a feature:
1) It makes Azure AD Premium licensing to implement MFA more attractive, and puts the Azure AD MFA on par with solutions like Duo (who can already do the thing we're asking Windows 10 to do).
2) It means I only have to implement one MFA solution for all of my things, reducing solution complexity during deployment.
I really hope this is added as a feature in newer versions of Win 10, as this is sort of a deal breaker for deployment as a solution in most organizations that I support. Having this added means I can use this as THE solution. Not having it means I have to use a different solution, which is already going to do the other things this does for the most part.
Unless I absolutely have to, I really don't want to implement multiple-multi-factor solutions. Mainly because it's hard to say ten-times-fast.
Yuri NLD commented
>>> I upvote this idea, because I want to log in to a Windows 10 Azure AD joined device by using Azure MFA with Conditional Access. <<<
Of course..., we also need a solution when we are offline and need to logon to the device... ;)
I agree with Luke: having the domain-joined machine be 1 of the two factors is insane. There should be a standard username, password, and 2FA code or MS Authenticator push.
Luke Page commented
The Azure AD Team's response is ludicrous. We don't want to make the system even less secure by reverting from username and password to username and PIN...
We need to have a username, password and 2FA code (generated in the same way as the Azure AD web experience). Surely this cannot be that difficult to implement. Windows Hello is not enough if a device does not have a fingerprint or iris scanner.