Add MFA support to Secure the Windows 10 logon
Creating a way to secure the Logon to a Windows 10 workstation with MFA would then remove much of the complexity required to secure all the applications installed upon it (such as DA etc).
This would need to have the ability to store offline logins somehow, which is possible with RSA SecurID.
It would add the final touches to a really great solution.
For requiring additional factors with Windows Hello for Business, please see – https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock
For why PIN is better than a password, please see https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password
For Authenticator app sign in to Azure AD, please see https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-phone-sign-in
As always, other feedback is welcome
Andy Wright commented
We are looking for a solution to this. Third-party or open-source aren't really an option when we use Intune and AAD for everything else.
Sharique Ahmed commented
+1 to Justin King
Justin King commented
I'm surprised that there seems to be no traction here.
There are lots of legacy systems that are simply not going away in the next 10 years, so it seems pretty clear that we might want to at least force MFA on a Windows server host to protect said system. Providers like Duo and Centrify have done this for years ... yet Microsoft doesn't feel the need to handle this natively?
Andy B commented
The ability to MFA login into Windows workstations & servers, along with offline 2nd factors (e.g. RSA key), is critical for us.
The Windows Hello option is not a valid solution here. The "PIN is better than password" article suggestion misses the point entirely.
Extremely important to our org if you want us to consider buying an MS ERP.
Microsoft got it wrong by believing that organizations are only interested in MFA at the application and not the device. We aren't using Azure MFA/WHFB until this feature is available. Like most have said here, that is not true MFA.
Anthony R Berger commented
I agree that this should be a priority for MS as they become very serious about business applications and products. I just purchased Microsoft E3 plans because the MS Rep said, oh yeah, this handles MFA for Windows Login, and now I am like WTF, scammed by the rep into a feature that doesn't even exist? Come on.....
WHFB sucks... We need real MFA.
Brian Perkinson commented
Please complete the engineering for MFA for Windows login. This type of security is available from 3rd parties, like Duo. MFA is no longer a luxury for our environment, it is a requirement.
Come on guys, this is 2019. I want to see MFA available from Microsoft, for Windows login. Other companies like ESET are already offering it. You're losing ground here.
Also looking for this
Troy Ridgley commented
The problem with WHFB is that it leaves a gaping hole in security for any corporation which requires 2-factor for every single interactive login AND passwords which expire every 30 days.
Why? Because unless you disable the password credential OR set policy to require WHFB for interactive logon, the user can simply select the key/password credential and get signed in with username and password. This is not acceptable.
Unless you disable passwords for user accounts, WHFB is nothing more than a convenience auth similar to the convenience PIN they had in the first place. Implementing policy to require WHFB does stop password use for interactive login, but it breaks the built-in capability to effectively handle expired password scenarios. Users must change their password using a device without WHFB, Azure SSPR, or go through a very clunky process for Windows to finally recognize that the password is expired in the first place.
When your password expires, you try your fingerprint, it works, then it validates your second factor, then you get an error: "Something happened and your PIN isn't available. Choose another sign-in option and set up your PIN again by going to Settings > Accounts > Sign-in Options."
Next you must select the password credential and this time it lets you enter your password, and finally you get a notice that your password must be changed.
The users are going to have a fit with this. It is not user friendly, but at this point it seems we have no choice.
The reason I am asking for MFA as a factor is because we have regulatory requirements to keep passwords with a 30 day expiration and we already leverage MFA for VDI Azure O365 cloud, etc. Why not use it here as well?
Just chiming in to agree with previous comments: "The ability to require a user to approve the sign in via the Microsoft Authenticator app is the goal of this request. You already have this with terminal services, porting this to Windows 10 should be requisite."
I have bought the M365 E3 security suite to get MFA for RADIUS and Office MFA conditional support for enhanced security, and feel that inclusion of AD-joined computers into this solution should be added. I only purchased the add-on license because it was cheaper than DUO. Please don't make me drop licenses to migrate to DUO if you can't provide a unified enterprise solution that can be centrally managed utilizing Azure MFA..... My EA is set to expire next year, and my continued use of MS licenses will be reduced dramatically, instead of expanded dramatically, at renewal if the product is not enhanced for the desired functionality. MS Authentication with code support at login would be great, as it would accommodate "offline" laptop users... DUO does this already...
1. Create agent that can be deployed to workstations that adds support for Azure MFA management or add through OS update / patches / whatever
2. Make available a GPO to manage configuration of the agent to add the desired Azure MFA support to the login process. That way we can target the computers on which we want to enable the functionality. Provide options in the agent config, through GPO, that would allow options to: whitelist based off networks, utilize local AD if available as fallback, or designate a local account exception to requiring MFA... Just trying to add options folks may want for configuration.
Heck, if you are worried about Windows Hello branding, just call this an additional enhancement to Windows Hello for Azure MFA cloud enhanced security support.....lol
Just a Thought.......
The ability to require a user to approve the sign in via the Microsoft Authenticator app is the goal of this request. You already have this with terminal services, porting this to Windows 10 should be requisite.
Thorsten, try the following steps:
Using Group Policy settings:
If you are on Windows 10 Pro edition, you can change the group policy settings to disable the PIN sign-in option for all users.
1. Open the Run dialog box by pressing the Windows key and the R key together.
2. Type GPEDIT.MSC and hit the Enter key.
3. Go to Computer Configuration -> Administrative Templates -> System -> Logon.
4. On the right side, double-click on "Turn on PIN sign-in" and select Disabled.
5. Similarly, disable the other Windows Hello options, if any.
6. Exit the Group Policy Editor and reboot the computer.
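The GPEDIT steps above, and the "disable the password credential" option Troy Ridgley mentions earlier in the thread, both come down to a handful of registry-backed policy values. The script below is an added example written for this page, not code from the thread or from Microsoft: it sets the same values with PowerShell so they can be pushed to a lab machine and read back for verification. The registry paths and value names are taken from the System.admx, PassportForWork.admx and Biometrics.admx templates and from the password credential provider's CLSID as published in Microsoft's Windows Hello for Business documentation; treat them as assumptions and confirm them against the template on your own build before relying on them.

```powershell
# Added example (not from the thread or from Microsoft). Run elevated.
# Local policy only; a domain GPO that configures the same settings wins.
#
# Assumed policy -> registry mapping:
#   "Turn on PIN sign-in" (System > Logon)          -> HKLM\SOFTWARE\Policies\Microsoft\Windows\System\AllowDomainPINLogon
#   "Use Windows Hello for Business"                 -> HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\Enabled
#   "Allow the use of biometrics"                    -> HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Enabled
#   "Exclude credential providers" (System > Logon)  -> HKLM\SOFTWARE\Policies\Microsoft\Windows\System\ExcludedCredentialProviders

#Requires -RunAsAdministrator

$helloPolicies = @(
    @{ Name = 'Turn on PIN sign-in';            Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Value = 'AllowDomainPINLogon' },
    @{ Name = 'Use Windows Hello for Business'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'; Value = 'Enabled' },
    @{ Name = 'Allow the use of biometrics';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics';      Value = 'Enabled' }
)

# Steps 4 and 5 above: set each Windows Hello policy to Disabled (0), or clear it
# again ("Not configured") so the machine goes back to its defaults.
function Set-HelloLogonPolicy {
    param([Parameter(Mandatory)][ValidateSet('Disabled', 'NotConfigured')][string]$State)
    foreach ($p in $helloPolicies) {
        if ($State -eq 'Disabled') {
            New-Item -Path $p.Path -Force | Out-Null
            New-ItemProperty -Path $p.Path -Name $p.Value -PropertyType DWord -Value 0 -Force | Out-Null
        } elseif (Test-Path $p.Path) {
            Remove-ItemProperty -Path $p.Path -Name $p.Value -ErrorAction SilentlyContinue
        }
    }
}

# Read the values back so the result can be checked before the reboot in step 6.
function Get-HelloLogonPolicy {
    foreach ($p in $helloPolicies) {
        $raw = $null
        $item = Get-ItemProperty -Path $p.Path -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties[$p.Value]) { $raw = $item.PSObject.Properties[$p.Value].Value }
        if ($null -eq $raw)   { $state = 'Not configured' }
        elseif ($raw -eq 0)   { $state = 'Disabled' }
        elseif ($raw -eq 1)   { $state = 'Enabled' }
        else                  { $state = "Unexpected ($raw)" }
        [pscustomobject]@{ Policy = $p.Name; Registry = "$($p.Path)\$($p.Value)"; State = $state }
    }
}

# The opposite direction, from Troy's comment: remove the password credential
# provider from the logon screen so only Windows Hello for Business remains.
# CLSID below is the password provider's (assumed from Microsoft's documentation).
# Caveat: the thread describes this breaking the expired-password flow, so test
# on one machine with a known recovery path (another admin credential provider,
# or an offline registry edit) before deploying it anywhere.
function Set-PasswordProviderExcluded {
    param([Parameter(Mandatory)][bool]$Exclude)
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $passwordProviderClsid = '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'
    if ($Exclude) {
        New-Item -Path $path -Force | Out-Null
        New-ItemProperty -Path $path -Name 'ExcludedCredentialProviders' -PropertyType String -Value $passwordProviderClsid -Force | Out-Null
    } elseif (Test-Path $path) {
        Remove-ItemProperty -Path $path -Name 'ExcludedCredentialProviders' -ErrorAction SilentlyContinue
    }
}

# Usage: replicate the GPEDIT steps, then show the resulting state.
Set-HelloLogonPolicy -State Disabled
Get-HelloLogonPolicy | Format-Table -AutoSize
# The logon screen reads these at policy refresh, so refresh (or reboot, as in step 6).
gpupdate /target:computer /force
```

The two functions are deliberately separate: disabling PIN and Hello is low-risk and leaves password logon in place, whereas excluding the password provider is the change that actually forces a non-password factor at the logon screen and is the one that needs a tested recovery path.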
We want to prevent users from logging on to Windows without using Windows Hello or MFA. And we want to implement that with a native Microsoft solution, not a third-party application.
Zackary Catton commented
Our users hate having to now remember a PIN AND their password, not to mention they are asked to change both of them regularly. The default number of days to change each is different, so it effectively doubles the amount of disruption the password changes cause. Lots don't have TPM chips or cameras or fingerprint scanners. Just make it an option for the natural login screen to do MFA, please. Allow admins to restrict by computer with GPO/Intune whether a computer requires it to login, so we do not defeat the purpose of MFA, and let them deal with just the one password and one form of additional verification on a phone or security key/card.
The "additional factors" option for WHfB seems to be for hybrid environments only, is a solution for cloud only in the works?
MFA without using Hello or biometrics would be great - I'd like to force users to password + MFA if possible on device login.
We use MFA for Office 365 via the Authenticator app already. I assumed I could enable MFA on my domain computers (was even hoping via group policy), then it would just be a matter of configuring it in Azure, and computer logins would start behaving the same way as Office 365 logins do now. It would be even better if the computer would just display a QR code that you have to scan with your device. After a short search I end up here and discover that MS are off on a tangent that will probably take a year or two to correct.