Add MFA support to Secure the Windows 10 logon
Creating a way to secure the Logon to a Windows 10 workstation with MFA would then remove much of the complexity required to secure all the applications installed upon it (such as DA etc).
This would need to have the ability to store offline logins somehow which is possible with RSA SecurID.
It would add the final touches to a really great solution.
For requiring additional factors with Windows Hello for Business, please see – https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock
For why PIN is better than a password, please see https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password
For Authenticator app sign in to Azure AD, please see https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-phone-sign-in
As always, other feedback is welcome
We need Azure MFA/Authenticator app for MFA at Windows 10 logon. Support for Windows Server domain-joined PCs too. There are requirements that some organizations MUST require MFA for device authentication, and WHfB doesn't classify as MFA for the device. Duo Security offers exactly what we're after, but as we've standardized everything in our org on Azure MFA/Authenticator, it's painful that we have to deploy a new service to satisfy a security factor we can do otherwise. The ability to do true MFA with a push notification is desperately needed.
And don't tell me WHfB is MFA... the thing you're logging into cannot be the "thing I have" as part of MFA.
The ability to do Azure MFA at the local Windows 10 logon level is needed!
This is BAD NEWS that Microsoft Authenticator doesn't work with Windows 10 Login.
This is MUCH needed for business customers!
I spent time with tier-1 tech support and even they didn't know the answer and expected it to work. I found this site myself.
Taking a look at DUO....
I can't believe that Microsoft does not offer MFA for local log-ins. This feature request should be at the top of the list.
Jarrod Johnston commented
The documentation regarding the LACK of ability to secure Windows local logins using Azure MFA is quite frustrating. Even the links posted by the Admin above do NOT indicate that Azure MFA is not supported MFA software for Windows login. Please update the documentation on the Azure MFA pages to state that Windows Login protection is NOT possible. As someone stated below, MS's lack of clarity is a huge time waste, as the documentation is ambiguous and does not clearly state the limitation.
For anyone finding this, please be aware, Azure MFA does NOT work with Windows Logins under any circumstance or configuration or workaround. If you wish to do MFA at the desktop, you need to choose another 3rd party tool.
Mary Kay Cassidy commented
The fact that MFA is not available at login for Windows 10 devices is really disappointing. I just spent the majority of a work week trying to make this work because Microsoft's documentation was very deceiving and unclear about MFA functionality. We are in a hybrid Azure AD environment, and MS's Authentication guide clearly states under Prerequisites what is necessary in Hybrid AD. It even states that using Conditional Access policies you can prevent sign-ins from unknown locations and insecure devices. I could have saved a minimum of 20 - 30 hours if MS's documentation had been clear and concise regarding when/where MFA is available. I am EXTREMELY dissatisfied with this complete lack of appropriate and straightforward documentation.
I cannot tell you how disappointed I am with Microsoft for not creating a straightforward way to easily integrate their MFA with Windows Logon. It's really a glaring mistake and is driving customers to use 3rd party solutions (DUO, OneLogin, etc...) which do this easily. It took us 15 minutes to set up DUO with AD and another 15 to integrate it with Microsoft Conditional Access to get a complete top-to-bottom solution up and running. 30 minutes total.
Microsoft has to do a better job integrating their cloud MFA solution with their on-premise infrastructure. How is it that DUO can do this but MS can't?
I wholeheartedly agree that businesses need the option to protect Windows 10 logins with MFA. By not offering this option, Microsoft is driving their customers to use a competitor's solution, as well as causing inconvenience and arguably a security risk for IT departments that have to manage multiple authentication services. If I have to use DUO to secure my Windows workstation logins, and MS Azure MFA to secure my applications and services, that's 2 sets of admin credentials instead of one, which means an increased risk of losing track of those credentials. Not to mention the increased cost of licenses, and the increased strain on time/effort/expertise to have to support the various services involved. If you can trigger the MFA prompt upon the Azure Intune MDM enrollment attempt, then it should be straightforward to trigger the same prompt for EVERY Windows login attempt. I truly cannot understand why there is no check box, or configuration policy, that allows me to set this up.
Babulu Sahu commented
We want this feature desperately. It is a common requirement now. Why is Microsoft taking so much time to develop the functionality?
All we are asking for is to get the feature that is already available for personal consumers. Why do we, as Azure AD paid customers, deserve to have fewer features?
Paul M. Kochie commented
I'd like PIN + Microsoft Authenticator app on my cell. My computers are Hybrid joined. My Azure AD account requires MFA when I access online resources but not when I log in to my computer.
+1 for this. WHfB is not the correct solution. With Conditional Access and a Hybrid Azure AD Joined device, I can do a lot with device compliance and protecting apps, data and identity, but somehow still cannot properly protect on-premise access without investing in a 3rd party solution.
Microsoft must generate a solution to activate MFA at the login of computers connected to a domain, be they Windows, Mac or Linux.
A helpful reminder here that if you follow advice to turn on Windows Hello in an environment that doesn't support it, you'll never be able to turn it off again unless you fully erase your device.
Abou Alzahab, Abdul Jalil commented
We can have something close to, or even better than, the ManageEngine solution:
+1 for MFA on Windows login. Much needed in our organization. Please add to the top of the list for feature requests.
Andy Wright commented
We are looking for a solution to this. 3rd party or open source aren't really an option when we use Intune and AAD for everything else.
Sharique Ahmed commented
+1 to Justin King
Justin King commented
I'm surprised that there seems to be no traction here.
There are lots of legacy systems that are simply not going away in the next 10 years, so it seems pretty clear that we might want to at least force MFA on a Windows Server host to protect said system. Providers like Duo and Centrify have done this for years... yet Microsoft doesn't feel the need to handle this natively?
Andy B commented
The ability to MFA login into Windows workstations & servers, along with offline 2nd factors (e.g. RSA key), is critical for us.
The Windows Hello option is not a valid solution here. The "PIN is better than password" article suggestion misses the point entirely.