In today’s digital world, security is more important than ever. Passwords alone no longer provide sufficient protection against data loss and unauthorized access. This is where Windows Hello for Business comes into play. This modern authentication method from Microsoft enables companies to authenticate their employees more securely using biometric data such as facial recognition or fingerprints, along with additional unlock factors like PIN codes or trusted signals. Furthermore, Windows Hello for Business supports multi-factor unlock, combining several authentication factors to make device access even more secure. This multi-factor unlock offers a significant security advantage by integrating multiple layers of protection, thereby significantly reducing the risk of security breaches.

This article provides a step-by-step guide for setting up Windows Hello for Business with multi-factor unlock using Microsoft Intune. The example configuration utilizes biometric data and trusted signals from the corporate network to enhance security while simultaneously improving user convenience.

Prerequisites and Licensing

To set up Windows Hello for Business multi-factor unlock, the following prerequisites must be met:

Operating System
Windows 10 Pro or higher, with the latest build and fully patched
Windows 11 Pro or higher, with the latest build and fully patched

TPM
Trusted Platform Module (TPM)

Hardware for Biometric Authentication
Fingerprint scanner and/or camera for facial recognition

User Authentication
Users have set up a PIN as well as facial recognition and/or fingerprint for Windows Hello for Business.

Device Registration
The devices are managed with Microsoft Intune.

License
This guide uses Microsoft Intune for configuration and rollout, and therefore requires at least Microsoft Intune P1 or higher.
An overview of Microsoft 365 license packages with their features can be accessed at https://m365maps.com/.

Enabling Windows Hello for Business Multi-Factor Unlock

The configuration of Windows Hello for Business is managed through a policy in the Microsoft Intune admin center (https://intune.microsoft.com).

Create a New Policy for Windows Hello for Business.

Devices > Manage devices > Configuration > Policies > Create > New Policy

Select Platform Windows 10 and later (1), Profile type Settings catalog (2), then create the policy by clicking Create (3).

Name the configuration profile (e.g., WCP_WHfB) and click Next.

Select Add settings (1), set the filter to Windows Hello for Business (2) and choose Windows Hello for Business (3).

Enable the following settings for Windows Hello for Business with multi-factor unlock. Additional settings can be added and customized according to your specific requirements.

  1. Allow Use of Biometrics: True
  2. Require Security Device: True
  3. Group A: GUIDs of the allowed credential providers for the first unlock factor (comma-separated list)
  4. Group B: GUIDs of the allowed credential providers for the second unlock factor (comma-separated list)
  5. Device Unlock Plugins: trusted signal

In our example, the following credential providers are allowed for the first unlock factor (Group A (3), comma-separated list):

  • PIN {D6886603-9D2F-4EB2-B667-1971041FA96B}
  • Fingerprint {BEC09223-B018-416D-A0AC-523971B639F5}
  • Facial Recognition {8AF662BF-65A0-4D0A-A540-A338A999D36F}

For the second unlock factor, the following credential providers are allowed (Group B (4), comma-separated list):

  • Trusted Signal {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}
  • PIN {D6886603-9D2F-4EB2-B667-1971041FA96B}
  • Fingerprint {BEC09223-B018-416D-A0AC-523971B639F5}
  • Facial Recognition {8AF662BF-65A0-4D0A-A540-A338A999D36F}

For the Device Unlock Plugins (5), a trusted signal from the corporate network is configured. This ensures that the second factor is automatically recognized, and the user only needs to successfully complete the first unlock factor within the corporate network.
IPv4 Gateway: 192.168.125.2
DNS Suffix: int.cloudcoffee.ch

A detailed list and description of all credential providers can be found in the following article on Microsoft Learn: Multi-factor unlock | Microsoft Learn

Create scope tags according to individual needs.

The assignment to devices can be customized here according to your specific needs.

The settings will be displayed for review once more, and the policy will be created by clicking Create.

After synchronizing the configuration profile with the device, a restart of the device is required.

Functionality Check

The above step-by-step guide configures the following user experience for login behavior.

Device Inside the Corporate Network

The device is connected to the corporate network. The following credential providers are available for the first unlock factor:

  • PIN
  • Fingerprint
  • Facial Recognition
  • Password

If the password login should not be displayed, please refer to the configuration tips section.

Since the device connects to the corporate network, it meets the requirements for the second unlock factor through the trusted signal of the IPv4 gateway (192.168.125.2) and the DNS suffix (int.cloudcoffee.ch). The second unlock factor is thus recognized and authenticated without user interaction.
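The Device Unlock Plugins setting carries the trusted-signal rule as XML. The following PowerShell snippet is an added example (not code from the original article): it builds the rule for the gateway and DNS suffix used above and then checks whether the machine it runs on would currently see that signal, i.e. whether Group B would be satisfied without user interaction.

```powershell
# Added example (not from the original article): build the trusted-signal rule
# for the "Device Unlock Plugins" setting and check whether this machine would
# currently satisfy it. The rule/signal type="ipConfig" schema is the one
# documented by Microsoft for multi-factor unlock; the values are the article's.
param(
    [string]$Ipv4Gateway = '192.168.125.2',
    [string]$DnsSuffix   = 'int.cloudcoffee.ch'
)

# All <signal> elements inside one <rule> must match (AND);
# several <rule> elements would be alternatives (OR).
$ruleXml = @"
<rule schemaVersion="1.0">
  <signal type="ipConfig">
    <ipv4Gateway>$Ipv4Gateway</ipv4Gateway>
    <dnsSuffix>$DnsSuffix</dnsSuffix>
  </signal>
</rule>
"@

# Make sure the string is well-formed XML before pasting it into Intune.
[xml]$parsed = $ruleXml
$signal = $parsed.rule.signal
Write-Host "Plugins value to paste into the Intune policy:`n$ruleXml"

# Local check: is exactly this IPv4 default gateway and connection-specific
# DNS suffix present on any adapter right now?
$gateways = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue).NextHop
$suffixes = (Get-DnsClient -ErrorAction SilentlyContinue).ConnectionSpecificSuffix
$gatewayOk = $gateways -contains $signal.ipv4Gateway
$suffixOk  = $suffixes  -contains $signal.dnsSuffix

[pscustomobject]@{
    Ipv4GatewayPresent = $gatewayOk
    DnsSuffixPresent   = $suffixOk
    # Only when both hold is the second unlock factor met by the trusted signal.
    TrustedSignalMet   = ($gatewayOk -and $suffixOk)
}
```

Run it on a device inside and outside the corporate network to confirm the two behaviours described in this section before rolling the policy out widely.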

Device Outside the Corporate Network

The device is not connected to the corporate network. The following credential providers are available for the first unlock factor:

  • PIN
  • Fingerprint
  • Facial Recognition
  • Password

If the password login should not be displayed, please refer to the configuration tips section.

The device does not detect a trusted signal and therefore prompts for authentication with a second unlock factor. The second unlock factor must be different from the first unlock factor used for this login.

  • PIN
  • Fingerprint
  • Facial Recognition
  • Password

Configuration Tips

Enable Passwordless User Interface

This setting hides the password prompt in the authentication options of the Windows login and prompts the user to sign in with Windows Hello for Business. However, login with username and password remains possible for RDP connections and UAC prompts (run as administrator).

If necessary, sign-in can still be performed using the Other User option with a password.

Create the necessary policy for the passwordless experience as follows:

Devices > Manage devices > Configuration > Policies > Create > New Policy

Select Platform Windows 10 and later (1), Profile type Settings catalog (2), then create the policy by clicking Create (3).

Name the configuration profile (e.g., WCP_Passwordless_Experience) and click Next.

Select Add settings (1), Authentication (2) and Enable Passwordless Experience (3). Choose Enabled. The Passwordless experience will be enabled on Windows (4).

Create scope tags according to individual needs.

The assignment to devices can be customized here according to your specific needs.

The settings will be displayed for review once more, and the policy will be created by clicking Create.

Excluding the password credential provider

By excluding the password credential provider, users can no longer log in with a password. Instead, Windows Hello for Business must be used. This change also affects RDP connections and UAC prompts (run as administrator), which will no longer allow sign-in with username and password.

Sign-in options passwordless experience

Sign-in with a password using the Other User option is no longer possible.

Create the necessary policy to exclude credential providers as follows:

Devices > Manage devices > Configuration > Policies > Create > New Policy

Select Platform Windows 10 and later (1), Profile type Settings catalog (2), then create the policy by clicking Create (3).

Name the configuration profile (e.g., WCP_Exclude_Credential_Provider) and click Next.

Select Add settings (1), Administrative Templates > System > Logon (2), enable Exclude credential providers (3). Enter {60b78e88-ead8-445c-9cfd-0b87f74ea6cd} in the field Exclude the following credential providers (4).

Create scope tags according to individual needs.

The assignment to devices can be customized here according to your specific needs.

The settings will be displayed for review once more, and the policy will be created by clicking Create.
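To verify on a device that the providers referenced in Group A, Group B and the exclusion policy are actually registered, and that the password provider is excluded after the policy has applied, the following PowerShell check can be used. It is an added example, not part of the original article; the two registry paths are the ones used by the Windows credential-provider framework and by the Exclude credential providers policy (assumption: verify them on your build).

```powershell
# Added example (not from the original article): list the credential providers
# registered on this device, label the GUIDs the article uses, and report
# whether the password provider is currently excluded by policy.
# Registry paths are an assumption based on the credential-provider framework
# and the "Exclude credential providers" ADMX policy; verify on your build.
$providerRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$policyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# GUIDs from the article's Group A / Group B lists and the exclusion policy.
$known = @{
    '{D6886603-9D2F-4EB2-B667-1971041FA96B}' = 'PIN'
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 'Fingerprint'
    '{8AF662BF-65A0-4D0A-A540-A338A999D36F}' = 'Facial Recognition'
    '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}' = 'Trusted Signal'
    '{60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}' = 'Password'
}

# The policy stores excluded providers as a comma-separated REG_SZ.
$excludedRaw = (Get-ItemProperty -Path $policyKey -Name ExcludedCredentialProviders `
                -ErrorAction SilentlyContinue).ExcludedCredentialProviders
$excluded = @()
if ($excludedRaw) {
    $excluded = $excludedRaw -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() }
}

$report = Get-ChildItem -Path $providerRoot | ForEach-Object {
    $guid = $_.PSChildName.ToUpperInvariant()
    [pscustomobject]@{
        Guid             = $guid
        Name             = (Get-ItemProperty -Path $_.PSPath).'(default)'
        Role             = if ($known.ContainsKey($guid)) { $known[$guid] } else { '' }
        ExcludedByPolicy = $excluded -contains $guid
    }
}
$report | Sort-Object Role -Descending | Format-Table -AutoSize

# Missing GUIDs here mean the corresponding unlock factor cannot work on this device.
$missing = $known.Keys | Where-Object { $_ -notin $report.Guid }
if ($missing) { Write-Warning "Not registered on this device: $($missing -join ', ')" }

$passwordExcluded = $excluded -contains '{60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}'
"Password credential provider excluded by policy: $passwordExcluded"
```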

Troubleshooting

Configuration Policy Conflict

Windows Hello for Business is enabled by default in every Microsoft tenant. To avoid conflicts during the rollout of the multi-factor unlock settings, it must be ensured that this default policy is set to Not configured.

Devices > Device onboarding > Enrollment > Enrollment options > Windows Hello for Business

Set options Configure Windows Hello for Business and Use security keys for sign-in to Not configured.


WHfB Enrollment options
