Auditing Windows Hello for Business

Question

Tuesday, January 22, 2019 5:04 PM

Hello,

We are implementing Windows Hello for Business for MFA in our domain. The reason for doing this (aside from the added security) is a vendor requirement and therefore an audit point. Is there a way to show an auditor that Windows Hello for Business is in use, enforced and cannot be circumvented? I know that the TPM on the device where the user enrolls becomes one method (something you have) and therefore a PIN or fingerprint (something you are/know) counts as the second factor. The trouble with that is it is difficult to show an auditor that you are using MFA when a finger swipe logs you in. Are there any events/logs/settings/registry entries that would help?

All replies (6)

Friday, January 25, 2019 8:58 AM ✅Answered

Hi,

The Configure device unlock factors policy setting is located under Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business. Also, multi-factor unlock writes events to the event log under Application and Services Logs\Microsoft\Windows\HelloForBusiness with the category name Device Unlock. Let's assume this situation: when the auditor comes to a computer, the computer owner signs in to the system with his/her PIN, fingerprint or facial recognition. Then, by checking the policy and event logs, we find that Windows Hello for Business (MFA) is configured correctly and enabled to apply. And in the event logs, we can find the corresponding entry for this sign-in action (Unlock attempt). I guess this should be enough to prove that Windows Hello for Business is actually in effect. Not sure about your deploy mode, but I suspect this should be appropriate for environments that are using MFA.

You can check the following link for more details: /en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock

If there is anything else we can do for you, please feel free to post in the forum. Thank you for choosing Microsoft.

 

Best regards,

Zoe Mo

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
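
One way to gather, on a single device, the evidence the answer above describes (applied policy plus Device Unlock events). This is an added example, not part of the original thread or Microsoft's own tooling. The registry locations, the `Microsoft-Windows-HelloForBusiness/Operational` channel name and the output folder are assumptions to verify in your environment.

```powershell
# Added example: collect Windows Hello for Business audit evidence on one device.
# Run in the audited user's session (NgcSet is per user); elevate for computer-scope gpresult data.
$outDir = Join-Path $env:TEMP ("whfb-evidence-{0:yyyyMMdd-HHmmss}" -f (Get-Date))  # hypothetical folder
New-Item -ItemType Directory -Path $outDir | Out-Null

# 1. Policy values as applied on this device (registry locations are assumptions).
$policyKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork',
              'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock'
$policy = @(foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        $item = Get-Item $key
        foreach ($name in $item.Property) {
            [pscustomobject]@{ Key = $key; Name = $name; Value = $item.GetValue($name) }
        }
    } else {
        [pscustomobject]@{ Key = $key; Name = '(key not present)'; Value = $null }
    }
})
if ($policy.Count -gt 0) {
    $policy | Export-Csv (Join-Path $outDir 'policy.csv') -NoTypeInformation
}

# 2. Resultant Set of Policy report: shows which GPO delivered the settings.
gpresult /h (Join-Path $outDir 'gpresult.html') /f | Out-Null

# 3. Whether the current user has a Hello credential enrolled on this device.
$ngc = @(dsregcmd /status | Select-String -Pattern 'NgcSet')

# 4. Events from the HelloForBusiness log, filtered to the Device Unlock category.
$logName = 'Microsoft-Windows-HelloForBusiness/Operational'   # assumed channel name
$events = @(Get-WinEvent -LogName $logName -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskDisplayName -eq 'Device Unlock' } |
    Select-Object TimeCreated, Id, LevelDisplayName, TaskDisplayName, Message)
if ($events.Count -gt 0) {
    $events | Export-Csv (Join-Path $outDir 'device-unlock-events.csv') -NoTypeInformation
}

# Summary for the auditor's worksheet, also saved next to the other evidence.
$summary = [pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    User               = "$env:USERDOMAIN\$env:USERNAME"
    PolicyValuesFound  = @($policy | Where-Object { $null -ne $_.Value }).Count
    NgcState           = ($ngc | ForEach-Object { $_.Line.Trim() }) -join '; '
    DeviceUnlockEvents = $events.Count
    EvidenceFolder     = $outDir
}
$summary | ConvertTo-Json | Set-Content (Join-Path $outDir 'summary.json')
$summary
```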


Thursday, January 24, 2019 9:28 AM

Hi,

As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization.

Windows Hello for Business, which is configured by Group Policy or mobile device management (MDM) policy, uses key-based or certificate-based authentication. Which mode is your organization using to deploy Windows Hello for Business: the Cloud Only Deployments, Hybrid Deployments or On-premises Deployments mode? For different deployment modes, policies and configurations may have some differences; you can check them on the devices to audit whether Windows Hello for Business is in use, enforced and cannot be circumvented.

For more details, you can check the following link for reference: /en-us/windows/security/identity-protection/hello-for-business/hello-deployment-guide

If there is anything else we can do for you, please feel free to post in the forum. Thank you for choosing Microsoft.

 

Best regards,

Zoe Mo



Thursday, January 24, 2019 3:09 PM

We are enforcing the Windows Hello for Business (WHB) through group policy. The trouble we run into is while we can show that the group policy is configured and applied, how do we show an auditor that it is actually in effect?


Wednesday, January 30, 2019 1:40 AM

Hi,

What is your current situation? Have you solved the problem? Please remember to mark the replies as answers if they help. If you have any other questions, please feel free to post back. Thank you for choosing Microsoft.

Best regards,
Zoe Mo



Wednesday, January 30, 2019 2:18 PM

That's what we were looking for, thanks!


Thursday, January 31, 2019 1:31 AM

Hi,

You are welcome! I am glad to hear that your issue was successfully resolved.

As always, if you have any questions in the future, we warmly welcome you to post in this partner forum again. We are happy to assist you!

Best regards,

Zoe Mo
