How to set up Windows 10 logons to require MFA without third-party software

Many people do not realize that you can set up Windows 10 logons to require multi-factor authentication (MFA) with no third-party software. The only requirements are that your PC supports Bluetooth and that you have a Bluetooth-capable phone (or another Bluetooth device that can serve as your second factor).

The key is the multifactor unlock feature that Microsoft added to Windows Hello for Business, which lets users configure MFA even when the PC is not joined to a domain. To set up MFA using the most common elements (a Windows Hello PIN and a smart phone), all you need to do is pair your phone with your PC and then configure one group policy setting. Once the group policy setting is "Enabled", it defaults to the most common combination (PIN + phone).

First, pair your phone with your computer: go to Settings | Devices and make sure your phone is listed under "Other devices". If it is not, add it with the "+ Add Bluetooth or other device" button at the top of the page.

Second, open group policy on your PC by running "gpedit.msc" from the Run or search window (the setting exists on Windows 10, version 1709 and later). Under "Local Computer Policy" expand "Computer Configuration" | "Administrative Templates" | "Windows Components" | "Windows Hello for Business". Double-click "Configure device unlock factors" and click "Enabled". The three fields in the window below should be filled in automatically, but if they are not, here is the configuration for using a PIN as the first factor and a Bluetooth-enabled phone as the second factor:

  • First unlock factor credential providers (PIN, Facial Recognition, Fingerprint):
    {D6886603-9D2F-4EB2-B667-1971041FA96B},{8AF662BF-65A0-4D0A-A540-A338A999D36F},{BEC09223-B018-416D-A0AC-523971B639F5}
  • Second unlock factor credential providers (Trusted Signal, PIN):
    {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B}
  • Signal rules for device unlock:
    <rule schemaVersion="1.0"> <signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/> </rule>

A few notes on what these values mean. The PIN appears in both lists so that a user who unlocks with a biometric first can use the PIN as the second factor; Windows will not accept the same provider for both factors, so the PIN alone never satisfies the policy. In the signal rule, classOfDevice="512" is the Bluetooth major device class for a phone, so a paired headset or mouse does not count as the second factor, and rssiMin and rssiMaxDelta are signal-strength (RSSI, in dBm) thresholds that bound how far from the PC the phone may be; the values shown are Microsoft's defaults.

Here is the list of credential provider GUIDs if you want to change the device unlock factors:

  • PIN: {D6886603-9D2F-4EB2-B667-1971041FA96B}
  • Fingerprint: {BEC09223-B018-416D-A0AC-523971B639F5}
  • Facial Recognition: {8AF662BF-65A0-4D0A-A540-A338A999D36F}
  • Trusted Signal (phone proximity or network location): {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}
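Clicking through gpedit.msc works for one PC, but it is hard to verify on many machines or to catch a rule that was loosened later. The following PowerShell script is an added example, not code from the original post: it applies the PIN + phone configuration above, audits the policy as stored in the registry (known GUIDs in both lists, Trusted Signal present as a second factor, a bluetooth rule for classOfDevice 512 with the default RSSI threshold) and checks that the paired phone is currently visible. It assumes the policy lives under HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock with values Enabled, GroupA, GroupB and Plugins (names taken from the PassportForWork CSP), and that Plugins can be read as a string or string array; confirm the key and value types against PassportForWork.admx on your system before relying on it.

```powershell
# Added example (not from the original post): apply and audit the
# "Configure device unlock factors" policy from PowerShell.
#
# ASSUMPTION: the policy is stored under
#   HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock
# with values Enabled (DWORD), GroupA (first unlock factors), GroupB (second
# unlock factors) and Plugins (signal rules). Value names come from the
# PassportForWork CSP; verify key and value types against PassportForWork.admx.

$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock'
$TrustedSignal = '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}'

# Credential provider GUIDs from the policy description.
$Providers = @{
    '{D6886603-9D2F-4EB2-B667-1971041FA96B}' = 'PIN'
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 'Fingerprint'
    '{8AF662BF-65A0-4D0A-A540-A338A999D36F}' = 'Facial Recognition'
    '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}' = 'Trusted Signal'
}

# The default PIN + phone configuration described in the post.
$DefaultGroupA  = '{D6886603-9D2F-4EB2-B667-1971041FA96B},{8AF662BF-65A0-4D0A-A540-A338A999D36F},{BEC09223-B018-416D-A0AC-523971B639F5}'
$DefaultGroupB  = '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B}'
$DefaultPlugins = '<rule schemaVersion="1.0"><signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/></rule>'

function ConvertFrom-GuidList {
    param([string]$List)
    # The policy stores comma-separated GUIDs; normalise whitespace and case.
    if ([string]::IsNullOrWhiteSpace($List)) { return @() }
    return @($List -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() } | Where-Object { $_ })
}

function Set-PinPlusPhonePolicy {
    # Writes the default configuration. Run elevated. Plugins is written as
    # REG_SZ here (assumption; the ADMX may use REG_MULTI_SZ).
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name Enabled -Value 1               -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name GroupA  -Value $DefaultGroupA  -Type String
    Set-ItemProperty -Path $PolicyKey -Name GroupB  -Value $DefaultGroupB  -Type String
    Set-ItemProperty -Path $PolicyKey -Name Plugins -Value $DefaultPlugins -Type String
}

function Test-DeviceUnlockPolicy {
    # Returns one string per finding; no output means the policy looks like PIN + phone.
    $findings = @()
    if (-not (Test-Path $PolicyKey)) {
        return "Policy key $PolicyKey not found: multifactor unlock is not configured."
    }
    $p = Get-ItemProperty -Path $PolicyKey
    if ($p.Enabled -ne 1) { $findings += 'Policy key exists but Enabled is not 1.' }

    $groupA = ConvertFrom-GuidList $p.GroupA
    $groupB = ConvertFrom-GuidList $p.GroupB
    foreach ($g in ($groupA + $groupB)) {
        if (-not $Providers.ContainsKey($g)) { $findings += "Unknown credential provider GUID: $g" }
    }
    if ($groupA.Count -eq 0 -or $groupB.Count -eq 0) {
        $findings += 'Both unlock factor lists must be populated.'
    }
    if ($groupB -notcontains $TrustedSignal) {
        $findings += 'Second unlock factors do not include Trusted Signal: the phone is not required.'
    }
    # Windows does not let one provider satisfy both factors, so two identical
    # single-entry lists leave the user with no working combination at all.
    if ($groupA.Count -eq 1 -and $groupB.Count -eq 1 -and $groupA[0] -eq $groupB[0]) {
        $findings += 'First and second factor are the same single provider: no valid combination.'
    }

    # Plugins may be a string or a string array; wrap in <root> because several
    # <rule> elements are allowed and a bare multi-element fragment would not parse.
    $rulesText = ($p.Plugins -join "`n")
    try   { [xml]$rules = "<root>$rulesText</root>" }
    catch { return ($findings + "Signal rules are not well-formed XML: $($_.Exception.Message)") }

    $bt = @($rules.SelectNodes('//signal[@type="bluetooth"]'))
    if ($bt.Count -eq 0) { $findings += 'No bluetooth signal rule defined.' }
    foreach ($s in $bt) {
        if ($s.scenario -ne 'Authentication') { $findings += "Bluetooth rule scenario is '$($s.scenario)', expected 'Authentication'." }
        if ($s.classOfDevice -ne '512')      { $findings += "classOfDevice $($s.classOfDevice) is not 512 (Phone)." }
        # RSSI is in dBm: a more negative rssiMin accepts a weaker, i.e. more distant, phone.
        if ([int]$s.rssiMin -lt -10)          { $findings += "rssiMin $($s.rssiMin) accepts a phone farther away than the default of -10." }
    }
    return $findings
}

function Test-PairedPhone {
    # True when a paired Bluetooth device with this friendly name is present (Status OK).
    param([Parameter(Mandatory)][string]$FriendlyName)
    $dev = @(Get-PnpDevice -Class Bluetooth -FriendlyName $FriendlyName -ErrorAction SilentlyContinue)
    return [bool]($dev | Where-Object { $_.Status -eq 'OK' })
}

# Usage: Set-PinPlusPhonePolicy (elevated) once, then audit on any PC.
$issues = @(Test-DeviceUnlockPolicy)
if ($issues.Count -eq 0) { Write-Output 'Device unlock policy matches PIN + phone.' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

The audit deliberately treats a missing Trusted Signal in the second list, a non-phone classOfDevice and a loosened rssiMin as findings, because each of those turns "PIN + phone" back into "PIN alone" or "PIN + any Bluetooth device nearby" without any visible change at the lock screen.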

If you do not have your phone with you, the second factor fails and the lock screen shows "Couldn't verify additional factor. Please use a different sign-in option." Click "Sign-in options" and enter your full password (not the PIN) to sign in without the phone. Keep in mind what this fallback means: the password provider remains available, so the PC is still only as well protected as the account password, and entering a PIN followed by a password is two knowledge credentials rather than two distinct factors. The phone requirement raises the bar for the Windows Hello path but does not replace a strong password.

THIS BLOG POST IS BY
Todd received his MBA from Villanova University and his B.S. in Electrical Engineering from Penn State. Prior to joining Adaptive Solutions as Director of Datacenter Operations in January 2008, Todd worked for his own consulting firm for the last ten years providing technical expertise for a variety of large and mid-sized corporate clients including General Motors (Saturn Division) in Delaware. Todd assumed the role of Chief Technology Officer in December of 2012. In his current role with Adaptive Solutions, Todd helps to set best practices and technology standards for the company. Todd also has a wide range of expertise, including VDI, virtualization, and numerous Microsoft technologies, as well as document management. Todd maintains numerous Microsoft Engineer certifications and is considered an expert in the field of server and desktop virtualization.