How to setup Windows 10 logons to require MFA without third-party software


Many people do not realize that you can set up Windows 10 logons to require multi-factor authentication (MFA) with no third-party software. The only requirements are that your PC supports Bluetooth and that you have a Bluetooth-capable phone (or another Bluetooth device that can serve as your second factor).

The key is a set of additions Microsoft made to Windows Hello for Business that allow users to configure MFA even when the PC is not joined to a domain. To set up MFA using the most common elements (a Windows Hello PIN and a smartphone), all you need to do is pair your phone to your PC and then configure one group policy setting. Once that setting is “Enabled” it defaults to the most common combination (PIN + phone).

First, pair your phone to your computer by going to Settings | Devices and making sure your phone is listed under “Other devices”. If it is not, add it with the “+ Add Bluetooth or other device” button at the top of the page.

Second, open the local group policy editor on your PC by running “gpedit.msc” from the Run or search window. Then, under “Local Computer Policy”, expand “Computer Configuration” | “Administrative Templates” | “Windows Components” | “Windows Hello for Business”. Double-click “Configure device unlock factors” and click “Enabled”. The options in the lower part of the window should be filled in automatically, but if they are not, here is the configuration for using a PIN as the first factor and a Bluetooth-enabled phone as the second factor:


  • First unlock factor credential providers:
    {D6886603-9D2F-4EB2-B667-1971041FA96B},{8AF662BF-65A0-4D0A-A540-A338A999D36F},{BEC09223-B018-416D-A0AC-523971B639F5}
  • Second unlock factor credential providers:
    {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B}
  • Signal rules for device unlock:
    <rule schemaVersion="1.0"> <signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/> </rule>

Here is the list of credential provider GUIDs, in case you want to change the device unlock factors:

  • PIN                 {D6886603-9D2F-4EB2-B667-1971041FA96B}
  • Fingerprint         {BEC09223-B018-416D-A0AC-523971B639F5}
  • Facial Recognition  {8AF662BF-65A0-4D0A-A540-A338A999D36F}
  • Trusted Signal      {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}

In the event you do not have your phone with you, you can click “Sign-in options” below the message “Couldn’t verify additional factor. Please use a different sign-in option.” This lets you enter your full password (not your PIN) in place of the phone; in that case your two logon factors are the PIN and the full password.
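Here is an added PowerShell example (not from the original post) that audits the resulting policy and lists which first/second factor pairs it actually permits; with the defaults above it also shows that face or fingerprint plus PIN satisfies both groups even when the phone is absent. It assumes the policy is stored under the registry path named in the script; the GUIDs and the signal rule are the ones shown above.

```powershell
# Added example (not from the original post): audit the "Configure device unlock
# factors" policy and list which factor combinations it actually permits.
# Assumption: the policy lands in the registry path below, with values GroupA
# (first factors), GroupB (second factors) and Plugins (signal rules).
$PolicyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock'
$TrustedSignal = '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}'
$ProviderNames = @{   # GUID-to-name table, taken from the post
    '{D6886603-9D2F-4EB2-B667-1971041FA96B}' = 'PIN'
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 'Fingerprint'
    '{8AF662BF-65A0-4D0A-A540-A338A999D36F}' = 'Facial Recognition'
    $TrustedSignal                            = 'Trusted Signal'
}
function Test-DeviceUnlockPolicy {
    param([string]$GroupA, [string]$GroupB, [string]$Plugins)
    # With no arguments, read the live policy from the registry.
    if (-not $GroupA -and (Test-Path $PolicyPath)) {
        $p = Get-ItemProperty -Path $PolicyPath
        $GroupA = $p.GroupA; $GroupB = $p.GroupB; $Plugins = $p.Plugins
    }
    if (-not $GroupA -or -not $GroupB) { throw 'Device unlock factors are not configured.' }
    $first  = @($GroupA -split ',' | ForEach-Object { $_.Trim().ToUpper() })
    $second = @($GroupB -split ',' | ForEach-Object { $_.Trim().ToUpper() })
    $name   = { param($g) if ($ProviderNames.ContainsKey($g)) { $ProviderNames[$g] } else { "UNKNOWN $g" } }
    foreach ($g in ($first + $second)) {
        if (-not $ProviderNames.ContainsKey($g)) { Write-Warning "Unrecognised credential provider $g" }
    }
    # A Trusted Signal factor only works if a signal rule exists; parse and summarise it.
    $signals = @()
    if (($first + $second) -contains $TrustedSignal) {
        if (-not $Plugins) { throw 'Trusted Signal is listed as a factor but no signal rule is configured.' }
        [xml]$rule = $Plugins
        $signals = @($rule.rule.signal | ForEach-Object {
            "type=$($_.type) scenario=$($_.scenario) classOfDevice=$($_.classOfDevice) rssiMin=$($_.rssiMin) rssiMaxDelta=$($_.rssiMaxDelta)" })
    }
    # Any first/second pairing is allowed except presenting the same factor twice.
    $combos = foreach ($a in $first) { foreach ($b in $second) {
        if ($a -ne $b) { '{0} + {1}' -f (& $name $a), (& $name $b) } } }
    [pscustomobject]@{
        FirstFactors          = @($first  | ForEach-Object { & $name $_ })
        SecondFactors         = @($second | ForEach-Object { & $name $_ })
        PermittedCombinations = @($combos)
        SignalRules           = $signals
    }
}
# Constructed call using the defaults shown in the post (PIN + Bluetooth phone).
Test-DeviceUnlockPolicy `
    -GroupA  '{D6886603-9D2F-4EB2-B667-1971041FA96B},{8AF662BF-65A0-4D0A-A540-A338A999D36F},{BEC09223-B018-416D-A0AC-523971B639F5}' `
    -GroupB  '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD},{D6886603-9D2F-4EB2-B667-1971041FA96B}' `
    -Plugins '<rule schemaVersion="1.0"><signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/></rule>'
```

Run it with no arguments on a machine where the policy is applied to audit the live configuration instead of the constructed values.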

THIS BLOG POST IS BY
Todd is the Chief Technology Officer and has been working in the field of legal IT since the early 1990s. In his role at Adaptive, Todd functions as our most senior systems engineer. He works closely with our customers on the proper design and scaling of back-end and front-end network upgrades, including both desktop and server virtualization, backup and DR, document management, and best practices for ongoing service and support. Specialties: • Technology Strategy & Roadmap • Infrastructure Design & Optimization • Technology Needs Assessments • Disaster Recovery / Business Continuity • Virtualization Design & Implementation
