Configuring Windows Hello for Business dynamic lock

The last few weeks – before my vacation – were all about Windows Hello for Business, and especially about unlocking devices by using Windows Hello for Business functionalities. This week, however, is a little different. This week is about the automatic lock functionality of Windows Hello for Business. That functionality is Windows Hello for Business dynamic lock. Dynamic lock enables organizations to automatically lock devices when users step away from their device. That automatic lock can be achieved by using the Bluetooth signal of a paired phone. The device will automatically lock when the signal of that paired phone falls below the configured minimum value. Of course, automatically locking the device doesn’t prevent users from forgetting to lock their device, but it does prevent the …

Configuring Windows Hello for Business multi-factor unlock

This week continues the journey through Windows Hello for Business. The last weeks were all about requiring the use of Windows Hello for Business, while this week is all about requiring the use of something extra with Windows Hello for Business. That something extra is a second unlock factor. By default, Windows requires the use of a single authentication factor to verify the identity of a user and to unlock the device. And even though the construction of Windows Hello for Business can be considered multi-factor authentication, as it combines something that you have (e.g. a device with a hardware TPM) with something that you know (e.g. a PIN) or with something that you are (e.g. a fingerprint), the unlock factor of the device with …

Excluding the password credential provider

This week is a follow-up to last week's post. In that post there was a reference to the option to completely exclude the password credential provider to force the user into using Windows Hello for Business. This week is all about that option to exclude the password credential provider – and basically any other credential provider – from use during authentication. Credential providers are the primary mechanism for authenticating users in Windows and verifying their identity. Those credential providers are shown to the user as small tiles, each representing a different option to authenticate in Windows. With Windows 10 and later, credential providers are also used for authenticating users in apps, websites, and more. By installation default, Windows already provides a …

Requiring the use of Windows Hello for Business for interactive logons

This week is all about Windows Hello for Business. Windows Hello for Business provides a really convenient and user-friendly method to authenticate in Windows, as it enables users to verify their identity by using a gesture (face, fingerprint or PIN). More importantly, however, Windows Hello for Business is also an important step in the transition to a passwordless environment, as it replaces the need for the traditional username-password authentication with a strong two-factor authentication on Windows devices. By default, Windows Hello for Business will be an additional method to get authenticated in Windows. When working towards a passwordless environment, it’s important to also take further actions for Windows devices, by preventing the use of the traditional username-password and by requiring the use of Windows Hello …

Enable PIN reset from the login screen

This week I’m going for an end-user experience focused blog post. This week is all about the PIN reset option on the login screen. In other words, the I forgot my PIN option. Starting with Windows 10, version 1709, it’s now possible to enable the I forgot my PIN option from the login screen. When using Windows Hello for Business, which can be configured during the Windows enrollment, by using Microsoft Intune, the PIN is the fallback mechanism when it’s not possible to authenticate with biometrics. In other words, the PIN is really important. In this post I’ll provide the required configuration to provide the user with the I forgot my PIN option from the login screen. I’ll do that by assuming that the user …