Windows 10 Multi-Factor Authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction. MFA provides additional protection against brute force and other password-based attacks. Three common MFA options available in Windows 10 are:
- Picture Password
- PIN
- Windows Hello (biometric support for facial, iris and fingerprint recognition, companion devices, etc.)
Active Directory Integration
All three of the MFA options in scope for this briefing can be enabled and disabled through Active Directory Group Policy.
Dependencies & Prerequisites
In order to implement these MFA options, the following capabilities need to be present:
| MFA Option | Prerequisite | Notes |
|---|---|---|
| Picture Password | Windows 8 or newer | The PC must be running Windows 8, 8.1 or 10. Of course Windows 8 is no longer in mainstream support. |
| Picture Password | Touch interface | The feature is aimed at devices with a touch interface; the gestures can also be drawn with a mouse. |
| PIN | TPM | A TPM is strongly recommended, and can be made mandatory through policy ("Use a hardware security device"), so that the Windows Hello key the PIN unlocks is protected in hardware. The PIN itself is never transmitted and is only valid on the device where it was set up. |
| Windows Hello | PIN enabled | Windows Hello requires that PIN sign-in be enabled; the PIN is the fallback when a biometric does not match. |
| Windows Hello Facial Recognition | Supported camera | Windows Hello facial recognition requires a supported infrared camera. Currently the Intel RealSense 3D camera is one of the most common supported; over time other cameras will also be supported. |
| Windows Hello Fingerprint | Supported fingerprint reader | Windows Hello fingerprint recognition requires a supported fingerprint reader. |
| Windows Hello Companion Device | Supported companion device | An authenticator app on a companion device such as a mobile phone or wearable is used to authorize access. |
Windows 10 MFA integrates with Microsoft Passport (since renamed Windows Hello for Business) and with Active Directory to provide seamless authentication across a number of common use cases.
The Microsoft MFA options considered for this briefing are typically intended to act as a substitute for regular password authentication. There will be scenarios where the password is still required, but for the majority of use cases the password will not be needed if the end user is using one of the described MFA options.
The Microsoft MFA solutions addressed are designed to strike a balance between security and ease of use. Most users report that MFA is convenient enough that they do not consider it an undue burden.
| MFA Option | Functionality Description |
|---|---|
| Picture Password | The user must correctly reproduce three gestures (circles, straight lines and taps) on an image of his or her choosing. |
| PIN | The user must correctly enter a PIN (length and complexity are controlled through GPO). |
| Hello Facial Recognition | While the lock screen is shown, the device camera looks for the user's face. Once the face is recognized, the device unlocks. |
| Hello Fingerprint Recognition | The user places a registered finger on the device's fingerprint reader. If the print matches, the user is signed in to the account with which the print is registered. |
| Hello Companion Device | The user is prompted to authorize access on a companion device with a PIN, a push notification or a biometric prompt. |
If one method fails, the user falls back to the next: Windows Hello biometrics fall back to the PIN, and the PIN or picture password falls back to the password, so the password still has to be strong and protected.
All of the MFA solutions considered can be deployed using GPO with minimal impact on current end-user login methods. Microsoft continues to add sign-in options to this list with each Windows 10 release.
All of the addressed solutions treat the device as one of the authentication factors: a PIN, picture password or biometric on its own is a single factor, and it is the binding of that credential to one specific device that makes the combination multi-factor. PINs, picture passwords and biometric templates are not stored or managed centrally, so they must be enrolled and managed on a per-device basis; a user with three devices has three independent PINs.
It is recommended that end-user training take place to ensure that staff understand the additional authentication options and any additional precautions that might be required to safeguard the additional factors.
Consider integrating with Azure Active Directory for more advanced Conditional Access options.
Issues and Caveats
There are known issues and methods to bypass some of the Microsoft MFA options addressed.
| MFA Option | Known Issues |
|---|---|
| Picture Password | Users must take care to avoid being watched while entering a picture password, which may not be ideal in crowded environments. Users must also clean the device screen regularly: smudges make it easier for someone else to reproduce the gestures. |
| PIN | Users must take care to avoid being watched while entering a PIN, which may not be ideal in crowded environments. Users must also clean the device screen regularly to avoid smudges that narrow down the PIN. |
| Hello Facial Recognition | A user can inadvertently unlock a device by entering the camera's field of view, and an unsuspecting user may be "tricked" into unlocking a device by somebody who quickly "flashes" the device in front of them. Microsoft states that Hello facial recognition relies on infrared scanning of features and is not "fooled" by photographs or even identical twins; treat this as a vendor claim, and enable the "Configure enhanced anti-spoofing" policy on cameras that support it. |
| Hello Fingerprint Recognition | There are known issues with false negatives caused by changes to fingers due to injury or environmental conditions (cold, heat, humidity, etc.). |
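The briefing says the options above are switched on through Group Policy and that PIN complexity and anti-spoofing are policy-controlled, but it does not show how. The script below is an added example (not code from the original briefing): it builds the GPO on an admin host with the RSAT GroupPolicy module, then audits a workstation for the hardware prerequisites and the policy values it actually received. The GPO name and OU are placeholders; the registry-backed policy names are those of the Windows 10 ADMX files (verify them against your central store), and the minimum PIN length of 8 is a chosen value, not a Microsoft default.

```powershell
# Added example, not part of the original briefing.
# Assumptions: RSAT GroupPolicy module on the admin host; GPO name and OU are
# placeholders; registry policy names match the Windows 10 ADMX files.

$LogonPolicyKey = 'SOFTWARE\Policies\Microsoft\Windows\System'
$HelloPolicyKey = 'SOFTWARE\Policies\Microsoft\PassportForWork'
$FacePolicyKey  = 'SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'

function New-Win10MfaPolicy {
    param(
        [string]$GpoName  = 'Win10 MFA Baseline',                 # placeholder
        [string]$TargetOu = 'OU=Workstations,DC=corp,DC=example', # placeholder
        [int]$MinimumPinLength = 8,
        [switch]$BlockPicturePassword   # picture passwords are exposed to shoulder-surfing and screen smudges
    )
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }

    $settings = @(
        @{ Key = "HKLM\$LogonPolicyKey"; Name = 'AllowDomainPINLogon';   Value = 1 },   # Turn on convenience PIN sign-in
        @{ Key = "HKLM\$HelloPolicyKey"; Name = 'Enabled';               Value = 1 },   # Use Windows Hello for Business
        @{ Key = "HKLM\$HelloPolicyKey"; Name = 'RequireSecurityDevice'; Value = 1 },   # Use a hardware security device (TPM-protected key)
        @{ Key = "HKLM\$HelloPolicyKey\PINComplexity"; Name = 'MinimumPINLength'; Value = $MinimumPinLength },
        @{ Key = "HKLM\$FacePolicyKey";  Name = 'EnhancedAntiSpoofing';  Value = 1 }    # Configure enhanced anti-spoofing (face)
    )
    if ($BlockPicturePassword) {
        $settings += @{ Key = "HKLM\$LogonPolicyKey"; Name = 'BlockDomainPicturePassword'; Value = 1 }  # Turn off picture password sign-in
    }
    foreach ($s in $settings) {
        Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
    }
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    Get-GPO -Name $GpoName
}

function Test-Win10MfaReadiness {
    # Run elevated on the workstation after gpupdate /force.
    function Get-PolicyValue([string]$SubKey, [string]$Name) {
        (Get-ItemProperty -Path "HKLM:\$SubKey" -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    $tpm = Get-Tpm -ErrorAction SilentlyContinue                                   # TrustedPlatformModule module, needs admin
    $bio = Get-PnpDevice -Class Biometric -PresentOnly -ErrorAction SilentlyContinue  # cameras/readers enumerated by the biometric framework
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        TpmPresentAndReady     = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        BiometricDevices       = @($bio | ForEach-Object { $_.FriendlyName })
        PinSignInAllowed       = (Get-PolicyValue $LogonPolicyKey 'AllowDomainPINLogon') -eq 1
        PicturePasswordBlocked = (Get-PolicyValue $LogonPolicyKey 'BlockDomainPicturePassword') -eq 1
        HelloForBusiness       = (Get-PolicyValue $HelloPolicyKey 'Enabled') -eq 1
        HardwareKeyRequired    = (Get-PolicyValue $HelloPolicyKey 'RequireSecurityDevice') -eq 1
        MinimumPinLength       = Get-PolicyValue "$HelloPolicyKey\PINComplexity" 'MinimumPINLength'
        EnhancedAntiSpoofing   = (Get-PolicyValue $FacePolicyKey 'EnhancedAntiSpoofing') -eq 1
    }
}

# Admin host:   New-Win10MfaPolicy -BlockPicturePassword
# Workstation:  Test-Win10MfaReadiness | Format-List
```

Keep RequireSecurityDevice on: without it a device that lacks a TPM silently falls back to a software-protected key, and the "device as a factor" argument above is only as strong as the protection of that key.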
This is a graphic that Microsoft used at Ignite to help illustrate the different journeys that organizations might take to get to modern management. Here's a quick post on the last item in the table: the co-management path. Now that the key prerequisites for co-management (SCCM 1710 and Windows 10 1709) have been out for a while, organizations that are considering co-management are looking at the management scenarios available to them. There is some new infrastructure that needs to be configured, and there are a lot of good posts on those prerequisites, like this one from the Microsoft Document Library, so rather than focus on the technical details I'd like to explore some of the management decisions that you might need to address:
- Co-management does not require a hybrid infrastructure of SCCM connected to Intune. It actually requires each platform to run in standalone mode, so if you have a hybrid MDM environment you will need to migrate to Intune standalone first.
- Not all workloads are available in both platforms, so you will need to choose what makes sense to move from SCCM to Intune. For instance, Win32 application management is easier in SCCM, and most organizations already have an established release management process around it. Compliance policies, on the other hand, are often better suited to Intune, which provides a richer experience and more advanced controls for things like device compliance policies, resource access policies and Windows Update policies.
- In other cases the workload may not be available to be migrated to Intune, or may not be an easy transition. Examples include Endpoint Protection and operating system deployment. If you have a requirement for upgrading Windows 7 devices to Windows 10, SCCM is still the best option.
- Are you going to start with Intune-managed devices and then add the SCCM client, or are you going to start with SCCM-managed devices and enroll them into Intune?
- How do you want to address non-Windows 10 devices?
As exciting as new technology is, there is always value in understanding your use case scenarios and requirements before embarking on any new initiative. As a friend of mine constantly reminds me, “Businesses don’t care about the use of innovative technology but the innovative use of technology”.
Microsoft announced on February 1st that it will add another six months to the support of Windows 10 versions 1607, 1703 and 1709 for Enterprise and Education editions.
| Release | Release Date | End of Support | End of Additional Servicing for Enterprise & Education |
|---|---|---|---|
| Windows 10 1511 | November 10, 2015 | October 10, 2017 | April 10, 2018 |
| Windows 10 1607 | August 2, 2016 | April 10, 2018 | October 9, 2018 |
| Windows 10 1703 | April 5, 2017 | October 9, 2018 | April 9, 2019 |
| Windows 10 1709 | October 17, 2017 | April 9, 2019 | October 9, 2019 |
Up to this point Microsoft has offered 18 months of support for each Windows 10 release. This extension seems a direct response to enterprise customers struggling to keep pace with the rapid release cycle and short support windows associated with Windows as a Service.
Windows as a Service isn't only new for customers; it's new for Microsoft as well. As they figure out how fast customers can ingest all of the innovations coming out of Redmond, we'll see the release cycles stabilize and balance update frequency with upgrade readiness.
For organizations that are having trouble transitioning the engineering effort traditionally associated with operating system upgrades to a more operational model, tools like Intune and SCCM can help accelerate the transition. I'll be writing a few pieces in the future on how to take advantage of these types of tools to simplify Windows 10 update management.
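The table above only helps if you can map it onto the fleet, and the extra six months apply only to Enterprise and Education SKUs, not to Pro or to the long-term servicing branch. The function below is an added example (not part of the original post): it reads the release and edition from the registry, picks the applicable end date from the table, and reports days remaining. The dates are the ones in the table; the `ReleaseId` and `EditionID` registry values exist on Windows 10 1511 and later. EnterpriseS (LTSB) is excluded because it has its own ten-year lifecycle and is not covered by this table.

```powershell
# Added example, not part of the original post. Servicing dates are those in
# the table above; ReleaseId/EditionID come from the CurrentVersion key.

$ServicingTable = @{
    '1511' = @{ EndOfSupport = '2017-10-10'; EnterpriseEducationEnd = '2018-04-10' }
    '1607' = @{ EndOfSupport = '2018-04-10'; EnterpriseEducationEnd = '2018-10-09' }
    '1703' = @{ EndOfSupport = '2018-10-09'; EnterpriseEducationEnd = '2019-04-09' }
    '1709' = @{ EndOfSupport = '2019-04-09'; EnterpriseEducationEnd = '2019-10-09' }
}

function Get-Win10ServicingStatus {
    param(
        [string]$ReleaseId,                 # e.g. '1709'; read from the registry when omitted
        [string]$EditionId,                 # e.g. 'Enterprise', 'Professional', 'EnterpriseS'
        [datetime]$AsOf = (Get-Date)
    )
    if (-not $ReleaseId -or -not $EditionId) {
        $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        if (-not $ReleaseId) { $ReleaseId = $cv.ReleaseId }
        if (-not $EditionId) { $EditionId = $cv.EditionID }
    }
    $row = $ServicingTable[$ReleaseId]
    if (-not $row) { throw "Release $ReleaseId is not in the servicing table" }

    # Only Enterprise/Education (and their N variants) get the additional servicing.
    # EnterpriseS is LTSB and follows a separate ten-year lifecycle.
    $extended = ($EditionId -match '^(Enterprise|Education)') -and ($EditionId -notmatch '^EnterpriseS')
    $end = [datetime]$(if ($extended) { $row.EnterpriseEducationEnd } else { $row.EndOfSupport })

    [pscustomobject]@{
        ReleaseId         = $ReleaseId
        EditionId         = $EditionId
        ExtendedServicing = $extended
        EndOfSupport      = $end.ToString('yyyy-MM-dd')
        DaysRemaining     = [int]($end - $AsOf.Date).TotalDays
        Supported         = ($AsOf.Date -le $end)
    }
}

# Local machine:
Get-Win10ServicingStatus
# Offline check of a fleet inventory record (constructed values):
Get-Win10ServicingStatus -ReleaseId '1607' -EditionId 'Enterprise'    -AsOf '2018-06-01'   # extended, supported
Get-Win10ServicingStatus -ReleaseId '1607' -EditionId 'Professional'  -AsOf '2018-06-01'   # not extended, out of support
```

Pipe inventory export rows into the function with `-ReleaseId`/`-EditionId` to build the same report for the whole estate before deciding which devices the extension actually buys time for.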
As organizations move to modern management to be more agile in the way they manage multiple types of devices and cloud-based services, the legacy management models associated with traditional PC management can lead to multiple consoles for managing different types of devices and services. At Microsoft Ignite this year a hybrid approach called "Co-management" was announced to bring organizations closer to modern management while still maintaining traditional management methods. In the past it has been difficult to use more than one management platform for the same device. Windows 10 1709 opens the door to co-management by allowing devices to be managed simultaneously with SCCM 1710 and with Intune. What are the benefits of co-management? Here are a few that come to mind.
- Manage devices where they live. Use SCCM to manage devices that are primarily on premises and use Intune to manage the same device when it is roaming.
- Transition workloads to Intune as you are ready
- Add modern management functionality to traditionally managed devices. Consider device compliance policies, resource access policies, Conditional access, selective wipe, factory reset etc.
- Single pane of glass for consolidated views of all devices such as mobile phones, tablets, Macs, PCs.
- Transition Windows 10 devices to Intune while managing legacy (Windows 7) devices with SCCM until they are upgraded or lifecycled.
- Self-provisioning of devices by end users
- Simplified BYOD scenarios
- Enhanced mobile workforce management
So, is this the best of both worlds? Not really. Microsoft views this as a transitional step on the journey to modern management. Nonetheless I'm excited about the new opportunities for organizations to deliver a better user experience.
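Both co-management posts above turn on the same two facts about a device: is the SCCM client still in charge, and has the device also been enrolled in Intune with some workloads moved across. The function below is an added example (not code from the original posts) that answers that from the client side. It assumes the SCCM client records its co-management state in the `CoManagementFlags` value under `HKLM\SOFTWARE\Microsoft\CCM`, with bit 1 meaning co-management is enabled, bit 2 the compliance policies workload and bit 4 the resource access workload (the two workloads available with SCCM 1710); bits introduced by later releases are reported undecoded rather than guessed. Azure AD join and MDM enrollment are read from `dsregcmd /status`.

```powershell
# Added example, not part of the original posts.
# Assumptions: CoManagementFlags lives under HKLM\SOFTWARE\Microsoft\CCM;
# bit 1 = enabled, 2 = compliance policies, 4 = resource access policies.
# Other bits (later ConfigMgr releases) are surfaced raw, not interpreted.

function Get-CoManagementState {
    $ccm   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -ErrorAction SilentlyContinue
    $flags = [int]($ccm.CoManagementFlags)          # 0 when the value is absent (not co-managed)

    $known = [ordered]@{ 1 = 'CoManagementEnabled'; 2 = 'CompliancePolicies'; 4 = 'ResourceAccessPolicies' }
    $decoded = foreach ($bit in $known.Keys) { if ($flags -band $bit) { $known[$bit] } }
    $undecoded = $flags
    foreach ($bit in $known.Keys) { $undecoded = $undecoded -band (-bnot $bit) }

    # dsregcmd prints "Name : Value" lines; keep the join/enrollment ones.
    $ds = @{}
    if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
        dsregcmd.exe /status | ForEach-Object {
            if ($_ -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|MdmUrl)\s*:\s*(.+?)\s*$') {
                $ds[$matches[1]] = $matches[2]
            }
        }
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SccmClientRunning   = ((Get-Service -Name CcmExec -ErrorAction SilentlyContinue).Status -eq 'Running')
        CoManagementFlags   = $flags
        WorkloadsInIntune   = @($decoded)
        UndecodedFlagBits   = $undecoded                  # non-zero means a newer workload bit this script does not name
        HybridAzureAdJoined = ($ds['DomainJoined'] -eq 'YES' -and $ds['AzureAdJoined'] -eq 'YES')
        MdmEnrolled         = [bool]$ds['MdmUrl']         # Intune enrollment sets an MDM URL
    }
}

Get-CoManagementState | Format-List
```

A device with `SccmClientRunning` true, `MdmEnrolled` true and bit 1 set is in the co-managed state the posts describe; `MdmEnrolled` true with flags 0 is an Intune-only device that still has an SCCM client, which is the "start with Intune and add SCCM" path from the first post.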
As organizations upgrade to Windows 10 there are many opportunities for security and performance improvements. Many of these enhancements rely on functionality that is only available with UEFI firmware, as UEFI is required for Secure Boot, which is in turn a prerequisite for enhanced security features such as Device Guard and Credential Guard. Since Windows 7 does not support Secure Boot and most Windows 7 fleets were deployed in legacy BIOS mode, most organizations will need to convert device firmware to UEFI as part of the Windows 10 upgrade. As upgrading to Windows 10 can be a long process, organizations have looked to tools like SCCM and MDT to automate and accelerate it, often performing zero-touch installations or offering the upgrade through self-service. Converting BIOS to UEFI as part of the process has been problematic, as each device vendor has its own method for switching the firmware mode and it typically requires visiting the device, since the change happens before the operating system loads.
Microsoft has just made this problem a little easier to manage. SCCM 1702 introduces the ability to include the UEFI conversion as part of a task sequence if the device supports it: the Format and Partition Disk step can stage the switch through the TSUEFIDrive variable, followed by a step that runs the OEM's own firmware-configuration utility to change the setting and a restart into UEFI mode. The vendor-specific step is still yours to build per model. I'm looking forward to accelerating many Windows 10 migrations with this functionality.
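Before putting a device through the conversion task sequence it is worth knowing whether it is already UEFI, whether Secure Boot is on, what partition style the boot disk has, and which OEM tool will be needed. The function below is an added example (not code from the original post) that gathers those facts. It relies on `$env:firmware_type`, `Confirm-SecureBootUEFI`, `Get-Disk` and the `Win32_Tpm` class, all of which exist on Windows 8 and later but not on Windows 7, so it is meant to run from Windows 10 (for example after the upgrade, to verify that the conversion actually took) rather than on the Windows 7 image being replaced. Device Guard and Credential Guard additionally need virtualization extensions, which this check does not cover.

```powershell
# Added example, not part of the original post. Requires Windows 8 or later
# (the cmdlets and firmware_type variable used here are absent on Windows 7).

function Test-UefiConversionReadiness {
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    $firmware = $env:firmware_type                       # 'UEFI' or 'Legacy'
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS or platforms without Secure Boot support

    $bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1

    [pscustomobject]@{
        ComputerName           = $cs.Name
        Manufacturer           = $cs.Manufacturer         # selects which OEM firmware utility the task sequence must run
        Model                  = $cs.Model
        FirmwareType           = $firmware
        SecureBootEnabled      = [bool]$secureBoot
        BootDiskPartitionStyle = $bootDisk.PartitionStyle  # MBR under BIOS; must be GPT to boot UEFI
        TpmSpecVersion         = $tpm.SpecVersion          # e.g. "2.0, 0, 1.16"; $null when no TPM is exposed
        NeedsUefiConversion    = ($firmware -eq 'Legacy')
        SecureBootReady        = ($firmware -eq 'UEFI' -and [bool]$secureBoot)
    }
}

Test-UefiConversionReadiness | Format-List
```

Run it as a hardware-inventory script or collection query feed: devices reporting `FirmwareType` = Legacy are the ones the conversion task sequence should target, and `Manufacturer`/`Model` tell you which vendor step to attach; devices that come back UEFI with Secure Boot off still need the firmware setting changed even though no disk conversion is required.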