Additional Factor Configuration

Windows Hello for Business sign-ins on physical devices are protected by “additional factors” by default. This ensures that users cannot sign in with the PIN code alone, without additional verification.

Two different factors from the list below are required to sign in securely.

  • PIN Code (already configured)
  • Fingerprint
  • Hello (camera facial recognition)
  • Connected Bluetooth mobile phone

PIN, Fingerprint and Hello can be configured in the sign-in options. Follow the steps below.

  • Click Start
  • Type & click: Sign-In Options
  • Click on “Facial Recognition” if it is available; optionally, fingerprint or PIN can be configured.
  • Set up, and follow the instructions

Should Hello or Fingerprint not be available, it is best to connect a mobile phone via Bluetooth. Follow the steps below.

  • Set the mobile phone to “discover mode”; this can be done in the Bluetooth settings
  • Click Start
  • Type & click: “Bluetooth and other device settings”
  • Click “Add device”, wait until the mobile phone is discovered, connect, and complete the pairing.

You can now sign in with the PIN and an additional factor!


Additional factor not available

If an additional factor is not available, it’s always possible to sign in with Microsoft 365 credentials.

Click on Sign-In Options, then the globe, and sign in with M365 credentials.

Additional factor device exclusion

A device can be excluded from the MFA policy by adding the device to the security group below.
“Baseline – Devices Physical Hello For Business MFA Excluded”.