How to set up Windows 10 logons to require MFA without third-party software
Many people do not realize that you can set up Windows 10 logons to require multi-factor authentication (MFA) with no third-party software. The only requirements are that your PC supports Bluetooth and that you have a Bluetooth-capable phone (or another Bluetooth device that can serve as your second factor).
The key is a set of additions Microsoft made to Windows Hello for Business that allow users to configure MFA even when the PC is not joined to a domain. To set up MFA using the most common elements (a Windows Hello PIN and a smartphone), all you need to do is pair your phone to your PC and then configure one group policy setting. Once that setting is “Enabled” it defaults to the most common combination (PIN + phone).
First, pair your phone to your computer by going to Settings | Devices and making sure your phone is listed under “Other devices”. If it is not, add it with the “+ Add Bluetooth or other device” button at the top of the page.
Second, open the Local Group Policy Editor on your PC by running “gpedit.msc” from the Run or search box. Under “Local Computer Policy”, expand “Computer Configuration” | “Administrative Templates” | “Windows Components” | “Windows Hello for Business”. Double-click “Configure device unlock factors” and select “Enabled”. The options in the lower part of the window should be filled in automatically, but if they are not, here is the configuration for using a PIN as the first factor and a Bluetooth-enabled phone as the second factor:
Here is a list of the GUIDs if you want to change the device unlock factors:
If you do not have your phone with you, click “Sign-in options” below the message “Couldn’t verify additional factor. Please use a different sign-in option.” This lets you enter your full password (not your PIN) in place of the phone factor, so in that case your two logon factors are the PIN and the full password. Keep in mind that a PIN and a password are both things you know, so the fallback is not a true possession-based second factor: someone who has learned both secrets can still sign in without the phone. The phone proximity requirement protects the PIN sign-in path, so the account password itself still has to be strong.
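The steps above change a local policy and rely on a pairing you did by hand, so it is worth confirming both from the command line afterwards. The PowerShell script below is an added example (it is not from the original article and is not Microsoft's tooling): it reads the device unlock policy back, names the credential providers it finds, warns when the configuration does not actually amount to PIN + phone, and lists the paired Bluetooth devices. It assumes that the local policy is stored under the PassportForWork\DeviceUnlock registry key as GroupA (first unlock factor), GroupB (second unlock factor) and Plugins (signal rules XML), and that the provider GUIDs in the lookup table are the ones Microsoft publishes for Windows Hello for Business multi-factor unlock; verify both against Microsoft's multi-factor unlock documentation for your build before relying on the output.

```powershell
# Added example, not part of the original article. Read-only check that the
# "Configure device unlock factors" policy is in place, describes PIN + phone,
# and that a Bluetooth device is paired to serve as the phone factor.
#
# Assumptions (mine; confirm against Microsoft's "Multi-factor unlock" docs):
#   * the local policy lands in $PolicyKey as GroupA / GroupB (comma-separated
#     GUID lists of first / second unlock factor providers) and Plugins (XML);
#   * the credential-provider GUIDs in $ProviderName are the published ones.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock'

$ProviderName = @{
    '{D6886603-9D2F-4EB2-B667-1971041FA96B}' = 'PIN'
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 'Fingerprint'
    '{8AF662BF-65A0-4D0A-A540-A338A999D36F}' = 'Facial recognition'
    '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}' = 'Trusted signal (phone proximity / network)'
}
$TrustedSignal = '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}'

# Turn a comma-separated GUID list from the registry into upper-case GUID strings.
function ConvertFrom-FactorList {
    param([string]$List)
    if ([string]::IsNullOrWhiteSpace($List)) { return @() }
    return @($List.Split(',') | ForEach-Object { $_.Trim().ToUpperInvariant() } | Where-Object { $_ })
}

# Read the policy back; $null means Not Configured / Disabled (PIN alone unlocks).
function Get-UnlockFactorPolicy {
    if (-not (Test-Path $PolicyKey)) { return $null }
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        FirstFactor  = @(ConvertFrom-FactorList $p.GroupA)
        SecondFactor = @(ConvertFrom-FactorList $p.GroupB)
        SignalRules  = [string]$p.Plugins
    }
}

# Render one factor group as provider names, flagging GUIDs we do not recognise.
function Show-Factors {
    param([string]$Label, [string[]]$Guids)
    $names = @($Guids | ForEach-Object {
        if ($ProviderName.ContainsKey($_)) { $ProviderName[$_] } else { "unknown provider $_" }
    })
    if ($names.Count -eq 0) { "$Label: (none)" } else { "$Label: " + ($names -join ', ') }
}

$policy = Get-UnlockFactorPolicy
if ($null -eq $policy) {
    Write-Warning 'Device unlock factors policy is not set; sign-in is PIN/password only.'
} else {
    Show-Factors 'First factor ' $policy.FirstFactor
    Show-Factors 'Second factor' $policy.SecondFactor

    # Both groups must be populated for a second factor to be demanded at all.
    if ($policy.SecondFactor.Count -eq 0) {
        Write-Warning 'Second factor list is empty: policy is Enabled but requires no second factor.'
    }
    # The phone only counts if the trusted-signal provider is configured AND the
    # signal rules actually describe a Bluetooth signal for it to evaluate.
    $allFactors = @($policy.FirstFactor) + @($policy.SecondFactor)
    if ($allFactors -notcontains $TrustedSignal) {
        Write-Warning 'No group includes the trusted-signal provider, so phone proximity is not a factor.'
    } elseif ($policy.SignalRules -notmatch 'type="bluetooth"') {
        Write-Warning 'Signal rules define no Bluetooth signal; the phone cannot satisfy the trusted-signal factor.'
    }
}

# Confirm something is actually paired: the phone must show up here (Status OK)
# or the second factor can never be verified at the lock screen.
$paired = Get-PnpDevice -Class Bluetooth -ErrorAction SilentlyContinue |
          Where-Object { $_.Status -eq 'OK' -and $_.FriendlyName -notmatch 'Radio|Enumerator|Adapter' }
if (-not $paired) {
    Write-Warning 'No paired Bluetooth device found; pair the phone under Settings > Devices first.'
} else {
    'Paired Bluetooth devices: ' + (($paired.FriendlyName | Sort-Object -Unique) -join ', ')
}

# Caveat: the lock-screen "Sign-in options" fallback to the full password still
# works without the phone, so the phone gates the PIN path, not the password path.
```

Run it from an elevated PowerShell prompt after a `gpupdate /force` (or a reboot) so the local policy has been written; if the key is missing even then, the registry location assumed above may differ on your build and you should locate the setting by searching the ADMX for “Configure device unlock factors”.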