So, I will preface this by stating that all accounts in my environment are covered by MFA and multiple configured conditional access policies in Entra to use the Authenticator app or receive a text code to log in, if not connecting from a 'Trusted location'.

However, I am looking to get definitive proof of what is accepted from an auditor in regards to client computers logging into their desktop. I already have Windows Hello for Business deployed to all users that are in scope for CUI. The thing that is driving me nuts is that before I worked here, the company was testing Windows Hello and allowed any user to enable it and set it up. When doing this, they also forced users to put in a second factor, so the user would be putting in their biometric + PIN/password to log into Windows.

The problem is, this was without having any enforcement of a TPM chip involved, so when I came in a switched everything over to Windows Hello for Business and required a TPM chip, we had to upgrade some of the computers.

Now for the part that I would love to change is the need for forcing PIN/password after using biometrics. For one, the PIN and biometric are tied together using the TPM to Azure, so when using biometric + PIN, you are essentially giving the same factor twice. It is set up like this because this is the way it was before, and I can't seem to get people to understand the workings of Windows Hello for Business with the requirement of a TPM. I've asked a 3rd party contractor that we work with if WHfB with TPM is considered MFA, and he confirmed that this is correct. However, I am still stuck battling the philosophy of "this is how it was before", and was hoping that there was some kind of evidence that shows that biometric/Yubikey + TPM definitively checks the box.