Is MFA for Windows login even possible without a 3rd party MFA service?

old.reddit.com / @/u/fergy80, https://old.reddit.com/user/fergy80

I'm experimenting with creating a NIST 800-171 process for our org and I can't seem to find any way to get MFA to function for Windows 11 login to an endpoint, e.g., employee laptop.

What I have tried:

  1. Use Windows Hello and enforce TPM and (PIN or biometric). This works, but the user can bypass it at the login screen and just use their username and AAD password without being asked for AAD MFA. See this link, which pretty much summarizes what I see.

  2. Using AAD MFA, but it seems that Microsoft allows you to use this for everything except Windows login to the endpoint. We have it working to enforce MFA for Autopilot OOBE, but it doesn't seem possible to use after that.

I realize I could do something like Cisco Duo, and I may have to go down that road, but I want to make sure that there isn't something obvious that I'm not seeing before I start adding 3rd party solutions.

Do I have to solve this with a 3rd party MFA service?

(I understand there are strong opinions on whether Windows Hello for Business is sufficient MFA, but I hope we don't have to debate that here.)


published 10 months ago
