
markrwdn
May 27, 2020
Solved

Windows Hello for Business and BitLocker - By-design Security/Factor Authentication Issue

To clarify my scenario, I'm looking to distribute 100 Laptops to users in a few months. I like Windows Hello for Business's biometrics functionality with TPM chips; I'm sure users would love its abil...
  • JanBakkerOrphaned
    May 29, 2020

    markrwdn I understand your gut feeling. Let me try to take some of that away:


    1. Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for logon, which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.


    2. Keep in mind: physical access to the device is already a breach. You should have other methods in place in case a device is stolen or lost (remote wipe). When I lose my MasterCard, an honest finder "just" has to guess my PIN to steal all my money. Same thing...

    3. Using a PIN in WHfB is not multi-factor authentication. It's to replace your password. https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password

    4. BitLocker and WHfB rely on TPM and have anti-hammering to lock the device when someone tries to spoof the PIN.
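If you want to verify the points above on an actual device before rolling out the 100 laptops, the following read-only PowerShell audit is an added example (not from this thread or from Microsoft's docs). It reports the TPM state and its anti-hammering lockout counters via `Get-Tpm`, checks whether the OS volume has a TPM+PIN BitLocker protector via `Get-BitLockerVolume`, and reads the policy-configured minimum PIN lengths for BitLocker and Windows Hello for Business from their Group Policy registry locations. It assumes an elevated PowerShell session on Windows 10/11 with the in-box TrustedPlatformModule and BitLocker modules; devices configured purely through Intune CSPs may store the PIN policy elsewhere, in which case those two fields show "default".

```powershell
# Added example, not part of the original thread: a read-only audit of the
# two TPM-backed PIN factors discussed above on a single Windows device.
# Assumptions: elevated PowerShell 5.1+ on Windows 10/11, with the in-box
# TrustedPlatformModule and BitLocker modules. Nothing here changes settings.

#Requires -RunAsAdministrator

function Get-TpmPinProtectionReport {
    [CmdletBinding()]
    param()

    # TPM state, including the lockout (anti-hammering) counters the reply refers to.
    $tpm = Get-Tpm

    # BitLocker key protectors on the OS volume. A TpmPin (or TpmPinStartupKey)
    # protector means a pre-boot PIN is required in addition to the TPM.
    $osVolume = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    $protectorTypes = @($osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Policy-configured minimum PIN lengths (Group Policy registry paths).
    # A missing value means the OS default applies.
    $bitlockerMinPin = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                        -Name MinimumPIN -ErrorAction SilentlyContinue).MinimumPIN
    $helloPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity' `
                        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TpmPresent            = $tpm.TpmPresent
        TpmReady              = $tpm.TpmReady
        TpmLockedOut          = $tpm.LockedOut
        TpmLockoutCount       = $tpm.LockoutCount
        TpmLockoutMax         = $tpm.LockoutMax
        TpmLockoutHealTime    = $tpm.LockoutHealTime
        BitLockerProtection   = $osVolume.ProtectionStatus
        BitLockerProtectors   = ($protectorTypes -join ',')
        BitLockerRequiresPin  = [bool]($protectorTypes -match '^TpmPin')
        BitLockerMinPinPolicy = if ($null -ne $bitlockerMinPin) { $bitlockerMinPin } else { 'default' }
        HelloMinPinPolicy     = if ($helloPolicy.MinimumPINLength) { $helloPolicy.MinimumPINLength } else { 'default' }
        HelloMaxPinPolicy     = if ($helloPolicy.MaximumPINLength) { $helloPolicy.MaximumPINLength } else { 'default' }
    }
}

# Usage: run in an elevated session on the device you want to check.
Get-TpmPinProtectionReport | Format-List
```

A device where `BitLockerRequiresPin` is `False` is relying on the TPM alone for pre-boot unlock, which is the scenario the original question is worried about; `TpmLockedOut` and `TpmLockoutCount` are the anti-hammering state from point 4, and a non-zero count on a freshly imaged machine is worth a look in the event log.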

