Forum Discussion
Windows Hello for Business and Bitlocker - By-design Security/Factor Authentication Issue
- May 29, 2020
markrwdn I understand your gut feeling. Let me try to take some of that away:
1. Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for logon, which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
2. Keep in mind: physical access to the device is already a breach. You should have other methods in place in case a device is stolen or lost (remote wipe). When I lose my MasterCard, an honest finder "just" has to guess my PIN to steal all my money. Same thing...
3. Using a PIN in WHfB is not multi-factor authentication. It's to replace your password. https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password
4. BitLocker and WHfB rely on the TPM and have anti-hammering to lock the device when someone tries to spoof the PIN.
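Added example, not part of the thread above: a PowerShell audit of the points the reply makes on a single Windows 10/11 machine. It lists which key protectors guard each BitLocker volume (only a TpmPin / TpmPinStartupKey protector means a pre-boot PIN is really required), reads the configured PIN-length policies, and reports the TPM's lockout state from Get-Tpm. The registry paths are the ones the corresponding Group Policy settings write (HKLM\SOFTWARE\Policies\Microsoft\FVE for BitLocker, ...\PassportForWork\PINComplexity for the Windows Hello for Business PIN); treat them as an assumption and check them against your own baseline. Run from an elevated prompt; the built-in BitLocker and TrustedPlatformModule modules are required.

```powershell
# Added example (not from the original thread). Audits the BitLocker / WHfB PIN
# posture described in the reply above. Run elevated on the machine under test.

function Get-PinPosture {
    [CmdletBinding()]
    param()

    # 1. Key protectors per volume. A volume that only has a "Tpm" protector
    #    unlocks without any PIN; "TpmPin" / "TpmPinStartupKey" require one.
    $volumes = Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($types -join ', ')
            PreBootPin       = [bool]($types -match '^TmpPin|^TpmPin')
        }
    }

    # 2. BitLocker pre-boot PIN policy (assumed GPO registry location).
    #    MinimumPIN = enforced minimum length; UseEnhancedPin = 1 allows full
    #    keyboard characters instead of digits only.
    $fvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $fve = Get-ItemProperty -Path $fvePath -ErrorAction SilentlyContinue
    $bitlockerMinPin = if ($fve -and $null -ne $fve.MinimumPIN) { $fve.MinimumPIN } else { 'not set (OS default applies)' }
    $enhancedPin     = if ($fve -and $null -ne $fve.UseEnhancedPin) { [bool]$fve.UseEnhancedPin } else { $false }

    # 3. Windows Hello for Business PIN complexity policy (assumed GPO registry
    #    location). This PIN is separate from the BitLocker pre-boot PIN.
    $whfbPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
    $whfb = Get-ItemProperty -Path $whfbPath -ErrorAction SilentlyContinue
    $whfbMinPin = if ($whfb -and $null -ne $whfb.MinimumPINLength) { $whfb.MinimumPINLength } else { 'not set (OS default applies)' }
    $whfbMaxPin = if ($whfb -and $null -ne $whfb.MaximumPINLength) { $whfb.MaximumPINLength } else { 'not set (OS default applies)' }

    # 4. TPM anti-hammering state. LockedOut = $true means the TPM is currently
    #    refusing authorization attempts; LockoutCount / LockoutMax show how close
    #    the device is to that state.
    $tpm = Get-Tpm

    [pscustomobject]@{
        Volumes             = $volumes
        BitLockerMinimumPin = $bitlockerMinPin
        BitLockerEnhancedPin = $enhancedPin
        WhfbMinimumPin      = $whfbMinPin
        WhfbMaximumPin      = $whfbMaxPin
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        TpmLockedOut        = $tpm.LockedOut
        TpmLockoutCount     = $tpm.LockoutCount
        TpmLockoutMax       = $tpm.LockoutMax
    }
}

$posture = Get-PinPosture
$posture | Format-List
$posture.Volumes | Format-Table -AutoSize

# Flag volumes that will unlock on TPM alone, i.e. with no pre-boot PIN at all.
$posture.Volumes | Where-Object { $_.ProtectionStatus -eq 'On' -and -not $_.PreBootPin } |
    ForEach-Object { Write-Warning "$($_.MountPoint) is protected by TPM only; no pre-boot PIN is required." }
```

The warning at the end is the check most worth keeping: a machine can have both BitLocker and WHfB turned on and still boot straight into the logon screen with no pre-boot PIN, which is exactly the situation the original question is worried about.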
JanBakkerOrphaned I'm looking for support documentation that discusses the effects of BitLocker implementation, updates, changes and removal for enrolled Windows HfB users (enterprise level).