Forum Discussion
Allow dynamic lock with FIDO key
Hi OliMue,
have you found a solution to this problem in the meantime?
I currently have 2 customers in the healthcare sector who need exactly this solution. Better than LOCK would be LOGOFF...
The staff use shared computers, until now with a general account. Now everything is being changed to personal accounts, and this is causing discontent among the staff. It is tedious and slow to log on, and logging off is not done either.
Therefore, the login is done via FIDO key, which caused positive reactions from the staff, but the logout is still the problem...
Regards
Marc
Hi Marc_Gehri,
unfortunately there is still nothing available from Microsoft. We wrote a little tool that runs as a tray icon. It watches for a FIDO key being removed and in that case it locks the screen.
I can't give you the tool, but the most interesting code parts to write the tool yourself would be these:
using System.Diagnostics;
using System.Linq;
using System.Management;   // WMI access (System.Management.dll / NuGet package System.Management)

private ManagementEventWatcher _managementEventWatcher;

// True while at least one PnP device reporting Manufacturer 'FIDO' is enumerated.
private static bool GetIsFidoKeyAvailable()
{
    return new ManagementObjectSearcher("SELECT * FROM Win32_PnPEntity WHERE Manufacturer='FIDO'")
        .Get().Cast<object>().Any();
}

// Subscribe to every PnP device change and re-check key presence on each event.
// Note: EventArrived runs on a WMI thread pool thread, not the UI thread.
this._managementEventWatcher = new ManagementEventWatcher();
WqlEventQuery query = new WqlEventQuery("SELECT * FROM Win32_DeviceChangeEvent");
this._managementEventWatcher.EventArrived += delegate(object s, EventArrivedEventArgs e)
{
    var isKeyAvailable = GetIsFidoKeyAvailable();
    if (!isKeyAvailable)
    {
        // ToDo: Lock or log off current user
        Process.Start("C:\\WINDOWS\\system32\\rundll32.exe", "user32.dll,LockWorkStation");
    }
};
this._managementEventWatcher.Query = query;
this._managementEventWatcher.Start();
Be aware that we have seen (especially when using USB hubs) that the key sometimes gets announced as removed, just to come back a few hundred milliseconds later. For this purpose we debounced the log off to wait for 1 sec before really doing so.
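An event-driven PowerShell version of the same approach including the 1-second debounce, added here as an example and not code from the thread. It assumes the key enumerates with Manufacturer 'FIDO' in Win32_PnPEntity, as the C# check above does, and that EventType 3 of Win32_DeviceChangeEvent is device removal.

```powershell
# Added example: debounced lock on FIDO key removal using a WMI event subscription.
# Assumption: the key shows up in Win32_PnPEntity with Manufacturer 'FIDO'.
Add-Type @"
using System.Runtime.InteropServices;
public class PInvokeUser32 {
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool LockWorkStation();
}
"@

function Test-FidoKeyPresent {
    # Same WMI check as GetIsFidoKeyAvailable(): any PnP device made by 'FIDO'
    $key = Get-CimInstance -ClassName Win32_PnPEntity -Filter "Manufacturer='FIDO'" |
           Select-Object -First 1
    return ($null -ne $key)
}

$DebounceMs = 1000   # tolerate the brief "removed, then back" flap seen on USB hubs

# Win32_DeviceChangeEvent fires for every PnP change; EventType 3 = device removal.
$query = "SELECT * FROM Win32_DeviceChangeEvent WHERE EventType = 3"
Register-CimIndicationEvent -Query $query -SourceIdentifier FidoRemoval

try {
    while ($true) {
        $evt = Wait-Event -SourceIdentifier FidoRemoval
        Remove-Event -EventIdentifier $evt.EventIdentifier

        # Some other device was removed; the key is still there.
        if (Test-FidoKeyPresent) { continue }

        # Debounce: wait, then re-check before acting, so a hub glitch does not lock.
        Start-Sleep -Milliseconds $DebounceMs
        if (-not (Test-FidoKeyPresent)) {
            [PInvokeUser32]::LockWorkStation() | Out-Null
        }
    }
}
finally {
    Unregister-Event -SourceIdentifier FidoRemoval
}
```

Run it in the user's session (for example from a logon script or scheduled task), since LockWorkStation only locks the interactive session it is called from.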
- evalguy (Oct 13, 2023, Copper Contributor): Can you please post the entire tool somewhere?
- MICOCVIKO (Jul 01, 2023, Copper Contributor): Could you please share the tool you created with us? Thank you!
- baukeokkema (Apr 06, 2023, Copper Contributor)
- Vladislav_Shihov (Dec 05, 2023, Copper Contributor):
# P/Invoke wrapper so the script can call user32!LockWorkStation directly
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class PInvokeUser32 {
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool LockWorkStation();
}
"@

# Poll for the key by its USB vendor/product ID (here a YubiKey, VID 1050 / PID 0407)
while ($true) {
    $fidoPresent = Get-PnpDevice | Where-Object { $_.HardwareId -match "USB\\VID_1050&PID_0407" -and $_.Status -eq "OK" }
    if (-not $fidoPresent) {
        [console]::beep(500, 500)          # Optional: Beep for debugging
        [PInvokeUser32]::LockWorkStation() # Lock the workstation
        Start-Sleep -Seconds 10            # Wait for 10 seconds before checking again
    }
    Start-Sleep -Seconds 5                 # Check every 5 seconds
}
Or you can use the GPO setting "Interactive logon: Smart card removal behavior" and run the "Smart Card Removal Policy" service.
Good luck!
- Marc_Gehri (Nov 07, 2022, Copper Contributor): Hi OliMue
Sorry for the late reply.
Thank you for the info, that reassures me, so I definitely do not have to invest much more time. It only remains to hope that Microsoft develops something analogous to SmartCard for FIDO as well.
The solution with the app to check existing hardware works only partially with one of the two customers. NFC is used on some workstations, and the hardware recognition is said not to work. Unfortunately, I am not directly involved...
If I have further information, I will notify you...