Satisfying CMMC – Level 3 - IA.3.083 MFA requirement with Windows Hello for Business

Published Feb 12 2021 10:58 AM 9,087 Views

The Cybersecurity Maturity Model Certification (CMMC) is a set of certification standards produced by the United States Department of Defense and intended to serve as a verification mechanism to ensure that companies bidding on defense contracts have appropriate levels of cybersecurity practices and processes in place. The CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DIB). The CMMC is the DoD's response to significant compromises of sensitive defense information located on contractors' information systems. 


Of particular interest is the following requirement: 


CMMC – Level 3 - IA.3.083 (NIST 800-171r2 3.5.3) - Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.  


  • Local Access - Access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. 
  • Network Access - Access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet). 
  • Privileged User - A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. 


Breaking down the above requirement means the following: 


  • All users are required MFA for network/remote access.  
  • Only privileged users are required MFA for local access (if regular user accounts have administrative rights only on their computers, they are not considered a “privileged account” and as such do not require MFA authentication for local access). 


Why Windows Hello for Business is a viable MFA authenticator 


Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. The Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM) and combines it with additional information to authenticate users. The additional information the user supplies is the activation factor for Windows Hello for Business and can be a PIN value (“something you know”) or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition (“something you are”). The TPM constitutes the “something you have” factor for the purpose of MFALearn more about How Windows Hello for Business uses the TPM.  


The idea of TPM as a valid “something you have” factor is not new, and addressed by NIST 800-63B Section back in December 2017 (as captured in the errata) where TPM is recognized as a hardware cryptographic authenticator. Multi-factor cryptographic device authenticators use tamper-resistant hardware to encapsulate one or more secret keys unique to the authenticator and accessible only through the input of an additional factor, either a memorized secret or a biometric. The authenticator operates by using a private key that was unlocked by the additional factor to sign a challenge nonce presented through a direct computer interface (e.g., a USB port). Alternatively, the authenticator could be a suitably secure processor integrated with the user endpoint itself (e.g., a hardware TPM). 


Configuring Windows Hello in a way that adheres to NIST guidance


Now that we unveiled the mystery behind CMMC – Level 3 - IA.3.083 requirement and explained why Windows Hello for Business is viable MFA authenticator, let us make sure it is configured in a way that adheres to NIST guidance and provides the required strength: 


  • To adhere to NIST 800-63B Section requirementof activation factor (PIN) at least 8 characters long, configure minimum PIN length setting for PIN Complexity to be at least 8 characters (no complexity rules are required, PIN can be digits only). 
  • Make sure Windows Hello for Business cryptographic key are protected using a tamper-resistant hardware by enabling use a hardware security device setting for Windows Hello for Business. 
  • For securing privileged access, restrict privileged users to only access from secure workstations and require MFA for sign-in: 


For those who still do not accept TPM as “something you have” factor for local accesses (sign-in to the endpoint) or for those seeking additional risk mitigationan alternative option is using FIDO2 keys or smart cards. 



Please note that the information cutoff date for this post is February 12, 2021 and that as of the date of this writing, CMMC developments and guidance are in progress. Additionally, as of the date of this writing, the CMMC Accreditation Body (CMMC AB) has not formalized guidance for Cloud Service Providers. As a result, the information herein, including our CMMC related offerings, is provisional and may be enhanced to align with future guidance from the DoD and CMMC AB. Microsoft is closely tracking developments related to the CMMC.


Additional resources  

Achieving National Institute of Standards and Technology Authenticator Assurance Levels with the Mic... 


About the author 

@Ehud_Itshaki  is a Principal Program Manager in the Azure Active Directory Customer Success Team. Currently he is focused on regulatory issues for highly regulated industries and Government. Areas of focus include but are not limited to NIST, FedRAMP, DoD SRG, CMMC, CJIS, IRS 1075, EPCS, etc.  


Thank you @Ehud_Itshaki for Sharing with the Community! 
Great Blogpost :cool:

New Contributor

Great article. Thanks @Ehud_Itshaki 

Occasional Contributor

Thanks for this well-written article!


Allow me one correction please:

  • To adhere to NIST 800-63B Section requirementof activation factor (PIN) at least 8 characters long, configure minimum PIN length Group Policy setting for PIN Complexity to be at least 8 characters (no complexity rules are required, PIN can be digits only). 

The correct section is ;)

Frequent Contributor

Useful article for anyone concerned about the validity of WHfB in the enterprise.  Especially when you can reduce worries about shoulder surfing using multi-factor unlock.  Are there any plans to make WHfB multi-factor unlock configurable through a native Intune interface rather than custom OMA-URIs? :)

Senior Member

For a Desktop Admin that needs to support thousands of pc's enrolling WH4B on each individual pc is not efficient. As the article mentions, security keys could be an alternative here. However they have Unsupported Scenario's such as Run As, as well as Virtual Machines. That leaves a significant gap, that especially for these admins is very relevant.

What is the Microsoft recommendation for such a scenario?

Senior Member

How do you prevent that people use a simple to guess PIN such as 12345678 or the birthday such as 01031950?
Now someone could lose (or steal) a laptop, the person that finds it can logon with the simple to guess PIN and still get access to network resources.

Senior Member

In addition to my above question on easy to guess PIN's, this is actually recommended by NIST as described in the Appendix:

"Users’ password choices are very predictable, so attackers are likely to guess passwords that have been successful in the past. These include dictionary words and passwords from previous breaches, such as the “Password1!” example above. For this reason, it is recommended that passwords chosen by users be compared against a “black list” of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose. Since user choice of passwords will also be governed by a minimum length requirement, this dictionary need only include entries meeting that requirement.'

New Contributor

@Richard_van_Nuland You can configure complexity/length requirements on WHfB PINs using Intune: Windows Hello for Business settings in Microsoft Intune - Azure | Microsoft Docs

Senior Member

@rheidorn I know, but even with all options turned on that doesn't prevent people to use easy to guess passwords. Depending on the length Spring2021! or MakeAmericaGreatAgain2020! would meet the complexity policy, but they are still not secure. There should really be something similar as the banned password list that is available in Azure AD or a lookup in the 'have I been pwned' database.

Since my original post I also figured out this FAQ that describes that simple PINs are not allowed: Windows Hello for Business Frequently Asked Questions (FAQ) - Microsoft 365 Security | Microsoft Doc...

Senior Member

Don't forget about this article: Why a PIN is better than a password (Windows 10) - Microsoft 365 Security | Microsoft Docs

A PIN is not your Password.  A PIN requires the device to be in your possession in addition to knowing the simple/complex password.  While you can make the PIN as complex as you would like do not forget about this key requirement.


As discussed in the past few posts, you can implement the idea of complex PINs and remove the simple PINs: Windows Hello for Business Frequently Asked Questions (FAQ) - Microsoft 365 Security | Microsoft Doc...

But again, do not confuse this PIN for a password and asking to compare this PIN to a blacklist.  There is no need, as the PIN never leaves the workstation, it simply unlocks a private key to a certificate.


Also, at the end of the day, even having your PIN + device, the "unauthorized individual" still does not know your password. Report your missing device to your IT admins as soon as possible and it is no longer an entry point.


In addition, for those looking for something even stronger than just a PIN + device, Multi-Factor Unlock may be what you are looking for: Multi-factor Unlock - Microsoft 365 Security | Microsoft Docs. But, this does add additional complexity.


Hopefully this helps with any confusion.

Version history
Last update:
‎Feb 25 2021 08:04 AM
Updated by: