Allow dynamic lock with FIDO key


Within Windows 11 (and 10) you can configure various options to log into the system. One possibility is the use of a physical security key. I really like this option, especially in conjunction with a FIDO key with a fingerprint sensor like the YubiKey Bio or the T2F2BIO key, which allows a truly password-less login.


Unfortunately it is not possible to configure the system to lock automatically when the key is removed. So whenever I leave the desk I have to remove the key AND lock the screen. Within Windows there is an option called "dynamic lock" which can be used in conjunction with a Bluetooth device to track the user's presence, but it would be great if we could also use the presence of the connected FIDO key as a detector for the presence of the user.


Hi @OliMue,
have you found a solution to this problem in the meantime?
I currently have 2 customers in the healthcare sector who need exactly this solution. Better than LOCK would be LOGOFF....
The staff use shared computers, until now with a general account. Now everything is being changed to personal accounts and this is causing discontent among the staff. It is tedious and slow to log on, and logging off is not done either.
Therefore, the login is done via FIDO key, which caused positive reactions from the staff, but the logout is still the problem....

Regards

Marc

Hi @Marc_Gehri


Unfortunately there is still nothing available from Microsoft. We wrote a little tool that runs as a tray icon. It watches for a FIDO key being removed and in that case locks the screen.


I can't give you the tool, but the most interesting code parts for writing the tool yourself would be these:

using System.Diagnostics;
using System.Linq;
using System.Management; // reference System.Management.dll

// Returns true if Windows currently sees a Plug and Play device whose manufacturer string is "FIDO".
private static bool GetIsFidoKeyAvailable()
{
    return new ManagementObjectSearcher("SELECT * FROM Win32_PnPEntity WHERE Manufacturer='FIDO'")
        .Get().Cast<object>().Any();
}

// Subscribe to WMI device-change events and re-check key presence on every change.
this._managementEventWatcher = new ManagementEventWatcher();
WqlEventQuery query = new WqlEventQuery("SELECT * FROM Win32_DeviceChangeEvent");
this._managementEventWatcher.EventArrived += delegate(object s, EventArrivedEventArgs e)
{
    var isKeyAvailable = GetIsFidoKeyAvailable();

    if (!isKeyAvailable)
    {
        // ToDo: Lock or log off current user
        Process.Start("C:\\WINDOWS\\system32\\rundll32.exe", "user32.dll,LockWorkStation");
    }
};
this._managementEventWatcher.Query = query;
this._managementEventWatcher.Start();


Be aware that we have seen (especially when using USB hubs) that the key sometimes gets announced as removed, only to come back a few hundred milliseconds later. For this reason we debounced the log off to wait for 1 sec before really doing so.
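A complete, event-driven version of the approach described in this post, including the 1-second debounce, as an added example that is not the tool from the post or any Microsoft code: it reuses the thread's Win32_PnPEntity query and Win32_DeviceChangeEvent subscription, calls LockWorkStation directly through P/Invoke instead of rundll32, and assumes a reference to System.Management (the NuGet package of that name on modern .NET; built in on .NET Framework). The class and member names are my own.

```csharp
// Added example: FIDO-key presence monitor with a debounce before locking.
// Assumes Windows, .NET with a reference to System.Management, and that the
// key enumerates as a PnP device with Manufacturer = "FIDO" (the thread's query).
using System;
using System.Linq;
using System.Management;
using System.Runtime.InteropServices;
using System.Threading;

public static class FidoPresenceLock
{
    // Locks the interactive desktop of the calling session. Returns false
    // (with a Win32 error) if there is no interactive desktop or it is already locked.
    [DllImport("user32.dll", SetLastError = true)]
    private static extern bool LockWorkStation();

    // Lock only after the key has stayed absent for this long (debounce window).
    private static readonly TimeSpan Debounce = TimeSpan.FromSeconds(1);

    private static Timer _lockTimer;
    private static readonly object _sync = new object();

    // Same WMI query as in the thread: any PnP entity whose manufacturer is "FIDO".
    private static bool IsFidoKeyPresent()
    {
        using (var searcher = new ManagementObjectSearcher(
            "SELECT * FROM Win32_PnPEntity WHERE Manufacturer='FIDO'"))
        using (var results = searcher.Get())
        {
            return results.Cast<ManagementBaseObject>().Any();
        }
    }

    // Runs on every device-change notification. A removal (re)starts the
    // debounce timer; a key that is back again cancels the pending lock.
    private static void OnDeviceChange(object sender, EventArrivedEventArgs e)
    {
        bool present = IsFidoKeyPresent();
        lock (_sync)
        {
            if (present)
                _lockTimer.Change(Timeout.Infinite, Timeout.Infinite);
            else
                _lockTimer.Change(Debounce, Timeout.InfiniteTimeSpan);
        }
    }

    // Timer callback: re-query at fire time, so a key that flapped back within
    // the debounce window (the USB-hub behaviour described above) is not locked on.
    private static void LockIfStillAbsent()
    {
        if (IsFidoKeyPresent())
            return;

        Console.WriteLine($"{DateTime.Now:T} FIDO key absent for {Debounce.TotalSeconds}s, locking.");
        if (!LockWorkStation())
            Console.WriteLine("LockWorkStation failed, Win32 error " + Marshal.GetLastWin32Error());
    }

    public static void Main()
    {
        // Timer is created disabled and only armed when the key disappears.
        _lockTimer = new Timer(_ => LockIfStillAbsent(), null, Timeout.Infinite, Timeout.Infinite);

        using (var watcher = new ManagementEventWatcher(
            new WqlEventQuery("SELECT * FROM Win32_DeviceChangeEvent")))
        {
            watcher.EventArrived += OnDeviceChange;
            watcher.Start();
            Console.WriteLine("Watching for FIDO key removal. Press Enter to exit.");
            Console.ReadLine();
            watcher.Stop();
        }
    }
}
```

Run it inside the user's interactive session (for example as a per-user startup task), since LockWorkStation acts on the calling process's desktop. Re-querying WMI in the timer callback rather than trusting the last event is what makes the debounce robust against hubs that report a removal and an arrival a few hundred milliseconds apart. The check only covers keys that stay physically attached over USB: a key tapped on an NFC reader is not enumerated as a PnP entity with that manufacturer string, which matches the NFC problem reported later in the thread.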


Hi @OliMue

Sorry for the late reply.
Thank you for the info; that reassures me, so I definitely do not have to invest much more time. It only remains to hope that Microsoft develops something analogous to SmartCard for FIDO as well.
The solution with the app to check existing hardware only works partially with one of the two customers. NFC is used on some workstations, and the hardware recognition is said not to work. Unfortunately, I am not directly involved...

If I have further information, I will notify you...

Hello @OliMue,


Could you please share the tool you created with us? Thank you! 

Could you please share the tool you created with us? Thank you!
Can you please post the entire tool somewhere?

Add-Type @"
using System;
using System.Runtime.InteropServices;

public class PInvokeUser32 {
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool LockWorkStation();
}
"@

while ($true) {
    # Look for a present, working device with the given USB vendor/product ID
    # (VID 1050 is Yubico; adjust the PID to match your key)
    $fidoPresent = Get-PnpDevice | Where-Object { $_.HardwareId -match "USB\\VID_1050&PID_0407" -and $_.Status -eq "OK" }

    if (-not $fidoPresent) {
        [console]::beep(500, 500)          # Optional: Beep for debugging
        [PInvokeUser32]::LockWorkStation() # Lock the workstation
        Start-Sleep -Seconds 10            # Wait for 10 seconds before checking again
    }

    Start-Sleep -Seconds 5 # Check every 5 seconds
}

Or you can use the GPO setting "Interactive logon: Smart card removal behavior" and run the "Smart Card Removal Policy" service.

Good luck!