If you’re using the Windows 10 Insider Preview programme and you’re on at least build 16251, you can use your iPhone or Android device (no Windows Phone) to unlock your computer. All you need is a compatible and paired phone, a group policy setting and some magic numbers. It is Insider Preview functionality, so it may change drastically before it’s released in the production builds. Enough said, let’s gooo!
First you need a phone that’s paired with your computer. Just ask Cortana to open up the Bluetooth settings, or go to:
No other requirements are in place other than being iPhone or Android and having a decent Bluetooth stack (sorry Windows Phone). Next open up gpedit.msc on your computer:
If you’re not familiar with this tool, be careful: editing the wrong policies may cause undesired behaviour on your machine. Now navigate to the following location:
Computer Configuration \ Administrative Templates \ Windows Components \ Windows Hello for Business
In the right pane, double-click “Configure device unlock factors” (in my case it’s already configured):
Now configure it as follows:
Details of these settings are:
|Factor ID|Factor explanation|
Last but not least, fill in the following value in the Signals rules field:
<rule schemaVersion="1.0"> <signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/> </rule>
Now reboot and you’ll get an additional step verifying your phone’s presence, pretty cool huh?
- Q: Can I differentiate between multiple paired phones?
- A: No, not yet at least, and it’s unknown whether Microsoft will ever implement this functionality.
- Q: Can I lock my computer when I turn off Bluetooth (i.e. when I walk away)?
- A: There is a dynamic lock policy present for WHFB, but it doesn’t seem to do anything. Perhaps it’s reserved for future use?
- Q: What if my phone runs out of juice?
- A: You still have the option to unlock your computer using a different sign-in option, such as the password for your account.
- Q: What accounts are eligible for signals unlock?
- A: The policy setting is computer-based, but the Bluetooth device pairing is per-user. So only users with a paired Bluetooth device may use this functionality. There is no user setting equivalent, so this is the only possible behaviour.
- Q: What if I have no paired phone, but this setting is configured?
- A: This functionality only works for accounts with additional signals. If your account doesn’t have a paired phone (anymore), it will still keep waiting for a paired phone. You can, however, use a different sign-in option (such as a password).
- Q: Are there any other device signals I can use?
- A: Currently, there are some, but an (encrypted) USB drive is not one of them. Bluetooth is probably your best choice.
- Q: It feels pretty secure, am I right?
- A: Yes, it is PRETTY secure. However, remember it’s not phone-specific: basically any Bluetooth device/phone will unlock your device (if the PIN is guessed). Please don’t use your kid’s birthday 🙂
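
The signal rule above selects a Bluetooth device class rather than one particular phone, which is the caveat in the last answer. As an added example (not from the original post), this Python linter checks a rule string before it is pasted into the policy and reports which class it matches; the function name, the severity labels and the expectation that RSSI thresholds are not positive are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Bluetooth major device class = bits 8-12 of the Class of Device value.
MAJOR_CLASSES = {0: "miscellaneous", 1: "computer", 2: "phone",
                 3: "network access point", 4: "audio/video", 5: "peripheral",
                 6: "imaging", 7: "wearable", 8: "toy", 9: "health",
                 31: "uncategorized"}

def lint_signal_rule(xml_text):
    """Return a list of (severity, message) findings for one signal rule."""
    try:
        rule = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("error", f"not well-formed XML: {exc}")]
    findings = []
    if rule.tag != "rule":
        findings.append(("error", f"root element is <{rule.tag}>, not <rule>"))
    signals = [s for s in rule.iter("signal") if s.get("type") == "bluetooth"]
    if not signals:
        findings.append(("error", 'no <signal type="bluetooth"> element'))
    for sig in signals:
        cod = sig.get("classOfDevice", "")
        try:
            major = (int(cod) >> 8) & 0x1F
        except ValueError:
            findings.append(("error", f"classOfDevice {cod!r} is not a number"))
        else:
            name = MAJOR_CLASSES.get(major, f"unknown major class {major}")
            # The rule names a class, never one device, so every paired
            # device of that class satisfies the factor.
            findings.append(("warn", f"matches any paired '{name}' device"))
        for attr in ("rssiMin", "rssiMaxDelta"):
            val = sig.get(attr)
            if val is None:
                continue  # attribute omitted from the rule
            try:
                # Assumption of this linter: thresholds are zero or negative,
                # like the -10 values used on this page.
                if int(val) > 0:
                    findings.append(("warn", f"{attr}={val} is positive"))
            except ValueError:
                findings.append(("error", f"{attr}={val!r} is not an integer"))
    return findings

# The rule from this page, plus a constructed variant with an unclosed element.
PAGE_RULE = ('<rule schemaVersion="1.0"> <signal type="bluetooth" '
             'scenario="Authentication" classOfDevice="512" rssiMin="-10" '
             'rssiMaxDelta="-10"/> </rule>')
BROKEN_RULE = PAGE_RULE.replace('"/>', '">')
```

For the rule on this page the only finding is the warning that any paired phone-class device matches, so the PIN remains the factor that actually identifies the user.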