When transitioning students from Convenience PIN to Windows Hello for Business, how do we meet the verification requirement?

    Question

  • Hi everyone,

    I'm Murray, and I work for a school that extensively uses Surface devices and biometric logons. For years, this has been accomplished using Windows Hello (Convenience PIN); however, we have finally managed to get everything up and running for Windows Hello for Business. The big question now becomes, while it's trivial to ask staff to go through the joint MFA/SSPR setup and switch to WHfB, what are schools meant to do for student devices? If trying to move to a password-less future, and continue the massive enthusiasm towards facial recognition as a substitute for logon credentials, it seems a little off that we would require students to set up an alternate email that itself has another password to manage.

    Here's the bigger issue: Students aren't allowed to bring mobile phones to school, and they obviously don't have office phones, so verifying with phone isn't an option. Furthermore, as the users of the current Windows Hello can be as young as eight years old, they most likely don't have phones, and they are also not old enough to create personal emails (usually limited to at least 13 years old). However, there doesn't appear to be a way to otherwise bypass the verification requirement when setting up WHfB. Any ideas how we can make this work?

    Thanks

    Murray

    Thursday, March 14, 2019 1:47 AM

All replies

  • I will second this request. I have the same problem and have been asking for a solution for almost 2 years. There needs to be a solution for students and schools.

    Brian Hoyt

    Thursday, March 14, 2019 3:36 PM
  • Hello HSICT

    We agree you have a unique requirement. For someone who is underage (less than 13) and is not supposed to have an email or mobile phone, it certainly does not give an option. However, the requirements are designed from a security perspective and I am not sure how this can be leveraged in the scenario of students less than 13. Please give me some time and I will try to reach out to engineering internally and try to find an answer for you.

    Thank you.



    Thursday, March 14, 2019 9:47 PM
    Moderator
  • In my environment they have an email address, many kids below 13 do in schools. However, that isn't a verification option and further at that point in the process there would be no way for them to access the email to get a code if it is sent. Even if there was a way to bulk verify for students or preferably disable verification for student users.

    Brian Hoyt

    Thursday, March 14, 2019 11:42 PM
  • Hi,

    I'm not sure we're talking about a unique requirement, to be honest: This is an issue that will directly impact most EDU customers. The issue is, Domain use of "Convenience PIN" is going to be deprecated according to the link below, and all of our users currently have this enabled. The answer, again according to this link (and others), is to move to Windows Hello for Business in order to continue using biometric logons. 

    Link: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-faq

    Now, when I talk about lack of access to phones and emails, please note that I'm talking about personal (not School) emails, etc. Obviously, as an Office 365/AAD site, all our users have identities and Exchange Online mailboxes; however, that obviously can't be used as the verification source: As Brian correctly points out, it would also pose an issue in cases where you can't access the email in order to get verification codes.

    The clear answer, we need another verification factor for students. Worst case, respect my available SSPR verification options and allow students to set up questions and answers in order to complete the setup... and perhaps even let IT Admins pre-fill those for students to bypass the initial verification process. Or, as Brian also said... allow students to bypass the verification process during the initial configuration of WHfB, because why would that actually be needed?

    Eagerly awaiting some answers on this. Lots of Schools may be oblivious to the existence of Windows Hello, and many others might not have devices that aren't Windows Hello compatible... but a significant amount of the rest are currently using Convenience PIN, and a solution will be needed before that option is deprecated.

    Thank you.

    Friday, March 15, 2019 4:23 AM
  • Yeah, there needs to be a smart alternative for users that don't have access to phones or secondary email addresses. Like I said above, this might seem like a "unique requirement" now, but as more Schools get Windows Hello-enabled devices, and the existing option is deprecated, this will become a much bigger issue.
    Friday, March 15, 2019 4:25 AM
  • At my school (and I am pretty sure Murray's) we have had Hello devices since they essentially launched with the Surface Pro 4 almost 4 years ago. This isn't really a "new" problem. Just as more of us make the transition it is becoming a bigger pain point.

    Brian Hoyt


    Friday, March 15, 2019 5:34 PM