
Level Verified

Windows MFA Monitor

Created by

Level

Type

Monitor

Category

Security

Platforms
Windows, Apple iOS, Linux

Problem Overview

Security gaps arise when multi-factor authentication on Windows devices is never configured or is later disabled by a user. This monitor identifies devices whose MFA configuration is missing or incomplete, so IT teams can remediate before the gap is used against them.

Description

This script runs every hour and evaluates the MFA-related sign-in controls on Windows workstations: the Windows Hello for Business policy, the biometric service, PIN enforcement, Secure Logon (Ctrl+Alt+Del), and Azure AD (now Microsoft Entra ID) join status. It counts how many of these are enabled; if fewer than two are, it raises an alert marking the device as not MFA-compliant. Once the device next reports at least two enabled controls, the alert resolves without manual intervention. Note that the checks confirm configuration, not behaviour: a passing device has the policies in place, which is not the same as every user having enrolled a Hello credential and signing in with it.
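The check logic described above, written out as an added PowerShell example (it is not the library's "MFA Check" script; Level's own script may use different keys and thresholds). It assumes the script runs as SYSTEM under the Level agent and that Level treats a non-zero exit code as the alert condition; verify both against your Level version. The registry paths are the Group Policy locations Windows writes for these settings, and the minimum PIN length of 6 is an illustrative choice, not a value from the page. As the description says, the checks prove policy presence, not that a user actually signs in with two factors, and Azure AD join is a device identity state rather than an authentication factor in its own right, so treat the count as an inventory signal, not as proof of MFA.

```powershell
# Added example, not the Level library's "MFA Check" script.
# Assumptions: runs as SYSTEM via the Level agent; a non-zero exit code is the
# alert condition; registry paths are the Group Policy locations (MDM-managed
# devices may carry the same settings under HKLM:\SOFTWARE\Microsoft\PolicyManager).

$MinimumFactors = 2   # adjust to your compliance standard ("Set Clear Thresholds")

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null (not an error) when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$checks = [ordered]@{}

# Windows Hello for Business policy ("Use Windows Hello for Business" = Enabled)
$checks['Windows Hello for Business policy'] =
    (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' 'Enabled') -eq 1

# PIN enforcement: counted only when a minimum PIN length is enforced (6 is an assumed floor)
$minPin = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity' 'MinimumPINLength'
$checks['PIN minimum length policy'] = ($null -ne $minPin) -and ($minPin -ge 6)

# Biometrics: service running and not disabled by the "Allow the use of biometrics" policy
$bioSvc = Get-Service -Name WbioSrvc -ErrorAction SilentlyContinue
$bioPol = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics' 'Enabled'
$checks['Biometric service'] = ($null -ne $bioSvc) -and ($bioSvc.Status -eq 'Running') -and ($bioPol -ne 0)

# Secure Logon: DisableCAD = 0 means Ctrl+Alt+Del is required before sign-in
$checks['Secure Logon (Ctrl+Alt+Del)'] =
    (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableCAD') -eq 0

# Azure AD (Microsoft Entra) join state, parsed from dsregcmd /status
$joined = $false
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    $joined = [bool]((& dsregcmd.exe /status) -match 'AzureAdJoined\s*:\s*YES')
}
$checks['Azure AD joined'] = $joined

# Print every check so the alert body shows exactly what is missing
$enabledCount = 0
foreach ($entry in $checks.GetEnumerator()) {
    if ($entry.Value) { $enabledCount++; $state = 'ENABLED' } else { $state = 'missing' }
    Write-Output ("{0,-36} {1}" -f $entry.Key, $state)
}

if ($enabledCount -lt $MinimumFactors) {
    Write-Output "ALERT: $enabledCount of $MinimumFactors required sign-in controls configured"
    exit 1
}
Write-Output "OK: $enabledCount sign-in controls configured"
exit 0
```

Each check is written so that an absent key reads as "missing" rather than throwing, which keeps the script from reporting a false pass on a device where the policy hive does not exist at all. Adding a check means adding one more `$checks[...]` line; the threshold and the exit code stay the same.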


Use Cases

  • Confirming Windows devices meet organizational MFA standards
  • Monitoring newly onboarded endpoints for MFA compliance
  • Automating proactive remediation processes for non-compliant devices
  • Integrating with broader security policies and compliance audits

Recommendations

  • Test Thoroughly: Always test this script in a controlled environment before deploying it across production devices.
  • Pair with Automations: Create a follow-up automation that notifies end users or instructs them to enable MFA once the monitor generates an alert.
  • Configure Policies: Ensure Windows Hello for Business, biometric, and PIN policies align with your organization’s security requirements.
  • Set Clear Thresholds: Adjust the acceptable number of enabled factors in the script if your environment has unique compliance standards.

FAQ

  • What if a device isn’t Azure AD joined?
    The monitor still evaluates the other sign-in controls. Azure AD join is only one of the checks the script counts, and it is a device identity state rather than an authentication factor in itself, so a device that is not joined does not automatically fail if enough of the other controls are enabled.
  • Why does the alert automatically resolve?
    Once the monitor finds at least two active MFA factors, it reports a success state, which triggers the resolution of the previously raised alert.
  • Will this script work in all Windows environments?
    We cannot guarantee compatibility with every setup. OS versions, registry paths, and group policy or MDM configuration can change which keys exist and what they mean, so the results may differ; thorough testing is essential.
  • How can I further customize this monitor?
    You can adjust registry checks, modify the minimum required factors, or integrate additional MFA-related checks to align with your organization’s security policies.
  • Where can I share feedback or improvements?
    We welcome community contributions and feedback through our Level Library at https://level.io/library. This shared space helps everyone benefit from collective insights and solutions.

Included with this Monitor:

Below is a list of what you can expect to find when importing this Monitor.

Script details:

The following data and settings will be imported with your script.

Monitors

  • Run Script

Scripts

  • MFA Check
