Windows Hello for Business supports the use of a single credential (a PIN or a biometric) for unlocking a device. Therefore, if that credential is compromised (for example, a PIN that is shoulder surfed), an attacker could gain access to the system.
Windows Hello for Business can be configured with multi-factor unlock, by extending Windows Hello with trusted signals. Administrators can configure devices to request a combination of factors and trusted signals to unlock them.
The First unlock factor credential providers and Second unlock factor credential providers settings are responsible for the bulk of the configuration. Each of these components contains a globally unique identifier (GUID) that represents a different Windows credential provider. With the policy setting enabled, users must unlock the device using at least one credential provider from each category before Windows allows them to proceed to their desktop.
The First unlock factor credential providers and Second unlock factor credential providers portion of the policy setting each contain a comma separated list of credential providers.
Configure a comma separated list of credential provider GUIDs you want to use as first and second unlock factors. While a credential provider can appear in both lists, a credential supported by that provider can only satisfy one of the unlock factors. Listed credential providers don't need to be in any specific order.
For example, if you include the PIN and fingerprint credential providers in both first and second factor lists, a user can use their fingerprint or PIN as the first unlock factor. Whichever factor you use to satisfy the first unlock factor can't be used to satisfy the second unlock factor. Each factor can therefore be used exactly once. The Trusted Signal provider can only be specified as part of the Second unlock factor credential provider list.
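To make the two-list semantics concrete, the following Python model of the rules in the paragraphs above is an added example, not Microsoft's code or the policy implementation. The GUID strings are constructed placeholders; the real credential-provider GUIDs must be taken from the Windows Hello for Business multi-factor unlock documentation.

```python
"""Model of the multi-factor unlock policy semantics: two comma-separated
provider lists, one credential per factor, trusted signal only in the second."""

# Constructed placeholder GUIDs; replace with the real provider GUIDs from the
# Windows Hello for Business multi-factor unlock documentation.
PIN = "{PLACEHOLDER-PIN-PROVIDER-GUID}"
FINGERPRINT = "{PLACEHOLDER-FINGERPRINT-PROVIDER-GUID}"
FACE = "{PLACEHOLDER-FACE-PROVIDER-GUID}"
TRUSTED_SIGNAL = "{PLACEHOLDER-TRUSTED-SIGNAL-PROVIDER-GUID}"


def parse_provider_list(value: str) -> list:
    """Split the comma-separated GUID list used by each half of the policy setting."""
    return [g.strip() for g in value.split(",") if g.strip()]


def validate_policy(first_factors: str, second_factors: str) -> tuple:
    """Parse both lists and reject the one layout the policy forbids:
    the trusted-signal provider in the first-factor list."""
    first = parse_provider_list(first_factors)
    second = parse_provider_list(second_factors)
    if TRUSTED_SIGNAL in first:
        raise ValueError("trusted signal provider is only allowed as a second factor")
    if not first or not second:
        raise ValueError("both factor lists must name at least one provider")
    return first, second


def unlock_allowed(first_factors: str, second_factors: str, presented: set) -> bool:
    """True if the credentials the user presented satisfy both factors.

    A provider may appear in both lists, but one credential can satisfy only
    one factor, so we look for two *distinct* presented providers: one that is
    listed as a first factor and another that is listed as a second factor.
    Order does not matter, matching the policy description above.
    """
    first, second = validate_policy(first_factors, second_factors)
    return any(a in first and b in second
               for a in presented for b in presented if a != b)


if __name__ == "__main__":
    first = f"{PIN},{FINGERPRINT}"
    second = f"{PIN},{FINGERPRINT},{TRUSTED_SIGNAL}"
    print(unlock_allowed(first, second, {PIN}))                         # False
    print(unlock_allowed(first, second, {PIN, FINGERPRINT}))            # True
    print(unlock_allowed(first, second, {FINGERPRINT, TRUSTED_SIGNAL})) # True
```

The `presented` argument is the set of providers the user has actually satisfied at the lock screen; a single PIN presented on its own fails even though the PIN provider is in both lists, which is exactly the "each factor can be used exactly once" rule.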
The rssiMin attribute value indicates the signal strength needed for the device to be considered "in-range". The default value of -10 enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The rssiMaxDelta attribute has a default value of -10, which instructs Windows to lock the device once the signal strength weakens by more than a measurement of 10.
RSSI measurements are relative and decrease as the Bluetooth signal between the two paired devices weakens. A measurement of 0 is stronger than -10. A measurement of -10 is stronger than -60; the lower value indicates that the devices are moving further apart from each other.
Microsoft recommends using the default values for this policy setting. Measurements are relative, based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. Use the rssiMin and rssiMaxDelta values from the XML file created by the Group Policy Management Editor, or remove both attributes to use the default values.
The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string. A signal element may only contain one ipv4Prefix element. For example:
The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A signal element may only contain one ipv4Gateway element. For example:
The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A signal element may only contain one ipv4DhcpServer element. For example:
The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. The signal element may contain one or more ipv4DnsServer elements.
The IPv6 network prefix represented using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A signal element may only contain one ipv6Prefix element. For example:
The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A signal element may only contain one ipv6Gateway element. For example:
The IPv6 DHCP server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A signal element may only contain one ipv6DhcpServer element. For example:
The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. The signal element may contain one or more ipv6DnsServer elements. For example:
The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The signal element may contain one or more dnsSuffix elements. For example:
Contains the thumbprint of the trusted root certificate of the wireless network. You can use any valid trusted root certificate. The value is represented as a hexadecimal string, where each byte in the string is separated by a single space. The element is optional. For example:
The following example configures an IpConfig signal type using a dnsSuffix element and a bluetooth signal for phones. The example implies that either the IpConfig or the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true.
The following example configures the same as example 2 using the compounding <and> element. The example implies that both the IpConfig and the Bluetooth rule must evaluate to true for the resulting signal evaluation to be true.
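As an added example (not Microsoft's code, and not the XML the original page's own examples contained), the following Python evaluator applies the bluetooth attributes (rssiMin, rssiMaxDelta), the ipv4Prefix, ipv4DnsServer and dnsSuffix elements, and the either/or versus <and> compounding described above to a constructed device snapshot. The rule document layout used here (a rule root with a schemaVersion attribute, signal elements carrying a type attribute), the decision that every element inside one signal must match, and the DNS suffix rule (the computer's primary suffix equals or is a subdomain of the configured suffix) are assumptions of this example; the IPv6, gateway, DHCP and wifi elements are not handled.

```python
"""Evaluator for trusted-signal rules: bluetooth RSSI attributes, ipConfig
elements and <and>/<or> compounding, run against a constructed device state."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DeviceState:
    """Constructed snapshot of what the device observes at unlock time."""
    ipv4_addresses: list = field(default_factory=list)
    ipv4_dns_servers: list = field(default_factory=list)
    primary_dns_suffix: str = ""
    phone_rssi_at_unlock: Optional[int] = None  # RSSI when the phone was last seen in range
    phone_rssi_now: Optional[int] = None        # None: no paired phone detected


def suffix_matches(configured: str, primary: str) -> bool:
    """Assumption: the primary DNS suffix equals, or is a subdomain of, the configured one."""
    c, p = configured.lower().strip("."), primary.lower().strip(".")
    return bool(c) and (p == c or p.endswith("." + c))


def bluetooth_ok(sig: ET.Element, st: DeviceState) -> bool:
    """rssiMin: strength needed to count as in range (default -10).
    rssiMaxDelta: lock once the signal has weakened by more than this (default -10)."""
    rssi_min = int(sig.get("rssiMin", "-10"))
    rssi_max_delta = int(sig.get("rssiMaxDelta", "-10"))
    if st.phone_rssi_now is None or st.phone_rssi_now < rssi_min:
        return False
    if (st.phone_rssi_at_unlock is not None
            and st.phone_rssi_now - st.phone_rssi_at_unlock < rssi_max_delta):
        return False  # signal dropped by more than the allowed delta
    return True


def ipconfig_ok(sig: ET.Element, st: DeviceState) -> bool:
    """Assumption: every element inside one ipConfig signal must match."""
    for el in sig:
        text = (el.text or "").strip()
        if el.tag == "ipv4Prefix":
            if "/" not in text:
                raise ValueError("ipv4Prefix requires CIDR notation")
            net = ipaddress.IPv4Network(text, strict=False)
            if not any(ipaddress.IPv4Address(a) in net for a in st.ipv4_addresses):
                return False
        elif el.tag == "ipv4DnsServer":
            if "/" in text or ":" in text:
                raise ValueError("ipv4DnsServer must not carry a port or prefix")
            if str(ipaddress.IPv4Address(text)) not in st.ipv4_dns_servers:
                return False
        elif el.tag == "dnsSuffix":
            if not suffix_matches(text, st.primary_dns_suffix):
                return False
        else:
            raise ValueError(f"element <{el.tag}> not handled by this example")
    return True


def evaluate(node: ET.Element, st: DeviceState) -> bool:
    """Signals placed directly under <rule> are alternatives (any one suffices);
    <and> and <or> compound their children explicitly."""
    if node.tag in ("rule", "or"):
        return any(evaluate(c, st) for c in node)
    if node.tag == "and":
        return all(evaluate(c, st) for c in node)
    if node.tag == "signal":
        kind = node.get("type")
        if kind == "bluetooth":
            return bluetooth_ok(node, st)
        if kind == "ipConfig":
            return ipconfig_ok(node, st)
        raise ValueError(f"signal type {kind!r} not handled by this example")
    raise ValueError(f"unexpected element <{node.tag}>")


def evaluate_rule(xml_text: str, st: DeviceState) -> bool:
    return evaluate(ET.fromstring(xml_text), st)


# Constructed rules: RULE_EITHER accepts either signal, RULE_BOTH requires both.
RULE_EITHER = """<rule schemaVersion="1.0">
  <signal type="ipConfig"><dnsSuffix>corp.example.test</dnsSuffix></signal>
  <signal type="bluetooth" rssiMin="-10" rssiMaxDelta="-10"/>
</rule>"""

RULE_BOTH = """<rule schemaVersion="1.0">
  <and>
    <signal type="ipConfig">
      <ipv4Prefix>192.168.100.0/24</ipv4Prefix>
      <ipv4DnsServer>192.168.100.10</ipv4DnsServer>
      <dnsSuffix>corp.example.test</dnsSuffix>
    </signal>
    <signal type="bluetooth" rssiMin="-10" rssiMaxDelta="-10"/>
  </and>
</rule>"""

# Constructed device snapshot: in the office with the paired phone nearby.
OFFICE = DeviceState(["192.168.100.25"], ["192.168.100.10"], "corp.example.test",
                     phone_rssi_at_unlock=-5, phone_rssi_now=-7)
```

Call `evaluate_rule(RULE_BOTH, OFFICE)` to evaluate a rule. The rssiMaxDelta check needs a baseline, so the evaluator compares the current RSSI with the value recorded at unlock: a phone that is still above rssiMin but has weakened by more than the delta since unlock still fails the signal, which is the behaviour the defaults are meant to give when a user walks away from the desk.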
To configure a device with group policy, use the Local Group Policy Editor. To configure multiple devices joined to Active Directory, create or edit a group policy object (GPO) and use the following settings:
You should remove all non-Microsoft credential providers to ensure users cannot unlock their devices if they do not have the required factors. The fallback options are to use passwords or smart cards (both of which could be disabled as needed).
My motherboard is a H97 socket with an unlocked (lol...) Haswell CPU. Back in the day I had actually bought the MSI Z97i AC which would've allowed me to overclock the G3258 very impressively. The CPU was a steal back then for the performance it could provide overclocked. Sadly the board arrived malfunctioning and the reseller couldn't stock me another Z97 replacement. I got pretty upset and had to bite the apple ending up with the locked H97 version...
The CPU doesn't support VT-d so no reason to go into the BIOS to deactivate it. VT-x is and has been always enabled. I occasionally run tons of different OSes in VMware. From Windows, to almost every Linux distro, to several BSDs...never had an issue.
I did have Disable Execute Bit enabled though, which I seem to remember causing me issues back when I still built hackintoshes. Disabling it didn't make a difference in this situation though. I also changed C-State from Auto to enabled and disabled HEIST. No change in VMware. I'm kinda disappointed by now. It seems nobody can help me here 'cause nobody's facing a similar issue.
I upgraded to 16, and then used the same unlocker as you from BDisp and my macOS 10.15 VM boots up just fine. I also upgraded tools using the ISO file from VMware Fusion 12 and nothing bad seems to have happened.
I can't believe how many people have downloaded MK-Unlocker. I made it by pulling a broken version of Unlocker and putting a few fixes in. It has now been downloaded over 114,000 times. Everything is working for me with Workstation 16. I continue to support a community where Unlocker is very important. Without giving too many details, it is to help people who can't afford a Mac but need macOS to use medical software that greatly improves their lives. I want to keep Unlocker alive. Unfortunately, we are short on people who are really up to speed on how the core of it works. We have been able to make minor fixes and tweaks. We are lucky that it continues to work on Workstation 16, and first reports are it still works with Big Sur. Some others that have contributed are , -projects/unlocker , and myself ( ). Dr. Donk was a significant contributor, but I don't believe he is active anymore. Does anyone know anyone else active with this project, or someone that would like to become active? Without help, it will almost certainly quit working at some point.
VMware Tools are already installed on all my EIGHT VMs, and are latest version possible for each one. (older macOS VMs not being able to run latest VMware Tools, due to the newer minimum system req's it now has)
I don't know. That would have to be something with how VMware is detecting what Tools are installed. We are honestly lucky it still works. The people who actually built the logic in the unlocker tool have dropped out of the project. Those of us working on it now are able to make small tweaks, but not huge changes.