The official Microsoft documentation teaches us that Microsoft Intune is an optional requirement to configure Windows Hello for Business to show the option to display the FIDO security key sign-in method as part of the Sign-in options on the Windows Logon Screen for Azure AD accounts.
However, a method to achieve the same goal without Microsoft Intune is not part of the documentation…
To make FIDO Key sign-in work with an Azure AD account, you’ll need to meet the following requirements:
- You need a compatible FIDO2 security key.
I choose the above eWBM GoldenGate FIDO2 security key of South Korean origin.
- The device you’re configuring must run Windows 10 1809, or a newer version of Windows 10.
- The device you’re configuring needs to be Azure AD-joined.
This is an Azure AD Free feature.
- You need local administrator or System privileges on the device.
This can be easily achieved by assigning the Device administrator role to a person, but requires Azure AD Premium licenses. This can also be achieved using Microsoft Intune, but the entire purpose is to make this work without Microsoft Intune…
- You need Global administrator privileges in the Azure AD tenant that the device is joined to.
- The Azure AD tenant the device is joined to must be configured to use the combined security information registration.
How to do it
Enabling FIDO2 Security Keys as a sign-in method for Windows Hello for Business requires four steps:
- Enabling FIDO2 as an authentication method in Azure AD
- Configuring a security key for sign-in for the user account
- Configuring the Windows 10 device with the right policy setting (without Intune)
- Signing in in with the FIDO2 security key
Enabling FIDO2 as an authentication method in Azure AD
Perform these steps to enable FIDO2 security keys as a valid authentication method in Azure Active Directory:
- Sign in to the Microsoft Azure portal.
- Open the navigation menu, if it’s not open by default.
- In the navigation menu, click on Azure Active Directory.
- In the Azure Active Directory navigation menu, click on Security.
- In the Security navigation menu, click on Authentication methods.
- In the Authentication Methods navigation menu, click on Authentication method policy (Preview).
- In the main pane, click on the FIDO2 Security Key method.
- In the blade that emerges from the bottom of the Azure portal, enable the ability for people in the Azure AD tenant to use this authentication method by switching from No to Yes in the Enabled field.
- Make a decision between targeting All users or only selected users in the Target field.
- Save the configuration by clicking the Save button in the top bar of the blade.
Configuring a security key for sign-in for the user account
Perform these steps to configure an actual security key for sign-in for the user account that will use the key as the sign-in method. This can be the same account as used in the previous steps, but the best way to show off the feature is with an account that has no privileges in the Azure AD tenant:
- Browse to the Microsoft MyProfile portal.
- Sign in if not already.
- Click the UPDATE INFO link on the Security Info tile.
- Perform multi-factor authentication.
- Register a FIDO2 security key as an additional Azure Multi-Factor Authentication method by clicking Add method
- Choose Security key from the drop-down list.
- Choose USB device or NFC device.
- Click Next.
- Create or enter a PIN for the security key.
- Perform the required gesture for the key, either biometric or touch.
- Returning to the combined registration experience, provide a meaningful name for the security key to easily identify it.
- Click Next.
- Click Done.
- Close the browser.
Configuring the Windows 10 device with the right policy setting
Perform these steps to configure the Windows 10 device:
- Sign in to the device with an account that has local administrator privileges.
- Open the Registry Editor (regedit.exe)
- Navigate to the following registry location:HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey
If the PassportForWork and SecurityKey registry keys don't exist, create them.
- Create a new DWORD (32-bit) value, named UseSecurityKeyForSignIn.
- Provide 1 as the data for the new value.
- Close the Registry Editor.
- Restart the device.
Signing in with the FIDO2 security key
- On the Windows login screen, click the Sign-in options text.
- Select the FIDO security key option.
- Insert the pre-configured security key.
- Enter the PIN and/or
perform the required gesture for the key, either biometric or touch.
The above steps show how to configure Windows Hello for Business to show the option to display the FIDO security key sign-in method as part of the Sign-in options on the Windows Logon Screen for Azure AD accounts without using Microsoft Intune.