HOWTO: Enable Windows Hello for Business FIDO2 Key sign-in without Microsoft Intune

eWBM's GoldenGate FIDO2 Key

The official Microsoft documentation teaches us that Microsoft Intune is an optional requirement to configure Windows Hello for Business to show the option to display the FIDO security key sign-in method as part of the Sign-in options on the Windows Logon Screen for Azure AD accounts.

However, a method to achieve the same goal without Microsoft Intune is not part of the documentation…

 

Getting ready

To make FIDO Key sign-in work with an Azure AD account, you’ll need to meet the following requirements:

  • You need a compatible FIDO2 security key.
    I choose the above eWBM GoldenGate FIDO2 security key of South Korean origin.
  • The device you’re configuring must run Windows 10 1809, or a newer version of Windows 10.
  • The device you’re configuring needs to be Azure AD-joined.
    This is an Azure AD Free feature.
  • You need local administrator or System privileges on the device.
    This can be easily achieved by assigning the Device administrator role to a person, but requires Azure AD Premium licenses. This can also be achieved using Microsoft Intune, but the entire purpose is to make this work without Microsoft Intune…
  • You need Global administrator privileges in the Azure AD tenant that the device is joined to.
  • The Azure AD tenant the device is joined to must be configured to use the combined security information registration.

 

How to do it

Enabling FIDO2 Security Keys as a sign-in method for Windows Hello for Business requires four steps:

  1. Enabling FIDO2 as an authentication method in Azure AD
  2. Configuring a security key for sign-in for the user account
  3. Configuring the Windows 10 device with the right policy setting (without Intune)
  4. Signing in in with the FIDO2 security key

 

Enabling FIDO2 as an authentication method in Azure AD

Perform these steps to enable FIDO2 security keys as a valid authentication method in Azure Active Directory:

  • Sign in to the Microsoft Azure portal.
  • Open the navigation menu, if it’s not open by default.
  • In the navigation menu, click on Azure Active Directory.
  • In the Azure Active Directory navigation menu, click on Security.
  • In the Security navigation menu, click on Authentication methods.
  • In the Authentication Methods navigation menu, click on Authentication method policy (Preview).
  • In the main pane, click on the FIDO2 Security Key method.
  • In the blade that emerges from the bottom of the Azure portal, enable the ability for people in the Azure AD tenant to use this authentication method by switching from No to Yes in the Enabled field.
  • Make a decision between targeting All users or only selected users in the Target field.
  • Save the configuration by clicking the Save button in the top bar of the blade.

 

Configuring a security key for sign-in for the user account

Perform these steps to configure an actual security key for sign-in for the user account that will use the key as the sign-in method. This can be the same account as used in the previous steps, but the best way to show off the feature is with an account that has no privileges in the Azure AD tenant:

  • Browse to the Microsoft MyProfile portal.
  • Sign in if not already.
  • Click the UPDATE INFO link on the Security Info tile.
  • Perform multi-factor authentication.
  • Register a FIDO2 security key as an additional Azure Multi-Factor Authentication method by clicking Add method
  • Choose Security key from the drop-down list.
  • Choose USB device or NFC device.
  • Click Next.
  • Create or enter a PIN for the security key.
  • Perform the required gesture for the key, either biometric or touch.
  • Returning to the combined registration experience, provide a meaningful name for the security key to easily identify it.
  • Click Next.
  • Click Done.
  • Close the browser.

 

Configuring the Windows 10 device with the right policy setting

Perform these steps to configure the Windows 10 device:

  • Sign in to the device with an account that has local administrator privileges.
  • Open the Registry Editor (regedit.exe)
  • Navigate to the following registry location:HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey

Note:
If the PassportForWork and SecurityKey registry keys don't exist, create them.

  • Create a new DWORD (32-bit) value, named UseSecurityKeyForSignIn.
  • Provide 1 as the data for the new value.

The UseSecurityKeyForSignIn Registry value

  • Close the Registry Editor.
  • Restart the device.

 

Signing in with the FIDO2 security key

  1. On the Windows login screen, click the Sign-in options text.
  2. Select the FIDO security key option.
  3. Insert the pre-configured security key.
  4. Enter the PIN and/or
    perform the required gesture for the key, either biometric or touch.

 

Concluding

The above steps show how to configure Windows Hello for Business to show the option to display the FIDO security key sign-in method as part of the Sign-in options on the Windows Logon Screen for Azure AD accounts without using Microsoft Intune.

Further reading

Windows Hello for Business Overview
Enable passwordless security key sign in (preview)
Passwordless authentication options

4 Responses to HOWTO: Enable Windows Hello for Business FIDO2 Key sign-in without Microsoft Intune

  1.  

    Sander, do you know a way to enforce the fido key to be inserted? It is still possible to use only pin without fido if we select the pin provider on sign in screen

  2.  

    hi, thanks for the complete write up! I didn't look into the Azure ecosistem yet since i dont have a business.
    I was wondering if this is something i can setup for personal use at no cost or the use of Azure ecosystem just to login into Windows without using any other feature they offer would require a fee to be paid?

    • Hi Marco,

      Yes, you can do this with a Microsoft Account (formerly known as a Windows Live ID) on devices running Windows 10 version 1809, and newer versions of Windows 10.
      If you don't have a Microsoft Account, you can create one with a *@hotmail.com or *@outlook.com e-mail address for free.

       
  3.  

    Hi Sander,

    Thanks for this great description. To follow up on Marco's previous comment, I am interested in setting up a FIDO2 sign-in for personal use based only on my Microsoft account. Following the steps above I never actually got a new "security key" option in the windows login screen.

    What I did was to set up a security key under "Windows Hello and security keys" in account.microsoft.com/security/ of my personal hotmail account.

    The security key (yubico 5 NFC and Google Titan) works fine when logging in online, but does not work for my windows sign-in. Could you briefly explain where I could have gone wrong?

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.