View Source

Enable security keys for Windows sign-in

We need to enable the the security keys as a sign-in option for our Windows 10 devices in Microsoft Intune. In Intune this can be done by enabling this as part of a tenant wide Windows Hello for Business (WHfB) setting or by deploying an Identity Protection configuration policy.

Using this first option is a tenant wide setting for all users.

Open a browser to sign-in to the Microsoft Intune portal.

Sign-in to the Device Management Portal
Browse to Devices – Windows – Windows Enrollment

Click Windows Hello for Business
Set Configre Windows Hello for Business to Enabled
Set Use Security keys for sign-in to Enabled

Click Save

The same can be accomplished by using an Identity Protection configuration policy. The advantage of using a configuration policy is you can assign it to a group of users instead of all users.

Browse to Devices – Windows – Configuration profiles

Click Create profile

Give the policy a Name
Enter a Description (optional)
Choose Windows 10 and later as Platform
Choose Identity protection as Profile type
On the Settings tab set Use security keys for sign-in to Enable
Click OK
Click Create

Click Assignments to assign the policy to the security group of choice

SafeKey > Enable security keys for Windows sign-in > image2020-1-9_12-50-48.png

Enable combined security information registration

The next step is to enable combined security information registration. The feature needs to be enabled from the Azure (AD) Portal.

Sign-in to the Azure AD portal
Browse to Azure Active Directory – User settings

Click Manage user feature preview settings

SafeKey > Enable security keys for Windows sign-in > image2020-1-9_14-17-1.png

Select All to switch on the features for all users
Click Save

Enable FIDO2 security keys as Authentication methode

The third step is to enable FIDO2 security keys as Authentication method in Azure Active Directory.

In the Azure AD Portal browse to Azure Active Directory

Browse to Security – Authentication methods

Click FIDO2 Security Keys

Set Enable to Yes
Leave Target set to All or switch to Select users and select a security group
Click Save

In above screen we also have the option to block Self-service setup of the security keys and a Key restrictions policy. If you want to block specific security keys or only allow specific security keys, you need the AAGuid of an security key. Those for the security keys of Yubico can be found here.