
We need to enable security keys as a sign-in option for our Windows 10 devices in Microsoft Intune. In Intune this can be done either as part of the tenant-wide Windows Hello for Business (WHfB) settings or by deploying an Identity Protection configuration profile. Both routes set the same device setting; the difference is only in scope (everyone versus an assigned group).

The first option is a tenant-wide setting that applies to all users.

Open a browser and sign in to the Microsoft Intune portal.

  • Click Windows Hello for Business
  • Set Configure Windows Hello for Business to Enabled
  • Set Use security keys for sign-in to Enabled
  • Click Save


The same can be accomplished with an Identity Protection configuration profile. The advantage of a configuration profile is that it can be assigned to a group of users instead of to all users.

  • Browse to Devices – Windows – Configuration profiles
  • Click Create profile
  • Give the profile a Name
  • Enter a Description (optional)
  • Choose Windows 10 and later as Platform
  • Choose Identity protection as Profile type
  • On the Settings tab set Use security keys for sign-in to Enable
  • Click OK
  • Click Create
  • Click Assignments to assign the profile to the security group of choice
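The same Identity Protection profile can be created and assigned from the Microsoft Graph PowerShell SDK, which is handy when the profile has to be reproduced in several tenants. The script below is an added example, not part of the original page and not Microsoft's own tooling. It assumes the Microsoft.Graph module is installed, that the signed-in account can be granted the DeviceManagementConfiguration.ReadWrite.All scope, and that $GroupId is replaced by the object ID of your security group (the value shown is a placeholder). The Intune "Identity protection" template is backed by the beta Graph type windowsIdentityProtectionConfiguration, whose useSecurityKeysForSignin property is the toggle the portal steps above set.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: create an Intune Identity Protection profile with
# "Use security keys for sign-in" enabled and assign it to one group.
# Not from the original page; uses the Graph beta endpoint.

param(
    [string]$ProfileName = "Win10 - Security key sign-in",
    [string]$GroupId     = "00000000-0000-0000-0000-000000000000"   # placeholder, replace with your group's object ID
)

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
$base = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"

# 1. Create the profile. Only the security-key setting is specified; the other
#    WHfB properties of the template are left at their defaults.
$profileBody = @{
    "@odata.type"            = "#microsoft.graph.windowsIdentityProtectionConfiguration"
    displayName              = $ProfileName
    description              = "Enables FIDO2 security keys as a Windows sign-in option"
    useSecurityKeysForSignin = $true
}
$newProfile = Invoke-MgGraphRequest -Method POST -Uri $base -Body $profileBody

# 2. Assign it to the group (the Assignments step in the portal).
$assignBody = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $GroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($newProfile.id)/assign" -Body $assignBody | Out-Null

# 3. Read the profile back and fail loudly if the setting did not land.
$check = Invoke-MgGraphRequest -Method GET -Uri "$base/$($newProfile.id)"
if ($check.useSecurityKeysForSignin -ne $true) {
    throw "Profile $($newProfile.id) exists but useSecurityKeysForSignin is not enabled"
}
"Profile '$($check.displayName)' ($($newProfile.id)) created and assigned to group $GroupId"
```

The read-back at the end is deliberate: Graph accepts a POST with unknown property names without complaint, so a typo in the property name would otherwise produce a profile that looks assigned but changes nothing on the device.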


Enable combined security information registration

The next step is to enable combined security information registration. This feature has to be enabled from the Azure AD portal; without it users do not get the option to register a security key on the My Security Info page.

  • Sign-in to the Azure AD portal
  • Browse to Azure Active Directory – User settings

  • Click Manage user feature preview settings

  • Select All to switch on the features for all users
  • Click Save


Enable FIDO2 security keys as Authentication method

The third step is to enable FIDO2 security keys as an authentication method in Azure Active Directory.

  • In the Azure AD portal browse to Azure Active Directory
  • Browse to Security – Authentication methods

  • Click FIDO2 Security Keys

  • Set Enable to Yes
  • Leave Target set to All or switch to Select users and select a security group
  • Click Save

On the same screen we also have the option to block self-service setup of security keys and to set a key restrictions policy. If you want to block specific security keys, or only allow specific security keys, you need the AAGUID of the security key model. Those for Yubico's security keys can be found here. Note that an AAGUID only identifies the key model and is reported by the key itself at registration, so pair an AAGUID allow-list with the Enforce attestation option; otherwise the restriction is only as trustworthy as the key's self-reported identity.
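The FIDO2 authentication method settings described above are exposed through the Graph authentication methods policy, which makes the configuration scriptable and, more importantly, verifiable after the fact. The script below is an added example, not part of the original page and not Microsoft's own tooling. It assumes the Microsoft.Graph module is installed, that the signed-in account can be granted the Policy.ReadWrite.AuthenticationMethod scope, that $GroupId is replaced by the object ID of the target group (use the well-known id all_users to target everyone), and that $AllowedAaguids is replaced by the AAGUIDs of the key models you want to allow; the GUID values shown are placeholders, not real AAGUIDs.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: enable FIDO2 security keys for one group, require attestation
# and enforce an AAGUID allow-list, then read the policy back to verify it.
# Not from the original page; uses the Graph v1.0 endpoint.

param(
    [string]   $GroupId        = "00000000-0000-0000-0000-000000000000",   # placeholder group object ID
    [string[]] $AllowedAaguids = @("11111111-1111-1111-1111-111111111111")  # placeholder, not a real AAGUID
)

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"
$uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"

# Reject malformed AAGUIDs before they are written into tenant policy;
# a bad value in an allow-list silently locks everyone out of registration.
foreach ($g in $AllowedAaguids) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($g, [ref]$parsed)) { throw "Not a valid AAGUID: $g" }
}

$body = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationAllowed = $true    # users may register keys themselves
    isAttestationEnforced            = $true    # verify attestation so the AAGUID can be trusted
    keyRestrictions                  = @{
        isEnforced      = $true
        enforcementType = "allow"               # "allow" = allow-list, "block" = block-list
        aaGuids         = $AllowedAaguids
    }
    includeTargets                   = @(
        @{ targetType = "group"; id = $GroupId; isRegistrationRequired = $false }
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body | Out-Null

# Read the effective policy back and fail if it does not match the intent.
$cfg = Invoke-MgGraphRequest -Method GET -Uri $uri
if ($cfg.state -ne "enabled")                          { throw "FIDO2 method is not enabled" }
if (-not $cfg.isAttestationEnforced)                   { throw "Attestation is not enforced" }
if (-not $cfg.keyRestrictions.isEnforced)              { throw "Key restrictions are not enforced" }
if ($cfg.keyRestrictions.enforcementType -ne "allow")  { throw "Unexpected enforcement type: $($cfg.keyRestrictions.enforcementType)" }
"FIDO2 enabled for target $GroupId; allowed AAGUIDs: $($cfg.keyRestrictions.aaGuids -join ', ')"
```

Switching enforcementType to "block" turns the same list into a deny-list, which is the other option offered by the Key restrictions policy in the portal.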
