Enable Windows Hello for Business FIDO2 Key sign-in without Microsoft Intune

Source LINK

HOWTO: Enable Windows Hello for Business FIDO2 Key sign-in without Microsoft Intune

eWBM's GoldenGate FIDO2 Key

The official Microsoft documentation presents Microsoft Intune as the requirement for configuring Windows Hello for Business so that the FIDO security key sign-in method appears under Sign-in options on the Windows logon screen for Azure AD accounts.

However, a method to achieve the same goal without Microsoft Intune is not part of the documentation…

 

Getting ready

To make FIDO Key sign-in work with an Azure AD account, you’ll need to meet the following requirements:

  • You need a compatible FIDO2 security key.
    I chose the above eWBM GoldenGate FIDO2 security key of South Korean origin.
  • The device you’re configuring must run Windows 10 1809, or a newer version of Windows 10.
  • The device you’re configuring needs to be Azure AD-joined.
    This is an Azure AD Free feature.
  • You need local administrator or System privileges on the device.
    This can be easily achieved by assigning the Device administrator role to a person, but requires Azure AD Premium licenses. This can also be achieved using Microsoft Intune, but the entire purpose is to make this work without Microsoft Intune…
  • You need Global administrator privileges in the Azure AD tenant that the device is joined to.
  • The Azure AD tenant the device is joined to must be configured to use the combined security information registration.

 

How to do it

Enabling FIDO2 Security Keys as a sign-in method for Windows Hello for Business requires four steps:

  1. Enabling FIDO2 as an authentication method in Azure AD
  2. Configuring a security key for sign-in for the user account
  3. Configuring the Windows 10 device with the right policy setting (without Intune)
  4. Signing in with the FIDO2 security key

 

Enabling FIDO2 as an authentication method in Azure AD

Perform these steps to enable FIDO2 security keys as a valid authentication method in Azure Active Directory:

  • Sign in to the Microsoft Azure portal.
  • Open the navigation menu, if it’s not open by default.
  • In the navigation menu, click on Azure Active Directory.
  • In the Azure Active Directory navigation menu, click on Security.
  • In the Security navigation menu, click on Authentication methods.
  • In the Authentication Methods navigation menu, click on Authentication method policy (Preview).
  • In the main pane, click on the FIDO2 Security Key method.
  • In the blade that emerges from the bottom of the Azure portal, enable the ability for people in the Azure AD tenant to use this authentication method by switching from No to Yes in the Enabled field.
  • Make a decision between targeting All users or only selected users in the Target field.
  • Save the configuration by clicking the Save button in the top bar of the blade.

 

Configuring a security key for sign-in for the user account

Perform these steps to configure an actual security key for sign-in for the user account that will use the key as the sign-in method. This can be the same account as used in the previous steps, but the best way to show off the feature is with an account that has no privileges in the Azure AD tenant:

  • Browse to the Microsoft MyProfile portal.
  • Sign in if not already.
  • Click the UPDATE INFO link on the Security Info tile.
  • Perform multi-factor authentication.
  • Register a FIDO2 security key as an additional Azure Multi-Factor Authentication method by clicking Add method.
  • Choose Security key from the drop-down list.
  • Choose USB device or NFC device.
  • Click Next.
  • Create or enter a PIN for the security key.
  • Perform the required gesture for the key, either biometric or touch.
  • Returning to the combined registration experience, provide a meaningful name for the security key to easily identify it.
  • Click Next.
  • Click Done.
  • Close the browser.

 

Configuring the Windows 10 device with the right policy setting

Perform these steps to configure the Windows 10 device:

  • Sign in to the device with an account that has local administrator privileges.
  • Open the Registry Editor (regedit.exe)
  • Navigate to the following registry location: HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey

Note:
If the PassportForWork and SecurityKey registry keys don’t exist, create them.

  • Create a new DWORD (32-bit) value, named UseSecurityKeyForSignIn.
  • Provide 1 as the data for the new value.

The UseSecurityKeyForSignIn Registry value

  • Close the Registry Editor.
  • Restart the device.
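The registry steps above, as an added PowerShell example that is not part of the original post: it creates the policy key and the UseSecurityKeyForSignIn DWORD exactly as described, reads the value back to confirm it is set, and first checks the Azure AD-join prerequisite. The dsregcmd.exe /status output line it parses ("AzureAdJoined : YES") is the format that tool prints today; treat that parsing as an assumption. Run it from an elevated PowerShell prompt on the device.

```powershell
# Added example (not from the original post): enable FIDO2 security key sign-in
# by creating the policy registry value the post describes, then verify it.
# Requires local administrator privileges on the Azure AD-joined Windows 10 device.
#Requires -RunAsAdministrator

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'
$ValueName  = 'UseSecurityKeyForSignIn'

function Test-AzureAdJoined {
    # Prerequisite check: dsregcmd /status reports "AzureAdJoined : YES" on a joined device.
    # (Assumption: the output format of dsregcmd.exe is as shown.)
    $status = & dsregcmd.exe /status
    return [bool]($status -match '^\s*AzureAdJoined\s*:\s*YES')
}

function Enable-SecurityKeySignIn {
    # New-Item -Force creates PassportForWork and SecurityKey if they don't exist yet.
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # DWORD (32-bit) = 1 makes the FIDO security key option appear under Sign-in options.
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-SecurityKeySignIn {
    # Returns $true only when the value exists and is exactly 1 (0 or missing = disabled).
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$ValueName -eq 1)
}

if (-not (Test-AzureAdJoined)) {
    Write-Warning 'This device is not Azure AD-joined; the FIDO security key sign-in option will not appear.'
}

Enable-SecurityKeySignIn
if (Test-SecurityKeySignIn) {
    Write-Host "$ValueName = 1 under $PolicyPath. Restart the device for the logon screen to pick it up."
} else {
    Write-Error "Failed to set $ValueName under $PolicyPath."
}
```

One caveat a practitioner should keep in mind: because nothing manages this value (no Intune or other MDM), anyone with local administrator rights can delete it or set it to 0 and the sign-in option disappears again after the next restart. To revert deliberately, set the value to 0 or remove it with Remove-ItemProperty.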

 

Signing in with the FIDO2 security key

  1. On the Windows login screen, click the Sign-in options text.
  2. Select the FIDO security key option.
  3. Insert the pre-configured security key.
  4. Enter the PIN and/or perform the required gesture for the key, either biometric or touch.

 

Concluding

The above steps show how to configure Windows Hello for Business so that the FIDO security key sign-in method appears under Sign-in options on the Windows logon screen for Azure AD accounts, without using Microsoft Intune.

Security Now – uBlock Origin to the rescue

 

Everyone is annoyed by the pervasive cookie permission banners which compliance with the European Union’s GDPR has forced upon the world. I recently realized that I had become similarly annoyed by another increasingly pervasive website feature, which is the proactive offer to sign into whatever website I may be briefly visiting…

Security Now 996: BIMI (up Scotty)

Chrome 122 New V8 security setting

Chrome address bar: chrome://settings/content/v8

The default is "Sites can use the V8 optimizer".

Set it to "Don’t allow sites to use the V8 optimizer".

Customized behaviors can be added for specific sites if a particular site breaks without the optimizer.

From Chrome Enterprise and Education release notes
Last updated on: February 16, 2024

New V8 security setting
Chrome 122 adds a new setting on chrome://settings/security to disable the V8 JIT optimizers, to reduce the attack surface of Chrome browser. This behavior continues to be controlled by the DefaultJavaScriptJitSetting enterprise policy, and the associated JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies. The setting is integrated into Site Settings. The enterprise policies have been available since Chrome 93.

Chrome 122 on ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia

V8 JavaScript engine
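For a managed fleet, the per-user toggle above can be overridden by the enterprise policies the release notes name. The following is an added PowerShell example, not code from the release notes or from Google: it writes the Windows machine-policy registry values for DefaultJavaScriptJitSetting and JavaScriptJitAllowedForSites (Chrome on Windows reads these from HKLM\SOFTWARE\Policies\Google\Chrome; list policies are stored as numbered string values under a subkey named after the policy), then reads them back. The "[*.]example.com" pattern is a placeholder for whichever site breaks without the JIT.

```powershell
# Added example (not from the release notes): enforce "don't allow sites to use the
# V8 optimizer" by policy, with an allow-list exception for one site.
# Assumptions: Windows, Chrome 93 or later, and the documented policy values
# 1 = sites may use the JIT (Chrome's own default), 2 = JIT blocked for all sites.
#Requires -RunAsAdministrator

$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$AllowList    = Join-Path $ChromePolicy 'JavaScriptJitAllowedForSites'

function Set-ChromeJitPolicy {
    param(
        [ValidateSet('Allow', 'Block')] [string]   $Default = 'Block',
        [string[]]                                $AllowedSites = @()
    )
    $value = if ($Default -eq 'Block') { 2 } else { 1 }
    if (-not (Test-Path $ChromePolicy)) { New-Item -Path $ChromePolicy -Force | Out-Null }
    New-ItemProperty -Path $ChromePolicy -Name 'DefaultJavaScriptJitSetting' `
        -PropertyType DWord -Value $value -Force | Out-Null

    # Rewrite the allow-list from scratch so stale entries don't linger.
    if (Test-Path $AllowList) { Remove-Item -Path $AllowList -Recurse -Force }
    if ($AllowedSites.Count -gt 0) {
        New-Item -Path $AllowList -Force | Out-Null
        $i = 1
        foreach ($site in $AllowedSites) {
            New-ItemProperty -Path $AllowList -Name "$i" -PropertyType String -Value $site -Force | Out-Null
            $i++
        }
    }
}

function Get-ChromeJitPolicy {
    # Reads back what chrome://policy will show after Chrome restarts.
    $default = (Get-ItemProperty -Path $ChromePolicy -Name 'DefaultJavaScriptJitSetting' `
                -ErrorAction SilentlyContinue).DefaultJavaScriptJitSetting
    $sites = @()
    if (Test-Path $AllowList) {
        $sites = (Get-ItemProperty -Path $AllowList).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            Sort-Object { [int]$_.Name } |
            ForEach-Object { $_.Value }
    }
    [pscustomobject]@{
        DefaultJavaScriptJitSetting  = $default   # 2 = hardened, 1 or missing = JIT allowed everywhere
        JavaScriptJitAllowedForSites = $sites
    }
}

# Weak posture (equivalent to the browser default): Set-ChromeJitPolicy -Default 'Allow'
# Hardened posture: JIT off for every site except the one exception.
Set-ChromeJitPolicy -Default 'Block' -AllowedSites @('[*.]example.com')
Get-ChromeJitPolicy | Format-List
```

Once the machine policy is in place the chrome://settings/content/v8 toggle is greyed out and reports that the setting is managed; verify the effective values on chrome://policy rather than trusting the registry alone, since a policy with a malformed value is silently ignored there.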