One Command – Download and Usage
From an Elevated (Run as Administrator) PowerShell prompt
iwr -useb https://christitus.com/win | iex
SOURCE: https://christitus.com/windows-tool/
Enable Windows Hello for Business FIDO2 Key sign-in without Microsoft Intune
HOWTO: Enable Windows Hello for Business FIDO2 Key sign-in without Microsoft Intune
Reading Time: 4 minutes maybe
The official Microsoft documentation teaches us that Microsoft Intune is an optional requirement to configure Windows Hello for Business to show the option to display the FIDO security key sign-in method as part of the Sign-in options on the Windows Logon Screen for Azure AD accounts.
However, a method to achieve the same goal without Microsoft Intune is not part of the documentation…
Getting ready
To make FIDO Key sign-in work with an Azure AD account, you’ll need to meet the following requirements:
- You need a compatible FIDO2 security key.
I choose the above eWBM GoldenGate FIDO2 security key of South Korean origin. - The device you’re configuring must run Windows 10 1809, or a newer version of Windows 10.
- The device you’re configuring needs to be Azure AD-joined.
This is an Azure AD Free feature. - You need local administrator or System privileges on the device.
This can be easily achieved by assigning the Device administrator role to a person, but requires Azure AD Premium licenses. This can also be achieved using Microsoft Intune, but the entire purpose is to make this work without Microsoft Intune… - You need Global administrator privileges in the Azure AD tenant that the device is joined to.
- The Azure AD tenant the device is joined to must be configured to use the combined security information registration.
How to do it
Enabling FIDO2 Security Keys as a sign-in method for Windows Hello for Business requires four steps:
- Enabling FIDO2 as an authentication method in Azure AD
- Configuring a security key for sign-in for the user account
- Configuring the Windows 10 device with the right policy setting (without Intune)
- Signing in in with the FIDO2 security key
Enabling FIDO2 as an authentication method in Azure AD
Perform these steps to enable FIDO2 security keys as a valid authentication method in Azure Active Directory:
- Sign in to the Microsoft Azure portal.
- Open the navigation menu, if it’s not open by default.
- In the navigation menu, click on Azure Active Directory.
- In the Azure Active Directory navigation menu, click on Security.
- In the Security navigation menu, click on Authentication methods.
- In the Authentication Methods navigation menu, click on Authentication method policy (Preview).
- In the main pane, click on the FIDO2 Security Key method.
- In the blade that emerges from the bottom of the Azure portal, enable the ability for people in the Azure AD tenant to use this authentication method by switching from No to Yes in the Enabled field.
- Make a decision between targeting All users or only selected users in the Target field.
- Save the configuration by clicking the Save button in the top bar of the blade.
Configuring a security key for sign-in for the user account
Perform these steps to configure an actual security key for sign-in for the user account that will use the key as the sign-in method. This can be the same account as used in the previous steps, but the best way to show off the feature is with an account that has no privileges in the Azure AD tenant:
- Browse to the Microsoft MyProfile portal.
- Sign in if not already.
- Click the UPDATE INFO link on the Security Info tile.
- Perform multi-factor authentication.
- Register a FIDO2 security key as an additional Azure Multi-Factor Authentication method by clicking Add method
- Choose Security key from the drop-down list.
- Choose USB device or NFC device.
- Click Next.
- Create or enter a PIN for the security key.
- Perform the required gesture for the key, either biometric or touch.
- Returning to the combined registration experience, provide a meaningful name for the security key to easily identify it.
- Click Next.
- Click Done.
- Close the browser.
Configuring the Windows 10 device with the right policy setting
Perform these steps to configure the Windows 10 device:
- Sign in to the device with an account that has local administrator privileges.
- Open the Registry Editor (regedit.exe)
- Navigate to the following registry location:HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey
Note:
If the PassportForWork and SecurityKey registry keys don’t exist, create them.
- Create a new DWORD (32-bit) value, named UseSecurityKeyForSignIn.
- Provide 1 as the data for the new value.
- Close the Registry Editor.
- Restart the device.
Signing in with the FIDO2 security key
- On the Windows login screen, click the Sign-in options text.
- Select the FIDO security key option.
- Insert the pre-configured security key.
- Enter the PIN and/or
perform the required gesture for the key, either biometric or touch.
Concluding
The above steps show how to configure Windows Hello for Business to show the option to display the FIDO security key sign-in method as part of the Sign-in options on the Windows Logon Screen for Azure AD accounts without using Microsoft Intune.
When to charge Apple devices
Appears that it may be best to charge your Apple device daily at a routine cadence using a charging mechanism detailed in the specifications of the device.
Reference:
When to charge your iPhone or iPad by Lawrence Finch.
Find Chrome profile path
Go to address “chrome://version/” in Chrome address bar. Profile Path will be displayed in addition to other Chrome details.
Security Now – uBlock Origin to the rescue
Everyone is annoyed by the pervasive cookie permission
banners which compliance with the European Union’s GDPR
has forced upon the world. I recently realized that I had
become similarly annoyed by another increasingly
pervasive website feature, which is the proactive offer to
sign into whatever website I may be briefly visiting…
Chrome 122 New V8 security setting
Chrome address bar: chrome://settings/content/v8
Default is to Sites can use the V8 optimizer
Set to Don’t allow sites to use the V8 optimizer
Can add Customized behaviors for specific sites if trouble occurs with a specific site
From Chrome Enterprise and Education release notes
Last updated on: February 16, 2024
New V8 security setting back to top
Chrome 122 adds a new setting on chrome://settings/security to disable the V8 JIT optimizers, to reduce the attack surface of Chrome browser. This behavior continues to be controlled by the DefaultJavaScriptJitSetting enterprise policy, and the associated JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies. The setting is integrated into Site Settings. The enterprise policies have been available since Chrome 93.
Chrome 122 on ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia
Nice cookie banner
Discovered nice cookie banner at the Security Now website.
Also, nice details on cookies at What are cookies?
Thanks Microsoft Teams, but it is October!?!?
Received this popup today on my Windows Desktop from the Teams malware:
Thanks, but it is October 13th. WTF?!?!
Azure Arc Setup – Thanks Microsoft
Azure Arc Setup is now on my servers and I don’t remember asking or installing it!!!
Good take here by C:Amie (not) Com!
Start menu item:
System tray/notification area item:
Hard reset of Chrome user settings
Chrome reset
Close all chrome.exe instnaces
Go to folder %USERPROFILE%\AppData\Local\Google\Chrome
Rename folder User Data to User Data.old
Launch Chrome
Chrome cache folder: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Cache
Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders