Reading Time: 4 minutes maybe eWBM's GoldenGate FIDO2 Key

The official Microsoft documentation teaches us that Microsoft Intune is an optional requirement to configure Windows Hello for Business to show the option to display the FIDO security key sign-in method as part of the Sign-in options on the Windows Logon Screen for Azure AD accounts.

However, a method to achieve the same goal without Microsoft Intune is not part of the documentation…

Getting ready

To make FIDO Key sign-in work with an Azure AD account, you’ll need to meet the following requirements:

You need a compatible FIDO2 security key.
I choose the above eWBM GoldenGate FIDO2 security key of South Korean origin.
The device you’re configuring must run Windows 10 1809, or a newer version of Windows 10.
The device you’re configuring needs to be Azure AD-joined.
This is an Azure AD Free feature.
You need local administrator or System privileges on the device.
This can be easily achieved by assigning the Device administrator role to a person, but requires Azure AD Premium licenses. This can also be achieved using Microsoft Intune, but the entire purpose is to make this work without Microsoft Intune…
You need Global administrator privileges in the Azure AD tenant that the device is joined to.
The Azure AD tenant the device is joined to must be configured to use the combined security information registration.

How to do it

Enabling FIDO2 Security Keys as a sign-in method for Windows Hello for Business requires four steps:

Enabling FIDO2 as an authentication method in Azure AD
Configuring a security key for sign-in for the user account
Configuring the Windows 10 device with the right policy setting (without Intune)
Signing in in with the FIDO2 security key

Enabling FIDO2 as an authentication method in Azure AD

Perform these steps to enable FIDO2 security keys as a valid authentication method in Azure Active Directory:

Sign in to the Microsoft Azure portal.
Open the navigation menu, if it’s not open by default.
In the navigation menu, click on Azure Active Directory.
In the Azure Active Directory navigation menu, click on Security.
In the Security navigation menu, click on Authentication methods.
In the Authentication Methods navigation menu, click on Authentication method policy (Preview).
In the main pane, click on the FIDO2 Security Key method.
In the blade that emerges from the bottom of the Azure portal, enable the ability for people in the Azure AD tenant to use this authentication method by switching from No to Yes in the Enabled field.
Make a decision between targeting All users or only selected users in the Target field.
Save the configuration by clicking the Save button in the top bar of the blade.

Configuring a security key for sign-in for the user account

Perform these steps to configure an actual security key for sign-in for the user account that will use the key as the sign-in method. This can be the same account as used in the previous steps, but the best way to show off the feature is with an account that has no privileges in the Azure AD tenant:

Browse to the Microsoft MyProfile portal.
Sign in if not already.
Click the UPDATE INFO link on the Security Info tile.
Perform multi-factor authentication.
Register a FIDO2 security key as an additional Azure Multi-Factor Authentication method by clicking Add method
Choose Security key from the drop-down list.
Choose USB device or NFC device.
Click Next.
Create or enter a PIN for the security key.
Perform the required gesture for the key, either biometric or touch.
Returning to the combined registration experience, provide a meaningful name for the security key to easily identify it.
Click Next.
Click Done.
Close the browser.

Configuring the Windows 10 device with the right policy setting

Perform these steps to configure the Windows 10 device:

Sign in to the device with an account that has local administrator privileges.
Open the Registry Editor (regedit.exe)
Navigate to the following registry location:HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey

Note:
If the PassportForWork and SecurityKey registry keys don’t exist, create them.

Create a new DWORD (32-bit) value, named UseSecurityKeyForSignIn.
Provide 1 as the data for the new value.

Close the Registry Editor.
Restart the device.

Signing in with the FIDO2 security key

On the Windows login screen, click the Sign-in options text.
Select the FIDO security key option.
Insert the pre-configured security key.
Enter the PIN and/or
perform the required gesture for the key, either biometric or touch.

Concluding

The above steps show how to configure Windows Hello for Business to show the option to display the FIDO security key sign-in method as part of the Sign-in options on the Windows Logon Screen for Azure AD accounts without using Microsoft Intune.

When to charge Apple devices

Appears that it may be best to charge your Apple device daily at a routine cadence using a charging mechanism detailed in the specifications of the device.

Reference:

When to charge your iPhone or iPad by Lawrence Finch.

Apple Watch battery

Find Chrome profile path

Go to address “chrome://version/” in Chrome address bar. Profile Path will be displayed in addition to other Chrome details.

Security Now – uBlock Origin to the rescue

Everyone is annoyed by the pervasive cookie permission
banners which compliance with the European Union’s GDPR
has forced upon the world. I recently realized that I had
become similarly annoyed by another increasingly
pervasive website feature, which is the proactive offer to
sign into whatever website I may be briefly visiting…

Security Now 996: BIMI (up Scotty)

Chrome 122 New V8 security setting

Chrome address bar: chrome://settings/content/v8

Default is to Sites can use the V8 optimizer

Set to Don’t allow sites to use the V8 optimizer

Can add Customized behaviors for specific sites if trouble occurs with a specific site

From Chrome Enterprise and Education release notes
Last updated on: February 16, 2024

New V8 security setting back to top
Chrome 122 adds a new setting on chrome://settings/security to disable the V8 JIT optimizers, to reduce the attack surface of Chrome browser. This behavior continues to be controlled by the DefaultJavaScriptJitSetting enterprise policy, and the associated JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies. The setting is integrated into Site Settings. The enterprise policies have been available since Chrome 93.

Chrome 122 on ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia

V8 JavaScript engine

Nice cookie banner

Discovered nice cookie banner at the Security Now website.

Also, nice details on cookies at What are cookies?

Thanks Microsoft Teams, but it is October!?!?

Received this popup today on my Windows Desktop from the Teams malware:

Thanks, but it is October 13th. WTF?!?!

Azure Arc Setup – Thanks Microsoft

Azure Arc Setup is now on my servers and I don’t remember asking or installing it!!!

Good take here by C:Amie (not) Com!

Start menu item:

System tray/notification area item:

Hard reset of Chrome user settings

Chrome reset
Close all chrome.exe instnaces
Go to folder %USERPROFILE%\AppData\Local\Google\Chrome
Rename folder User Data to User Data.old
Launch Chrome

Chrome cache folder: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Cache

Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Bring back old school context menu for Windows 11

command prompt or modern terminal

reg.exe add “HKCU\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32” /f /ve

Computer\HKEY_CURRENT_USER\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

cdbackslash.com

Enable Windows Hello for Business FIDO2 Key sign-in without Microsoft Intune

HOWTO: Enable Windows Hello for Business FIDO2 Key sign-in without Microsoft Intune