Skip to main content

Enabling FIDO2 Logon using Intune

Create a Device configuration profile

Option 1: Settings Catalog

  • Sign in to the Microsoft Intune admin center.
  • Browse to Devices > Windows > Configuration profiles > Create new policy.
  • Configure the New Policy with the following settings:
    • Platform: Windows 10 and later
    • Profile type: Setting catalog
    • Name: Security Keys for Windows Sign-In
    • Description: Enables FIDO Security Keys to be used during Windows Sign In
  • Under Configuration settings, click Add settings, select Windows Hello For Business, and add:
    • Use Security Key For Sign-in
  • Assign the policy to the groups that should support TruU login.
Once configured, deploy to test group and validate your FIDO2 setup before rolling out to users.

Option 2: OMA-URI method

  • To target specific device groups, use the following custom settings via Intune:
    • Platform: Windows 10 and later
    • Profile type: Template and select Custom
    • Name: Security Keys for Windows Sign-In
    • Description: Enables FIDO Security Keys to be used during Windows Sign In
  • In the Configuration Settings tab, click Add and enter the following:
    • Name: Turn on FIDO Security Keys for Windows Sign-In
    • Description: (Optional)
    • OMA-URI: ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
    • Data Type: Integer
    • Value: 1
  • Assign the policy to the groups that should support TruU login.
Once configured, deploy to test group and validate your FIDO2 setup before rolling out to users.

Enable FIDO2 Logon using Group Policy

  • Open the Group Policy Management Console.
  • Locate the policy you want to apply as a GPO to your Windows clients.
  • Edit the policy, navigate to the Computer Configuration tab, then go to Administrative Templates > System > Logon, and select Turn on Security Key Sign-in.
  • Setting this policy to Enabled allows users to sign in using security keys.
  • Setting this policy to Disabled or Not Configured disables security key sign-in for users.
Some older servers may not have the CredentialProviders.admx GPO template installed. This template is included with newer versions of Windows Server and Windows 10 (version 20H1 and later). If the template is missing, use the registry key method below.

Enable FIDO2 logon manually using a Registry Key

  • To enable security key sign-in using a registry key, deploy the following to all your Windows clients using your preferred deployment tool:
REG ADD "HKLM\SOFTWARE\policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 1 /f
Once configured, deploy to test group and validate your FIDO2 setup before rolling out to users.

Validate FIDO2 Enablement

After deploying the policy, verify that FIDO2 sign-in is available on the device. On the Windows sign-in screen, click the username and select Sign-in options. The FIDO2 security key option should appear as shown below.
Image
Registry Key validation: For Entra only joined device: Validate by checking the registry key below to ensure UseSecuirtyKeyforSigin is set to 1
Image
For Hybrid Joined device: Validate by checking the registry key below to ensure EnableFIDODeviceLogon is set to 1
Image