> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truu.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Enable FIDO2 security key sign-in for Windows

> Step-by-step guide to enabling FIDO2 security key sign-in for Windows using Intune or Group Policy.

## Enabling FIDO2 Logon using Intune

### Create a Device configuration profile

### Option 1: Settings Catalog

* Sign in to the Microsoft Intune admin center.
* Browse to **Devices > Windows > Configuration profiles > Create new policy**.

<img src="https://mintcdn.com/truu-2/rjjBxA7Z_Wk_-34G/images/docs/e6ba90e8a6f5ddbe0594eec6700c3032f7be84a792810f91c1600156931ee193-1.png?fit=max&auto=format&n=rjjBxA7Z_Wk_-34G&q=85&s=67fddaa80c5a9f43e497d348bb8e203e" alt="" width="1922" height="838" data-path="images/docs/e6ba90e8a6f5ddbe0594eec6700c3032f7be84a792810f91c1600156931ee193-1.png" />

* Configure the **New Policy** with the following settings:
  * Platform: **Windows 10 and later**
  * Profile type: **Setting catalog**
  * Name: **Security Keys for Windows Sign-In**
  * Description: **Enables FIDO Security Keys to be used during Windows Sign In**

<img src="https://mintcdn.com/truu-2/ehCBQgFdl_pQd0MN/images/docs/aa605957d4a587e3516af2886ff7026499ba2000b192a0c8c6962d75b80e5cbe-2.png?fit=max&auto=format&n=ehCBQgFdl_pQd0MN&q=85&s=c38e001901e5b1ec72cc09a0099811a3" alt="" width="1918" height="883" data-path="images/docs/aa605957d4a587e3516af2886ff7026499ba2000b192a0c8c6962d75b80e5cbe-2.png" />

<img src="https://mintcdn.com/truu-2/qCK1oWL4jNpZKJ8A/images/docs/8fd8e9086bf303a606c5ffa428123afb68987881a6b8f723695d0936318d420e-3.png?fit=max&auto=format&n=qCK1oWL4jNpZKJ8A&q=85&s=30d9587484a1e8b722aa5d350f97979f" alt="" width="1918" height="876" data-path="images/docs/8fd8e9086bf303a606c5ffa428123afb68987881a6b8f723695d0936318d420e-3.png" />

* Under **Configuration settings**, click **Add settings**, select **Windows Hello For Business**, and add:
  * Use Security Key For Sign-in
* Assign the policy to the groups that should support TruU login.

<Note>
  Once configured, deploy to test group and [validate your FIDO2 setup](#validate-fido2-enablement) before rolling out to users.
</Note>

### Option 2: OMA-URI method

* To target specific device groups, use the following custom settings via Intune:
  * Platform: **Windows 10 and later**
  * Profile type: **Template** and select **Custom**
  * Name: **Security Keys for Windows Sign-In**
  * Description: **Enables FIDO Security Keys to be used during Windows Sign In**

<img src="https://mintcdn.com/truu-2/m22YLP0oXSNG0U3O/images/docs/7aa26eb54d82b89e9ec6255c903d1c3684256abd33be16deec2573445a8a62cf-2.1.png?fit=max&auto=format&n=m22YLP0oXSNG0U3O&q=85&s=5259e71e73c9d7219d0b7b8e2a932bdf" alt="" width="1918" height="885" data-path="images/docs/7aa26eb54d82b89e9ec6255c903d1c3684256abd33be16deec2573445a8a62cf-2.1.png" />

* In the **Configuration Settings** tab, click **Add** and enter the following:
  * Name: **Turn on FIDO Security Keys for Windows Sign-In**
  * Description: (Optional)
  * OMA-URI: **./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin**
  * Data Type: **Integer**
  * Value: **1**

<img src="https://mintcdn.com/truu-2/rjjBxA7Z_Wk_-34G/images/docs/eab6c8a5109353aa9e24fccea6051a5b5894e685571498abb876dc71e8ad2134-5.png?fit=max&auto=format&n=rjjBxA7Z_Wk_-34G&q=85&s=bb649d830f19f2e0517b71217fbe7935" alt="" width="1918" height="874" data-path="images/docs/eab6c8a5109353aa9e24fccea6051a5b5894e685571498abb876dc71e8ad2134-5.png" />

* Assign the policy to the groups that should support TruU login.

<Note>
  Once configured, deploy to test group and [validate your FIDO2 setup](#validate-fido2-enablement) before rolling out to users.
</Note>

## Enable FIDO2 Logon using Group Policy

* Open the **Group Policy Management Console**.

<img src="https://mintcdn.com/truu-2/jMF4bYA9yOA_2TKv/images/docs/25679d42211e3e835c9775e1ab2649001360f5bac68159ef871fff0840bab45e-51.png?fit=max&auto=format&n=jMF4bYA9yOA_2TKv&q=85&s=07798ee904d9851168bf77bf71278ee9" alt="" width="1300" height="616" data-path="images/docs/25679d42211e3e835c9775e1ab2649001360f5bac68159ef871fff0840bab45e-51.png" />

* Locate the policy you want to apply as a GPO to your Windows clients.
* Edit the policy, navigate to the **Computer Configuration** tab, then go to **Administrative Templates > System > Logon**, and select **Turn on Security Key Sign-in**.

<img src="https://mintcdn.com/truu-2/E6hYbyLPrBHWbQ3m/images/docs/d1dc8e1b031dc58ff2adb4d4220a8ba6a6eaad15d31240f7879f079eae23cc25-61.png?fit=max&auto=format&n=E6hYbyLPrBHWbQ3m&q=85&s=acacb279584c3e2e3725f51eeb1e232d" alt="" width="1924" height="869" data-path="images/docs/d1dc8e1b031dc58ff2adb4d4220a8ba6a6eaad15d31240f7879f079eae23cc25-61.png" />

<img src="https://mintcdn.com/truu-2/E6hYbyLPrBHWbQ3m/images/docs/ce0641916ea11af43352213ce844bb8a48dcdd1de1c5b7a4a43f7f4d6c31e3dd-62.png?fit=max&auto=format&n=E6hYbyLPrBHWbQ3m&q=85&s=6afc8aaddbbc1197ef1fb62da1b98114" alt="" width="1918" height="892" data-path="images/docs/ce0641916ea11af43352213ce844bb8a48dcdd1de1c5b7a4a43f7f4d6c31e3dd-62.png" />

* Setting this policy to **Enabled** allows users to sign in using security keys.
* Setting this policy to **Disabled** or **Not Configured** disables security key sign-in for users.

<img src="https://mintcdn.com/truu-2/jMF4bYA9yOA_2TKv/images/docs/43c148c23397d4dd7ddc7400f34e184b47f1a6e2017a4e5527f2bb8cf7eac420-63.png?fit=max&auto=format&n=jMF4bYA9yOA_2TKv&q=85&s=4dabed500b4e9b4c009c770e9ff41071" alt="" width="1918" height="880" data-path="images/docs/43c148c23397d4dd7ddc7400f34e184b47f1a6e2017a4e5527f2bb8cf7eac420-63.png" />

<Warning>
  Some older servers may not have the **CredentialProviders.admx** GPO template installed. This template is included with newer versions of Windows Server and Windows 10 (version 20H1 and later). If the template is missing, use the registry key method below.
</Warning>

### Enable FIDO2 logon manually using a Registry Key

* To enable security key sign-in using a registry key, deploy the following to all your Windows clients using your preferred deployment tool:

```text theme={null}
REG ADD "HKLM\SOFTWARE\policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 1 /f
```

<Note>
  Once configured, deploy to test group and [validate your FIDO2 setup](#validate-fido2-enablement) before rolling out to users.
</Note>

### Validate FIDO2 Enablement

After deploying the policy, verify that FIDO2 sign-in is available on the device. On the Windows sign-in screen, click the username and select **Sign-in options**. The FIDO2 security key option should appear as shown below.

<Frame>
  <img src="https://mintcdn.com/truu-2/XwDlsudNyqMarZPS/images/image-141.png?fit=max&auto=format&n=XwDlsudNyqMarZPS&q=85&s=76d988e6f1ae0c2f05b0d7964adbc4c4" alt="Image" width="2666" height="634" data-path="images/image-141.png" />
</Frame>

Registry Key validation:

For Entra only joined device: Validate by checking the registry key below to ensure *UseSecuirtyKeyforSigin* is set to 1

<Frame>
  <img src="https://mintcdn.com/truu-2/XwDlsudNyqMarZPS/images/image-142.png?fit=max&auto=format&n=XwDlsudNyqMarZPS&q=85&s=1a32ecbac663e0f7dc7aaf932da4e85e" alt="Image" width="2666" height="634" data-path="images/image-142.png" />
</Frame>

For Hybrid Joined device: Validate by checking the registry key below to ensure *EnableFIDODeviceLogon* is set to 1

<Frame>
  <img src="https://mintcdn.com/truu-2/XwDlsudNyqMarZPS/images/image-143.png?fit=max&auto=format&n=XwDlsudNyqMarZPS&q=85&s=30c631356293971c837f2a335c92ec4a" alt="Image" width="2486" height="654" data-path="images/image-143.png" />
</Frame>
