
# Enable FIDO2 security key sign-in for Windows

> This guide explains, step by step, how to enable FIDO2 security key sign-in for Windows.


### Option One: Enable with Group Policy

* On the **domain controller**, open the **Group Policy Management Console**.

<img src="https://mintcdn.com/truu-2/jMF4bYA9yOA_2TKv/images/docs/25679d42211e3e835c9775e1ab2649001360f5bac68159ef871fff0840bab45e-51.png?fit=max&auto=format&n=jMF4bYA9yOA_2TKv&q=85&s=07798ee904d9851168bf77bf71278ee9" alt="" width="1300" height="616" data-path="images/docs/25679d42211e3e835c9775e1ab2649001360f5bac68159ef871fff0840bab45e-51.png" />

* Locate the policy you want to apply as a GPO to your Windows clients.
* Edit the policy, navigate to the **Computer Configuration** tab, then go to **Administrative Templates > System > Logon**, and select **Turn on Security Key Sign-in**.

<img src="https://mintcdn.com/truu-2/E6hYbyLPrBHWbQ3m/images/docs/d1dc8e1b031dc58ff2adb4d4220a8ba6a6eaad15d31240f7879f079eae23cc25-61.png?fit=max&auto=format&n=E6hYbyLPrBHWbQ3m&q=85&s=acacb279584c3e2e3725f51eeb1e232d" alt="" width="1924" height="869" data-path="images/docs/d1dc8e1b031dc58ff2adb4d4220a8ba6a6eaad15d31240f7879f079eae23cc25-61.png" />

<img src="https://mintcdn.com/truu-2/E6hYbyLPrBHWbQ3m/images/docs/ce0641916ea11af43352213ce844bb8a48dcdd1de1c5b7a4a43f7f4d6c31e3dd-62.png?fit=max&auto=format&n=E6hYbyLPrBHWbQ3m&q=85&s=6afc8aaddbbc1197ef1fb62da1b98114" alt="" width="1918" height="892" data-path="images/docs/ce0641916ea11af43352213ce844bb8a48dcdd1de1c5b7a4a43f7f4d6c31e3dd-62.png" />

* Setting this policy to **Enabled** allows users to sign in using security keys.
* Setting this policy to **Disabled** or **Not Configured** disables security key sign-in for users.

<img src="https://mintcdn.com/truu-2/jMF4bYA9yOA_2TKv/images/docs/43c148c23397d4dd7ddc7400f34e184b47f1a6e2017a4e5527f2bb8cf7eac420-63.png?fit=max&auto=format&n=jMF4bYA9yOA_2TKv&q=85&s=4dabed500b4e9b4c009c770e9ff41071" alt="" width="1918" height="880" data-path="images/docs/43c148c23397d4dd7ddc7400f34e184b47f1a6e2017a4e5527f2bb8cf7eac420-63.png" />

**NOTE**: Some older servers may not have the **CredentialProviders.admx** GPO template installed. This template is included with newer versions of Windows Server and Windows 10 (version 20H1 and later). If the GPO is missing from your server, follow **Option Two** below.

### Option Two: Add a Registry Key

* To enable security key sign-in using a registry key, deploy the following registry key to all your Windows clients using your preferred deployment tool.

```
REG ADD "HKLM\SOFTWARE\policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 1 /f
```
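
To confirm that the value actually landed on a client, or to deploy it idempotently from a script, the following PowerShell reads and sets the same value as the `REG ADD` command above. It is an added example, not part of the TruU documentation; the function names are hypothetical, and the registry path and value name are taken from the command above.

```powershell
# Added example. Path and value name come from the REG ADD command in Option Two.
# Get-FidoLogonPolicy / Set-FidoLogonPolicy are hypothetical helper names.
$FidoKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FIDO'
$FidoValue = 'EnableFIDODeviceLogon'

function Get-FidoLogonPolicy {
    # Read-only check: reports whether the value exists and whether it equals 1.
    $item = Get-ItemProperty -Path $FidoKey -Name $FidoValue -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { $item.$FidoValue } else { $null }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Present      = ($null -ne $raw)
        Value        = $raw
        Enabled      = ($raw -eq 1)
    }
}

function Set-FidoLogonPolicy {
    # Writes the value only when it is missing or not 1. Requires an elevated session.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $current = Get-FidoLogonPolicy
    if ($current.Enabled) { return $current }   # already compliant, nothing to write

    if ($PSCmdlet.ShouldProcess("$FidoKey\$FidoValue", 'Set REG_DWORD to 1')) {
        if (-not (Test-Path -Path $FidoKey)) {
            New-Item -Path $FidoKey -Force | Out-Null
        }
        New-ItemProperty -Path $FidoKey -Name $FidoValue `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-FidoLogonPolicy   # return the state after the (attempted) change
}

# Audit only:
#   Get-FidoLogonPolicy
# Preview, then apply:
#   Set-FidoLogonPolicy -WhatIf
#   Set-FidoLogonPolicy
```

If a domain GPO also manages this setting, the value written here is reapplied from the GPO at the next policy refresh, so run the audit function again after `gpupdate` to see the effective state.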

### Create a Device configuration profile

### Option 1: Settings Catalog

* Sign in to the Microsoft Intune admin center.
* Browse to **Devices > Windows > Configuration profiles > Create new policy**.

<img src="https://mintcdn.com/truu-2/rjjBxA7Z_Wk_-34G/images/docs/e6ba90e8a6f5ddbe0594eec6700c3032f7be84a792810f91c1600156931ee193-1.png?fit=max&auto=format&n=rjjBxA7Z_Wk_-34G&q=85&s=67fddaa80c5a9f43e497d348bb8e203e" alt="" width="1922" height="838" data-path="images/docs/e6ba90e8a6f5ddbe0594eec6700c3032f7be84a792810f91c1600156931ee193-1.png" />

* Configure the **New Policy** with the following settings:

  * Platform: **Windows 10 and later**
  * Profile type: **Settings catalog**
  * Name: **Security Keys for Windows Sign-In**
  * Description: **Enables FIDO Security Keys to be used during Windows Sign In**

<img src="https://mintcdn.com/truu-2/ehCBQgFdl_pQd0MN/images/docs/aa605957d4a587e3516af2886ff7026499ba2000b192a0c8c6962d75b80e5cbe-2.png?fit=max&auto=format&n=ehCBQgFdl_pQd0MN&q=85&s=c38e001901e5b1ec72cc09a0099811a3" alt="" width="1918" height="883" data-path="images/docs/aa605957d4a587e3516af2886ff7026499ba2000b192a0c8c6962d75b80e5cbe-2.png" />

<img src="https://mintcdn.com/truu-2/qCK1oWL4jNpZKJ8A/images/docs/8fd8e9086bf303a606c5ffa428123afb68987881a6b8f723695d0936318d420e-3.png?fit=max&auto=format&n=qCK1oWL4jNpZKJ8A&q=85&s=30d9587484a1e8b722aa5d350f97979f" alt="" width="1918" height="876" data-path="images/docs/8fd8e9086bf303a606c5ffa428123afb68987881a6b8f723695d0936318d420e-3.png" />

* Under **Configuration settings**, click **Add settings**, select **Windows Hello For Business**, and add the following:

  * Use Security Key For Sign-in
  * Allow Use of Biometrics
  * Use Cloud Trust For On-Prem Auth
  * Use Remote Passport
  * Require Security Device

<img src="https://mintcdn.com/truu-2/YlfY4z_3_-uDkBaP/images/docs/5e4a084f889b36adfb7fcb42b95422936c81135c66b13371590b4206316e3709-4.1.png?fit=max&auto=format&n=YlfY4z_3_-uDkBaP&q=85&s=00ff3d585178598349c34b522530961b" alt="" width="1584" height="826" data-path="images/docs/5e4a084f889b36adfb7fcb42b95422936c81135c66b13371590b4206316e3709-4.1.png" />

* Assign the policy to the groups that should support TruU login.

### Option 2: OMA-URI method

* To target specific device groups to enable the credential provider, use the following custom settings via Intune:

  * Platform: **Windows 10 and later**
  * Profile type: **Template** and select **Custom**
  * Name: **Security Keys for Windows Sign-In**
  * Description: **Enables FIDO Security Keys to be used during Windows Sign In**

<img src="https://mintcdn.com/truu-2/m22YLP0oXSNG0U3O/images/docs/7aa26eb54d82b89e9ec6255c903d1c3684256abd33be16deec2573445a8a62cf-2.1.png?fit=max&auto=format&n=m22YLP0oXSNG0U3O&q=85&s=5259e71e73c9d7219d0b7b8e2a932bdf" alt="" width="1918" height="885" data-path="images/docs/7aa26eb54d82b89e9ec6255c903d1c3684256abd33be16deec2573445a8a62cf-2.1.png" />

* In the **Configuration settings** tab, click **Add** and enter the following:

  * Name: **Turn on FIDO Security Keys for Windows Sign-In**
  * Description: (Optional)
  * OMA-URI: **./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin**
  * Data Type: **Integer**
  * Value: **1**

<img src="https://mintcdn.com/truu-2/rjjBxA7Z_Wk_-34G/images/docs/eab6c8a5109353aa9e24fccea6051a5b5894e685571498abb876dc71e8ad2134-5.png?fit=max&auto=format&n=rjjBxA7Z_Wk_-34G&q=85&s=bb649d830f19f2e0517b71217fbe7935" alt="" width="1918" height="874" data-path="images/docs/eab6c8a5109353aa9e24fccea6051a5b5894e685571498abb876dc71e8ad2134-5.png" />

* Assign the policy to the groups that should support TruU login.

