> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truu.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Hybird Joined / Entra Joined - FIDO2

<Info>
  For prerequisites, config file requirements, and firewall rules, see [TruU Authentication Modalities](/docs/truu-authentication-modalities).
</Info>

**System Requirements**

* Windows 11 version 24H1 or later

<Note>
  If you are using a directory other than Entra ID, you need the **Entra ID FIDO2 Enrollment Adapter**. This adapter lets TruU verify that a FIDO2 security key has been registered with Entra ID using an OAuth client and mapping attributes. It is required for Windows Authenticator version 24.2 or later in FIDO2 mode. If you are using Entra ID as your directory, this is not needed.

  [Entra ID FIDO2 Enrollment Adapter Guide](https://docs.truu.ai/docs/entra-id-fido2-enrollment-adapter)
</Note>

## Enable FIDO2 Security Keys in Entra ID

1. Sign in to Microsoft Entra ID (Azure AD)
2. Go to **Security** > **Authentication Methods**

<img src="https://mintcdn.com/truu-2/YlfY4z_3_-uDkBaP/images/docs/6769cb7-image.png?fit=max&auto=format&n=YlfY4z_3_-uDkBaP&q=85&s=6b3c6b464d3f6c740abae07177440915" alt="" width="1330" height="970" data-path="images/docs/6769cb7-image.png" />

<img src="https://mintcdn.com/truu-2/m22YLP0oXSNG0U3O/images/docs/7db6d25-image.png?fit=max&auto=format&n=m22YLP0oXSNG0U3O&q=85&s=9d2c2e09c55dd5556b3a55412e24153b" alt="" width="1330" height="970" data-path="images/docs/7db6d25-image.png" />

3. Click **FIDO2 Security Keys**, enable it for all users or a selected group, then click **Save**

<Info>
  If FIDO2 Security Keys are already enabled, proceed to **Configure FIDO2 security key settings** below.
</Info>

<img src="https://mintcdn.com/truu-2/qCK1oWL4jNpZKJ8A/images/docs/9dbe510-image.png?fit=max&auto=format&n=qCK1oWL4jNpZKJ8A&q=85&s=48cb765929ec8c47203ceda44ce2987b" alt="" width="1330" height="970" data-path="images/docs/9dbe510-image.png" />

<img src="https://mintcdn.com/truu-2/qCK1oWL4jNpZKJ8A/images/docs/9b82e38-image.png?fit=max&auto=format&n=qCK1oWL4jNpZKJ8A&q=85&s=a1c906f6ff8106160506afc37a469ecc" alt="" width="1315" height="459" data-path="images/docs/9b82e38-image.png" />

## Configure FIDO2 Security Key Settings

1. Go to the **Configure** tab and set the following:
   * **Allow self-service set up:** Yes
     * **Enforce attestation:** No
     <Info>
       Attestation verifies hardware manufacturing processes to prevent rogue hardware. TruU is a software-based (virtualized) solution that runs on Microsoft-verified hardware and does not require hardware attestation.
     </Info>
     * **Enforce key restrictions:** No
       <img src="https://mintcdn.com/truu-2/E6hYbyLPrBHWbQ3m/images/docs/cd9db40-image.png?fit=max&auto=format&n=E6hYbyLPrBHWbQ3m&q=85&s=7f06f65b6ea4f6e06b95f552cbefe371" alt="" width="1063" height="494" data-path="images/docs/cd9db40-image.png" />
     2. Click **Save**
     ## Enable FIDO2 Login via Group Policy
     Follow the steps in [Enable TruU FIDO2 Login using Windows](https://docs.truu.ai/docs/enable-truu-fido2-login-using-windows).
