Three ways of enabling security key sign-in on Windows 10 & Windows 11

Jonas Markström
5 min read · Sep 14, 2022

Many times there are several viable approaches to achieving the same goal. Without further ado then, here are three ways of enabling security key sign-in in Windows 10 & 11!

Background and Scope

Over the course of the last year or so I have had to configure FIDO2 security key sign-in support on a number of occasions. Differing circumstances have had me try a few variations of achieving this task (the client-side task), and for the greater good of all they are listed here in an easy-to-follow fashion, complete with screenshots.

Note that all of these approaches do the same thing: they turn on the EnableFIDODeviceLogon policy value (written directly under HKLM\SOFTWARE\Policies\Microsoft\FIDO by the Group Policy and registry approaches, and through the device's management channel by Intune and provisioning packages). Which approach you use is really up to the circumstances (you configure one or multiple machines) as well as preference 🤓

Also, “server-side” configuration (Azure) is out of scope for the time being.

Prerequisites

The following prerequisites must be met to successfully follow these instructions:

  • Computer is Azure AD joined (verify with the command dsregcmd /status; the output should show AzureAdJoined : YES. Hybrid-joined devices additionally need server-side configuration, which is out of scope here)
  • You have local administrator privilege on the machine

Enable security key sign-in with Group Policy

  1. Press the Windows key and type gpedit
  2. Select Run as administrator
  3. Select Yes when prompted to run the app in elevated mode
  4. Navigate to Computer Configuration > Administrative Templates > System > Logon
  5. Double-click on Turn on security key sign-in and select Enabled followed by OK
  6. Close the Group Policy Editor and reboot to apply changes.
Navigate to Computer Configuration > Administrative Templates > System > Logon.
Enable the setting and click (Apply) OK.

⚠️ If the Turn on security key sign-in setting is missing from the Group Policy Editor, the machine (or your domain's central store) is using an older CredentialProviders.admx that predates the setting. Not to worry, I’m here to help! I have created an auxiliary ADMX that you can add to your domain controller's central store to get this control even on older Windows Server. You will find it here.
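As an added example (not from the original post), here is the same policy applied domain-wide from PowerShell with the RSAT GroupPolicy module. Set-GPRegistryValue writes the registry-based policy straight into the GPO, so it does not depend on the central store having the newer CredentialProviders.admx. The GPO name and OU distinguished name below are hypothetical; replace them with your own.

```powershell
# Added example (not part of the original post): create or update a domain GPO
# that sets EnableFIDODeviceLogon=1, the same value the "Turn on security key
# sign-in" template writes. Requires the RSAT GroupPolicy module and GPO edit rights.
Import-Module GroupPolicy

$GpoName   = 'Enable FIDO2 security key sign-in'     # hypothetical GPO name
$TargetOu  = 'OU=Workstations,DC=corp,DC=example'    # hypothetical OU DN
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\FIDO'
$ValueName = 'EnableFIDODeviceLogon'

# Create the GPO only if it does not already exist.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Turn on security key sign-in (Computer Configuration > System > Logon)'
}

# Write the registry-based policy into the Computer Configuration side of the GPO.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $ValueName `
    -Type DWord -Value 1 | Out-Null

# Read it back from the GPO rather than trusting that the call succeeded.
$entry = Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $ValueName
if ($entry.Value -ne 1) { throw "GPO '$GpoName' does not contain $ValueName=1" }

# Link it once; New-GPLink fails if a link to this OU already exists, so check first.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

"GPO '$GpoName' sets $PolicyKey\$ValueName = 1 and is linked to $TargetOu"

# On a client, after 'gpupdate /target:computer /force' and a reboot:
#   Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FIDO' -Name EnableFIDODeviceLogon
# should return 1. If the ADMX is missing from the central store, GPMC and
# gpresult show the value under "Extra Registry Settings" instead of the named policy.
```

Because the value is written as a policy (under HKLM\SOFTWARE\Policies), the client's local registry setting is overwritten at each policy refresh, which is what you want for fleet-wide enforcement.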

Enable security key sign-in by editing registry

Below are a few alternative approaches to editing the registry (the GPO approach also edits the registry by the way). Pick one!

Using Command Prompt

  1. Press the Windows key and type cmd
  2. Select Run as administrator
  3. Select Yes when prompted to run the app in elevated mode
  4. Provide the following input and press Enter:
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 1 /f
  5. Type exit to close the Command Prompt
  6. Reboot to apply changes.

Make sure you run the Command Prompt as administrator.
Security key login is now enabled.

Using Registry Editor

  1. Press the Windows key and type regedit
  2. Again, select Run as administrator
  3. Select Yes when prompted to run the app in elevated mode
  4. In Registry Editor, navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > FIDO (create the FIDO key if it does not exist yet)
  5. Create (or edit) a DWORD (32-bit) value named EnableFIDODeviceLogon and set it to 1 (see image)
  6. Close the Registry Editor and reboot to apply changes.
Make sure you run the Registry Editor as administrator.
Create or Edit registry key directly.

Using a ready-made registry key

Finally, here is a lazy (and trusting) way of applying the required setting: double-click a ready-made .reg file. A .reg file can write any key or value it likes, so open it in a text editor first and confirm that it only sets EnableFIDODeviceLogon under HKLM\SOFTWARE\Policies\Microsoft\FIDO. Use at your own peril ⚠️️

  1. Download this file
  2. Double-click on the file
  3. Select Yes and then Yes followed by OK to apply the settings
  4. Reboot to apply changes.
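The three registry approaches above all write the same value. As an added example (not from the original post), here is the equivalent done from an elevated PowerShell session, with the prerequisite checks from the top of the post built in. The .reg contents quoted in the comment are what a trustworthy ready-made file for this setting should contain, so you can compare them against one you downloaded before importing it.

```powershell
# Added example (not part of the original post): set and verify the
# security key sign-in policy value from PowerShell. Run elevated.
#
# A .reg file that does the same thing (and nothing else) looks like this:
#   Windows Registry Editor Version 5.00
#
#   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FIDO]
#   "EnableFIDODeviceLogon"=dword:00000001
# Open any downloaded .reg file in a text editor and check it contains only that.

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\FIDO'
$ValueName = 'EnableFIDODeviceLogon'

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-AzureAdJoined {
    # Prerequisite from the post: dsregcmd /status reports "AzureAdJoined : YES".
    $status = & dsregcmd.exe /status
    [bool]($status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
}

function Set-SecurityKeySignIn {
    param([bool]$Enabled = $true)
    # The FIDO key is not present by default; create it on first use.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # -Force overwrites an existing value of any type with the DWORD we want.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $(if ($Enabled) { 1 } else { 0 }) -Force | Out-Null
}

function Get-SecurityKeySignIn {
    # Returns 1 (enabled), 0 (explicitly disabled) or $null (not configured).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }
if (-not (Test-AzureAdJoined)) {
    Write-Warning 'dsregcmd does not report AzureAdJoined : YES; security key sign-in requires an Azure AD joined device (see Prerequisites).'
}

Set-SecurityKeySignIn -Enabled $true
$state = Get-SecurityKeySignIn
if ($state -ne 1) { throw "Verification failed: $ValueName is '$state', expected 1" }
"$KeyPath\$ValueName = 1. Reboot to apply."
```

Set-SecurityKeySignIn -Enabled $false writes 0, which corresponds to the policy's Disabled state; deleting the value with Remove-ItemProperty returns it to Not Configured.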

Enable security key sign-in with Endpoint Manager

Microsoft Endpoint Manager, AKA Intune, can be used to easily enable security key sign-in for managed devices.

  1. Open a browser and navigate to Microsoft Intune
  2. Sign in as an administrator
  3. Click on Devices in the panel left hand side
  4. Next, navigate to Windows and Windows Enrollment
  5. Click on Windows Hello for Business
  6. Scroll down and set ‘Use security keys for sign-in’ to Enabled
  7. Click Save and then close the panel.
Navigate to Windows Hello for Business and enable security key support.

Enable security key sign-in with a provisioning package

A provisioning package can apply various client-side settings without the use of MDM. One such setting is security key sign-in.

For your benefit a ready-made package can be found here. You can also merge this package into a new project. As with the .reg file, a provisioning package can apply far more than this one setting, so import it into Windows Configuration Designer and review what it contains before applying it. Use at your own peril ⚠️

Note: To create or edit a package you will need the Windows Configuration Designer app found here.

With the Windows Configuration Designer installed:

  1. Press the Windows key and type Windows Configuration...
  2. Again, select Run as administrator
  3. Select Yes when prompted to run the app in elevated mode
  4. Select File > New project from the top menu
  5. Provide a project name, set a path and select Next
  6. Click Next again and then select All Windows desktop editions (note!) followed by Next
  7. Select Finish (or import my package here and then click Finish)
  8. Now, expand Runtime settings > WindowsHelloForBusiness > SecurityKeys > UseSecurityKeyForSignIn
  9. Set UseSecurityKeyForSignIn to Enabled
  10. Next, select Export > Provisioning package from the top menu
  11. Verify attributes (increment version if you are making changes) and select Next
  12. If you have signing certificate add it and then click Next
  13. Change or confirm the output directory and click Next
  14. Select Build
  15. To apply the package on a machine double-click on it and select Yes, add it.

Note: for instructions on adding packages during machine build, see this document.

Make sure you run the Configuration Designer as administrator.
Click File (top) to start a new project.
Provide basic project details.
Click Next.
Make sure you select the second option here or you will not be able to toggle security key support!
Click Finish to proceed.
Enable security key sign-in. If option is not visible then you selected incorrect project scope (step 6).
Verify versioning and click Next.
If you have a signing certificate in HSM, use it. If not click Next.
Confirm (or change) output directory.
If everything still looks good, click Build.
All done!
Applying the package.
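Double-clicking the package (step 15) is fine for one machine; for a scripted build you want it applied silently and confirmed. As an added example (not from the original post), here is that done with the built-in Provisioning PowerShell module. The package path, log directory and certificate path are hypothetical.

```powershell
# Added example (not part of the original post): install the provisioning package
# built above silently, e.g. from a task sequence, and confirm it was applied.
# Requires an elevated session on Windows 10 1709 or later.
Import-Module Provisioning

$PackagePath = 'C:\Provisioning\EnableSecurityKeySignIn.ppkg'   # hypothetical path
$LogDir      = 'C:\Provisioning\Logs'                           # hypothetical path

if (-not (Test-Path $PackagePath)) { throw "Package not found: $PackagePath" }
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# If the package was signed (step 12) with a certificate the device does not
# already trust, import that certificate first so the install is not refused:
#   Install-TrustedProvisioningCertificate -CertificatePath 'C:\Provisioning\signing.cer'

# -QuietInstall suppresses the "Yes, add it" consent prompt seen when double-clicking.
Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -LogsDirectoryPath $LogDir

# Confirm the package now appears among the installed packages; keep the
# PackageId from this listing if you ever need Uninstall-ProvisioningPackage.
$installed = Get-ProvisioningPackage -AllInstalledPackages
if (-not $installed) { throw 'No provisioning packages are installed; check the logs in $LogDir' }
$installed | Format-List

"Package applied. Reboot to apply changes."
```

Re-running the same package is harmless, but remember from step 11 that an edited package must carry a higher version number or the device will treat it as already installed.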


I am a certified security professional with expertise in authentication, encryption and fine-grained access control. All opinions expressed here are my own.