Recently I’ve been testing out FIDO2-based passwordless sign-in for Azure AD. The process of enabling combined registration alongside the FIDO2 authentication mehtod didn’t cause any problems. In a matter of minutes I could sign in to Azure AD using my Yubikey and Microsoft Edge.
The goal of the deployment however was to be able to sign in to my Windows 10 machine. According to Micosoft the following steps needed to be performed. And from what I could tell the pre-requisites were met:
- Windows 10 1903
- Computer joined to Azure AD
- Account with managed authentication (no ADFS).
I followed the instructions under “Enable security keys for Windows sign in” -> “Enable credential provider via Intune” and allowed some time for the changes to replicate. The next day the option to sign in using a FIDO2 key was nowhere to be found.
When following the Microsoft documentation I assumed the section “Enable targeted Intune deployment” was an alternative to “Enable credential provider via Intune”. This doesn’t appear to be the case, in my experience both are required.
Preventing the Yubikey from appearing as a smart card
With the default configuration a YubiKey will show up as both a security key and smart card on the Windows 10 sign in screen. This doensn’t cause any issues but it may be a bit confusing to some users. The solution is to download the YubiKey Manager and disabling the PIV interface in the settings.