Using Token2 FIDO2 security keys as the default sign-in option for Windows (Registry modification method)

FIDO2 based Passwordless technology allows users to use a USB key to sign in to Azure AD (Microsoft Entra ID) without using passwords.
Once enabled, the users will be able to sign in to their accounts and log onto their Azure-joined machines using FIDO2 Security keys.
The access is still protected by two factors in this case:
1) having physical access to the security key and
2) PIN or Fingerprint (on devices with biometrics support) configured on the FIDO2 Security keys


The guide below will walk you through the steps required to enable Token2 FIDO2 Security keys as the default sign-in option for Windows. Please note that this guide uses local registry modifications method and does not require Intune. Intune-based method is described here.

Requirements:

• An Azure-joined Computer with Windows 10 - 1903 or higher.
• A Token2 FIDO2 key, and a user with FIDO2 key associated (check this article for instructions on enrolling FIDO2 security keys)
• A local administrator privilege on the machine


Check Azure AD (Microsoft Entra ID) joining status

To check if the devices are Azure AD (Microsoft Entra ID) joined or not, you can open cmd and run dsregcmd /status
If the device is Azure AD (Microsoft Entra ID) joined, the status for AzureAdJoined=Yes



To enable security key sign-in using Group Policy, you can follow these steps:

  • Press the Windows key and type gpedit.
  • Right-click on the result and choose "Run as administrator."
  • When prompted to run the app in elevated mode, select "Yes."
  • Go to Computer Configuration > Administrative Templates > System > Logon.
    Using Token2 FIDO2 security keys as the default sign-in option for Windows (Registry modification method)
  • Double-click on "Turn on security key sign-in" and choose "Enabled." Then click "OK."
    Using Token2 FIDO2 security keys as the default sign-in option for Windows (Registry modification method)
  • Close the Group Policy Editor and restart your computer to apply the changes


The same operation can be achieved using the command below:

REG ADD "HKLM\SOFTWARE\policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 1 /f