This can be done via GPO if you know the GUID for each provider. All providers have the option to enable or disable. This can be done by blocking credential providers. The next stage is to lock down the Windows clients so they can only login with a FIDO key and nothing else. You will be prompt to enter the FIDO security key pin and touch the key. To use the key, insert it into the USB port and click on the USB icon on the login screen. Now once the configuration has been pushed out by Intune, the devices will have a new login option. Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSigninĪssignment: Assign to All Users and All Devices Name: Turn on FIDO Security Key for Windows Sign-Inĭescription: Turn on FIDO Security Key for Windows Sign-In
This will allow Windows Hello to perform logins via the phone or security key. Enable both Allow phone sign-in and Use security key for sign-in.Select Windows enrollment, then Windows Hello for Business.Select Microsoft Intune, then Device enrollment.To enabling security keys for sign-in in Intune I assume that AzureAD and users are all set up.
In this post, I will give over how to enable secure login to Windows 10 using Intune. I have already gone over the process to enable AzureAD in part 1 and 2. In this section I will go over the configuration for locking down a Windows 10 device. I use the keys to protect my AzureAD login, GitHub and a few other places as well. The keys can be used on a number of different sites as well. FIDO keys provide you with a hardware-based authentication device.
0 kommentar(er)
