Following on from my previous tutorial (FIDO2 passwordless authentication in Azure AD), I will explain how to enable FIDO2 passwordless sign-in on Windows 10 version 1903 as well.

What you’ll need:

  • FIDO2 authentication enabled in your Azure AD tenant, preferably by following my previous tutorial.
  • A valid Intune license.
  • A valid Azure AD user account which is FIDO2-enabled (with a registered security key) and licensed for Intune.
  • A valid Azure AD user account with Global Administrator privileges (a least-privileged alternative is the Intune Administrator role, which is enough to create and assign device configuration profiles).
  • Windows 10 version 1903 or higher, Azure AD joined and enrolled in Intune. Note that on version 1903 security key sign-in is supported on Azure AD joined devices only; hybrid Azure AD joined devices are not supported by this release.
Note! If you don’t use Intune, you can also use a provisioning package to enable FIDO2-based passwordless sign-in in Windows 10 version 1903. Check the official documentation.

Steps

  1. Sign in to the Azure Portal (portal.azure.com) and go to the Intune blade.

  2. Navigate to Manage > All devices and make sure your Windows 10 device is enrolled in Intune and compliant, as shown below. If it’s not, you’ll need to enroll your device in Intune first.

    Intune added device

  3. From the Intune blade, navigate to Device configuration. Then click Profiles.
    Create a new profile by clicking + Create profile.

    Create Intune device profile

  4. Give it a name and a clear description. Make sure to configure the following settings:

    Platform: Windows 10 and later
    Profile type: Custom

    Then, click Settings and Add.

    Create profile


  5. Make sure to complete the form with the following settings:

    FIDO2 profile settings

    Name and description: FIDO2 for Windows Sign-In (or comparable description)
    OMA-URI: ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
    Data type: Integer
    Value: 1

  6. Save the properties and go to Assignments. Set the assignment scope to the desired group of people or devices on which you would like to enable this feature.

    In my case, I’ve assigned the profile to all users & all devices since I’m using a demo tenant.
    Don’t forget to click Save.

    Select assignment scope

  7. Make sure your Windows 10 device is powered on and connected. You can monitor the assignment progress by switching to the Device status panel. Take a look at the Deployment status column.

    At first, you will find the status is Pending. After a few minutes it should switch to Succeeded automatically. If you don’t want to wait for the next MDM check-in, force a sync on the device via Settings > Accounts > Access work or school > (your account) > Info > Sync.

    Deployment pending

  8. You’re now ready to test the sign-in process. A new sign-in option (a USB key icon, as shown below) should appear under Sign-in options on the lock screen. Select it and insert the FIDO2 security key you registered for the user in the previous tutorial; the key will ask for its PIN and a touch instead of a password.

    Windows 10 FIDO2 sign-in
  9. That’s it, you’re done 🙂 .
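
If you would rather script steps 3 to 7 than click through the portal, the following PowerShell is an added example of my own for this post, not code from Microsoft or from the original tutorial. It creates the same custom profile (identical OMA-URI, Integer data type, value 1) through the Microsoft Graph API using the Microsoft.Graph PowerShell SDK, assigns it to a pilot group instead of all users and devices, and includes a small check to run on the client afterwards. Assumptions: the Microsoft.Graph.Authentication module is installed, the pilot group’s object ID is a placeholder you must replace, and the registry location read by `Test-SecurityKeySignInPolicy` is assumed from the equivalent Group Policy setting rather than taken from this page.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example (not part of the original tutorial): create and assign the
# Intune custom profile from step 5 via Microsoft Graph, then verify a client.

function New-Fido2SignInProfile {
    param(
        [string]$DisplayName = 'FIDO2 for Windows Sign-In',
        [string]$Description = 'Turns on security key sign-in (PassportForWork CSP)'
    )
    # Same OMA-URI, data type and value as the profile created in the portal.
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = $Description
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'UseSecurityKeyForSignin'
                description   = 'Turn on security key sign-in'
                omaUri        = './Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin'
                value         = 1
            }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
}

function Set-Fido2SignInProfileAssignment {
    param(
        [Parameter(Mandatory)][string]$ProfileId,
        [Parameter(Mandatory)][string]$GroupId   # scope to a pilot group, not "All users & All devices"
    )
    $body = @{
        assignments = @(
            @{
                target = @{
                    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                    groupId       = $GroupId
                }
            }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$ProfileId/assign" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
}

function Test-SecurityKeySignInPolicy {
    # Run this on the Windows 10 client after the deployment status shows Succeeded.
    # Assumption: the CSP setting lands where the equivalent Group Policy
    # "Turn on security key sign-in" stores it; adjust if your build differs.
    $path  = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'
    $value = (Get-ItemProperty -Path $path -Name UseSecurityKeyForSignin -ErrorAction SilentlyContinue).UseSecurityKeyForSignin

    # dsregcmd /status reports the join state; 1903 needs AzureAdJoined : YES.
    $joined = $null -ne (dsregcmd /status | Select-String 'AzureAdJoined\s*:\s*YES')

    [pscustomobject]@{
        PolicyApplied = ($value -eq 1)
        AzureAdJoined = $joined
    }
}

# Admin side: needs the Intune Administrator (or Global Administrator) role.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$fidoProfile = New-Fido2SignInProfile
Set-Fido2SignInProfileAssignment -ProfileId $fidoProfile.id -GroupId '<pilot-group-object-id>'

# Client side (run locally on the enrolled device):
# Test-SecurityKeySignInPolicy
```

Assigning to a dedicated pilot group keeps the blast radius small while you confirm that every targeted user actually has a registered security key; a device that receives the policy but whose user has no key just keeps the password option, so there is no lockout risk, but rolling out tenant-wide before testing makes troubleshooting harder.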

I hope you’ve enjoyed my tutorial and I would like to know if it was helpful for you.
Feedback and suggestions are always very welcome. Have a nice day!