Log in to Windows 10 with a Yubikey

Windows 10 login with Yubikey

Are you looking for a way to log in to Windows 10 with a Yubikey? It is possible, and this article explains how. A Yubikey is a secure and convenient way to access your computer on Azure Active Directory.

A Yubikey is a small, physical security key that supports the FIDO2 standard and can be used to authenticate your login on Windows 10. It provides an extra layer of security by requiring a physical device, in addition to a password, to access your computer. In this article, we will guide you on how to set up and use a Yubikey for Windows 10 login on Azure Active Directory.

Requirements to login with a Yubikey

In order to successfully log in to Windows 10 with a Yubikey on Azure Active Directory, there are several requirements that must be met. These include:

  1. A FIDO2 compatible Security Key – I am using a YubiKey 5 in my case
  2. Windows 10 1809 or newer
  3. The device must be joined to (and managed through) Azure Active Directory
  4. Enable FIDO2 Security Key as an authentication method in Azure Active Directory
  5. Allow Security Key to be used with a Device Manager Policy

Step 1: YubiKey setup

Go to https://myprofile.microsoft.com and configure your key. Configure your PIN and give it a meaningful name to be able to remember which key it is.

Step 2: Make sure you are running 1809 or newer

# Windows 10 version 1809 is build 17763; the reported number must be equal or higher
Get-WmiObject -Class Win32_OperatingSystem | Select-Object BuildNumber

Step 3: Check if the machine is Azure AD joined

dsregcmd /status

Step 4: Enable FIDO2 Security Key in Azure AD

Log into Azure as a Global Administrator and navigate to:

  • Azure Active Directory
  • Security
  • Authentication methods
  • FIDO2 Security Key

Set Enable to Yes and set the target to either All users or Select users. I would recommend you use an Azure Active Directory group first to get started. Do not forget to Save your settings!

Step 5: Authorise Security Keys in Microsoft Endpoint Manager

You can enable this globally, but we will rather do it with a policy. It is cleaner and a better practice than applying all settings to everyone without targeting the right users and machines. For this, navigate to:

  • Devices (left)
  • Windows (under By platform)
  • Configuration profiles (under Windows policies)
  • Create profile
  • Platform: Windows 10 and later
  • Profile type: Templates
  • Identity protection
  • Create
  • Give it a name and a description and Next
  • Configure Windows Hello for Business: Not configured
  • Use security keys for sign-in: Enable
  • Next
  • Scope tags: as you usually do for your builds and Next
  • Assignments: Add all devices and/or target specific devices with a group
  • Next and Create

You should now be able to force a policy update, or wait for the next one, and then find the key in your Sign-in options. Insert your key; you will be prompted for your PIN and to touch the key. That’s it!
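If the security key option does not show up in Sign-in options, the device-side checks from steps 2 and 3 can be rerun together. The script below is an added example, not part of the original article: the function names are illustrative, and the sample dsregcmd output is constructed so the parser can be tried away from a joined device.

```powershell
# Added example, not from the original article. Function names are illustrative.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd /status prints indented "Key : Value" pairs between banner lines.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]\w*)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-SecurityKeyPrereqs {
    param([int]$BuildNumber, [hashtable]$DsregState)
    [pscustomobject]@{
        BuildNumber   = $BuildNumber
        BuildOk       = $BuildNumber -ge 17763   # Windows 10 1809 is build 17763
        AzureAdJoined = $DsregState['AzureAdJoined'] -eq 'YES'
        TenantName    = $DsregState['TenantName']
    }
}

# Constructed sample of dsregcmd /status output (not captured from a real device).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                TenantName : Contoso (constructed)
'@ -split '\r?\n'

if (Get-Command dsregcmd -ErrorAction SilentlyContinue) {
    # On a Windows device: use the live values from steps 2 and 3.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $lines = dsregcmd /status
} else {
    # Elsewhere: fall back to the constructed sample and the minimum build.
    $build = 17763
    $lines = $sample
}

$result = Test-SecurityKeyPrereqs -BuildNumber $build -DsregState (ConvertFrom-DsregStatus $lines)
$result | Format-List
if (-not ($result.BuildOk -and $result.AzureAdJoined)) {
    Write-Warning 'Device does not meet the build or Azure AD join requirement for security key sign-in.'
}
```

A device that reports AzureAdJoined as NO will not offer the security key at the Windows sign-in screen regardless of the tenant and Endpoint Manager settings from steps 4 and 5.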

Conclusion

In conclusion, logging in to Windows 10 with a Yubikey on Azure Active Directory is a secure and convenient way to access your computer. By following the steps outlined in this article, you can set up and use a Yubikey for Windows 10 login on Azure Active Directory.

Keep in mind that the requirements for this process include a FIDO2 compatible security key, Windows 10 version 1809 or newer, being managed and joined to Azure Active Directory, enabling FIDO2 Security Key as an authentication method in Azure Active Directory, and allowing the security key to be used with a Device Manager Policy.

With these in place, you can enjoy the added security and ease of access provided by using a Yubikey for your Windows 10 login.

Gregory

I'm Gregory from Switzerland, and this is a running log of thoughts, findings, and lessons learned over more than 20 years in IT. With a deep passion for networks and security, I focus on architecture, governance, and emerging technologies. My journey has taken me through complex challenges and continuous learning across various sectors. While this space mainly serves as my personal knowledge base, I hope that sharing these notes might also offer insights or inspiration to others navigating the ever-evolving digital landscape.
