Enable FIDO Authentication on Windows 10

How to Enable FIDO Authentication

You can enable FIDO Authentication in one of three ways:

1. Using Intune, as explained here.

2. You can manually create a provisioning package using Windows Configuration Designer (an application available from the Microsoft Store).

To enable seamless login to Windows 10 machines using a security key, configuration settings are installed on the PC. The configuration package is installed on the PC during OOBE setup or later from PC Settings. The package is created with Windows Configuration Designer, which is installed from the Microsoft Store. You can download this package at this link or see Creating A Provisioning Package.

The section below describes how to create the provisioning package with the Configuration Designer tool.

  • Launch the Windows Configuration Designer and create a new project.

  • Enter the project name and choose the location to save the project and click on Next.

  • Click on Next in Select Project workflow with the Provisioning package selected.

  • Under “Choose which settings to view and configure”, click on All Windows desktop editions and select Next > Finish.

  • Expand Runtime settings > WindowsHelloForBusiness > SecurityKeys and enable “UseSecurityKeyForSignIn”.

  • Select Export > Provisioning package

  • In the Build window, provide a name for the package and click on Next > Next.

  • Provide a location for saving the provisioning package and select Next.

  • Click on Build to create the provisioning package.

  • Save the two files created (.ppkg and .cat) to an external USB drive to apply them on the Windows 10 PCs.

Windows Configuration Designer

Adding Provisioning Package

  • Insert the USB drive with the provisioning package into a PC/laptop and navigate to Settings > Accounts > Access work or school > Add or remove a provisioning package.

  • Click on “Add a package”

  • Choose the method “Removable Media”, select the package and click on “Add”.

  • Click on “Yes, add it” when prompted. Under Packages, the added package is displayed.

Once the provisioning package has been added on the Windows 10 PCs, it is recommended to restart the PC. By following the above steps, the admin has configured Azure AD and the Windows 10 PCs to enable passwordless sign-in.


Note that you have to choose All Windows desktop editions; if you choose All Windows editions, the setting isn’t available.

3. You can enable the FIDO credential provider by adding the following Registry Setting:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey]

"UseSecurityKeyForSignin"=dword:00000001

Copy the text above into a new text file, name it something.reg, double-click it and accept the warning.
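As an added example (not part of the original page), the same registry change can be applied and verified from an elevated PowerShell session, which is easier to script across many PCs than double-clicking a .reg file. The key path and value name are the ones shown above; the function names and the read-back check are this example's own.

```powershell
#Requires -RunAsAdministrator
# Policy location from the .reg file above. Registry value names are
# case-insensitive, so "UseSecurityKeyForSignin" and "UseSecurityKeyForSignIn" are the same value.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'
$ValueName = 'UseSecurityKeyForSignin'

function Get-SecurityKeySignInState {
    # Report whether the FIDO credential provider is enabled by policy on this machine.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        KeyExists = Test-Path -Path $PolicyKey
        Value     = if ($null -ne $item) { $item.$ValueName } else { $null }
        Enabled   = ($null -ne $item) -and ($item.$ValueName -eq 1)
    }
}

function Enable-SecurityKeySignIn {
    # Equivalent of importing the .reg file: create the key if it is missing and set the DWORD to 1.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null

    # Re-read the value rather than trusting the write succeeded.
    $state = Get-SecurityKeySignInState
    if (-not $state.Enabled) {
        throw "Policy value was not applied (value read back: $($state.Value))"
    }
    return $state
}

$before = Get-SecurityKeySignInState
Write-Host "Before: KeyExists=$($before.KeyExists) Value=$($before.Value) Enabled=$($before.Enabled)"
$after = Enable-SecurityKeySignIn
Write-Host "After:  KeyExists=$($after.KeyExists) Value=$($after.Value) Enabled=$($after.Enabled)"
```

Running only Get-SecurityKeySignInState is a quick way to audit whether a PC has the setting, whichever of the three methods above was used to apply it.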