casvote.blogg.se

Windows hello intune

The easiest way to do it is using this PowerShell snippet.

Before a security key can be used to sign in to Windows, this sign-in method must first be enabled. If Intune is used for client management, the necessary key SecurityKey/UseSecurityKeyForSignin of the PassportForWork configuration service provider can be distributed starting from Windows 10 1903. This setting can be enabled in the “Windows enrollment” area using the Windows Hello for Business menu item. Enabled there, the setting applies to all supported Windows 10 devices in the company. If a more targeted rollout is desired, a “Configuration Profile” of the type “Identity protection” must be created and assigned to the corresponding devices.

For a quick test, the necessary configuration can also be enabled via a registry value under:

HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey
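The quick-test registry setting described above, as an added PowerShell example that is not code from the original post. It assumes the value is a DWORD named UseSecurityKeyForSignin (the CSP node name from the text) where 1 means enabled, and that Windows 10 1903 corresponds to build 18362.

```powershell
# Added example, not from the original post.
# Assumptions: value name UseSecurityKeyForSignin (DWORD, 1 = enabled) and
# build 18362 as the Windows 10 1903 minimum. Writing to HKLM needs elevation.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Enable   # without -Enable the script only reports the current state
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'
$ValueName = 'UseSecurityKeyForSignin'
$MinBuild  = 18362

function Get-SecurityKeySignInState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' based on the policy key.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

# The setting is only honoured from Windows 10 1903 onwards, so check first.
$build = [System.Environment]::OSVersion.Version.Build
if ($build -lt $MinBuild) {
    throw "Build $build is older than $MinBuild (1903); security key sign-in is not supported."
}

Write-Output "Before: $(Get-SecurityKeySignInState)"

if ($Enable) {
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD to 1')) {
        # Create the key if no policy has ever been delivered to this device.
        if (-not (Test-Path -Path $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        New-ItemProperty -Path $KeyPath -Name $ValueName `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Write-Output "After:  $(Get-SecurityKeySignInState)"
}
```

Run without parameters to audit a device; add -Enable (optionally with -WhatIf to preview the change) from an elevated session to set the value.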

The user must assign a PIN that is only valid on this device. With this PIN, the private key for the sign-in can be unlocked in the TPM chip of the laptop. Windows thus directly promotes another method for password-free sign-in.

Windows 10 device onboarding and Windows Hello for Business.
PowerShell administration without a password.

The administrator account we use for passwordless sign-in has now performed its initial sign-in and registered a FIDO2 security key for permanent log-in. This initial sign-in had to be performed on an already set up device due to restrictions during Windows 10 enrollment. Unfortunately, the use of the Temporary Access Pass is not possible* during the initial setup of Windows using the out-of-box experience or Autopilot. Now the setup of the Privileged Admin Workstation (PAW) can be performed.

*At the end of this blog I present a method with which a deployment is also possible via TAP using preview features of Autopilot and Intune.

When setting up Windows using the out-of-box experience, select “Setup for an Organization” and then the option “Sign-in with Security Key” is directly available in the Windows 10 20H2 version used here. After the successful sign-in, the computer is connected to the Azure AD (Azure AD Join) and enrolled in Intune if configured. If a Bluetooth based FIDO2 key is used, it must be connected by cable in this phase. If no other settings are supplied by Intune, Windows 10 will directly enable Windows Hello for Business for the sign-in after the successful installation.











