- Enable FIDO2 login on Windows via Intune, OMA-URI, provisioning package, or GPO.
- Learn about requirements and unsupported scenarios (RDP/VDI, S/MIME, server, offline without prior logon).
- Register and manage keys: PIN/biometrics, reset, and removal from the account and from Windows.
- Plan for real-world limitations (remote support, RDP, PIN UX) and compatibility on iOS/macOS.

Passwordless authentication is no longer a promise: it's a reality you can deploy today on Windows 10 and Windows 11 with FIDO2 security keys and Windows Hello for Business. In this article we outline, step by step, how to enable security key sign-in on Microsoft Entra ID (formerly Azure AD) joined and hybrid joined PCs, and we cover user key registration, PIN/biometric management, and unsupported scenarios.
Beyond the theory, we cover real implementation challenges (remote support, RDP, key assignment, the PIN requirement), practical recommendations, and compatibility notes for iOS and macOS. If you want to deploy FIDO2 wisely, here is everything you need to avoid surprises and achieve a smooth rollout.
What is FIDO2 and how does it fit with Windows Hello?
FIDO2 is an open standard for passwordless authentication based on asymmetric cryptography. It has two parts: WebAuthn (the browser API defined by the W3C) and CTAP2 (the protocol between the client and the authenticator, defined by the FIDO Alliance). Security keys can connect over USB, NFC, or an integrated reader, and the authenticator can be built into the platform (Windows Hello) or be an external device.
When you register a key, the authenticator (your device or the key itself) generates a public/private key pair; the public key is stored by the service (the Relying Party) and the private key never leaves your device or the key hardware. At sign-in, the server sends a challenge and the authenticator returns a signature that is valid only for the registered domain, thanks to the RP ID binding, which blocks phishing and the use of the credential on look-alike sites.
In Microsoft environments, this model is integrated with Windows Hello for Business and Microsoft Entra ID, allowing access to devices and cloud apps without a password. Passkeys can be device-bound or synchronized within a provider's ecosystem; Windows Hello acts as the platform authenticator, and FIDO2 keys act as cross-platform (roaming) external authenticators.

Prerequisites and unsupported scenarios
Before you begin, confirm that your organization has enabled the method and that you are using a supported browser. To register and use security keys, Microsoft requires Windows 10 May 2019 Update or later and keys approved by your organization (the key must be FIDO2 and supported by Microsoft).
These are the unsupported scenarios relevant when planning the deployment:
- Signing in to or unlocking Windows with a passkey stored in Microsoft Authenticator (a passkey on the phone) instead of a physical FIDO2 key for device logon.
- Environments that are only AD DS domain-joined (pure on-premises) with no Microsoft Entra ID layer.
- RDP, VDI, and Citrix scenarios that use a security key, other than through WebAuthn redirection.
- S/MIME signing with the FIDO2 security key (not supported).
- “Run as” operations with a security key (not supported).
- Signing in to servers with a security key (not supported).
- Offline use: if you have not signed in with the key while online, you cannot use it to sign in or unlock while offline.
- Keys holding multiple Microsoft Entra ID accounts: for Windows logon, Windows defaults to the last account added to the key, although in WebAuthn flows you can choose the account.
- Unlocking devices on Windows 10 1809 (unsupported experience); 1903 or later is recommended.
Enable Windows logon with FIDO2 keys
Organizations can enable security key sign-in to Windows in several ways. Below we compile all the supported options so you can choose the one that best fits your management model (MDM, provisioning package, or GPO).

System version requirements
Microsoft Entra joined devices require Windows 10 1909 or later. Microsoft Entra hybrid joined devices require Windows 10 2004 or later. Windows 11 includes these capabilities natively in current versions.
Enable with Microsoft Intune
If you manage your computers with Intune, you can enable the use of security keys from the Intune Admin Center following these steps:
- Access the Microsoft Intune admin center.
- Navigate to Devices > Enroll Devices > Windows Enrollment > Windows Hello for Business.
- In the settings, set “Use security keys to log in” in Enabled.
This setting does not depend on Windows Hello for Business being enabled; it turns on the security key credential provider for logon.
Targeted Intune Deployment (OMA-URI)
If you need more granularity, create a custom profile that enables the credential provider for specific groups of devices or users:
- Microsoft Intune admin center > Devices > Windows > Configuration profiles > Create profile.
- Configure: Platform = Windows 10 and later; Profile Type = Templates > Custom; Name and Description of your choice.
- In Settings, add an OMA-URI row with:
- Name: Enable FIDO Security Keys for Windows Logon
- OMA-URI: ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
- Data type: Integer
- Value: 1
- Assign the profile to the users/devices/groups necessary.
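The same custom profile can be created as code. The following is an added example that is not part of the article and not Microsoft's own code: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) with the OMA-URI and value from the list above, and assumes an account holding DeviceManagementConfiguration.ReadWrite.All. The group ID is a placeholder, and the Graph request bodies (windows10CustomConfiguration, omaSettingInteger, the assign action) should be checked against the current Graph reference before production use.

```powershell
# Added example (not from the article or from Microsoft): creates the custom Intune profile
# with the Microsoft Graph PowerShell SDK instead of clicking through the admin center,
# then assigns it to one group. Assumes the Microsoft.Graph module is installed and the
# account holds DeviceManagementConfiguration.ReadWrite.All. The group ID is a placeholder.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Same setting as the portal steps: one integer OMA-URI row, value 1 = enabled, 0 = disabled
$fido2Profile = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Enable FIDO Security Keys for Windows Logon'
    description   = 'Turns on the security key credential provider via the PassportForWork CSP'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'UseSecurityKeyForSignin'
            omaUri        = './Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin'
            value         = 1
        }
    )
}
$created = New-MgDeviceManagementDeviceConfiguration -BodyParameter $fido2Profile
"Created profile '$($created.DisplayName)' with id $($created.Id)"

# Assign it to the pilot group; without an assignment the setting reaches no device
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = '00000000-0000-0000-0000-000000000000'   # placeholder group ID
            }
        }
    )
}
$assignUri = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.Id)/assign"
Invoke-MgGraphRequest -Method POST -Uri $assignUri -Body $assignment

# Read the profile back to confirm it exists before widening the assignment
Get-MgDeviceManagementDeviceConfiguration -DeviceConfigurationId $created.Id |
    Select-Object Id, DisplayName, LastModifiedDateTime
```

Start with a small pilot group, confirm on one device that the security key credential provider appears on the lock screen, and only then assign the profile to the broader population; keep the profile name aligned with the one used in the portal so the two deployment paths are not confused.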
Enable with a provisioning package
On devices not managed by Intune, you can apply a provisioning package built with Windows Configuration Designer (available from the Microsoft Store). In summary:
- Open Windows Configuration Designer and create a new project using the “Provisioning package” flow.
- Choose “All Windows desktop editions” when asked for the configuration scope.
- In Runtime Settings > WindowsHelloForBusiness > SecurityKeys > UseSecurityKeyForSignIn, select “Enabled”.
- Export and build the package (a .ppkg and a .cat file are generated) and apply it to the target computers.
Enable with Group Policy (GPO)
For Microsoft Entra hybrid joined devices, there is a GPO that allows logon with a FIDO2 security key. Path: Computer Configuration > Administrative Templates > System > Logon > Turn on security key sign-in.
- Enabled: allows sign-in with security keys.
- Disabled or Not Configured: sign-in with security keys is not allowed.
It requires an updated CredentialProviders.admx policy template (included with current Windows Server releases and Windows 10 20H1). You can manage it from the local policy editor or from a Central Store of administrative templates.
Registration and management of the security key by the user
Before registering, make sure that the administrator has enabled the method for your organization and that your device is up to date. You'll need an approved FIDO2 key (USB or NFC) and a supported browser.
To add the key as a method on your work or school account: go to My Profile > Security info, choose “Add method” and select “Security key.” Choose the type (USB or NFC), insert or tap the key when prompted, and follow the on-screen prompts.
In Windows 11 23H2, if the browser offers a passkey on a phone first, sign in and press Next; under “More options,” choose “Security key” and continue. In older versions, a QR pairing screen for another passkey may appear: to register the physical key instead, insert and touch the key to force that flow.
During the process, Windows asks you to set or enter the key PIN in the Windows Security dialog. When you finish, return to Security info, give the key a recognizable name, and save. You can register up to 10 keys per account.
To remove a key from your security info, use the Delete link on that method's card and confirm. Note that this only prevents its use with your account: the credential stored on the key is still there; to erase it, you must reset the key to factory settings.
From Windows Settings > Accounts > Sign-in options > Security key > Manage, you can reset the key (return it to default values) or create/change the security key PIN. Insert or tap the key to verify your identity and follow the manufacturer's instructions.
FIDO2 Windows Login and Authentication Flow
Once the provider is enabled, on the Windows lock screen you can choose the security key credential provider. Insert the key, enter the PIN or perform the biometric gesture, and you reach the desktop. On hybrid joined computers, remember to also enable passwordless sign-in for on-premises (local) resources.
The technical flow with Microsoft Entra ID is as follows: Windows detects the key and sends an authentication request; Entra ID returns a nonce; the key signs that nonce with its private key; Windows requests the PRT (Primary Refresh Token), attaching the signature; Entra ID verifies the signature with the registered public key and returns the PRT, which grants access to resources.
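To make the exchange concrete (the key pair and RP ID binding from the FIDO2 section, and the nonce/signature/PRT sequence just described), here is an added example in PowerShell. It is illustrative code written for this page, not the implementation in Windows, Entra ID or any key vendor's firmware: a .NET P-256 ECDSA key stands in for the security key, the RP ID, origin and nonce values are constructed, and the relying party's checks (rpIdHash, UV flag, sign counter, challenge, origin, signature) are spelled out so you can see which one stops a look-alike site and which one stops a replay.

```powershell
# Added example modelling the exchange described above (WebAuthn assertion and the
# Entra ID nonce -> signature -> PRT step). Illustrative code, not Windows', Entra ID's
# or any key vendor's implementation. A .NET P-256 ECDSA key stands in for the security
# key's private key; RP ID, origin and nonce values are constructed for the example.
using namespace System.Security.Cryptography
using namespace System.Text

$sha256 = [SHA256]::Create()
function Get-Sha256([byte[]]$Bytes) { ,$sha256.ComputeHash($Bytes) }

# Registration: the authenticator creates a key pair scoped to this RP ID. Only the
# public half goes to the relying party; the private half never leaves the key.
$rpId = 'login.microsoftonline.com'                      # constructed RP ID
[byte[]]$rpIdHash = Get-Sha256 ([Encoding]::UTF8.GetBytes($rpId))
$authenticatorKey = [ECDsa]::Create([System.Security.Cryptography.ECCurve+NamedCurves]::nistP256)
$relyingPartyKey  = [ECDsa]::Create()
$relyingPartyKey.ImportParameters($authenticatorKey.ExportParameters($false))   # public point only
$storedCounter = [uint32]0

function New-Assertion {
    param([ECDsa]$Key, [byte[]]$RpIdHash, [uint32]$Counter, [string]$Origin, [string]$Nonce)
    # authenticatorData = rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian)
    $flags = [byte]0x05                                   # UP (bit 0) and UV (bit 2): PIN/biometric done
    $counterBytes = [BitConverter]::GetBytes($Counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($counterBytes) }
    [byte[]]$authData = $RpIdHash + $flags + $counterBytes
    # clientDataJSON is built by the browser/Windows, not by the key; it carries nonce and origin
    $json = '{{"type":"webauthn.get","challenge":"{0}","origin":"{1}"}}' -f $Nonce, $Origin
    [byte[]]$clientDataJson = [Encoding]::UTF8.GetBytes($json)
    [byte[]]$toSign = $authData + (Get-Sha256 $clientDataJson)
    [pscustomobject]@{
        AuthenticatorData = $authData
        ClientDataJson    = $clientDataJson
        Signature         = $Key.SignData($toSign, [HashAlgorithmName]::SHA256)
    }
}

function Test-Assertion {
    param([ECDsa]$PublicKey, $Assertion, [string]$ExpectedRpId, [string]$ExpectedOrigin,
          [string]$IssuedNonce, [ref]$StoredCounter)
    [byte[]]$authData = $Assertion.AuthenticatorData
    # 1. rpIdHash must match the domain this RP owns; a credential scoped elsewhere fails here
    [byte[]]$expectedHash = Get-Sha256 ([Encoding]::UTF8.GetBytes($ExpectedRpId))
    if ([BitConverter]::ToString([byte[]]$authData[0..31]) -ne [BitConverter]::ToString($expectedHash)) {
        return 'rejected: rpIdHash mismatch'
    }
    # 2. UV flag: the key verified the user (PIN or biometric) before signing
    if (($authData[32] -band 0x04) -eq 0) { return 'rejected: user verification missing' }
    # 3. Sign counter must move forward; a replayed assertion reuses the old value
    [byte[]]$counterBytes = $authData[33..36]
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($counterBytes) }
    $counter = [BitConverter]::ToUInt32($counterBytes, 0)
    if ($counter -le $StoredCounter.Value) { return 'rejected: sign counter did not increase' }
    # 4. clientDataJSON must echo the nonce we issued and the origin we serve
    $clientData = [Encoding]::UTF8.GetString($Assertion.ClientDataJson) | ConvertFrom-Json
    if ($clientData.type -ne 'webauthn.get' -or $clientData.challenge -ne $IssuedNonce) {
        return 'rejected: challenge mismatch'
    }
    if ($clientData.origin -ne $ExpectedOrigin) { return 'rejected: origin mismatch' }
    # 5. Signature over authenticatorData || SHA-256(clientDataJSON) with the registered public key
    [byte[]]$signed = $authData + (Get-Sha256 $Assertion.ClientDataJson)
    if (-not $PublicKey.VerifyData($signed, [byte[]]$Assertion.Signature, [HashAlgorithmName]::SHA256)) {
        return 'rejected: bad signature'
    }
    $StoredCounter.Value = $counter                       # persist for the next sign-in
    return 'accepted'
}

$nonce  = 'constructed-nonce-0001'                        # stands in for the nonce Entra ID returns
$origin = "https://$rpId"
$verify = @{ PublicKey = $relyingPartyKey; ExpectedRpId = $rpId; ExpectedOrigin = $origin
             IssuedNonce = $nonce; StoredCounter = [ref]$storedCounter }

# Genuine sign-in: all five checks pass, and the RP would now issue the PRT
$good = New-Assertion -Key $authenticatorKey -RpIdHash $rpIdHash -Counter 1 -Origin $origin -Nonce $nonce
Test-Assertion @verify -Assertion $good

# Look-alike site: the browser derives the RP ID from the real origin, so the authenticator
# data carries a different rpIdHash and check 1 rejects it before the signature is examined
$fakeRpId     = 'login.microsoftonline.com.example.net'
$fakeRpIdHash = Get-Sha256 ([Encoding]::UTF8.GetBytes($fakeRpId))
$bad = New-Assertion -Key $authenticatorKey -RpIdHash $fakeRpIdHash -Counter 2 -Origin "https://$fakeRpId" -Nonce $nonce
Test-Assertion @verify -Assertion $bad

# Replay of the genuine assertion: the stored counter already equals its value, so check 3 rejects it
Test-Assertion @verify -Assertion $good
```

The script runs in Windows PowerShell 5.1 (.NET Framework 4.7 or later) and in PowerShell 7. The order of the checks is deliberate: the rpIdHash and origin checks are what make the credential useless on a phishing domain, the counter check is what exposes a cloned or replayed assertion, and the signature check is the only step that needs the registered public key, which is why the relying party never holds anything that could be used to impersonate the user.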
To ensure the best experience and security, Microsoft requires keys to implement certain optional CTAP2 extensions. In practice, choose certified vendors that explicitly state Windows/Entra ID support (for example, FIDO Alliance and MISA member vendors) to avoid friction.
When working offline, the key may work in certain cases, but with one limitation: if you have not previously signed in online with the key, you cannot use it to sign in or unlock while offline.
Which methods are valid for MFA and which are valid for password reset?
In Microsoft Entra ID, security info methods are used for two-step verification and/or for password reset (SSPR). Not all methods serve both purposes:
| Method | Use |
| --- | --- |
| Authenticator app | Two-step verification and password reset |
| SMS | Two-step verification and password reset |
| Phone call | Two-step verification and password reset |
| Passkey / FIDO2 key | Two-step verification |
| External authentication method | Two-step verification |
| | Password reset only |
| Security questions | Password reset only |
Limitations and lessons learned from real deployments
When you bring FIDO2 into production, practical issues arise. For example, if you enable Windows Hello to use FIDO2 keys and passkeys on websites and apps, Windows may put the PIN/Hello prompt first during device logon. For local accounts, this may be undesirable if you intend to keep using the password for the initial sign-in.
In practice, some teams report that keys cannot be assigned to users in advance: each person must register their own key in Security info once the method is enabled and MFA is enforced. This gives flexibility, but it also means designing an initial onboarding process (e.g., a temporary access pass on the first day) and governance over key additions and removals.
Another point: using a key requires a PIN (or biometrics), so the typical sequence is “insert key, enter PIN, touch key.” It is more secure, but the UX differs from a classic password, so explain it to users to avoid friction, and plan disk unlock (BitLocker) separately.
Forcing the key at the machine level by disabling passwords can break scenarios such as remote support (e.g., TeamViewer), “Run as administrator” elevation, and RDP if the whole environment is not prepared. If you disable passwords without a plan, you may end up depending on the local administrator for certain tasks, such as leaving safe mode, with the resulting operational risk.
Practical recommendations: define a recovery plan (spare key, alternative methods such as an authenticator app), provide step-by-step registration guides, and establish lifecycle policies (what to do if a key is lost, how to revoke it, and how to reissue it). If your environment relies heavily on RDP, review dependencies and compatibility before trying to remove password sign-in completely.
Compatibility on iOS/macOS and Microsoft 365 tools
In the Apple ecosystem there are nuances: the FIDO2 support on iOS that Microsoft announced applies to browsers; for native apps, the route is certificate-based authentication (Azure CBA). On macOS and iOS there are restrictions (e.g., BLE keys and specific registration flows) that you should validate.
In addition, not all cloud management tools (such as certain Azure PowerShell modules or MSAL clients) have consistently supported FIDO2. In advanced deployments, a credential management system (CMS) can ease remote onboarding, account recovery, and distribution of hardware tokens at scale.
If a key is lost, the PIN locks after several failed attempts and the key becomes useless to third parties. At the organizational level, a CMS or Entra administration workflows let you revoke the credentials registered for that key and issue a new one. Meanwhile, some environments use Windows Hello or the Authenticator app as a temporary alternative.
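For the lost-key case, an administrator can remove the registration from the user's account through Microsoft Graph. The function below is an added example for this page, not part of the article or of Microsoft's tooling; it uses the Microsoft.Graph PowerShell SDK cmdlets Get-MgUserAuthenticationFido2Method, Remove-MgUserAuthenticationFido2Method and Revoke-MgUserSignInSession, assumes an operator holding UserAuthenticationMethod.ReadWrite.All and User.RevokeSessions.All, and the user principal name and key name are placeholders.

```powershell
# Added example, not from the article: lost-key handling with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the operator holds the listed permissions.
# The UPN and key name in the usage line are placeholders.
function Revoke-LostFido2Key {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$KeyDisplayName,   # the name the user gave the key in Security info
        [switch]$RevokeSessions                           # also invalidate refresh tokens issued to the user
    )
    # 1. List the FIDO2 methods registered for the user and pick the lost one by its display name
    $methods = Get-MgUserAuthenticationFido2Method -UserId $UserPrincipalName
    $methods | Select-Object DisplayName, Model, AttestationLevel, CreatedDateTime |
        Format-Table | Out-String | Write-Verbose
    $lost = @($methods | Where-Object DisplayName -eq $KeyDisplayName)
    if ($lost.Count -eq 0) {
        throw "No FIDO2 method named '$KeyDisplayName' is registered for $UserPrincipalName"
    }

    # 2. Remove the registration: the key still works physically, but it can no longer
    #    sign in to this account, which is the revocation the article refers to
    foreach ($m in $lost) {
        if ($PSCmdlet.ShouldProcess("$UserPrincipalName / $($m.DisplayName)", 'Remove FIDO2 method')) {
            Remove-MgUserAuthenticationFido2Method -UserId $UserPrincipalName -Fido2AuthenticationMethodId $m.Id
        }
    }

    # 3. Optionally revoke sessions so refresh tokens already issued to the user (including a PRT
    #    obtained with the lost key) are invalidated and the user must sign in again
    if ($RevokeSessions -and $PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke sign-in sessions')) {
        Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    }
}

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'User.RevokeSessions.All'
# Dry run first; drop -WhatIf to apply
Revoke-LostFido2Key -UserPrincipalName 'user@contoso.example' -KeyDisplayName 'Primary key' -RevokeSessions -WhatIf -Verbose
```

Pair this with the spare-key practice from the recommendations above: if the user already has a second key registered, they keep a passwordless path while the lost key is removed, and the help desk only needs to issue a replacement rather than a temporary password.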
User Tips: Registration, Usage, and Backup
Many guides recommend initializing the key and setting a PIN before first use. Some manufacturers provide utilities (e.g., PIN change or reset managers) that make this easier, especially if you will manage two keys (primary and backup) from the start.
Golden rule: register both your main key and your spare key for critical services. Configuration varies between providers (each service has its own path for Security/2FA/MFA), but the general pattern is always to add a “Security key” method and complete the WebAuthn/CTAP2 flow the browser prompts for.
In Windows, you can manage the key from Settings > Accounts > Sign-in options > Security key, where you can change your PIN, update your biometrics (if the key is biometric), or reset it if you're going to reuse it. Resetting erases all content on the key and allows you to start from scratch.
