How to Set Up FIDO2 Security Keys for Simple Windows 365 Link Authentication

Passwords have long served as the standard for authentication, yet they present several challenges. They are frequently forgotten, difficult to manage, and often represent the most vulnerable aspect of an organization’s security posture. Despite these drawbacks, passwords remain the default method for many organizations. This situation is particularly problematic for Windows 365 Link devices, where users are required to enter both a username and password to log in and unlock the screen.

Anyone who has worked with end users understands their frustration with entering credentials each time they log in and unlock their screen. Passwordless authentication using FIDO2 security keys offers a simpler and more secure way to access Cloud PCs from Windows 365 Link.

In this post, we’ll explore why FIDO2 is a smart choice for Windows 365 Link and walk through the steps to enable it for Link devices. This approach works seamlessly, giving users a smooth experience while strengthening your security posture. See the video above for a full demonstration of configuring FIDO2 authentication for Windows 365 Link devices.

Why FIDO2 Is a Game-Changer

FIDO2 keys provide passwordless authentication with multi-factor security built in. Users have something they own, the physical key, and something they know, a PIN. This combination makes it extremely difficult for attackers to compromise accounts. Even if someone steals the key, it is bound to the device, so it won’t work to authenticate elsewhere.

Beyond security, FIDO2 improves the user experience. No more typing long passwords or worrying about password resets. Users simply insert the key, enter the PIN, and they’re in. It’s a fast, secure, and simple option for Windows 365 Link.

What You’ll Need

To get started, you’ll need permissions to make changes to the Entra ID Tenant and Intune, as well as a FIDO2-compliant security key such as a YubiKey. The Windows 365 Link device has one USB-A port on the front, so if you’re using a USB-C key, you’ll need to connect it to the back of the device or use a USB hub. It’s also a good idea to provide users with two keys and have them register both. This ensures they have a backup if one gets lost or damaged.

Step 1: Enable FIDO2 in Microsoft Entra ID

The first step is enabling FIDO2 authentication at the tenant level. Log in to the Microsoft Entra portal and navigate to Authentication Methods. Locate Passkey (FIDO2) and enable it. You can apply this setting to all users or specific groups, and you can even enforce key restrictions based on attestation GUIDs to ensure only trusted keys are used.

Step 2: Configure Intune for Windows Devices

Next, head to the Intune portal to enable FIDO2 for Windows devices. Under Windows Hello for Business, set Use Security Keys for Sign-In to enabled. This applies to newly provisioned devices by default.

If you need to target existing devices, create a custom configuration policy using the OMA-URI path:

./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin

Set the value to 1 and assign the policy to your Windows 365 Link devices. This ensures the feature is active across your environment.
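The two admin steps above can also be scripted against Microsoft Graph. This is an added example, not code from the original post: it assumes the Microsoft Graph PowerShell SDK is installed, that the account has the listed Graph scopes, and that `$GroupId` (a placeholder below) is the object ID of the group containing your Windows 365 Link devices.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell SDK
# and a device group whose object ID you substitute for the placeholder below.
$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your Link device group

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'DeviceManagementConfiguration.ReadWrite.All'

# Step 1: enable the Passkey (FIDO2) method for all users. Attestation is enforced so only
# keys with valid attestation register; AAGUID restrictions stay off until you list approved models.
$fido2 = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $true
    keyRestrictions = @{ isEnforced = $false; enforcementType = 'allow'; aaGuids = @() }
    includeTargets  = @(@{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false })
}
Invoke-MgGraphRequest -Method PATCH -ContentType 'application/json' `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2' `
    -Body ($fido2 | ConvertTo-Json -Depth 5)

# Step 2: custom Intune profile carrying the OMA-URI from the post, value 1 = enabled.
# The lookup keeps the script idempotent: rerunning it reuses an existing profile of the same name.
$profileName = 'W365 Link - Security key sign-in'
$all = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations').value
$cfg = $all | Where-Object { $_.displayName -eq $profileName } | Select-Object -First 1
if (-not $cfg) {
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $profileName
        description   = 'Enables FIDO2 security key sign-in on Windows 365 Link devices'
        omaSettings   = @(@{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'UseSecurityKeyForSignin'
            omaUri        = './Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin'
            value         = 1
        })
    }
    $cfg = Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
        -Body ($body | ConvertTo-Json -Depth 5)
}

# Assign the profile to the Link device group so existing devices pick it up at next sync.
$assign = @{ assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }) }
Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($cfg.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 5)
```

After the next device check-in, the profile's status in the Intune portal should show Succeeded for each Link device before users are asked to register keys.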

Step 3: Register the Security Key

Once the policy is applied, users can register their FIDO2 key through the My Account portal. They’ll select Security Info, choose Add Method, and pick Security Key. From there, they’ll insert the key, enter their PIN, and name the key for easy recognition. After registration, the key is ready for sign-in.

Step 4: Test the Login

Restart the Windows 365 Link device and select Security Key Login at the sign-in screen. Insert the key, enter the PIN, and touch the key. That’s it—the user is logged in securely without a password.

Why This Matters

Implementing FIDO2 authentication reduces the risk of credential theft and phishing attacks while improving user productivity. It’s a win-win for IT teams and end users. With Windows 365 Link and Cloud PC, this setup creates a seamless experience that’s both secure and convenient.

Links:

Zero to Hero with Azure Virtual Desktop
https://www.udemy.com/course/zero-to-hero-with-windows-virtual-desktop/?referralCode=B2FE49E6FCEE7A7EA8D4

A Beginner’s Guide to the AZ-900
https://www.udemy.com/course/beginners-guide-az-900/?referralCode=C74C266B74E837F86969

Hybrid Identity with Windows AD and Azure AD
https://www.udemy.com/course/hybrid-identity-and-azure-active-directory/?referralCode=7F62C4C6FD05C73ACCC3

Windows 365 Enterprise and Intune Management
https://www.udemy.com/course/windows-365-enterprise-and-intune-management/?referralCode=4A1ED105341D0AA20D2E

Video: Discover the Power of AVD SSO: What You Must Know!

Targeted Intune Deployment
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-windows?WT.mc_id=AZ-MVP-5004159#targeted-intune-deployment

OMA-URI: ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin

FIDO2 Security Key
https://learn.microsoft.com/en-us/windows-365/link/sign-in-methods#fido2-security-key

Create a dynamic device group containing your Cloud PCs
https://learn.microsoft.com/en-us/windows-365/enterprise/create-dynamic-device-group-all-cloudpcs?WT.mc_id=AZ-MVP-5004159
