Security Key Login with Hybrid Windows 10 Devices

Security key login to Windows 10 has been possible since May 2019 for cloud-only environments where devices are Azure AD Joined. For hybrid environments, where devices are Hybrid Azure AD Joined, using a security key for login wasn’t possible until now, with the release of the May 2020 update (version 2004) to Windows 10.

Learn how you can allow your users to sign in to their PCs using a security key, and what the requirements are to make it work.

Technically speaking, this feature has been available for some time if you were prepared to use machines enrolled in the Windows Insider Programme, as it required a minimum build of Windows 10. Because that build, Build 18945, was exclusive to the Insider Programme, the feature wasn’t viable for production users: nobody wants to run preview builds on real users’ machines.

With the release of the May 2020 update for Windows 10, however, all the parts are now there in production form to enable the use of a security key for Windows 10 login on hybrid devices.

What is a hybrid device?

A hybrid device is a machine that is managed by both an on-premises environment and a cloud environment.

A typical example of a hybrid device is a Windows 10 computer that is domain-joined and configured by Group Policy from Windows Server Active Directory Domain Services. The device is then synchronised to Azure Active Directory through Azure AD Connect, which lets it register with Azure AD and be managed in the cloud.

We can supplement the basic domain-joined and Hybrid Azure AD Join behaviour with Microsoft Endpoint Configuration Manager (MECM) on-premises, which can be cloud-attached to, or co-managed with, Microsoft Intune to provide compliance, application deployment, and more.

The history of security key login

This isn’t a full history but an abridged version, just to give some background if you aren’t all that familiar with this type of login. In traditional on-premises environments where we wanted users to authenticate and log in using some form of token or key, we would use smart cards. Available in various form factors and sizes, smart cards gave users a physical security key. Their set-up, however, was challenging: you required a comprehensive Public Key Infrastructure (PKI) deployment to support the enrolment, management, renewal, and support of certificates.

In May 2019, with the release of Windows 10 version 1903, Windows 10 added support for login using a security key. This was limited to Azure AD Joined devices, however; hybrid devices were not supported in the initial release of the feature.

Advantages of using a security key

Windows Hello for Business gives us the ability to use a PIN, facial recognition, a fingerprint, or a security key for login to Windows 10.

Facial recognition and fingerprint are no doubt more secure than a standalone password, but the biometric itself is something you are, and on its own it is still a single factor; the strength of Windows Hello for Business comes from binding the credential to the device’s TPM, so the gesture only ever unlocks a key that never leaves that device.

Security keys, on the other hand, are two-factor. Using a security key requires both possession of the key and a PIN that is configured on the key itself; the PIN is verified by the key, not sent to Windows or Azure AD. When using a security key for login you get the usual advantages of Windows Hello for Business, with the added benefit that the method combines something the user has (the key) and something the user knows (the PIN).

Unlike historical smart card certificate-based solutions, Azure AD makes using security keys very simple: users can enrol and manage their own keys without involvement from IT.

Prerequisites and set-up for using a security key on a hybrid device

To enable the use of a security key for Windows 10 device login on a hybrid device there are a number of prerequisites that need to be met.

  • A device running either Windows 10 Build 18945 or above as part of the Windows Insider Programme, or (for production use) the Windows 10 May 2020 update (version 2004) or higher
  • Azure AD Connect version 1.4.32.0 or higher
  • Active Directory Domain Services Domain Controllers running Windows Server 2016 or 2019
    • KB4534307 installed on Windows Server 2016 Domain Controllers
    • KB4534321 installed on Windows Server 2019 Domain Controllers

Microsoft notes in the documentation that not every Domain Controller needs to be running this hotfix. You must, however, have enough of them running it to provide the capacity and resiliency to support users logging in with security keys; a single patched Domain Controller is a single point of failure for security key login.
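The following PowerShell is an added example and not part of the original post or Microsoft’s documentation. It reports the prerequisites listed above for the local client, the Azure AD Connect server and every Domain Controller in the domain. The minimum build revisions it uses for the two KBs are taken from the KB articles as I recall them and are marked as assumptions to verify; the Azure AD Connect check assumes the product registers under the standard Uninstall registry key with the display name shown.

```powershell
# Added example, not from the original post: a read-only report of the prerequisites
# above. Run it from a domain-joined admin workstation with the ActiveDirectory module;
# run Test-AadConnectVersion on the Azure AD Connect server itself.

$MinClientBuild  = 19041                  # Windows 10 May 2020 update (version 2004)
$MinInsiderBuild = 18945                  # Insider build the post refers to
$MinAadConnect   = [version]'1.4.32.0'

# The two KBs are cumulative updates, so a later cumulative update supersedes them and
# Get-HotFix may no longer list them. The reliable check is the build revision (UBR).
# Assumption: the minimum revisions below are the OS builds the KB articles quote;
# verify them against the articles before relying on this.
$DcRequirements = @{
    '10.0 (14393)' = @{ Name = 'Windows Server 2016'; KB = 'KB4534307'; MinRevision = 3474 }
    '10.0 (17763)' = @{ Name = 'Windows Server 2019'; KB = 'KB4534321'; MinRevision = 1012 }
}

function Test-ClientBuild {
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $note  = if ($build -ge $MinClientBuild) { 'Production build' }
             elseif ($build -ge $MinInsiderBuild) { 'Insider build only; not for production' }
             else { 'Too old' }
    [pscustomobject]@{ Check = 'Windows 10 build'; Target = $env:COMPUTERNAME
                       Pass = ($build -ge $MinClientBuild); Detail = "$build ($note)" }
}

function Test-AadConnectVersion {
    # Assumption: Azure AD Connect registers under the standard Uninstall key with this DisplayName.
    $app = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
           Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } | Select-Object -First 1
    $ver = if ($app) { [version]$app.DisplayVersion } else { $null }
    [pscustomobject]@{ Check = 'Azure AD Connect'; Target = $env:COMPUTERNAME
                       Pass = ($ver -and $ver -ge $MinAadConnect); Detail = "$ver" }
}

function Test-DomainControllers {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $req = $DcRequirements[$dc.OperatingSystemVersion]
        if (-not $req) {
            [pscustomobject]@{ Check = 'DC hotfix'; Target = $dc.HostName; Pass = $false
                               Detail = "$($dc.OperatingSystem): not 2016/2019" }
            continue
        }
        # UBR is the revision part of the OS build, e.g. 3474 for 14393.3474.
        $ubr = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR }
        $listed = [bool](Get-HotFix -Id $req.KB -ComputerName $dc.HostName -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Check = 'DC hotfix'; Target = $dc.HostName
                           Pass = ($listed -or ($ubr -ge $req.MinRevision))
                           Detail = "$($req.Name) UBR $ubr; $($req.KB) listed: $listed" }
    }
}

$results = @(Test-ClientBuild) + @(Test-DomainControllers)
$results | Format-Table -AutoSize

# Not every DC needs the hotfix, but one patched DC is a single point of failure for
# security key logon, so report the total rather than only pass/fail per DC.
$patched = @($results | Where-Object { $_.Check -eq 'DC hotfix' -and $_.Pass }).Count
switch ($patched) {
    0       { Write-Error   'No domain controller has the required update; security key logon will fail.' }
    1       { Write-Warning 'Only one patched domain controller: no resiliency for security key logon.' }
    default { Write-Host    "$patched domain controllers are ready." }
}
```

The script deliberately compares the build revision rather than trusting Get-HotFix alone: once the January 2020 cumulative update has been superseded by a later one, the specific KB number disappears from the installed-updates list even though the fix is present.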

With all the requirements in place, you need to make sure your Azure AD tenant is also ready. In Azure AD, the FIDO2 security key authentication method must be enabled (Azure Active Directory > Security > Authentication methods > FIDO2 Security Key). Once it is enabled you can optionally enforce attestation and restrict registration to particular security key models, identified by their AAGUID.

Lastly, the device itself must have security key sign-in enabled. This can be achieved via Microsoft Intune (the "Use security keys for sign-in" setting under the Windows Hello for Business enrolment settings), via a Provisioning Package, or via Group Policy ("Turn on security key sign-in" under Computer Configuration > Administrative Templates > System > Logon).

At Arcible, for example, we have restricted the use of security keys to YubiKey tokens, based on the model that we purchase for use. We have also used Microsoft Intune to configure the device setting, since that setting applies to hybrid devices managed via Intune.
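The following PowerShell is an added example and not Arcible’s or Microsoft’s code. Part 1 applies the tenant-side FIDO2 policy described above through the Microsoft Graph PowerShell SDK (enable the method, enforce attestation, allow-list key models by AAGUID); part 2 sets and verifies the device-side policy that Intune, a Provisioning Package or Group Policy would otherwise deliver. The AAGUID is a placeholder, and the registry path and the shape of the Graph request body are assumptions to verify against current Microsoft documentation.

```powershell
# Added example, not from the original post. Part 1 sets the tenant-side FIDO2
# security key policy through Microsoft Graph (Microsoft.Graph PowerShell SDK,
# Policy.ReadWrite.AuthenticationMethod permission). Part 2 sets and verifies the
# device-side policy that Intune, a provisioning package or Group Policy would
# otherwise deliver. Registry path, AAGUID placeholder and the Graph body shape
# are assumptions; verify against current Microsoft documentation.

Import-Module Microsoft.Graph.Identity.SignIns

# Placeholder AAGUID (not a real key model). Replace with the AAGUID of the model you
# purchase, taken from the vendor's published list. An AAGUID identifies a key model,
# not an individual key, so an allow-list restricts make and model, nothing more.
$AllowedAaguids = @('00000000-0000-0000-0000-000000000000')

function Set-Fido2Policy {
    param([string[]]$Aaguids, [switch]$RestrictToAaguids)
    Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod' | Out-Null
    $body = @{
        '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
        state                            = 'enabled'
        isSelfServiceRegistrationAllowed = $true   # users enrol their own keys
        isAttestationEnforced            = $true   # key must prove its make/model, or the allow-list means nothing
        keyRestrictions = @{
            isEnforced      = [bool]$RestrictToAaguids
            enforcementType = 'allow'              # allow-list, as opposed to 'block'
            aaGuids         = $Aaguids
        }
    }
    # PATCH semantics: properties not in $body (such as the target users) are left unchanged.
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId 'Fido2' -BodyParameter $body
    Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId 'Fido2' |
        Select-Object Id, State, AdditionalProperties
}

# Assumption: the Group Policy "Turn on security key sign-in" (Computer Configuration >
# Administrative Templates > System > Logon) and the PassportForWork/SecurityKey/
# UseSecurityKeyForSignin CSP used by Intune and provisioning packages write this value.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'
$PolicyName = 'UseSecurityKeyForSignin'

function Enable-SecurityKeySignIn {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-SecurityKeySignIn {
    # dsregcmd reports AzureAdJoined and DomainJoined; both YES means Hybrid Azure AD Joined,
    # which is the join state this post is about.
    $status = dsregcmd /status
    $hybrid = ($status | Select-String 'AzureAdJoined\s*:\s*YES' -Quiet) -and
              ($status | Select-String 'DomainJoined\s*:\s*YES'  -Quiet)
    $value  = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    [pscustomobject]@{
        HybridAzureAdJoined      = [bool]$hybrid
        SecurityKeySignInEnabled = ($value -eq 1)
        Ready                    = ([bool]$hybrid -and ($value -eq 1))
    }
}

# Usage: enable the tenant policy with the model allow-list, then the device policy.
Set-Fido2Policy -Aaguids $AllowedAaguids -RestrictToAaguids
Enable-SecurityKeySignIn
Test-SecurityKeySignIn
```

Setting the registry value directly is useful for a lab or for confirming what a policy has delivered; in production, keep the device setting in Intune or Group Policy so it is enforced and reported centrally rather than set by hand on each machine.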

What about Azure AD joined devices?

If you have Azure AD Joined devices in your environment, security key login has been available on them since the release of the 1903 update for Windows 10, so you can go ahead and enable it on those devices without any of the additional requirements above.

Using a security key for web-based logins

Web-based logins using a security key have been possible for some time now. By registering a security key in the My Sign-Ins (Security info) portal in Microsoft 365, a user can perform web-based authentication to Azure AD to access services like Microsoft 365, Microsoft Azure, and more.

Supporting a security key implementation

If you are looking to implement security keys in your environment whether it be on-premises, cloud-only, or hybrid, Arcible has the know-how to assist you.

Arcible has worked with Active Directory Certificate Services deployments on-premises to support various PKI needs and requirements. We work extensively with Microsoft 365, Microsoft Azure, and Microsoft Intune to configure and help organisations implement cloud-based productivity and management solutions too.

For more information, please contact us to find out what we can do. Alternatively, you might want to take a look at our Security and Identity or our Enterprise Mobility solutions.

If you want to take a look at the Microsoft documentation on security key login for hybrid devices, please refer to https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.