Microsoft Security | Intune | Configuration
Setting up and managing device configurations using Intune
Windows Hello for Business - registration won't start with FIDO Key login
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 65%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Kenny McMichael
0
Reputation points
Have an issue where I can't get the enrollment for WHFB to work unless users log in with a password.
We are a hybrid environment - AD and Entra joined. TAP is not an option as you have to be entra only.
We have Yubikeys setup to work as an alternate login source which is linked with ENTRA ID. This works and users can sign in using these keys. The goal is passwordless with WHFB.
However when logging in using the Yubikeys - it will never prompt for registration to WHFB. I have to log out and log in with a password in order for that to happen.....
Has anyone got that to work?
Microsoft Security | Intune | Configuration
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 90%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Pauline Mbabu 1,785 Reputation points Microsoft Employee2025-11-24T22:41:06.6666667+00:00 Hello Kenny,
This might be by design to have Windows Hello for Business (WHfB) enrollment on hybrid AD + Entra ID devices not starting when signing in with a FIDO2 key like YubiKey: Microsoft requires a different authentication method (such as a password or smart card) for the initial Hello setup to prevent attackers from enrolling their own credentials after a single-factor login. Once you log in with a password and complete WHfB provisioning, you can go fully passwordless using Hello PIN/biometrics and FIDO2 keys for future sign-ins.
Sign in to comment
Sign in to answer