Three ways of enforcing Security Key sign-in on Windows 10 & Windows 11

Jonas Markström
7 min read · Dec 11, 2022

So you have rolled out FIDO2 security keys to your users, everything is working like a charm, and now you are ready for the next step. In this guide I cover how to enforce security key sign-in on Windows 10 and Windows 11 by disabling the alternative sign-in methods (credential providers).

Table of Contents

Background and Scope
Prerequisites
Read this first!
Enforce security key sign-in with Endpoint Manager
Enforce security key sign-in with Group Policy
Enforce security key sign-in by editing registry
Verification
List of Windows Credential Providers
Further reading

Background and Scope

As an organization you may want to enforce the use of FIDO2 security keys so that users (or attackers) cannot fall back to alternative, less secure sign-in methods, and to reduce the cost (TCO) of continuing to support passwords and other credentials.

In the context of Microsoft Windows this is achieved by disabling (excluding) the alternative credential providers. In this guide I present a few different approaches to doing just that, ranging from script deployment with Endpoint Manager (Intune), to Group Policy, to directly modifying the registry.

At the bottom of the article I have compiled a list of Windows credential providers by CLSID. Links are also included to additional listings of providers by OS version.

💡 If you are instead looking for a guide for enabling security key sign-in you can find one here.

Prerequisites

The following are prerequisites for following this guide:

  • FIDO2 Security key sign-in has been enabled (see this guide)
  • You have administrator permissions on the domain (or host)
  • You have administrator permissions on the Azure tenant*
  • Target device is managed by Endpoint Manager*

*Applicable only if you intend to use Azure-based controls, e.g. configuration with Endpoint Manager / Intune.

Read this first!

⚠️ Before disabling a credential provider, consider the possible adverse effects of doing so. Removing a credential provider not only affects the Windows logon screen but also functionality that prompts for credentials once the user is logged in, such as User Account Control (UAC) dialogs, Run As (!) and more. Microsoft:

Credential providers are used to process and validate user
credentials during logon or when authentication is required.

My recommendation is to leave the smart card credential provider in place: smart card logon is highly secure, works with most if not all Windows native features, and is supported by the YubiKey (assuming that is what you have). Also: test configurations in a Dev/Test environment before making any change in Production (duh!).

If you do decide to remove all alternative credential providers, practice restoring them first so that you have a tested recovery path (e.g. re-enabling the password provider at will). A device whose only remaining provider is the security key cannot be signed in to interactively if that key is lost, so keep a management channel (Intune or Group Policy) through which the change can be reverted.

Enforce security key sign-in with Endpoint Manager

Microsoft Endpoint Manager (Intune) can be used to easily enforce security key sign-in on managed devices. The following instructions and script are adapted from a blog post by Craig Wilson found here.

🛑 This script example disables Password and Windows Hello (!)

Note: you can easily edit the script by changing the values (1 = Disabled, 0 = Enabled) or by simply commenting out (#) the credential providers you want to leave in place.

  1. Download the example script (right-click and select Save link as…)
  2. Modify the example script as needed
  3. Open a browser and navigate to Microsoft Intune
  4. Login as administrator
  5. Click on Devices in the panel left hand side
  6. Next, navigate to Windows and PowerShell scripts
  7. Click the + Add button
  8. In the Basics view, provide a meaningful name and (optionally) a description and click Next
  9. Click the Browse action button and upload the script downloaded in step 1, toggle the script settings to run on 64-bit PowerShell (‘Yes’), leave ‘Run this script using the logged on credentials’ at ‘No’ so the script runs as SYSTEM and can write to HKEY_LOCAL_MACHINE, and click Next
  10. Select assignment (scope), e.g. some or all devices, and click Next
  11. Review the summary and click Add.

Navigate to Windows devices and PowerShell scripts to add a new script.
Give the script a name and a description and click ‘Next’.
Upload the (edited) example script, adjust settings and click ‘Next’.
Select scope (start with a designated test machine!) and click ‘Next’.
Click ‘Add’ to deploy the script to its assigned devices.
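The following script is an added example of what the deployed script does; it is not the author's downloadable file nor Craig Wilson's original. It sets the per-provider ‘Disabled’ value for the Password and Windows Hello providers (CLSIDs taken from the list at the end of this article), refuses to run if it would disable the FIDO or smart card providers, and skips providers that are not registered on the host instead of creating stray keys. Set a value to 0 and redeploy to restore a provider.

```powershell
# Added example (not the article's or Craig Wilson's script). Disables the
# Password and Windows Hello credential providers so that only Security Key
# (FIDO2) and Smart Card sign-in remain. Must run as SYSTEM (the Intune
# default) or from an elevated prompt; reboot afterwards.

$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

# 1 = disabled, 0 = enabled. Comment out a line to leave that provider untouched;
# set a value to 0 and redeploy to restore it.
$providers = [ordered]@{
    '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}' = 1   # PasswordProvider
    '{cb82ea12-9f71-446d-89e1-8d0924e1256e}' = 1   # PINLogonProvider (Windows Hello PIN)
    '{C885AA15-1764-4293-B82A-0586ADD46B35}' = 1   # IrisCredentialProvider
    '{8AF662BF-65A0-4D0A-A540-A338A999D36F}' = 1   # FaceCredentialProvider
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 1   # WinBio Credential Provider (fingerprint)
    '{2135f72a-90b5-4ed3-a7f1-8bb705ac276a}' = 1   # PicturePasswordLogonProvider
}

# Providers this script must never disable: the FIDO providers being enforced
# and (per the recommendation earlier in the article) the smart card provider.
$protected = @(
    '{2D8B3101-E025-480D-917C-835522C7F628}',  # FIDO Credential Provider
    '{F8A1793B-7873-4046-B2A7-1F318747F427}',  # FIDO Credential Provider
    '{8FD7E19C-3BF7-489B-A72C-846AB3678C96}'   # Smartcard Credential Provider
)

# Guard against an edited table that would lock every user out of the device.
$bad = @($providers.Keys | Where-Object { $protected -contains $_ -and $providers[$_] -eq 1 })
if ($bad.Count -gt 0) {
    Write-Error "Refusing to disable protected provider(s): $($bad -join ', ')"
    exit 1   # non-zero exit marks the script as failed in Intune
}

foreach ($clsid in $providers.Keys) {
    $key = Join-Path $base $clsid
    if (-not (Test-Path $key)) {
        # Not every provider is registered on every build; do not create stray keys.
        Write-Warning "$clsid is not registered on this host, skipping"
        continue
    }
    # -Force overwrites an existing 'Disabled' value, so the script is idempotent.
    New-ItemProperty -Path $key -Name 'Disabled' -PropertyType DWord `
        -Value $providers[$clsid] -Force | Out-Null
    # The key's default value holds the provider's friendly name (e.g. PasswordProvider).
    $name = (Get-ItemProperty -Path $key).'(default)'
    Write-Output ("{0} ({1}) -> Disabled={2}" -f $clsid, $name, $providers[$clsid])
}
exit 0
```

Deploy it to a single test machine first, reboot, and confirm under ‘Sign-in options’ that only the security key (and smart card) remain before widening the assignment.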

Enforce security key sign-in with Group Policy

  1. Open / create a Group Policy
  2. Navigate to Computer Configuration > Policies > Administrative Templates > System > Logon
  3. Double-click on Exclude credential providers
  4. Click the ‘Enabled’ radio button and then, under ‘Options’, paste in the credential provider(s) you would like to exclude. For example, if you want to disable Picture logon, enter: {2135f72a-90b5-4ed3-a7f1-8bb705ac276a}. If you want to disable both Picture logon AND Passwords, enter: {2135f72a-90b5-4ed3-a7f1-8bb705ac276a},{60b78e88-ead8-445c-9cfd-0b87f74ea6cd} (note the separation by comma)
  5. Click OK and exit the group policy editor.
Enforcing security key sign-in is achieved by excluding other methods.

Enforce security key sign-in by editing registry

The following sections document alternative approaches to enforcing security key sign-in (removing the other methods) by modifying the system registry locally.

Using Command Prompt

If you want to exclude one or more credential providers from the command line (or you want to script this), the steps below provide a working example.

🛑 This example disables Password (!)

  1. Press the Windows key and type cmd
  2. Select Run as administrator
  3. Select Yes when prompted to run the app in elevated mode
  4. Provide the following input and press Enter
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}" /v Disabled /t REG_DWORD /d 1 /f

5. Type “exit” to close the Command Prompt

6. Reboot to apply changes.

Make sure you run the Command Prompt as administrator.
“PasswordProvider” shown disabled from command line (reboot to test).

Using Registry Editor

If you want to exclude one or more credential providers using the graphical Registry Editor, the steps below provide a working example.

🛑 This example disables Password (!)

  1. Press the Windows key and type regedit
  2. Again, select Run as administrator
  3. Select Yes when prompted to run the app in elevated mode
  4. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Authentication > Credential Providers and select the subkey of the provider to disable, i.e. {60b78e88-ead8-445c-9cfd-0b87f74ea6cd} (PasswordProvider) for this example
  5. Inside that subkey create a new DWORD (32-bit) Value named “Disabled” and set its data to 1
  6. Close the Registry Editor and reboot to apply changes.
Make sure you run the Registry Editor as administrator.
Create a DWORD with name “Disabled” and value of ‘1’ (“PasswordProvider” shown disabled).

Using a ready-made registry file

Finally, if you want to exclude one or more credential providers just by double-clicking a ready-made registry (.reg) file, I’ve got you covered as well!

🛑 This example disables Password (!)

  1. Download this file (right-click and select Save link as…)
  2. Double-click on the file
  3. Select Yes and then Yes followed by OK to apply the settings
  4. Reboot to apply changes.
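For reference, a .reg file equivalent to the one described above, written here as an added example rather than the author's downloaded file. It sets the same ‘Disabled’ value on the PasswordProvider key as the REG ADD command earlier in this section; change the dword to 00000000 (or delete the value) and re-import to restore password sign-in.

```reg
Windows Registry Editor Version 5.00

; Added example (not the author's file): disables PasswordProvider.
; Set dword:00000000 to re-enable. Reboot after import.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}]
"Disabled"=dword:00000001
```

Importing the file prompts for UAC elevation because it writes to HKEY_LOCAL_MACHINE; the change takes effect at the next logon screen after a reboot.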

Verification

To verify the outcome you simply need to reboot the target device and bring up the login screen. The credential providers that you have disabled should no longer be selectable under ‘Sign-in options’.

In the example below I have excluded the Password and the Windows Hello related providers, leaving Smart Card and FIDO (Security Key) providers.

Only the Security Key (and smart card) login options remain available.
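Checking the login screen by eye only tells you what one device shows after a reboot. The following added example (not part of the original article) inventories every credential provider registered on a host from an elevated PowerShell prompt, reading both the per-provider ‘Disabled’ value used by the script and registry methods and the comma-separated ExcludedCredentialProviders value that the Group Policy setting writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, and warns when the FIDO provider is gone or the password provider is still offered.

```powershell
# Added example (not from the original article). Lists every registered
# credential provider with its friendly name, its 'Disabled' value and whether
# it is on the Group Policy exclusion list, then flags the two mistakes that
# matter most: no FIDO provider left, or PasswordProvider still offered.

$base   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
# Key/value written by the "Exclude credential providers" policy (Logon.admx).
# The value is a comma-separated CLSID list and is absent when not configured.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

$excluded = @()
$raw = (Get-ItemProperty -Path $policy -Name 'ExcludedCredentialProviders' `
        -ErrorAction SilentlyContinue).ExcludedCredentialProviders
if ($raw) { $excluded = @($raw -split ',' | ForEach-Object { $_.Trim() }) }

$report = foreach ($key in Get-ChildItem -Path $base) {
    $clsid = $key.PSChildName
    $props = Get-ItemProperty -Path $key.PSPath
    # 'Disabled' is only present on providers someone has switched off or on.
    $disabledValue = if ($null -ne $props.Disabled) { $props.Disabled } else { '(not set)' }
    $byPolicy = [bool]($excluded -contains $clsid)      # -contains is case-insensitive
    [pscustomobject]@{
        CLSID          = $clsid
        Name           = $props.'(default)'              # friendly name, e.g. PasswordProvider
        Disabled       = $disabledValue
        ExcludedByGPO  = $byPolicy
        OfferedAtLogon = -not (($props.Disabled -eq 1) -or $byPolicy)
    }
}

$report | Sort-Object OfferedAtLogon, Name | Format-Table -AutoSize

# Sanity checks a practitioner wants before rebooting a test machine.
$fido = '{2D8B3101-E025-480D-917C-835522C7F628}', '{F8A1793B-7873-4046-B2A7-1F318747F427}'
if (-not ($report | Where-Object { $fido -contains $_.CLSID -and $_.OfferedAtLogon })) {
    Write-Warning 'No FIDO credential provider is offered at logon: security key sign-in will not work.'
}
$pw = $report | Where-Object CLSID -eq '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'
if ($pw -and $pw.OfferedAtLogon) {
    Write-Warning 'PasswordProvider is still offered at logon: password sign-in is not disabled yet.'
}
```

The report reflects the registry only; what the logon screen actually shows is determined at the next reboot, and a provider can additionally be hidden by a credential provider filter, so treat this as a pre-reboot check rather than proof. Running it on a machine targeted by both the Intune script and the GPO also shows which of the two mechanisms is responsible for each exclusion.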

List of Windows Credential Providers

For your benefit here is a list of credential providers in CLSID format.

This list is not exhaustive (you may have additional 3rd party credential providers in your environment). I have attempted to sort providers under categories (e.g. ‘Windows Hello’), but there may still be errors or omissions.

# PASSWORD
{60b78e88-ead8-445c-9cfd-0b87f74ea6cd} 'PasswordProvider'
{8841d728-1a76-4682-bb6f-a9ea53b4b3ba} 'PasswordProvider\LogonPasswordReset'

# WINDOWS HELLO
{cb82ea12-9f71-446d-89e1-8d0924e1256e} 'PINLogonProvider'
{C885AA15-1764-4293-B82A-0586ADD46B35} 'IrisCredentialProvider'
{8AF662BF-65A0-4D0A-A540-A338A999D36F} 'FaceCredentialProvider'
{BEC09223-B018-416D-A0AC-523971B639F5} 'WinBio Credential Provider'
{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD} 'TrustedSignal Credential Provider'

# PICTURE LOGON
{2135f72a-90b5-4ed3-a7f1-8bb705ac276a} 'PicturePasswordLogonProvider'

# SMART CARD
{1b283861-754f-4022-ad47-a5eaaa618894} 'Smartcard Reader Selection Provider'
{1ee7337f-85ac-45e2-a23c-37c753209769} 'Smartcard WinRT Provider'
{8FD7E19C-3BF7-489B-A72C-846AB3678C96} 'Smartcard Credential Provider'
{94596c7e-3744-41ce-893e-bbf09122f76a} 'Smartcard Pin Provider'

# FIDO2
{2D8B3101-E025-480D-917C-835522C7F628} 'FIDO Credential Provider'
{F8A1793B-7873-4046-B2A7-1F318747F427} 'FIDO Credential Provider'

# MISCELLANEOUS (MAY SORT UNDER OTHER CATEGORIES)
{600e7adb-da3e-41a4-9225-3c0399e88c0c} 'CngCredUICredentialProvider'
{25CBB996-92ED-457e-B28C-4774084BD562} 'GenericProvider'
{3dd6bec0-8193-4ffe-ae25-e08e39ea4063} 'NPProvider'
{D6886603-9D2F-4EB2-B667-1971041FA96B} 'NGC Credential Provider'
{F8A0B131-5F68-486c-8040-7E8FC3C85BB6} 'WLIDCredentialProvider'
{A910D941-9DA9-4656-8933-AA1EAE01F76E} 'Remote NGC Credential Provider'
{e74e57b0-6c6d-44d5-9cda-fb2df5ed7435} 'CertCredProvider'

I am a certified security professional with expertise in authentication, encryption and fine-grained access control. All opinions expressed here are my own.