We want smartcard or YubiKey login on workstations.
Smartcard or FIDO2 login (YubiKey, Feitian) on Windows workstations replaces passwords with a physical key. Requires either a PKI or Entra-FIDO2 setup and a process for issuance and loss.
Try this first
- 1Pick the path: traditional smartcard with AD CS PKI (Kerberos PKINIT), or modern FIDO2/Passkeys via Entra ID with hybrid Windows login.
- 2For FIDO2 (YubiKey): Entra ID, Security, Authentication methods, enable FIDO2. Workstations must be Windows 10 21H1+ and Entra-joined or hybrid joined.
- 3Hardware: users get a primary key and ideally a backup key (loss of the only key = lockout). Track serial numbers per user.
- 4Provisioning: users register a key themselves at aka.ms/MySecurityInfo, or helpdesk onboards them with a Temporary Access Pass.
- 5Comms: 'what if I lose my key' is the key question. Helpdesk procedure, backup key, optionally a short Microsoft Authenticator as fallback.
When to bring us in
For environments with legacy line-of-business apps that don't understand smartcard/FIDO2, route those apps via a separate auth flow, otherwise you end up with 'half MFA' which is worse than no MFA.
See also
- One DC or two DCs for an SMB office?Two is almost always the right answer; one DC is a single point of failure for logon, DNS and GPOs.
- Should I split FSMO roles across two DCs?For a small domain all on one DC is fine; with two DCs splitting is tidier but not required.
- How do I know my AD replication is healthy?Replication errors creep in silently; they only surface when logins or GPOs misbehave.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.