This guide walks you through setting up Allthenticate as a FIDO2 security key (passkey) on Windows devices. Once complete, you and your team will be able to sign in to Windows using the Allthenticator app on your phone — no passwords needed.
Once setup is complete, the Windows login screen will show a Security Key sign-in option (a key icon). Clicking it will send a prompt to the user's phone via the Allthenticator app. After completing the biometric check on the phone, the PC unlocks — no password required.
<aside> ℹ️
The following steps are performed once by an IT administrator in the Microsoft Entra portal.
</aside>
Before starting, confirm the following on every device that will use Allthenticate:
Windows 10 Pro (v1903 or higher) or Windows 11 Pro — FIDO passkeys require a Pro edition of Windows.
<aside> 💡
To verify, go to Settings → System → About → Windows specifications and confirm the edition says "Pro" (not "Home").
</aside>
The computer must be Microsoft Entra joined — This is required for FIDO2 passkey sign-in to work. To verify, open a terminal and run: dsregcmd /status. Look for the line that says AzureAdJoined : YES. If it says NO, the device must be joined to Entra before proceeding.
You have local administrator privileges on the machine.
Ensure that Bluetooth drivers are up-to-date.
Bluetooth is enabled — If your computer does not have built-in Bluetooth, we recommend purchasing a Bluetooth Low Energy (BLE) dongle such as this one on Amazon for best performance. We DO NOT recommend using the TP-Link BLE dongles.
<aside> 💡
Confirm all of Microsoft’s requirements are satisfied.
</aside>
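The device checks above can be run in one pass from PowerShell. This script is an added example, not part of the Allthenticate or Microsoft tooling; it only reads system state. Assumptions: build 18362 stands in for version 1903, a working Bluetooth-class device stands in for "Bluetooth is enabled", and the administrator check reflects whether the current session is elevated. Driver currency is not checked.

```powershell
# Added example: read-only prerequisite check for a single Windows device.
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber

# Edition: the caption reads e.g. "Microsoft Windows 11 Pro".
$isPro = $os.Caption -match '\bPro\b'

# Windows 10 version 1903 is build 18362; every Windows 11 build is higher.
$isSupportedBuild = $build -ge 18362

# dsregcmd prints "AzureAdJoined : YES" on an Entra-joined device.
$isEntraJoined = [bool](dsregcmd /status |
    Select-String -Pattern 'AzureAdJoined\s*:\s*YES')

# True only in an elevated session. An administrator in a non-elevated
# prompt shows False here because of UAC, so rerun elevated to confirm.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# Assumption: at least one Bluetooth-class device in status OK means a
# usable radio (built-in or dongle) is present and enabled.
$bt = @(Get-PnpDevice -Class Bluetooth -Status OK -ErrorAction SilentlyContinue)
$hasBluetooth = $bt.Count -gt 0

$checks = [ordered]@{
    "Pro edition ($($os.Caption))"      = $isPro
    "Build 18362 or later ($build)"     = $isSupportedBuild
    'Microsoft Entra joined'            = $isEntraJoined
    'Elevated administrator session'    = $isAdmin
    'Bluetooth device present and OK'   = $hasBluetooth
}

# Print one row per prerequisite.
$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Pass = $_.Value } } |
    Format-Table -AutoSize

# List anything that still needs attention before setup continues.
$failed = $checks.GetEnumerator() | Where-Object { -not $_.Value }
foreach ($f in $failed) { Write-Warning "Prerequisite not met: $($f.Key)" }
```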
