Windows Desktop Login 2.0 Admin Guide


This article explains how to set up and manage Beyond Identity Windows Desktop Login 2.0 using YubiKeys for secure, passwordless authentication on domain-joined or hybrid Windows devices, including prerequisites, enrollment, configuration, and troubleshooting.


Operating System: Windows 10 and up

Feature: Beyond Identity Windows Desktop Login with YubiKeys

Limitations

This release of our product enables customers to protect the following:

  • Windows desktop logins

  • RDP sessions

Please note: Desktop logins within VDI environments (e.g., Citrix, Omnissa) are not supported at this time.

We are continuously expanding support for additional use cases.

***GENERAL AVAILABILITY***

Overview

Beyond Identity integrates with Microsoft Windows to enable secure, passwordless desktop logins using YubiKey 5 Series devices. By replacing traditional passwords with smart card–based credentials, this solution delivers strong, phishing-resistant authentication and significantly reduces the risk of credential theft.

For IT administrators, deploying Beyond Identity with Windows Desktop Login 2.0 strengthens organizational security, simplifies the login experience, and supports alignment with industry best practices for identity protection.

This article provides IT administrators with information on:

1. Current Limitations

  • Windows Desktop Login 2.0 is currently supported for Microsoft Domain Joined or Hybrid Joined Devices. Entra ID-only devices are not supported.

  • A Primary Refresh Token (PRT) is not automatically obtained upon login.

  • Re-enrolling the same YubiKey multiple times may cause Windows to enter a state that requires a reboot before continuing the enrollment process.

  • The user interface for both the Platform Authenticator and the Admin Console (web interface) is still in a draft state and subject to change.

  • YubiKeys enrolled during the early access period may become invalid as we approach the final release.

2. Prerequisites

  • A Beyond Identity Secure Work tenant

  • Windows Active Directory and Entra ID

  • A physical YubiKey 5 Series device manufactured by Yubico, such as:

    • YubiKey 5C NFC (USB-C)

    • YubiKey 5C NFC (USB-A)

    • YubiKey 5C Nano (USB-C)

    • YubiKey 5C Nano (USB-A)

    • YubiKey 5C

    • YubiKey 5Ci

    • YubiKey 5C NFC FIPS (USB-C)

    • YubiKey 5C NFC FIPS (USB-A)

    • YubiKey 5C Nano FIPS (USB-C)

    • YubiKey 5C Nano FIPS (USB-A)

    • YubiKey 5C FIPS

    • YubiKey 5Ci FIPS

  • A Windows PC with the Beyond Identity Windows System Platform Authenticator installed.

3. Configure Active Directory and Entra to Use WDL 2.0

Before you begin, ensure that your Secure Work tenant is fully set up and configured.

3a. Configuring Active Directory for Windows Desktop Login

First, you must configure Active Directory to trust the Beyond Identity Certificate Authority in order to use smart card logon certificates issued by Beyond Identity for domain login. Follow the steps below to complete the configuration.

  1. Download the .zip file containing the three Beyond Identity certificates from the link below, and save it to a convenient location on your Active Directory server:
    https://api-us.beyondidentity.com/v1/tenants/wdl/realms/preview/applications/a/certificate-chain

  2. Next, unzip the file. This guide assumes you extract the contents to the following path:
    C:\tmp\bi_ca (see the image below).
    [Image: config AD.png]
    The list below describes the root certificate and the two intermediate certificates that make up the current Beyond Identity Certificate Authority. These certificates must be trusted by your Active Directory environment; the following section explains how to configure this trust.

    000_certificate.cer
      Purpose: Issues the smart card logon certificates.
      Subject: CN=Beyond Identity Intermediate CA 1.2.2, O=Beyond Identity, Inc., C=US

    001_certificate.cer
      Purpose: Issues 000_certificate.cer (the intermediate CA that in turn issues the smart card logon certificates).
      Subject: CN=Beyond Identity Intermediate CA 1.1.2, O=Beyond Identity, Inc., C=US

    002_certificate.cer
      Purpose: This is the Beyond Identity Root CA, the top of the chain.
      Subject: CN=Beyond Identity Root CA 1, O=Beyond Identity, Inc., C=US

3b. Configuring Active Directory to Trust the Beyond Identity Certificate Authority

To establish trust for the Beyond Identity CA in your Active Directory environment, follow these steps from an administrative Command Prompt or PowerShell session:

1. Navigate to the directory containing the extracted certificates:

cd C:\tmp\bi_ca

2. Add the certificates to the appropriate certificate stores:

certutil -addstore -f Root 002_certificate.cer
certutil -addstore -f CA 001_certificate.cer
certutil -addstore -f CA 000_certificate.cer

3. Publish the certificates to Active Directory:

certutil -dspublish -f 002_certificate.cer RootCA
certutil -dspublish -f 000_certificate.cer SubCA
certutil -dspublish -f 001_certificate.cer SubCA

4. Publish the certificates to the NTAuth store (required for smart card logon):

certutil -dspublish -f 000_certificate.cer NTAuthCA
certutil -dspublish -f 001_certificate.cer NTAuthCA
certutil -dspublish -f 002_certificate.cer NTAuthCA

5. Force a Group Policy update to apply changes:

gpupdate /force

6. (If needed) Force Active Directory replication:

repadmin /syncall /AdeP

You can see the result of the certutil commands by running certmgr.msc and looking under Trusted Root Certification Authorities:

  • Beyond Identity Root CA 1

[Image: Beyond Identity Root CA 1.png]

And by looking under Intermediate Certification Authorities:

  • Beyond Identity Intermediate CA 1.1.2

  • Beyond Identity Intermediate CA 1.2.2

[Image: Intermediate Certification Authorities.png]
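As an added check (this script is not part of the Beyond Identity guide), the following PowerShell, run on a Domain Controller with the ActiveDirectory RSAT module, confirms that the three certificates from section 3a are present in the local Root and CA stores and published to the forest-wide NTAuthCertificates object, which smart card logon depends on. The common names come from the table in 3a; the store and directory locations are standard Windows ones, and the checks themselves are this example's own.

```powershell
# Added verification script (not Beyond Identity's own code): check that the three
# CA certificates from section 3a are trusted locally and published to NTAuth.
Import-Module ActiveDirectory

# Common names from the certificate table in section 3a, with the local store each
# one should land in after the certutil -addstore steps.
$expected = @(
    @{ CN = 'Beyond Identity Root CA 1';             LocalStore = 'Root' },
    @{ CN = 'Beyond Identity Intermediate CA 1.1.2'; LocalStore = 'CA' },
    @{ CN = 'Beyond Identity Intermediate CA 1.2.2'; LocalStore = 'CA' }
)

function Get-CommonName([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert) {
    # SimpleName returns the CN and avoids the escaping differences ("O=Beyond Identity\, Inc.")
    # that make comparing the full Subject string unreliable.
    $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
}

# The NTAuthCertificates object in the Configuration partition holds the CAs that the
# KDC accepts for smart card logon (what "certutil -dspublish ... NTAuthCA" writes to).
$configNC = (Get-ADRootDSE).configurationNamingContext
$ntAuthDn = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$ntAuthCns = (Get-ADObject -Identity $ntAuthDn -Properties cACertificate).cACertificate |
    ForEach-Object { Get-CommonName ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_)) }

$problems = 0
$now = Get-Date
foreach ($e in $expected) {
    $local = @(Get-ChildItem "Cert:\LocalMachine\$($e.LocalStore)" | Where-Object { (Get-CommonName $_) -eq $e.CN })
    if ($local.Count -gt 0) {
        Write-Host "OK   $($e.CN) is in LocalMachine\$($e.LocalStore) (thumbprint $($local[0].Thumbprint))"
        # certutil -addstore does not check validity dates, so flag expired or not-yet-valid copies.
        foreach ($c in $local) {
            if ($c.NotAfter -lt $now -or $c.NotBefore -gt $now) {
                Write-Warning "$($e.CN): outside its validity period ($($c.NotBefore) to $($c.NotAfter))"
                $problems++
            }
        }
    } else {
        Write-Warning "$($e.CN) is missing from LocalMachine\$($e.LocalStore); re-run certutil -addstore"
        $problems++
    }

    if ($ntAuthCns -contains $e.CN) {
        Write-Host "OK   $($e.CN) is published in NTAuthCertificates"
    } else {
        Write-Warning "$($e.CN) is not in NTAuthCertificates; re-run certutil -dspublish ... NTAuthCA and replicate"
        $problems++
    }
}

if ($problems -eq 0) { Write-Host "All Beyond Identity CA certificates are trusted locally and in NTAuth." -ForegroundColor Green; exit 0 }
Write-Host "$problems problem(s) found." -ForegroundColor Red
exit 1
```

A missing NTAuth entry is the condition behind the second error screen in section 3g, so this is the first thing to run when logons fail right after configuration.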

CRL Access Requirements

To ensure proper certificate validation, all Domain Controllers must have internet access to the following base URLs:

  • http://crl.rootca.beyondidentity.com/

  • http://crl.ca2.beyondidentity.com/

  • http://crl-us.beyondidentity.com/

In addition, verify that each Domain Controller can directly access the specific Certificate Revocation Lists (CRLs) at these URLs:

  • http://crl.rootca.beyondidentity.com/crl/710d7f1b-90ac-4aed-a2f3-36388282ce3b.crl

  • http://crl.ca2.beyondidentity.com/crl/5cc079ab-79a4-43bb-8070-873773f07cec.crl

  • http://crl-us.beyondidentity.com/v1/issuers/C%3DUS%2C%20O%3DBeyond%20Identity%5C%2C%20Inc.%2C%20CN%3DBeyond%20Identity%20Intermediate%20CA%201.2.2/crl

    Note: Lack of access to these CRLs may prevent proper certificate validation and result in authentication failures.

3c. Configuring a Windows PC for YubiKey Usage

To enroll users for Windows Desktop Login 2.0 using YubiKeys, follow the steps below.

Steps

1. Download the YubiKey Smart Card Minidriver for Windows. Be sure to select the version that matches your Windows system specifications: Windows Minidriver downloads

Note: We recommend using the MSI installer rather than the CAB option when configuring an individual machine for testing.

2. Next, begin the Minidriver installation process.

[Image: install minidriver.png]

3. Ensure the Beyond Identity Windows System Platform Authenticator is installed.
Click the link to download the Authenticator: https://beyond-identity-production-downloads.s3.us-west-2.amazonaws.com/msi/BeyondIdentitySystem-2.103.2-3.msi

4. Check that users logged in to Windows have a passkey registered to the Windows Platform Authenticator. The Username field (see the image below) is used as the UserPrincipalName (UPN) when the smart card logon certificate is created. This must match a UPN in Active Directory (Entra ID).

[Image: username.png]

Enabling User Enrollment

5. To allow users to enroll a YubiKey directly from the Windows Platform Authenticator, you must enable the self-enrollment feature using the BIConfigure.exe tool from an administrative command prompt:

"c:\Program Files\BeyondIdentity\Tools\BIConfigure" --set-wdl-type modern


3d. Configuring Policy

You can specify the conditions under which users are permitted to enroll themselves or others with a YubiKey.

In the Policy Editor, a new transaction type is now available: Desktop Login Enrollment.
This transaction type introduces a unique attribute:

'This user is enrolling <For themselves> <For someone else>' (see the image below).

With this attribute, you can easily define policies that control, for example, which user groups are allowed to enroll themselves (typically an end-user function), and which groups can enroll on behalf of others (usually an administrator’s responsibility).

[Image: Screenshot 2025-06-06 at 3.42.12 PM.png]

3e. Viewing Event Logs

  1. To view event logs of user activity, log in to your tenant at https://admin.byndid.com/

  2. Then, click Events from the left-hand navigation panel.
    [Image: event logs.png]

  3. To view event log details, click the event's Date & time.
    [Image: event logs drill-down.png]

3f. Remediating a Blocked YubiKey

If a user enters an incorrect PIN too many times in a row, the YubiKey will become locked. To resolve this, there are three available options:

  1. Unblock the YubiKey using the PUK code
    An administrator must click the Reveal PUK button in the Beyond Identity administrative console. The user must then physically access a machine with Yubico Manager installed. In Yubico Manager, navigate to:

    Applications > PIV > PIN > Management > Unblock

    Then, enter the revealed PUK and set a new PIN.

  2. User re-enrollment via the Windows authenticator
    The user must log in to a machine with the Windows Authenticator installed and their passkey available. They can re-enroll the YubiKey by selecting their passkey and choosing Manage Desktop Login. This process will overwrite the existing credential on the YubiKey with a new one.

  3. Administrator-assisted re-enrollment
    An administrator can perform the re-enrollment on a machine that has the Windows Authenticator installed and where the administrator's passkey is available.

    • Open https://admin.byndid.com/

    • Click Users from the left-hand navigation panel

    • Select the affected user

    • Initiate YubiKey re-enrollment
      This will overwrite the locked YubiKey with a new, valid credential.

3g. Error Messages

The following screens may be displayed when errors occur; each is listed with its likely cause.

[Image: 1.png]

The Active Directory server does not trust the Beyond Identity CA Certificates.

[Image: 2.png]

The Beyond Identity Certificate Authority certificates are not stored in NTAuthCA.

[Image: 3.png]

The PIN entered by the user does not match the PIN used at enrollment.

[Image: 4.png]

The user entered the wrong PIN multiple times.

[Image: 5.png]

If you are using a new smart card on a PC that isn't connected to its domain controller, you will see this message.

[Image: 6.png]

If you log in with a smartcard containing a domain suffix unknown to AD, you will get the error: “Your credentials could not be verified.”

Also, on the PC from which you attempted to log in, you'll see System Log Event ID 11, with the description:

“The Distinguished Name in the subject field of your smart card logon certificate does not contain enough information to identify the appropriate domain on a non-domain joined computer.”

Reason:

This can occur if the SID in the certificate does not match the object SID of the user it maps to.

The log you'll get is System Log Event ID 41, with the General tab showing:

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          5/17/2025 12:58:03 PM
Event ID:      41
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server1.bi.sethcall.com

Description: The Key Distribution Center (KDC) encountered a user certificate that was valid but contained a different SID than the user to which it mapped. As a result, the request involving the certificate failed. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more.

User: john.doe

User SID: S-1-5-21-95967616-770253833-872112096-12608

Certificate Subject: @@@CN=SmartCard User 1

Certificate Issuer: Dummy Root CA

Certificate Serial Number: 52F8F0B8059E992D7E85B05743A6F750D1F4A9DC

Certificate Thumbprint: DE20C0AF27E03DA114AEDA292ED00489ABC8F73D

Certificate Issuance Policies:

Certificate SID: S-1-5-21-1468012755-800561317-457473099-500


You may also see “Your credentials could not be verified”, corresponding to the following event:

  • Event Log Warning: Microsoft-Windows-Kerberos-Key-Distribution-Center | Event ID 39.

Example

The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user via explicit mapping. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more.

User: john.doe

Certificate Subject: @@@O=wdl-hybrid-staging, CN=Seth Call

Certificate Issuer: Staging Beyond Identity Intermediate CA 1.2.2

Certificate Serial Number: 515AB74D9A59BC635869D7618B58BF39BF7AF93C

Certificate Thumbprint: 6FF07463F7850C0DD44BAC24F449FD1F834C6578
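To triage these failures from the logs rather than from the login screen, the following PowerShell script (an added example, not from the Beyond Identity guide) collects the KDC events 39 and 41 and the client-side Event ID 11 quoted above from the System log and annotates each with the likely cause this section gives. Run it on a Domain Controller for the KDC events and on the client PC for Event ID 11; the $Hours parameter, the message-text match for Event ID 11 (the guide does not name its provider) and the cause summaries are this example's own.

```powershell
# Added triage script (not Beyond Identity's own code): list recent smart card logon
# failures from the System log with the likely cause described in section 3g.
param([int] $Hours = 24)

$since = (Get-Date).AddHours(-$Hours)
$kdc = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'

# Likely cause per signal, summarised from the explanations in this section.
$causes = @{
    "$kdc/41"   = 'Certificate SID differs from the SID of the user it mapped to (compare the "User SID" and "Certificate SID" lines in the event).'
    "$kdc/39"   = 'Certificate is valid but could not be mapped to a user securely (the UPN/SID on the certificate does not identify an AD user).'
    'System/11' = 'Subject DN on the smart card certificate does not identify the domain (unknown domain suffix, or PC not joined to / reachable by its domain).'
}

function Get-SmartCardLogonFailures {
    param([datetime] $Since)
    $findings = @()

    # KDC events exist only on Domain Controllers; elsewhere the filter simply returns nothing.
    $kdcEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = $kdc; Id = 39, 41; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($ev in $kdcEvents) {
        # The KDC description carries "User: <name>" and "Certificate Thumbprint: <hex>" lines (see the examples above).
        $user  = if ($ev.Message -match 'User:\s*(\S+)') { $Matches[1] } else { '?' }
        $thumb = if ($ev.Message -match 'Certificate Thumbprint:\s*([0-9A-Fa-f]+)') { $Matches[1] } else { '?' }
        $findings += [pscustomobject]@{
            Time = $ev.TimeCreated; Id = $ev.Id; User = $user; Thumbprint = $thumb
            LikelyCause = $causes["$kdc/$($ev.Id)"]
        }
    }

    # Client-side Event ID 11 is matched on its message text because this guide does not name its provider.
    $clientEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 11; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*smart card logon certificate*' }
    foreach ($ev in $clientEvents) {
        $findings += [pscustomobject]@{ Time = $ev.TimeCreated; Id = 11; User = '?'; Thumbprint = '?'; LikelyCause = $causes['System/11'] }
    }
    $findings | Sort-Object Time
}

$results = Get-SmartCardLogonFailures -Since $since
if (-not $results) { Write-Host "No smart card logon failures found in the last $Hours hour(s)."; return }
$results | Format-Table -AutoSize -Wrap
```

The thumbprint column lets you match a failing logon to the exact certificate listed under the user's Desktop login passkeys in the admin console before deciding whether to revoke or re-enroll it.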

4. Enroll Users

4a. Enrolling a User's YubiKey (On-Behalf-Of Enrollment)

To enroll a user's YubiKey to your tenant, follow these steps:

  1. Log in to your tenant at https://admin.byndid.com/

  2. Then, from the left-hand navigation panel, click Users.
    [Image: click users from UI.png]

  3. Select a user from the list by clicking their name.

  4. Next, click Enroll a Passkey, and select the Desktop Login Passkey option from the drop-down.
    [Image: enroll a user yourself.png]

  5. Plug in the YubiKey for the user and follow the rest of the prompts.
    [Image: plug in key for user.png]

4b. The End User Self-Enrollment Process

To learn about the self-enrollment process for users, click here.


4c. Listing Windows Login Passkeys for a Given User

  1. To view users enrolled with YubiKeys, log in to your tenant at https://admin.byndid.com/

  2. Then, from the left-hand navigation panel, click Users.
    [Image: click users from UI.png]

  3. Click the Desktop login passkeys tab to view the list of users able to enroll with a YubiKey.
    [Image: vuew enrolled users2.png]

5. Manage Users

5a. Revoking a User's YubiKey Credential

  1. To revoke a user's YubiKey credential, log in to your tenant at https://admin.byndid.com/

  2. Click Users from the left-hand navigation, then select the Desktop login passkeys tab.
    [Image: vuew enrolled users2.png]

  3. Under the Actions column, click the pencil icon to revoke the user's credential.
    [Image: revoke action.png]

  4. Click Revoke certificate.

    Note: This action cannot be undone.

    [Image: revoke button.png]

6. Troubleshooting

6a. Verifying Connectivity to Certificate Revocation Lists (CRLs)

To ensure YubiKey authentication is functioning correctly, your system must be able to access the Certificate Revocation Lists (CRLs) published by Beyond Identity. These CRLs are used to validate that certificates have not been revoked.


Steps

1. On a Domain Controller, open Notepad or any text editor.

2. Paste the following PowerShell script into a new file:

# Define the list of CRL URLs (the three CRLs from the "CRL Access Requirements" section)
$crlUrls = @(
    "http://crl.rootca.beyondidentity.com/crl/710d7f1b-90ac-4aed-a2f3-36388282ce3b.crl",
    "http://crl.ca2.beyondidentity.com/crl/5cc079ab-79a4-43bb-8070-873773f07cec.crl",
    "http://crl-us.beyondidentity.com/v1/issuers/C%3DUS%2C%20O%3DBeyond%20Identity%5C%2C%20Inc.%2C%20CN%3DBeyond%20Identity%20Intermediate%20CA%201.2.2/crl"
)

# Define output directory next to this script ($PSScriptRoot is only populated when run from a saved .ps1 file)
$outputDir = "$PSScriptRoot\DownloadedCRLs"
New-Item -ItemType Directory -Force -Path $outputDir | Out-Null

# Download and verify each CRL
$allSuccessful = $true
foreach ($url in $crlUrls) {
    try {
        $uri = [System.Uri]$url
        # The last path segment becomes the local file name ("crl" for the third URL)
        $fileName = [System.IO.Path]::GetFileName($uri.LocalPath)
        $filePath = Join-Path $outputDir $fileName

        Write-Host "Downloading $url ..."
        # -UseBasicParsing avoids the Internet Explorer engine dependency of Invoke-WebRequest on Windows PowerShell 5.1
        Invoke-WebRequest -Uri $url -OutFile $filePath -UseBasicParsing -ErrorAction Stop -TimeoutSec 5

        # A zero-byte file means the server answered but returned no CRL, so treat it as a failure too
        if ((Test-Path $filePath -PathType Leaf) -and ((Get-Item $filePath).Length -gt 0)) {
            Write-Host "Successfully downloaded: $fileName`n" -ForegroundColor Green
        } else {
            Write-Warning "Download failed or empty file: $fileName`n`n"
            $allSuccessful = $false
        }
    } catch {
        Write-Warning "$($_.Exception.Message)`n`n"
        $allSuccessful = $false
    }
}

if ($allSuccessful) {
    Write-Host "`nAll CRLs were successfully downloaded." -ForegroundColor Green
    exit 0
} else {
    Write-Host "`nOne or more CRLs failed to download." -ForegroundColor Red
    exit 1
}

3. Save the file as test-crl.ps1.

4. Open PowerShell as Administrator and run:

powershell.exe .\test-crl.ps1

5. If everything works correctly, you will see messages like:

Downloading http://crl.rootca.beyondidentity.com/...
Successfully downloaded: 710d7f1b-...ce3b.crl

Downloading http://crl.ca2.beyondidentity.com/...
Successfully downloaded: 5cc079ab-...7cec.crl

Downloading http://crl-us.beyondidentity.com/...
Successfully downloaded: crl

All CRLs were successfully downloaded.

If any CRLs fail to download, confirm the Domain Controller can access the URLs and is not blocked by a firewall, proxy, or DNS issues.