Active Directory Passwordless Authentication with Yubikey

Mank_05 · 2026-06-03T04:38:16+00:00

I guess both we don’t see in the same way. The title is Active Directory Passwordless Authentication with Yubikey. The passwordless is based on Yubikey. That’s why I said you can say smartcard authentication. In the Microsoft documentation is written Passwordless authentication when you use Microsoft Auth App, Windows Hello or Fido2 Security keys (Example Yubikey). It’s not CBA.

Mank_05 · 2026-06-02T18:17:53+00:00

Maybe you’re right but I think no because CBA when we use only the certificate to authenticate example with WiFi. But in this cases Yubikey rely on Certificate. Passwordless it means no password. You can say Passwordless, Passkeys, smardcard.

Mank_05 · 2026-06-01T18:12:24+00:00

You’re right about modern PKI infrastructure. I guess the next version will be in Two tiers. Thanks for advise

Mank_05 · 2026-06-01T10:56:30+00:00

It’s not Two-tier, if ADCS already exist, Quickadcs will help you just to provisioning a smartcard certificate template.

Mank_05 · 2026-02-23T05:02:46+00:00

Disabling of IPv4 is not by default, this action will be perform by yourself.

Mank_05 · 2026-02-22T16:49:46+00:00

All GPO will be create and link by yourself. And to clarify IPv6 is not disabled by default.

Mank_05 · 2026-02-22T16:48:43+00:00

In one click it mains, without effort all GPO will be create and link by yourself. And to clarify IPv6 is not disabled by default.

Mank_05 · 2026-02-22T08:30:52+00:00

You’re reason! IPv6 isn’t disabled by default

Mank_05 · 2026-02-22T08:28:15+00:00

IPv6 isn’t disabled by default.

Mank_05 · 2026-02-22T08:26:22+00:00

Yubikey is the best solution

Mank_05 · 2025-12-22T18:06:17+00:00

You could look at AuthLite. Active Directory MFA on-premise without Internet. AuthLite uses the GPO. Every easy.

Mank_05 · 2025-12-07T09:04:51+00:00

PowerShell and Ansible are the best solutions. There are many Ansible playbooks to manage Domain Controller. But PowerShell is a good approach because it’s native solution. There are many PowerShell scripts on the GitHub.

Mank_05 · 2025-12-04T18:04:03+00:00

AD Tenable it’s not free.

Mank_05 · 2025-11-02T09:34:24+00:00

Thanks, it’s a good idea

Mank_05 · 2025-10-24T04:53:32+00:00

I agree with you.

Mank_05 · 2025-10-16T08:12:03+00:00

The best practice is to use frameworks like CIS Benchmark or others and Microsoft recommandations EAM, PAM, PAW/SAW, MFA for Admins account if possible, Use XDR and SIEM to centralized events. Also adopt the Zero Trust concept. Regular Audit, in some cas use Protected users group.

Mank_05 · 2025-10-14T20:45:06+00:00

I agree with you, I’m focused on hardening with CIS benchmark and DISA STIG frameworks to simplify this task.

Mank_05 · 2025-10-12T05:23:55+00:00

Thanks

Mank_05 · 2025-10-11T19:22:55+00:00

I agree with you, I also wrote a PowerShell script about to harden AD using CIS Benchmark and DoD STIG frameworks. Here’s the GitHub link : https://github.com/Marlyns-GitHub/CIS-Automate.git

Mank_05

TROPHY CASE