Prevent disabling passkeys on Windows

I recently read an article from Dr. Emin Huseynov about the toggle in Windows settings that disables passkeys for every user.

While there can be specific circumstances where an organization may intentionally disable passkey usage, I – passkey fan – want to make sure it is enabled.

I did not find any official solution to restrict disabling passkeys, so I share my approach.

TL;DR

The toggle state can be queried via registry
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
  CapabilityAccessManager\ConsentStore\passkeys\Value (REG_SZ) = Deny / Allow
When you slide the toggle to on, the following command kicks in:
- “C:\Windows\system32\SystemSettingsAdminFlows.exe” SetCamSystemGlobal passkeys 1
We know how to detect the drift and how to remediate, it’s up to our favorite device management solution to handle it (I’m sharing my first Intune remediation script – but don’t worry SCCM, you will always be my favorite)

Note: It is not enough to set the registry value to “Allow”. The command above invokes “svchost.exe -k osprivacy -p -s camsvc” which applies the relevant settings.

I guess I summarized everything so let’s cut to the Intune remediation.

Detection script:

if ((Get-ItemPropertyValue -Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\passkeys -Name "Value") -eq "Allow"){exit 0}else{exit 1}

Remediation script:

cmd /c "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetCamSystemGlobal passkeys 1

Create the Intune setting:

Upload the detection and remediation scripts. As per my experience, this requires admin privileges so make sure “Run this script using the logged-on credentials” is set to “No” and “Run script in 64-bit PowerShell” is set to “Yes” (registry detection would fail because of the 32bit redirection)

I guess this can be deployed to All devices, but for testing purposes I deployed it to a dedicated group with Hourly schedule:

After “enforcing” the remediation, the issue is now fixed:

Happy passkeying!

by Daniel Kovacs on April 18, 2026 • Permalink

Posted in Intune, PowerShell

Tagged Intune, passkeys, PowerShell

Posted by Daniel Kovacs on April 18, 2026

https://f12.hu/2026/04/18/prevent-disabling-passkeys-on-windows/

Comments are closed.

Archives
Categories
- AlwaysOn VPN
- Android
- AOVPN
- App configuration policy
- AzureAD
- Bitlocker
- Conditional Access
- Defender
- Edge
- Entra Workload Identities
- EntraID
- Exchange
- Exchange Online
- GPO
- GraphAPI
- Intune
- KQL
- M365
- MDI
- PowerShell
- SCCM
- SharePoint Online
- Uncategorized
- Windows Hello for Business
Disclaimer

The information on this website is provided for informational purposes only and I make no warranties, either express or implied. Information in these documents, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user.

The postings on this site are my own and do not necessarily represent the postings, strategies or opinions of my employer.
Social

LinkedIn

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Recent Posts

Recent Comments

Prevent disabling passkeys on Windows

Archives

Categories

Disclaimer

Social