As Microsoft touts Windows Insider for biz, let's take a look at W10's broken 2FA logins
Smart card support busted? Redmond says: ¯\_(ツ)_/¯
For months now, the Windows 10 Anniversary Update has broken two-factor logins using certain smart cards – and Microsoft has refused to discuss it.
According to Reg readers writing in, and W10 users on support forums, folks who have Yubikey two-factor authentication gadgets have been hitting frustrating error messages when trying to log in with the latest flavor of Windows 10. Ideally, you plug your key into the USB port and type in your password, and together they authenticate you. For some, that stopped working.
In forum posts dating back all the way to September 2016, fed-up Microsoft customers have complained that when logging in locally to their machines with the smart cards, they get "Error 7" messages. The cards still work on earlier editions of Windows, and users running bleeding-edge Windows Insider builds say their cards now work.
Other users report speaking with Yubikey support staffers on this issue, only to be told the problem was on Microsoft's end – and that there was no timetable for it to be fixed.
Despite this issue having been reported on for several months now, Redmond is keeping quiet. We asked the operating system giant for comment, and in return we got silence: no explanation, no workaround, no nothing. The lights are on, the barriers are down, but no train is coming.
"There is a bug in the windows 10 Anniversary Update that prevents the use of Yubikey smart cards for local login," one cheesed-off Reg reader, a director-level tech pro in the UK, told us.
"This showstopper of a bug must be known to Microsoft, as they have fixed it in the Insider preview fast-ring release. They will not publicly acknowledge it, and there is no suggestion that they will patch it either."
We pinged Yubikey-maker Yubico earlier in the day about this login issue. A couple of hours later, just as we were going to press, a spokesperson for the security hardware biz got in touch to say a hotfix is available to address the problem. This update was quietly crafted at the end of January, and will not automatically install. The spokesperson said:
We have confirmation from Microsoft that a hotfix has been released on the Windows Update Catalog that should solve the Windows 10 smart card login issue with the YubiKey. We do not have a timeframe when this will be available as an automatic Windows Update but it is available for a manual download and installation. We’ve done testing in our lab environment and found this has indeed solved the issue.
You can grab the fix, KB3216755, from here. Let your Yubico-using friends know about this bug fix because Microsoft won't.
Meanwhile, Redmond has kicked February's Patch Tuesday into next month: any bug fixes due to be released and installed this week will be rolled into patches released on March 14. Microsoft may be having problems with its build and distribution systems, hence the delayed Windows updates and the embarrassed silence.
Windows Insider previews for enterprises
Speaking of buggy, not-ready-for-business operating systems, Microsoft is going to offer company IT departments the chance to get in on the Windows Insider program. The Insider scheme gives loyalists an early look at forthcoming features, bugs and other beta-grade software in Windows 10. Folks can test drive the code, and send feedback to Redmond's product managers.
And soon, Microsoft's Insider for IT Professionals program will let corporate techies test out upcoming versions of Windows 10 within enterprise environments before the new builds are released, (presumably so sysadmins can check in advance for things like whether an update breaks Yubikey authentication).
"The Windows Insider Program recognizes IT Professionals as a critical asset to any organization," purrs Microsoft in its pitch to the industry.
"From managing complex environments that incorporate Microsoft systems, to managing how they integrate with other applications inside their organization, IT Professionals understand ‘mission critical’ and know how to think through and resolve deployment issues. They are the front-line IT heroes of any organization. But we don’t have to tell you this.
"In the coming months, we’ll be adding additional features to the existing Windows Insider Program to better support you in your job. Incorporating the Windows Insider Program for IT Professionals into your deployment plans enables you to prepare your organization for Windows 10, to deploy new services and tools more quickly, to secure your applications, to increase productivity giving you confidence in the stability of your environment."
The program will encourage IT pros to share advice among themselves on testing Windows 10 Insider builds on work systems; to vote on which bugs should be prioritized for fixes; to give feedback on how the operating system copes with business workflows; and to open a channel of comms between sysadmins and the Windows team. Let's hope they fare better than Yubikey owners.
Microsoft has not yet said exactly when the program will go live, although you can register your interest using the above link. ®