Implementing SCRIL with FIDO2 Security Keys: Key Questions

Asked By TechSavvy101 On

I'm looking to implement SCRIL while using FIDO2 security keys for user authentication. Users have already registered their FIDO2 keys with Windows Hello for Business (WHFB) and set up a 6-digit PIN, allowing them to avoid using passwords on their devices, especially on shared workstations. As we transition to an Entra-only environment from hybrid join, I have a few questions:

1. Is it possible to use LAPS (Local Administrator Password Solution) with SCRIL for managing UAC (User Account Control) prompts?
2. Are user passwords changed prior to enabling SCRIL? If they are, will users notice any differences during login due to this change?
3. Once fine-grained password policies are set and SCRIL is operational, will users experience any changes regarding these policies during their sign-ins? Thanks for any insights!

3 Answers

Answered By NetworkWhiz07 On

From my experience, enabling SCRIL mainly changes backend processes, and users generally don’t notice much. LAPS continues operating as it should since those credentials don’t go through the FIDO system. To prevent any potential issues during the transition, it’s best to refresh passwords before turning on SCRIL. After that, the main difference is that logins will depend solely on the hardware key rather than the old password method.

Answered By ITGuru85 On

From what I've gathered, SCRIL operates fairly quietly once implemented. You can still use LAPS for UAC prompts since it works locally and isn’t affected by the FIDO setup. It’s often recommended to change user passwords before activating SCRIL; users typically won't notice any unusual behavior during login when this happens. After fine-grained password policies are applied, the primary change is that FIDO keys will continue to take the lead in authentication without introducing anything new for users.

Answered By CyberNinja42 On

1. Just to clarify, LAPS refers to the local admin password, not the user passwords in Active Directory. SCRIL won’t interfere with local admin passwords, so you’re fine there! The way you use LAPS for UAC will continue seamlessly after SCRIL is enabled.

2. You don’t need to change user passwords manually before enabling SCRIL, as SCRIL will automatically generate a 128-character password when activated.

3. Users won't see any changes when SCRIL is enabled; the fine-grained password policy kicks in during a password change, and they won't be able to change passwords while SCRIL is active, so they won't know the current password required for a change.
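The points raised across the three answers (SCRIL is toggled per account, the domain controller replaces the password when the flag is set, and any fine-grained policy only matters at password-change time) can be checked directly from the Active Directory PowerShell module. The script below is an added example, not code from anyone in this thread. It assumes the RSAT ActiveDirectory module, rights to modify the pilot accounts, and a hypothetical pilot group named `SCRIL-Pilot`; the `0x40000` value is the documented `ADS_UF_SMARTCARD_REQUIRED` bit of `userAccountControl`.

```powershell
# Added example: pilot-enable SCRIL for one group, then report whether the DC
# replaced each account's password and which password policy would govern a change.
# Assumes the ActiveDirectory RSAT module and a hypothetical group 'SCRIL-Pilot'.
Import-Module ActiveDirectory

$PilotGroup            = 'SCRIL-Pilot'   # hypothetical pilot group name
$SmartcardRequiredFlag = 0x40000         # ADS_UF_SMARTCARD_REQUIRED bit in userAccountControl

$members = Get-ADGroupMember -Identity $PilotGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($m in $members) {
    $before = Get-ADUser -Identity $m.distinguishedName `
        -Properties SmartcardLogonRequired, PasswordLastSet, userAccountControl

    if (-not $before.SmartcardLogonRequired) {
        # Setting the flag is what makes the DC discard the old password and store
        # a random one; no manual password reset is required beforehand.
        Set-ADUser -Identity $before -SmartcardLogonRequired $true
    }

    $after = Get-ADUser -Identity $before.DistinguishedName `
        -Properties SmartcardLogonRequired, PasswordLastSet, userAccountControl

    # Resultant policy: a fine-grained PSO if one applies to this user, else the domain default.
    $pso        = Get-ADUserResultantPasswordPolicy -Identity $after
    $policyName = if ($pso) { $pso.Name } else { 'Default Domain Policy' }

    [PSCustomObject]@{
        SamAccountName          = $after.SamAccountName
        ScrilFlagSet            = [bool]($after.userAccountControl -band $SmartcardRequiredFlag)
        PasswordLastSetBefore   = $before.PasswordLastSet
        PasswordLastSetAfter    = $after.PasswordLastSet
        PasswordReplacedOnToggle = ($after.PasswordLastSet -gt $before.PasswordLastSet)
        ResultantPasswordPolicy = $policyName
    }
}
```

Run it against a lab domain first. A `PasswordLastSetAfter` timestamp that has moved forward on the accounts that were just toggled is the evidence that the domain controller replaced the old password, and `ResultantPasswordPolicy` shows which PSO would apply if SCRIL were ever cleared and the user asked to change a password; while the flag stays set, that policy has nothing to act on because the user never performs a password change.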
