
klenTAHN
Copper Contributor
Feb 24, 2025
Solved

Intune Endpoint Privilege Management - FIDO2

We have begun testing out Intune EPM as a replacement for local admin accounts in our org. We have users that authenticate with PIV certs via Smartcard as well as FIDO2 with Yubikeys. PIV authentication works no problem, but I cannot find a way to enable FIDO2 to work with EPM. Has anyone found a solution for this?


  • micheleariis
    Steel Contributor

    klenTAHN Yeah, the issue is that FIDO2 alone doesn’t work with EPM the same way PIV smart cards do. To get it working, you need to enable Windows Hello for Business (WHfB) on the device.

    Without WHfB, FIDO2 is just recognized as an MFA method for Azure AD, but it’s not treated as a valid credential for privilege elevation with EPM.

    • klenTAHN
      Copper Contributor

      Thank you! That's the direction I was heading, but the documentation's not exactly crystal clear.
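
To check whether a device and user already have a Windows Hello for Business credential, as the accepted answer above says is needed, the fields reported by `dsregcmd /status` can be read with a short script. This is an added example, not part of the original thread or Microsoft's documentation; the function names `Get-DsregField` and `Get-WhfbState` are hypothetical, and the sample output is constructed.

```powershell
# Added example: read the join and Windows Hello (NGC) fields from
# `dsregcmd /status`. NgcSet is per user, so run this in the session of
# the user who will request elevation, not as a different admin account.

function Get-DsregField {
    param(
        [Parameter(Mandatory)][string[]]$StatusLines,
        [Parameter(Mandatory)][string]$Name
    )
    # dsregcmd prints "   <Name> : <Value>" with variable padding.
    $pattern = '^\s*{0}\s*:\s*(.+?)\s*$' -f [regex]::Escape($Name)
    foreach ($line in $StatusLines) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null   # field absent from this output
}

function Get-WhfbState {
    # Defaults to live output; pass -StatusLines to analyse saved output.
    param([string[]]$StatusLines = (dsregcmd.exe /status))

    $ngc = Get-DsregField -StatusLines $StatusLines -Name 'NgcSet'
    [pscustomobject]@{
        AzureAdJoined  = Get-DsregField -StatusLines $StatusLines -Name 'AzureAdJoined'
        DomainJoined   = Get-DsregField -StatusLines $StatusLines -Name 'DomainJoined'
        AzureAdPrt     = Get-DsregField -StatusLines $StatusLines -Name 'AzureAdPrt'
        NgcSet         = $ngc
        # YES means a Windows Hello key exists for the logged-on user.
        HelloKeyExists = ($ngc -eq 'YES')
    }
}

# Constructed sample: joined device, user signed in with a FIDO2 key,
# no Windows Hello for Business key provisioned yet.
$sample = @'
             AzureAdJoined : YES
              DomainJoined : NO
                    NgcSet : NO
                AzureAdPrt : YES
'@ -split '\r?\n'

Get-WhfbState -StatusLines $sample   # analyse the constructed sample
# Get-WhfbState                      # analyse the local device
```

If `NgcSet` is `NO` or missing, the user has not completed Windows Hello for Business provisioning on that device, regardless of which FIDO2 keys are registered to the account.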

  • ARZHost
    Copper Contributor

    Solid move replacing local admin accounts with Intune EPM! Since PIV authentication is working smoothly, but FIDO2 with YubiKeys isn't, have you checked if your Conditional Access policies or Authentication Strength settings are blocking FIDO2 for elevation? Also, ensure that FIDO2 authentication is properly configured in Azure AD and allowed for privilege elevation. Some orgs have reported success by enabling "Require multi-factor authentication" in EPM policies while ensuring FIDO2 keys are registered as a valid MFA method. Hope this helps—would love to hear if anyone else has found a workaround!
