Forum Discussion
Intune Endpoint Privilege Management - FIDO2
- Feb 25, 2025
klenTAHN
Yeah, the issue is that FIDO2 alone doesn’t work with EPM the same way PIV smart cards do. To get it working, you need to enable Windows Hello for Business (WHfB) on the device.
Without WHfB, FIDO2 is just recognized as an MFA method for Azure AD, but it’s not treated as a valid credential for privilege elevation with EPM.
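A device-side readiness check for the WHfB prerequisite described in the reply above, added here as an example and not code from the thread. It assumes the standard dsregcmd /status field names (AzureAdJoined, NgcSet) and the usual PassportForWork policy registry locations; it reports state only and does not touch EPM itself.

```powershell
# Added example: report whether this endpoint has WHfB enabled by policy and a
# Hello key provisioned for the signed-in user, i.e. the prerequisite discussed
# above for FIDO2-backed EPM elevation. Run on the endpoint as the affected user.
# Assumptions (verify on your build): dsregcmd.exe is present and prints
# "Key : Value" lines; WHfB policy lands in the PassportForWork keys below.

function Get-WhfbReadiness {
    # Parse "Key : Value" lines from dsregcmd /status into a hashtable.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }

    # Group Policy delivered WHfB enablement.
    $gpoEnabled = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
                   -Name Enabled -ErrorAction SilentlyContinue).Enabled

    # Intune/MDM delivered policy sits under a tenant-id subkey; accept any tenant.
    $mdmEnabled = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork' `
                    -ErrorAction SilentlyContinue |
        ForEach-Object {
            (Get-ItemProperty "$($_.PSPath)\Device\Policies" -Name UsePassportForWork `
                -ErrorAction SilentlyContinue).UsePassportForWork
        } | Where-Object { $_ -eq 1 } | Select-Object -First 1

    [pscustomobject]@{
        AzureAdJoined      = $status['AzureAdJoined'] -eq 'YES'
        WhfbPolicyEnabled  = ($gpoEnabled -eq 1) -or ($mdmEnabled -eq 1)
        WhfbKeyProvisioned = $status['NgcSet'] -eq 'YES'   # user has a Hello key here
        # Both must be true before FIDO2 elevation through EPM is worth debugging further.
        WhfbPrerequisiteMet = ($status['AzureAdJoined'] -eq 'YES') -and ($status['NgcSet'] -eq 'YES')
    }
}

Get-WhfbReadiness | Format-List
```

If WhfbPolicyEnabled is true but WhfbKeyProvisioned is false, the user has not completed Hello enrollment on that device yet, which is the case where FIDO2 shows up as an MFA method but not as an elevation credential.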
Solid move replacing local admin accounts with Intune EPM! Since PIV authentication is working smoothly, but FIDO2 with YubiKeys isn't, have you checked if your Conditional Access policies or Authentication Strength settings are blocking FIDO2 for elevation? Also, ensure that FIDO2 authentication is properly configured in Azure AD and allowed for privilege elevation. Some orgs have reported success by enabling "Require multi-factor authentication" in EPM policies while ensuring FIDO2 keys are registered as a valid MFA method. Hope this helps—would love to hear if anyone else has found a workaround!