Intune Endpoint Privilege Management - FIDO2

we have begun testing out Intune EPM as a replacement for local admin accounts in our org. We have users that authenticate with PIV certs via Smartcard as well as FIDO2 with Yubikeys. PIV authentic...

Endpoint Privilege Management (EPM)

Intune

Intune Suite

micheleariis
Feb 25, 2025
klenTAHNYeah, the issue is that FIDO2 alone doesn’t work with EPM the same way PIV smart cards do. To get it working, you need to enable Windows Hello for Business (WHfB) on the device.
Without WHfB, FIDO2 is just recognized as an MFA method for Azure AD, but it’s not treated as a valid credential for privilege elevation with EPM.

micheleariis

MCT

Feb 25, 2025

klenTAHNYeah, the issue is that FIDO2 alone doesn’t work with EPM the same way PIV smart cards do. To get it working, you need to enable Windows Hello for Business (WHfB) on the device.

Without WHfB, FIDO2 is just recognized as an MFA method for Azure AD, but it’s not treated as a valid credential for privilege elevation with EPM.

klenTAHN
Copper Contributor
Feb 25, 2025
thank you! that's the direction i was heading, but documentations not exactly crystal clear.

Forum Discussion

Intune Endpoint Privilege Management - FIDO2

Resources