Forum Discussion
PowerShell Get-AutopilotInfo -Online with FIDO2 key requirement
Hello!
Quick info: Authenticating with a security key in PowerShell keeps failing and I've been browsing the web for a way to upload AutoPilot HWID with Get-AutopilotInfo -Online with a FIDO2 key requirement without results.
Therefore I tried to exclude "Microsoft Intune Enrollment" in the FIDO2 conditional access policy but I was unable to get it to work. Is "Microsoft Intune Enrollment" the correct App to exclude or should I look into excluding something else to bypass the security key requirement?
10 Replies
- rahuljindal Bronze Contributor
What is the end objective here? Using FIDO for uploading of hashid or uploading hash no matter what? Can only suggest the next steps after you confirm.
- Jragnmark Copper Contributor
The objective is to use FIDO as authentication for everything, EXCEPT for uploading hashid.
- rahuljindal Bronze Contributor
Then consider using a dedicated account not set up for FIDO for the purpose of uploading the hashids when using the -online parameter. I am not sure of how your CA policies are set up, but excluding the Intune enrolment apps is not recommended from a security standpoint.
Huh.. okay... so you are trying to upload the hwid to the autopilot service and you want to require a fido key to do so?
The Microsoft Intune Enrollment is used to enroll a device into intune... But as you are trying to exclude them from the ca policy, I assume uploading the hwid isn't working....?
- Jragnmark Copper Contributor
I cannot get past the authentication as it keeps prompting to authenticate with Security Key..
In PowerShell, Security Key as authentication method gets stuck and doesn't go through, hence the situation: I would like to bypass the conditional access policy that's requiring the security key during device enrollments.
- Did you try to create another global admin and log in with that user? Did you also try uploading the hash from a different device (for example a newly installed VM) to find out if you get the same prompt?
- Krishnakumar_M Brass Contributor
Hi,
Are you sure that you are using the correct parameter switches?
Kindly refer to this article:
https://learn.microsoft.com/en-us/managed-desktop/prepare/windows-autopilot-registration
- Jragnmark Copper Contributor
Hi,
Apologies for the bad description.
I use the -Online parameter to push it to Endpoint Manager, which prompts a sign-in with credentials.
PowerShell does not handle Security Key as an authentication method so well, therefore I want to exclude Endpoint Enrollment from the Conditional Access Policy so I can authenticate with text message for this action.
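One way to follow rahuljindal's advice above (keep the FIDO2 policy intact, separate hash collection from the upload) is to skip -Online on the device entirely and only write the hardware hash to a CSV, which a dedicated non-FIDO admin account can then import in the Intune admin center. This is an added example, not code from the thread or from Microsoft; it assumes the Get-WindowsAutoPilotInfo script from the PowerShell Gallery (the full name of the Get-AutopilotInfo script mentioned above) and a hypothetical output folder C:\HWID.

```powershell
# Added example: collect the Autopilot hardware hash locally, with no sign-in,
# so the FIDO2 Conditional Access policy never has to be excluded or weakened.
[CmdletBinding()]
param(
    [string]$OutputDir = 'C:\HWID',   # assumption: local folder for the CSV
    [string]$GroupTag  = ''           # optional Autopilot group tag
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

# Install the gallery script for the current user only if it is not present.
if (-not (Get-InstalledScript -Name Get-WindowsAutoPilotInfo -ErrorAction SilentlyContinue)) {
    Install-Script -Name Get-WindowsAutoPilotInfo -Force -Scope CurrentUser
}
$scriptDir  = (Get-InstalledScript -Name Get-WindowsAutoPilotInfo).InstalledLocation
$scriptPath = Join-Path $scriptDir 'Get-WindowsAutoPilotInfo.ps1'

# One CSV per device, named after the BIOS serial number.
$serial  = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
$csvPath = Join-Path $OutputDir "$serial.csv"

# No -Online here: nothing authenticates, the hash is only written to disk.
$params = @{ OutputFile = $csvPath }
if ($GroupTag) { $params['GroupTag'] = $GroupTag }
& $scriptPath @params

# Sanity-check the CSV before handing it to the account that does the upload.
$rows     = Import-Csv -Path $csvPath
$required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$missing  = $required | Where-Object { $_ -notin $rows[0].PSObject.Properties.Name }
if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }
if ([string]::IsNullOrWhiteSpace($rows[0].'Hardware Hash')) { throw 'Hardware hash is empty' }

Write-Output "Hardware hash for serial $serial written to $csvPath"
```

The resulting CSV is the same format the Intune admin center accepts under Devices > Windows > Windows enrollment > Devices > Import, so the interactive FIDO2 sign-in only happens in the browser, where it works.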