
1. Introduction

This document aims to clarify a limitation within Microsoft’s FIDO2 authentication system when used in conjunction with Intune Autopilot, specifically in Self-Deployment mode. The focus will be on the interaction between FIDO2-based authentication and the triggering of the User Enrollment Status Page (ESP) during the Windows Autopilot deployment process.

2. Overview of Key Concepts

FIDO2 Authentication: FIDO2 is a web authentication standard that enables passwordless login through security keys, biometrics, or other methods. Microsoft has integrated FIDO2 into Windows 10 and later versions, allowing users to authenticate securely without using traditional passwords.

Intune Autopilot: Windows Autopilot is a deployment tool in Microsoft Intune that allows organizations to pre-configure new Windows 10/11 devices so they are ready for use with minimal user interaction. Autopilot supports several deployment modes, including User-Driven and Self-Deployment.

User Enrollment Status Page (ESP): The User ESP is the part of the Autopilot process that ensures the required applications, security policies, and configurations are applied before the user gains full access to the device. It is normally triggered after a user logs in during the Autopilot process.

3. Issue Description

In Intune Autopilot Self-Deployment mode, the process is designed to be userless: the device is pre-configured and ready for use without requiring a user to log in during setup. However, in scenarios where user authentication is still needed, such as when deploying with a User ESP, this mode expects authentication via the user's email ID and password or through a QR code scan.

FIDO2 Limitation: When a FIDO2 security key, such as the TruU Security Key, is used to authenticate at the Windows login screen, the User ESP is not triggered. The current implementation of Microsoft's Autopilot does not support the User ESP when login authentication is performed with a FIDO2 key in Self-Deployment mode.

4. Impact

The lack of support for FIDO2 keys in triggering the User ESP during the Self-Deployment mode has several implications:
  • Security Risks: The User ESP (which blocks the user from accessing the device until all user-targeted apps and policies have been applied) is not shown. The user-targeted applications, policies, and configurations are still applied, but in the background, while the user already has access to the device.
  • User Experience: Users expecting a fully configured device at first use may not get one, because user-targeted apps and policies are applied in the background while the user is already working on the device. On the other hand, the time taken to set up the Autopilot device is shorter, since the user-targeted apps and policies install in the background and do not block the user from accessing the device.

5. Workaround and Recommendations

While this limitation exists, there are several approaches organizations can consider:
  1. Device targeted: Move the important applications and policies to device-targeted groups so that they are applied during the Device ESP. Applications and policies that do not need to be in place before the user accesses the device can stay targeted at user groups; they will install in the background, which improves the user experience by reducing setup time.
  2. Use User-Driven Mode: In scenarios where the User ESP is essential, consider switching from Self-Deployment mode to User-Driven mode. This mode supports user authentication via email ID and password or TruU QR scan authentication using a phone, which triggers the User ESP as expected.
  3. Conditional Access Policies: Implement Conditional Access policies that enforce additional checks post-login to ensure that required configurations are applied, even if the User ESP was not triggered during Autopilot.
  4. Monitor for Updates: Stay updated with Microsoft’s developments in Autopilot and FIDO2 support. Future updates may address this limitation, enabling full support for User ESP in Self-Deployment mode with FIDO2 keys.
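To apply workaround 1, an administrator first needs to know which required apps are user-targeted and would therefore install in the background after a FIDO2 sign-in. The following audit script is an added example, not part of this article or of TruU's or Microsoft's tooling; it assumes the Microsoft.Graph PowerShell SDK is installed and that a group is classified as device- or user-targeted purely from the object types of its members (mixed or empty groups are reported as "unknown").

```powershell
# Added example: list required Intune app assignments that target users rather than devices.
# Assumes the Microsoft.Graph PowerShell SDK and read-only scopes for apps and groups.
Connect-MgGraph -Scopes "DeviceManagementApps.Read.All","Group.Read.All","GroupMember.Read.All"

# Heuristic (assumption of this example): a group is "device" if every member is a device
# object, "user" if every member is a user object, otherwise "unknown".
$groupKindCache = @{}
function Get-GroupKind {
    param([string]$GroupId)
    if ($groupKindCache.ContainsKey($GroupId)) { return $groupKindCache[$GroupId] }
    $types = @(Get-MgGroupMember -GroupId $GroupId -All |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] } | Sort-Object -Unique)
    $kind = 'unknown'
    if ($types.Count -eq 1 -and $types[0] -eq '#microsoft.graph.device') { $kind = 'device' }
    elseif ($types.Count -eq 1 -and $types[0] -eq '#microsoft.graph.user') { $kind = 'user' }
    $groupKindCache[$GroupId] = $kind
    return $kind
}

$report = foreach ($app in Get-MgDeviceAppManagementMobileApp -All) {
    foreach ($assignment in Get-MgDeviceAppManagementMobileAppAssignment -MobileAppId $app.Id) {
        # Only "required" assignments are relevant to what the ESP would otherwise wait for.
        if ($assignment.Intent -ne 'required') { continue }
        $target     = $assignment.Target.AdditionalProperties
        $targetType = $target['@odata.type']
        $kind = switch ($targetType) {
            '#microsoft.graph.allDevicesAssignmentTarget'       { 'device' }
            '#microsoft.graph.allLicensedUsersAssignmentTarget' { 'user' }
            '#microsoft.graph.groupAssignmentTarget'            { Get-GroupKind $target['groupId'] }
            '#microsoft.graph.exclusionGroupAssignmentTarget'   { 'exclusion' }
            default                                             { 'unknown' }
        }
        [pscustomobject]@{
            App        = $app.DisplayName
            TargetType = $targetType.Split('.')[-1]
            GroupId    = $target['groupId']
            Targeting  = $kind
        }
    }
}

# These are the required apps that install in the background after a FIDO2 sign-in in
# Self-Deployment mode; candidates for moving to device-targeted groups (workaround 1).
$report | Where-Object Targeting -eq 'user' | Sort-Object App | Format-Table -AutoSize
```

Review the "unknown" rows by hand as well, since mixed-membership groups and dynamic groups with both users and devices are not classified by this heuristic.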
