This week is basically a follow-up on a few blog posts of about two years ago. Those posts were focused on requiring the use of Windows Hello for Business and on removing the ability to use a password for signing into Windows. Both are acceptable starts in the passwordless journey and acceptable methods for requiring the strength of Windows Hello for Business as a sign-in method. However, both methods are not that easy to configure and come with some side effects. The most problematic side effect is that they also impact the sign-in capabilities of other apps and services that rely on the same credential providers. To address that and to further simplify the passwordless journey on Windows devices, Microsoft introduced a new configuration option. That configuration option enables organizations to hide the password sign-in option from the Windows logon screen (and more). This post will provide some more details around that configuration, followed by the configuration steps. This post will end with showing the user experience.
Important: At the moment of writing, this functionality is only available in Windows 11 Insider Preview Builds.
Note: For a lot more information around the passwordless journey, have a look at this series by Pim Jacobs.
Configuring enable passwordless experience
When looking at providing a passwordless experience, Microsoft introduced a new policy setting with Windows 11 Insider Preview Build 22621.2129. That new policy setting is the Enable Passwordless Experience policy setting, which is part of the Authentication node in the Policy CSP. That new policy setting provides organizations with the ability to remove the password requirement from the core authentication scenarios on Azure AD joined devices. That basically means that it creates an experience for the user that simply hides the password option from the Windows logon screen. Besides that, it will also hide that option for other in-session authentication scenarios, like password managers in a web browser, “Run as admin” and User Account Control. For recovery, the user can still rely on mechanisms like PIN reset or web sign-in. Having those mechanisms in place is strongly advised, for the best user experience with this configuration.
The configuration of this policy setting is actually pretty straightforward, as the setting is already available within the Settings Catalog. The following eight steps walk through the creation of a Settings Catalog profile that contains the required setting to configure the passwordless experience.
1. Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
2. On the Windows | Configuration profiles blade, click Create profile
3. On the Create a profile blade, provide the following information and click Create
   - Platform: Select Windows 10 and later to create a profile for Windows 10 and Windows 11 devices
   - Profile: Select Settings catalog to select the required setting from the catalog
4. On the Basics page, provide the following information and click Next
   - Name: Provide a name for the profile to distinguish it from other similar profiles
   - Description: (Optional) Provide a description for the profile to further differentiate profiles
   - Platform: (Greyed out) Windows 10 and later
5. On the Configuration settings page, as shown below in Figure 1, perform the following actions
   - Click Add settings and perform the following in the Settings picker
     - Select Authentication as category
     - Select Enable Passwordless Experience as setting
   - Select Enabled with Enable Passwordless Experience and click Next
6. On the Scope tags page, configure the required scope tags and click Next
7. On the Assignments page, configure the assignment and click Next
8. On the Review + create page, verify the configuration and click Create
Note: The OMA-URI for this setting is ./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience.
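To check on a device that the profile created above actually landed before sending users to the logon screen, the following PowerShell script is an added example; it is not code from the original post or from Microsoft. It assumes (the post does not state this) that device-scope Policy CSP values delivered by MDM are mirrored in the registry under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>, and that the DWORD value 1 corresponds to Enabled and 0 to Disabled. It also compares the OS build against 22621.2129, the Insider build named above as the first one carrying the setting.

```powershell
# Added example (not from the original post): report whether the Enable
# Passwordless Experience policy has been applied to this device and whether
# the OS build is recent enough to honour it.
#
# Assumptions (not stated on the page):
#  - MDM-delivered device-scope Policy CSP values are mirrored under
#    HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>
#  - DWORD 1 = Enabled, 0 = Disabled for this setting

$omaUri  = './Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience'
$area    = 'Authentication'
$setting = 'EnablePasswordlessExperience'
$regPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$area"

# --- Build check ---------------------------------------------------------
# The post names Insider build 22621.2129 as the first build with the setting.
$minBuild = 22621
$minUbr   = 2129
$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
$ubr   = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
Write-Host "Windows build: $build.$ubr"
if ($build -lt $minBuild -or ($build -eq $minBuild -and $ubr -lt $minUbr)) {
    Write-Warning "Build is older than $minBuild.$minUbr; this device will not honour $setting."
}

# --- Policy check --------------------------------------------------------
$item = Get-ItemProperty -Path $regPath -Name $setting -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Warning "$setting not found under $regPath."
    Write-Warning "The Intune profile has not applied here yet; check the assignment and trigger a sync."
}
elseif ($item.$setting -eq 1) {
    Write-Host "$omaUri = 1 (Enabled)"
    Write-Host "Expected behaviour: password option hidden on the logon screen, 'Run as admin' and UAC."
    Write-Host "Note: 'Other user' and 'Run as a different user' still accept a password."
}
elseif ($item.$setting -eq 0) {
    Write-Host "$omaUri = 0 (Disabled): password sign-in remains available."
}
else {
    Write-Warning "Unexpected value '$($item.$setting)' for $setting."
}
```

Run it in an elevated PowerShell session on the target device after an Intune sync. A missing value almost always means the profile has not been assigned to (or evaluated on) this device yet, whereas a value of 1 on a build older than 22621.2129 means the policy was delivered but the OS simply ignores it, which matches the version question raised in the comments below.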
Experiencing the new Windows sign-in options
After the configuration is applied, it’s really easy to experience the behavior as a standard user. When the user gets to the Windows logon screen, the user will immediately notice that the password sign-in option is missing (as shown below in Figure 2). That automatically moves the user away from using a password to sign into Windows. And not just from the logon screen, but also from in-session authentication scenarios. So, there is no longer a password option available with actions like “Run as admin” or User Account Control.
Besides that, as this doesn’t completely remove the credential provider, there are still ways to use a password as an alternative. The most obvious way is by using the “Other user” option on the Windows logon screen (as shown below in Figure 3). That will still allow the user to rely on the username and password. Another option is using “Run as a different user”. That will also still allow the usage of a username and password.
More information
For more information about enabling the passwordless experience, refer to the following docs.
Hi,
Still nothing about the use of that option or OTP (for Windows login) with a hybrid scenario? 🙁
Not with me, Alex.
Regards, Peter
Hi Alex,
Why are you looking for an OTP solution instead of using FIDO for the hybrid scenario?
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises
Regards,
Remco
Hi Peter,
I have a profile with 3 settings in it:
1. Configure web sign-in Allowed Urls
2. Enable passwordless experience (this doesn’t remove the Password logon button as you mention)
3. Enable web sign-in.
But whatever I do, it asks me for a password. I don’t see you mentioning anything about Conditional Access policies, so I assume they won’t clash with this web sign-in. It seems so easy to enable…
Do you have any tip on what I am missing 🙂
Hi Patrick,
Which version of Windows are you using? This setting is only available for Windows 11 23H2 (see also: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-authentication#enablepasswordlessexperience).
Regards, Peter
I am not sure what the version was before this weekend, but it’s 23H2 and the password option is now gone.
Still having issues with getting the Web signin method asking for a MS Authenticator code instead of password 🙁
That is good to hear, Patrick! Regarding the web sign-in, I don’t think that passwords are part of the supported flows. For more information, see also: https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?WT.mc_id=EM-MVP-5001447&tabs=intune#user-experiences
Regards, Peter
Yes, I must be missing something. I don’t get that logon screen at 15 sec, but that example on the MS website is for a machine configured with Windows Hello. The machine I am checking is a shared device with no main owner.
So, does that mean that you’re not using passwordless?
Regards, Peter
Peter, after rechecking everything it seems that the MS Authenticator settings are wrong, it is set as Push and according to the documentation “Choosing Push prevents the use of the passwordless phone sign-in credential”.
Ah, great! Thanks for the update!
Regards, Peter
That’s correct Peter, I don’t know why it isn’t passwordless, because that is my goal. 😀
And is the Authenticator app also an allowed and configured authentication method for the user?
Besides that, are you using an actual shared device configuration, or just a standard Windows device with multiple users?
Regards, Peter
After receiving Reader rights in the tenant, I found it last week. The setting for the MS Authenticator is not configured as Any but Push.
Peter
We finally have some machines working, thanks for your replies.
The only feedback we get is that when a user locks the machine, he or she needs to fill in their username again.
Do you know if there is any way to not empty it?
Hi Patrick,
Can you provide me with some more context? Are you saying that they have to sign in again like using Other user?
Regards, Peter
Hi Peter,
Thanks for this informative post.
I just wonder if this also works on a Shared Device where we obviously don’t use Windows Hello. We would like web sign-in as the only option with the passwordless experience.
After configuring all these settings, it still continues to show the (password) sign in options.
Hi Mike,
The challenge with shared devices is that you often go to “Other user”. And in that case the password option is still shown.
Regards, Peter