This week is a bit of a follow-up on a post of about two years ago and is mainly focused on creating some awareness. That post was specifically about enabling web sign-in to Windows for use with a Temporary Access Pass. The web sign-in functionality provides a web-based sign-in experience on Microsoft Entra joined devices. At that time, that web-based sign-in experience was limited to Temporary Access Pass (TAP). Starting with Windows 11 version 22H2 with KB5030310 and later, that has changed: the supported scenarios and capabilities of web sign-in have been expanded. Besides TAP, it can now also be used for a passwordless sign-in experience with the Microsoft Authenticator app, a more seamless Windows Hello for Business PIN reset experience, and even a federated identity with a third-party SAML-P identity provider. This post provides a quick reminder of the required configuration for enabling web sign-in as a credential provider, followed by a brief look at the main newly supported experiences.
Important: Web sign-in is only supported on Microsoft Entra joined devices. Microsoft Entra hybrid joined devices are not supported.
Enabling web sign-in as credential provider
When looking at enabling web sign-in as a credential provider on Windows 11, not much has changed compared to a few years ago. The configuration can be achieved by using the Enable Web Sign In policy setting that is part of the Authentication node in the Policy CSP (OMA-URI ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn, a device-scoped setting). That policy setting provides organizations with the ability to add the web sign-in credential provider on Microsoft Entra joined devices. Luckily, that setting is directly available via the Settings Catalog. The following eight steps walk through the creation of a Settings Catalog profile that contains the required setting.
- Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
- On the Windows | Configuration profiles blade, click Create > New Policy
- On the Create a profile blade, provide the following information and click Create
- Platform: Select Windows 10 and later to create a profile for Windows 10 and later devices
- Profile: Select Settings catalog to select the required setting from the catalog
- On the Basics page, provide the following information and click Next
- Name: Provide a name for the profile to distinguish it from other similar profiles
- Description: (Optional) Provide a description for the profile to further differentiate profiles
- Platform: (Greyed out) Windows 10 and later
- On the Configuration settings page, as shown below in Figure 1, perform the following actions
- Click Add settings and perform the following in Settings picker
- Select Authentication as category
- Select Enable Web Sign In as setting
- Set Enable Web Sign In to Enabled. Web Sign-in will be enabled for signing in to Windows (this corresponds to the policy value 1) and click Next

- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the assignment and click Next
- On the Review + create page, verify the configuration and click Create
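For those who prefer to script the same eight steps, the following is an added example (not code from the original post) that creates and assigns the same Settings Catalog profile through Microsoft Graph with the Microsoft.Graph.Authentication module. The setting definition ID and the "_1" choice value ID follow the usual Settings Catalog naming for Policy CSP settings and are assumptions to confirm in your own tenant; the script does a GET on the definition first so that a wrong ID fails before anything is created. The group ID is a placeholder.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: create the "Enable Web Sign In" Settings Catalog profile via Graph.
# Assumed identifiers (verify in your tenant): the Settings Catalog definition ID and
# the "_1" choice value that maps to "Enabled" (EnableWebSignIn = 1).
param(
    [string]$ProfileName = "Windows - Enable Web Sign In",
    [string]$GroupId     = "00000000-0000-0000-0000-000000000000"   # placeholder, replace with your device group
)

$definitionId = "device_vendor_msft_policy_config_authentication_enablewebsignin"   # assumed ID
$enabledValue = "${definitionId}_1"                                                  # assumed: "_1" = Enabled

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

# Fail early if the definition ID is not what the catalog expects (this throws on 404).
$null = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationSettings('$definitionId')"

# Same payload the Settings Catalog UI builds: platform Windows 10 and later, MDM technology, one choice setting.
$policy = @{
    name         = $ProfileName
    description  = "Adds the web sign-in credential provider on Microsoft Entra joined devices"
    platforms    = "windows10"
    technologies = "mdm"
    settings     = @(
        @{
            "@odata.type"   = "#microsoft.graph.deviceManagementConfigurationSetting"
            settingInstance = @{
                "@odata.type"       = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance"
                settingDefinitionId = $definitionId
                choiceSettingValue  = @{
                    "@odata.type" = "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue"
                    value         = $enabledValue
                    children      = @()
                }
            }
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assignment: EnableWebSignIn is device-scoped, so a device group is the natural target.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $GroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created profile '$($created.name)' ($($created.id)) and assigned it to group $GroupId"
```

If the GET on the definition fails, open the Settings picker in the portal and inspect the network call for the real definition ID before retrying; the rest of the script does not need to change.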
Note: Web sign-in is also recommended in combination with enabling the passwordless experience. More information around that experience can be found in this post: Easily hiding the ability to use passwords for signing into Windows.
Experiencing web sign-in as credential provider
This post can only end by showing the new experience on Windows 11. Most of the experiences are relatively easy to show, with the exception of the federated identity experience. It all starts with the availability of the web sign-in credential provider. That can easily be identified by looking at the Windows sign-in screen: it should show the globe icon, as shown below in Figure 2. The first experience to show is the more seamless self-service PIN reset experience, as briefly shown below in Figure 3 (it can be recognized by the still old-school non-curved corners). This experience can be triggered by clicking I forgot my PIN (provided self-service PIN reset is configured). After signing in with the Microsoft Authenticator app, the PIN reset procedure starts within that same window. So, a much more seamless and user-friendly experience compared to the early days of PIN reset.
Another interesting new experience is the passwordless sign-in experience with the Microsoft Authenticator app that is shown below in Figure 4. That experience can be triggered by actually using the web sign-in credential provider (provided the Microsoft Authenticator app is configured as an authentication method for the user). In that case the user gets a similar window as before, just with fancy round corners. After signing in with the Microsoft Authenticator app, the user can work on the device. Besides that, the already existing experience with the Temporary Access Pass (TAP) is still available, as shown below in Figure 5. That experience can also be triggered by using the web sign-in credential provider. The main difference is that a TAP must be available for the user. In that case, the correct flow is started automatically.
Important: Keep in mind that web sign-in requires an active Internet connection at the sign-in screen, as the credential provider loads a web-based sign-in page before any user session exists.
Note: This behavior was successfully tested on Windows 11 version 22H2 and Windows 11 version 23H2.
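Before looking for the globe icon on the sign-in screen, it helps to check on the device itself that the prerequisites and the policy are actually in place. The following is an added example (not code from the original post) that reports the join state via dsregcmd, the locally applied policy value, the GUID under which the Cloud Experience Credential Provider is registered, any credential provider filters that are present (third-party sign-in products register themselves there and can hide other providers), the last used provider, and whether the WsiAccount local account exists yet. The PolicyManager registry path and the provider display name "Cloud Experience Credential Provider" are assumptions based on how Policy CSP settings and credential providers are normally registered; the DefaultCredentialProvider policy value is the one written by the "Assign a default credential provider" Group Policy setting.

```powershell
# Added example: local readiness check for web sign-in on a Windows 11 device.
# Run as an administrator. Assumed registry locations are marked below.
function Test-WebSignInReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Join state: web sign-in is only supported on Microsoft Entra joined devices (not hybrid joined).
    $dsreg = dsregcmd /status
    $azureAdJoined = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
    $domainJoined  = [bool]($dsreg | Select-String 'DomainJoined\s*:\s*YES')
    $result.EntraJoined       = $azureAdJoined
    $result.HybridJoined      = $azureAdJoined -and $domainJoined
    $result.JoinStateSupported = $azureAdJoined -and -not $domainJoined

    # 2. Policy applied locally. Assumed mirror location for Policy CSP values; 1 = Enabled.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
    $value = (Get-ItemProperty -Path $policyKey -Name EnableWebSignIn -ErrorAction SilentlyContinue).EnableWebSignIn
    $result.EnableWebSignIn = $value
    $result.PolicyEnabled   = ($value -eq 1)

    # 3. Credential provider registered: look up the GUID by its display name instead of hard-coding it.
    $cpKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    $provider = Get-ChildItem -Path $cpKey -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).'(default)' -eq 'Cloud Experience Credential Provider' } |
        Select-Object -First 1
    $result.WebSignInProviderGuid = if ($provider) { $provider.PSChildName } else { $null }

    # 4. Credential provider filters can hide providers (third-party MFA/sign-in agents register here).
    $filterKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
    $result.ProviderFilters = @(
        Get-ChildItem -Path $filterKey -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.PSChildName) = $((Get-ItemProperty -Path $_.PSPath).'(default)')" }
    )

    # 5. Default provider policy ("Assign a default credential provider"), if one is set.
    $systemPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $result.DefaultCredentialProvider =
        (Get-ItemProperty -Path $systemPolicy -Name DefaultCredentialProvider -ErrorAction SilentlyContinue).DefaultCredentialProvider

    # 6. Provider used for the last logon (useful when confirming that web sign-in was actually used).
    $logonUi = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
    $result.LastLoggedOnProvider =
        (Get-ItemProperty -Path $logonUi -Name LastLoggedOnProvider -ErrorAction SilentlyContinue).LastLoggedOnProvider

    # 7. WsiAccount is the local account web sign-in uses; it appears only once the feature has been used.
    $result.WsiAccountPresent = [bool](Get-LocalUser -Name 'WsiAccount' -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

Test-WebSignInReadiness | Format-List
```

If JoinStateSupported is false or PolicyEnabled is false, the globe icon will not appear regardless of anything else; if both are true but ProviderFilters lists a third-party product, that filter is the next thing to rule out. The GUID reported in WebSignInProviderGuid is the value to use when you want to make web sign-in the default credential provider for a set of devices.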
More information
For more information about the web sign-in credential provider on Windows 11, refer to the following docs.
- Web sign-in for Windows – Windows Security | Microsoft Learn
- Policy CSP – Authentication – EnableWebSignIn | Microsoft docs
Any chance this will ever support HAJ devices?
I really don’t know, Jason…
Regards, Peter
You have a great website, Peter, a go-to resource if using Intune.
When using this policy, we are unable to get elevated-permissions prompts to work when the logged-on user is not an admin. The secure desktop does not allow entering a username or password or doing anything to supply credentials. How have you got past this, please?
Thank you, Mark. Can you provide some more details? Are you only using this specific setting, or in combination with something else?
Regards, Peter
We are using it with the ‘Local Policies Security Options’ of ‘Administrator elevation prompt behavior’ & ‘Standard user elevation prompt behavior’ set to ‘Prompt for Credentials on the secure desktop’.
Users are standard users and not administrators of their devices.
Could it be that you’re also automatically denying elevation requests for standard users?
Regards, Peter
We are using the Microsoft Security baseline and just changing the 2 settings as described above. I don’t think we are denying requests for elevation of standard users; I will go and have another look through the policy.
I have looked through the ‘MS Security Baseline – Nov 2021’ settings and can’t see that we are denying user account elevation requests. Would it help if I recorded a video to show what’s happening?
Hi Mark,
You can always share the recording. Is the behavior only with this setting? And when you remove this setting, it works again?
Regards, Peter
So I have found the MS document that covers what we are seeing
https://learn.microsoft.com/en-us/windows/security/identity-protection/passwordless-experience/
Under ‘Example of UAC elevation experience:’
Then under the ‘recommendations’ section we get
“To facilitate helpdesk support operations, consider enabling the local administrator account or create a separate one, randomizing its password using the Windows Local Administrator Password Solution (LAPS)”
At the moment Passwordless is no good for us as we don’t use LAPS and can’t therefore support our users.
Thank you for sharing, Mark. I was under the impression that it was related to web sign-in, but do I understand it correctly that you also enabled the passwordless experience?
Regards, Peter
Hi Peter. Yes, it’s the passwordless experience setting that causes the problem. Web sign-in is still enabled in my set-up and this works fine.
Regards, Mark
Ah, thank you for that Mark. That explains a lot for me 🙂
Regards, Peter
Hi Peter, thank you for yet another fantastic article. I’m trying to support a scenario where I can completely remove the password credential provider but have the web sign in provider available for Azure AD device admin users, as well as TAP sign ins.
The problem I’m facing on Windows 11 23H2 with the latest CU is that when I attempt to do a web sign-in with a privileged account, it accepts the username/password/MFA challenge and commences sign-in, but immediately boots me back to the logon screen.
Just wondering if you’ve tested privileged accounts with it to see whether I’m facing a known issue or a unique issue on my side. Regular TAP sign ins work as expected.
Hi Mitch,
What do you mean with a privileged account? A local administrator, or more?
Regards, Peter
The problem we’re having is that this new Web Sign-In feature set allows for password-only (and passwordless with phone sign-in) logon to Windows.
It doesn’t seem to go through conditional access, so there is no option to configuration authentication strength.
And indeed regular TAP works, but without a TAP configured for the user, the user has the option to logon with only its password.
We can’t use TAP for enrollment and windows hello for business with multi-factor unlock anymore (and removing password credential provider), because the user still has the option for single factor logon with its password.
Hi JJ,
I understand the challenge with web sign-in. Can you provide some more details about what you’re trying to achieve?
Regards, Peter
Hi Peter,
Thanks, yes certainly.
In our setup, created back in 2021/2022, we created a more or less full multi-factor setup, therefore we
– Disabled the password credential provider
– Enabled/Forced Windows Hello for Business with Multi-Factor Unlock
– Enabled Web Sign-In
– Enabled TAP for enrollment and support
– Enabled FIDO2 for support (IT staff)
But since these Web Sign-In feature changes at the end of last year for Windows 11, version 22H2 with KB5030310 and 23H2 and later, users are now able to just log in with a password when using Web Sign-In if there is no TAP configured. Passwordless (Phone Sign-In) also seems an option if configured and registered, but there’s still an escape to use password-only.
We can’t find a way to just enable TAP for Web Sign-In and disable the new passwordless/password-only option. Web Sign-In also doesn’t seem to hit conditional access, so we’re not able to force MFA or Authentication Strength.
We’ve logged a ticket with Microsoft Support last week, but for now we’re considering disabling Web Sign-In and going back to disabling the password credential provider through proactive remediation after successful registration/use of Windows Hello (though some customers only have Business Premium, we could use Task Scheduler). Checking the registry for:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
– LastLoggedOnProvider
– SecondFactorLoggedOnProvider
PS. Your articles on the subject were very helpful these past years!
Thanks
Thank you for the details, JJ!
And what about the company policy? Is MFA required for the actual Windows login? And if so, what is considered as MFA?
Regards, Peter
I’m fairly certain our web sign-ins are hitting conditional access because we have designed our conditional access policies to apply rules to every different method/approach/location.
Hello! I’m trying to test web sign-in on one of my W11 23H2 Hyper-V VMs and it’s failing. I see the option and can enter my user and password – then it looks for a split second as if it tries to load the Authenticator screen, but then defaults to an empty white screen with the Microsoft logo. After a timeout I am returned to the lock screen.
In my signin logs in entra I can see an entry with: Microsoft Authentication Broker = Interrupted
Any idea whats preventing this from working?
Hi Simon,
Are the authentication methods available for the user?
Regards, Peter
Hey Peter! Do you happen to know which GUID correlates to Web Sign-in so we could set this to be the default credential provider for subset of devices?
Hi Jonathan,
If I’m not mistaken, you’ve got to look for the Cloud Experience Credential Provider.
Regards, Peter
Hi Peter, or other readers.
After a while I have this finally working on a machine. Just one question: when I lock the machine and want to unlock it, I don’t see the current logged-in user. Is this default behavior or…?
Hi Patrick,
That behavior is only with using web sign-in?
Regards, Peter
Yes, and I am testing this on a Shared workplace.
I do have the option enabled to still use the password; when I use this option and log on and lock the machine, I also don’t see the current logged-in user, but the “Unlock the PC” screen.
But since you respond with that question, I can assume that this should be visible?
Are you also using the Shared PC Mode? That mode configures some specific behavior by itself.
Regards, Peter
We have web sign-in working perfectly.
Microsoft docs say to enable LAPS so that we can administer the device locally (e.g. provide remote support to an end user to install an application).
When we get prompted with the UAC screen and enter the LAPS password, it does not take it. I know the LAPS password is correct because my scripting works fine.
Right now as a work around, we have to sign into the users device using our global admin account and make any requested changes.
It appears to be a bug with the latest deployment. Any one else get this issue? Any one know of a fix of this issue?
Hi Amin,
Apologies for the late reply, but I was enjoying my vacation. Just for additional information; are you only seeing this after enabling web sign-in?
Regards, Peter
Hey Peter,
I am trying to set up Web Sign-in but to no avail.
Here’s where I’m at:
-I am running my test on an Entra-joined device with Windows 23H2.
-The Intune config profile to enable Web Sign-in shows that it was deployed successfully.
-I’ve verified that the HKLM “Authentication” has been added with a value of 1 for the “EnableWebSignIn” REG_DWORD.
-I’ve verified that “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credentials Providers” has a REG_SZ with value “Cloud Experience Credential Provider”
Now from documentation it seems that local account WsiAccount should be added but unfortunately I do not see it under Users.
Is there anything that I’m missing ?
Hi RD,
Do you also see the configuration successfully applied locally on the devices?
Regards, Peter
Hey Peter, thanks for getting back!
So in my latest test I’ve applied the configuration to a user group and it says it was applied successfully to the logged-in user.
My initial test was on a device group which was applied to the logged in user as well as System account.
In both cases, the globe icon never appeared.
Should I try with a device group once again and go through autopilot on my test device ?
Thanks!!
Hi RD,
You could try, but I’m also curious if you’re seeing any errors locally on the device.
Regards, Peter
Hey Peter!
What kind of errors should I look for ? Is there a specific event ID that I should look for ?
What I find very odd, contrary to most posts and comments, is that my issue isn’t necessarily linked with the login portion. It’s more the fact that the “globe” icon on the Windows sign-in page isn’t even there. Even if the registry key values says that it’s enabled, it doesn’t seem like the icon has been enabled.
Thanks again!
Hi RD,
No, I have nothing specific to look for. More in general to get an understanding of what’s happening. Like, is the configuration completely successful, or is something preventing the WsiAccount from doing its magic.
Regards, Peter
Well the WsiAccount never got created. From my understanding, the WsiAccount gets created during the first use of the Web Sign-in feature and gets enabled during the login process. But since the “globe” icon never appeared, I’ve never actually had the chance to login to the user’s account using web sign-in.
The only options available for login is either with Username/Password or with security key.
Currently we do not have Windows Hello enabled. Although I don’t remember seeing that in the requirements, could it be the missing key to my confusion ?
Thanks!
To be honest, I’ve actually never used it without Windows Hello. It’s, however, never really described as a configuration requirement.
Regards, Peter
Hey Peter!
So after a lot of hair pulling wondering why this wasn’t working, I’m glad to say that I finally found the cause…. Cisco Duo 2FA.
After my last comment, I decided to create an Intune config profile to target my test device to see how Windows Hello works since we will be deploying it at large in the coming months. Once Intune said it was successfully deployed, I checked the laptop to see how the setup process is. It prompted me to set up a PIN and optional fingerprint and face recognition which I did.
And then when I wanted to test out the sign-in process on the Windows login page… nothing. Unfortunately, similar to my Web Sign-in issue, no option to use the PIN nor the biometrics were available. At that point I knew that both situations had to be related so I started scouring all over to see what could be the cause and finally stumbled on a comment that mentioned Duo 2FA.
Didn’t waste a single minute, uninstalled the app and… Voilà! Both Windows Hello sign-in and Web sign-in options were available and functional!
This app was automatically installed on all our devices as we use it for extra MFA for certain users and never really thought that it could be the cause. But for some reason, when Duo is installed, it takes over any other methods of authentication including Windows Hello.
So for anybody in the past, present or future that stumbled across my situation, a 3rd party MFA app can cause issues with Web sign-in and Windows Hello!!
Thanks for your help Peter!
Ah, thank you for the update! I should have asked, as those credential providers are known for making it all about them. But, anyway, great that you figured it out.
Regards, Peter
We’ve been using Web Sign-in for a while but the latest Windows update seems to have broken it and I can’t figure out what it is. We click sign in on the login screen, which should bring up the web page to sign in, but it doesn’t. The computer looks as if it’s loading something (arrow changes to hourglass) but nothing appears. Clicking the sign in button again does nothing; I have to restart the machine to try again.
One thing I have noticed is if I press the sign in button I am then no longer able to sign into the local admin account until I restart the machine. Any ideas what this can be? Possibly a security setting somewhere but I’ve tried excluding a test device from other config profiles.
Hi reler,
So, for my understanding, did this change in behavior come after the latest update or after a configuration change?
Regards, Peter
It was after a Windows Update. Web Sign In still works on our 1to1 devices but shared devices it doesn’t load the web page to login. Very odd!
I did not specifically notice that yet. Are those devices that are configured as shared devices, using the default options?
Regards, Peter
One interesting scenario I have just come across is after upgrading a device enabled for web sign in with Windows 11 24H2 I was then unable to unlock the device. Even trying to log into or unlock the device using a work / school account failed. As I was unable to login to the device the only option was to re-image it and re-enroll it using Autopilot.
Autopilot accepted my work / school account for the initial enrollment however once it had completed the Enrollment Status Page phase, I was presented with the standard Windows login screen with the option to Unlock the PC. Again the login screen would not accept any valid credentials (even the one used during Autopilot).
The only way I fixed this was to remove the device from the Web sign-in group in Entra and then re-image the device.
Thank you for sharing, Andrew! After removing the device from the configuration, were you still able to bring it back again?
Regards, Peter
Just confirmed Windows 11 24H2 breaks Web sign-in: after you click sign in it blanks the screen to just the wallpaper where the web sign-in dialog for TAP normally comes up, and nothing happens.
I downgraded back to Win 11 23H2 and it’s back working like normal.
just something for people to be aware of
Thank you for sharing your experience, Rhys.
Regards, Peter
Thanks for this wasted a bunch of time trying to troubleshoot this and get Web sign-in working under 24H2. Windows 11 24H2 also breaks Windows sign-in using security keys, at least for hybrid joined machines…have an open case with Microsoft on it.
We turned this on for a few users. We told them that internet connection would always be required. They said it was acceptable, but after a couple transatlantic flights without wifi, they are changing their mind. If I remove this policy, it removes the globe option at the login, but password auth still requires an internet connection.
Is there a way to unwire this after it is configured without resetting the device or other nuclear option?
Hi Matt,
Did you also verify that the options are now also the same again in the registry?
Regards, Peter
Hello there!
We recently configured Passwordless for all users, TAP and web sign-in.
Passwordless works flawlessly, so does TAP, but web sign-in for Windows 11 (24H2) is simply broken.
Multiple of us can see the web sign-in icon, but when we click the little globe and hit sign-in it simply loops us back to the start.
Beginning to wonder if this is a 24H2 issue, as some previous comments mentioned that was their issue.
We however don’t get the pop-up at all, just the spinning circle that loads us back to the “sign in” box. We hit sign in, it spins and takes us back.
We want to enroll this for all of our clients but need to figure out what’s going on here.
Any advice/suggestions would help.
I’ll probably try to do an OS downgrade to see if that makes a difference.
Thank you,
Austin
Hi Austin,
I’ve now indeed seen and heard this more (also in the comments on this post). It seems to be Windows 11 24H2 specific. I would suggest contacting Microsoft about it at this point.
Regards, Peter
Someone mentioned the Web Sign-in is fixed in one of the insider builds, and I can confirm that is the case. I loaded one of the insider windows preview build 26100.2161 and the Web Sign In is working again. I suspect Microsoft will release an update to 24H2 and fix a bunch of issues, web sign in being just one of them.
That is good to hear. Thank you for the information, Michael!
Regards, Peter