Today I want to show you the new Windows passwordless experience and the new Web sign-in feature, which came with the latest Windows update for Windows 11 22H2.
The passwordless experience hides the password credential provider on the logon screen, making it easier for the user to select a passwordless logon provider such as Windows Hello for Business.
The new Web sign-in feature is a wonderful addition to the passwordless experience: it not only works as a fallback using a Temporary Access Pass (TAP) if Windows Hello for Business is not working, but you can now also use it to log on using Phone Sign-in. The prerequisites are the following:
- Windows 11, version 22H2 with KB5030310 or later
- Internet connectivity, as the authentication is done over the Internet (Web sign-in)
- Microsoft Entra joined (hybrid join is not supported)
- Windows Hello for Business credentials enrolled for the user, or a FIDO2 security key (passwordless experience)
We will start the configuration in Intune by creating a new Configuration Profile of type Settings Catalog:
Once the basics are done, we can enable the following two policies to turn on the Web sign-in feature and the new passwordless experience:
Additionally, I would recommend setting Windows Hello for Business as the default credential provider; otherwise Web sign-in becomes the default as soon as it is available.
Once we have configured the policy, we can assign it to the group of devices for which we want to enable Web sign-in and the passwordless experience.
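To confirm that a device actually meets the prerequisites listed above and that the two policies have arrived after the profile is assigned, the following read-only check can be run on the client as the signed-in user. This is an added example, not a script from the original post or from Microsoft. It assumes that the Intune-delivered Authentication CSP policies surface under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication, that KB5030310 corresponds to OS build 22621.2361 or later, and it reads the join and Windows Hello state from the output of dsregcmd /status.

```powershell
# Added example: read-only readiness check for Web sign-in and the passwordless experience.
# Not part of the original post. Run on the Windows 11 client as the signed-in user
# (dsregcmd /status reports the user-state section for the calling user; no elevation needed).
function Test-PasswordlessReadiness {
    [CmdletBinding()]
    param(
        # Assumption: KB5030310 ships as build 22621.2361; adjust if your reference differs.
        [int]$MinBuild = 22621,
        [int]$MinUbr   = 2361
    )

    $results = [ordered]@{}

    # 1. OS build: Windows 11 22H2 with the cumulative update that ships the feature.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    $results['OS build'] = "$build.$ubr"
    $results['Build OK'] = ($build -gt $MinBuild) -or ($build -eq $MinBuild -and $ubr -ge $MinUbr)

    # 2. Join state: Entra joined and NOT domain joined (hybrid join is unsupported).
    $ds = dsregcmd /status
    $entraJoined  = [bool]($ds -match 'AzureAdJoined\s*:\s*YES')
    $domainJoined = [bool]($ds -match 'DomainJoined\s*:\s*YES')
    $results['Entra joined']            = $entraJoined
    $results['Hybrid join (unsupported)'] = $entraJoined -and $domainJoined

    # 3. Windows Hello for Business key present for this user (NgcSet in the user state).
    $results['WHfB enrolled (NgcSet)'] = [bool]($ds -match 'NgcSet\s*:\s*YES')

    # 4. Internet reachability of the Entra sign-in endpoint that Web sign-in talks to.
    $results['Internet (login.microsoftonline.com:443)'] =
        Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 -InformationLevel Quiet

    # 5. Policy state written by the Authentication CSP (assumed registry location; 1 = enabled).
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
    foreach ($name in 'EnablePasswordlessExperience', 'EnableWebSignIn') {
        $value = (Get-ItemProperty -Path $policyPath -Name $name -ErrorAction SilentlyContinue).$name
        $results[$name] = if ($null -eq $value) { 'not configured' } else { $value }
    }

    [pscustomobject]$results
}

Test-PasswordlessReadiness | Format-List
```

A device is ready when Build OK, Entra joined, WHfB enrolled and the Internet check are all True, Hybrid join is False, and both policies read 1. If the policies still show "not configured" after assignment, trigger a sync from Settings > Accounts > Access work or school before troubleshooting further.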
The new passwordless experience hides the password provider from the logon screen for users who are already enrolled in Windows Hello for Business.
You can still reach the password provider by selecting Other user, in case you need it.
It also restricts the use of local accounts, such as the local administrator account managed by Windows LAPS, in UAC prompts.
The Web sign-in feature can be used for many different use cases. One of them is as a fallback if Windows Hello for Business is not working for some reason. Another useful use case is the first logon to a new device. If you have a Temporary Access Pass available for your account, you will be asked for it:
Even if you don't have a TAP available, you can still log on without a password if you have, for example, Phone Sign-in enabled in your Authenticator app:
Once you are logged in, you can set up Windows Hello for Business if you wish, or simply start working as usual. Web sign-in supports Kerberos Cloud Trust, so access to on-premises resources via Kerberos works just fine.
For me, the new passwordless experience can be really helpful on the journey to passwordless: it allows us to point our users towards passwordless authentication methods without the risk of breaking something, since the password can still be used in emergencies.
The new Web sign-in feature is in my opinion a real game changer, since it not only allows the use of a Temporary Access Pass as an emergency logon method, but now also allows, for example, Phone Sign-in as a logon method, which is really cool. Additionally, the support for Cloud Trust makes it a really helpful feature for shared devices, where Windows Hello for Business and FIDO2 are not an option.