Windows passwordless experience and Web Sign-in

Today I want to show you the new Windows passwordless experience and the new Web sign-in feature, which came with the latest Windows update for Windows 11 22H2.
The passwordless experience hides the password credential provider on the logon screen, making it easier for the user to select a passwordless logon provider like Windows Hello for Business.
The new Web Sign-in feature is a wonderful addition to the passwordless experience: it not only works as a fallback using a Temporary Access Pass if WHFB is not working, but you can now also use it to log on using Phone Sign-in.

Requirements

  • Windows 11, version 22H2 with KB5030310 or later
  • Must have Internet connectivity, as the authentication is done over the Internet (Web Sign-in)
  • Microsoft Entra joined (Hybrid Join is not supported)
  • Windows Hello for Business credentials enrolled for the user, or a FIDO2 security key (Passwordless experience)

You can find the official docs for these features here:
Web sign-in
Passwordless experience

Intune

We start the configuration in Intune by creating a new Configuration Profile of type Settings Catalog:

Once the basics are done, we enable the following two policies to turn on the Web Sign-in feature and the new passwordless experience:

Additionally, I recommend setting Windows Hello for Business as the default credential provider; otherwise Web Sign-in becomes the default once it is available.

Once the policy is configured, we can assign it to the group of devices for which we want to enable Web Sign-in and the passwordless experience.
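To make the requirements above and the two Intune policies verifiable on an actual client, here is an added PowerShell readiness check; it is example code written for this page, not a script from the original post or from Microsoft. It assumes that MDM-delivered Policy CSP values are mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication (the Policy CSP setting names EnableWebSignIn and EnablePasswordlessExperience are the real ones behind the two Settings Catalog items), that dsregcmd /status prints AzureAdJoined, DomainJoined and NgcSet lines as shown, and that KB5030310 corresponds to OS build 22621.2361 so a higher build or UBR counts as "or later". The ProbeHost parameter and the function name are my own.

```powershell
<#
Added example, not part of the original post: a local readiness check an admin can run
on a Windows 11 client to verify the listed requirements and to confirm that the two
Intune policies (Web Sign-in, passwordless experience) have actually arrived.

Assumptions (not confirmed by the post):
 - Policy CSP values delivered by MDM are mirrored under
   HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication
 - "dsregcmd /status" prints "AzureAdJoined : YES", "DomainJoined : NO" and, in the
   user section, "NgcSet : YES" for a user who has enrolled Windows Hello for Business
 - KB5030310 corresponds to OS build 22621.2361; a higher build/UBR is a later CU
#>

function Test-PasswordlessReadiness {
    [CmdletBinding()]
    param(
        # Endpoint used for the Internet connectivity probe (Web Sign-in authenticates online).
        [string]$ProbeHost = 'login.microsoftonline.com'
    )

    $r = [ordered]@{}

    # --- OS version: Windows 11 22H2 (build 22621) or later, with KB5030310 or later ---
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    $r.OSBuild        = "$build.$ubr"
    $r.Win11_22H2Plus = $build -ge 22621
    $kbInstalled      = [bool](Get-HotFix -Id 'KB5030310' -ErrorAction SilentlyContinue)
    # A later cumulative update supersedes KB5030310, so a newer build/UBR is accepted too.
    $r.KB5030310OrLater = $kbInstalled -or ($build -gt 22621) -or
                          ($build -eq 22621 -and $ubr -ge 2361)

    # --- Join state: Entra joined only (hybrid join is not supported) ---
    $ds = dsregcmd /status
    $r.EntraJoined  = [bool]($ds -match '^\s*AzureAdJoined\s*:\s*YES')
    $r.DomainJoined = [bool]($ds -match '^\s*DomainJoined\s*:\s*YES')
    $r.JoinStateOk  = $r.EntraJoined -and -not $r.DomainJoined

    # --- WHFB enrolled for the current user (required for the password provider to be hidden) ---
    $r.WHFBEnrolled = [bool]($ds -match '^\s*NgcSet\s*:\s*YES')

    # --- Internet reachability for the Web Sign-in flow ---
    $r.InternetOk = Test-NetConnection -ComputerName $ProbeHost -Port 443 `
                        -InformationLevel Quiet -WarningAction SilentlyContinue

    # --- Policy CSP values delivered by the Intune Settings Catalog profile ---
    $polPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
    $pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue
    $r.EnableWebSignIn              = ($pol.EnableWebSignIn -eq 1)
    $r.EnablePasswordlessExperience = ($pol.EnablePasswordlessExperience -eq 1)

    # Overall verdict: every device-side requirement plus both policies present.
    $r.Ready = $r.Win11_22H2Plus -and $r.KB5030310OrLater -and $r.JoinStateOk -and
               $r.InternetOk -and $r.EnableWebSignIn -and $r.EnablePasswordlessExperience

    [pscustomobject]$r
}

# Run the check and print a readable report; every $false row is something to fix
# before expecting Web Sign-in or the passwordless experience to show up at logon.
$report = Test-PasswordlessReadiness
$report | Format-List
if (-not $report.Ready) {
    Write-Warning 'Device is not ready for Web Sign-in / the passwordless experience.'
}
```

Run it in the context of the user whose logon you are troubleshooting, since the NgcSet line comes from the user section of dsregcmd output; if WHFBEnrolled is false the password provider will still be shown for that user, which is exactly the behaviour described in the Passwordless experience section below.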

Passwordless experience

The new passwordless experience hides the password provider from the logon screen for users who are already enrolled in Windows Hello for Business.

You can still access the password provider by selecting Other user in case you need it.

It also limits access to local accounts, such as local Windows LAPS accounts, during UAC prompts.

Web Sign-in

The Web Sign-in feature can be used for many different use cases. One of them is as a fallback if Windows Hello for Business is not working for some reason. Another useful use case is the first logon to a new device. If a Temporary Access Pass is available for your account, you will be asked for it:

Even if you don't have a TAP available, you can still log on without a password if, for example, you have Phone Sign-in enabled in your Authenticator app:

Once you are logged in, you can set up Windows Hello for Business if you wish, or simply start working as usual. Web Sign-in supports Kerberos Cloud Trust, so access to on-premises resources via Kerberos works just fine.

Conclusion

For me, the new passwordless experience can be really helpful on the journey to passwordless, since it lets us steer our users toward passwordless authentication methods without the risk of breaking something, because you can still use your password in emergencies.
The new Web Sign-in feature is in my opinion a real game changer, since it not only allows the use of a Temporary Access Pass as an emergency logon method, but also allows, for example, Phone Sign-in as a logon method, which is really cool. Together with the support for Cloud Trust, this makes it a really helpful feature for shared devices, where Windows Hello for Business and FIDO2 are not an option.


Comments

5 responses to “Windows passwordless experience and Web Sign-in”

  1. Daniel M

    How could we go from this, to the user using the signed-in Windows to read Outlook on their phone? Preferably without the Authenticator app.

    We want to:

    1) Not rely on Yubikeys, use the W11 machine’s TPM as a “security hub”
    2) Not install apps on a user’s phone where possible
    3) Only use phish-resistant MFA

    1. Hi, to be honest, I have no idea, we only use Company owned phones and deployed the Authenticator App. We use Phone Sign-in for passwordless scenarios with the Authenticator App, besides using Windows Hello for Business for personalized Clients and Fido2 Keys for our Frontline workers that are using shared devices. I'm not aware of a real way to use the TPM of a Windows Device for an Authentication on a mobile phone. Sorry.

  2. […] Windows passwordless experience and Web Sign-in. Learn more […]

  3. […] Windows passwordless experience and Web Sign-in […]

  4. […] Of course the new 23H2 update also contains all features that were introduced in the last continuous innovation “moment” update like the new passwordless experience, that I tested here: Passwordless Experience […]
