This week is basically a follow-up on a few blog posts of about two years ago. Those posts were focused on requiring the use of Windows Hello for Business and on removing the ability to use a password for signing into Windows. Both are acceptable starts in the passwordless journey and acceptable methods for requiring the strength of Windows Hello for Business as a sign-in method. However, both methods are not that easy to configure and come with some side-effects. The most problematic side-effect is that they also impact the sign-in capabilities of other apps and services that rely on the same credential providers. To address that, and to further simplify the passwordless journey on Windows devices, Microsoft introduced a new configuration option. That configuration option enables organizations to hide the password sign-in option from the Windows logon screen (and more). This post provides some more details around that configuration, followed by the configuration steps. This post ends with showing the user experience.
Important: At the moment of writing, this functionality is only available in Windows 11 Insider Preview builds.
Note: For a lot more information around the passwordless journey, have a look at this series by Pim Jacobs.
Configuring the Enable Passwordless Experience policy setting
When looking at providing a passwordless experience, Microsoft introduced a new policy setting with Windows 11 Insider Preview Build 22621.2129. That new policy setting is the Enable Passwordless Experience policy setting, which is part of the Authentication node in the Policy CSP. It provides organizations with the ability to remove the password requirement from the core authentication scenarios on Azure AD joined devices. That basically means that it creates an experience for the user that simply hides the password option from the Windows logon screen. Besides that, it also hides that option for other in-session authentication scenarios, like password managers in a web browser, “Run as admin” and User Account Control. For recovery, the user can still rely on mechanisms like PIN reset or web sign-in. Having those mechanisms in place is strongly advised, for the best user experience with this configuration.
The configuration of this policy setting is actually pretty straightforward, as the setting is already available within the Settings Catalog. The following eight steps walk through the creation of a Settings Catalog profile that contains the required setting to configure the passwordless experience.
- Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
- On the Windows | Configuration profiles blade, click Create profile
- On the Create a profile blade, provide the following information and click Create
  - Platform: Select Windows 10 and later to create a profile for Windows 10 and Windows 11 devices
  - Profile: Select Settings catalog to select the required setting from the catalog
- On the Basics page, provide the following information and click Next
  - Name: Provide a name for the profile to distinguish it from other similar profiles
  - Description: (Optional) Provide a description for the profile to further differentiate profiles
  - Platform: (Greyed out) Windows 10 and later
- On the Configuration settings page, as shown below in Figure 1, perform the following actions
  - Click Add settings and perform the following in Settings picker
    - Select Authentication as category
    - Select Enable Passwordless Experience as setting
  - Select Enabled with Enable Passwordless Experience and click Next
- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the assignment and click Next
- On the Review + create page, verify the configuration and click Create
Note: The OMA-URI for this setting is ./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience.
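To verify on a device that the profile above actually landed, the following added PowerShell check (example code, not part of the original post) reads the OS build and the applied policy value. It assumes that the Policy CSP value is mirrored under the usual PolicyManager registry path for the Authentication area, and uses build 22621.2129 from this post as the minimum supported build; run it from an elevated prompt.

```powershell
# Added example: confirm that Enable Passwordless Experience has been applied to this device.
# Assumption: the Policy CSP node ./Device/Vendor/MSFT/Policy/Config/Authentication is mirrored
# under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication (usual Policy CSP layout).
function Test-PasswordlessExperience {
    [CmdletBinding()]
    param(
        # Minimum Windows 11 Insider Preview build mentioned in the post (22621.2129)
        [int]$MinBuild = 22621,
        [int]$MinUbr   = 2129,
        # Assumed registry mirror of the Authentication policy area
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
    )

    # 1. OS build check: CurrentBuildNumber is the major build, UBR the update revision
    $ver     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [int]$ver.CurrentBuildNumber
    $ubr     = [int]$ver.UBR
    $buildOk = ($build -gt $MinBuild) -or ($build -eq $MinBuild -and $ubr -ge $MinUbr)

    # 2. Policy check: 1 = Enabled, 0 = Disabled, missing = policy never reached the device
    $value = $null
    if (Test-Path $PolicyKey) {
        $value = (Get-ItemProperty $PolicyKey -ErrorAction SilentlyContinue).EnablePasswordlessExperience
    }

    if (-not $buildOk)        { $status = 'OS build too old for this policy setting' }
    elseif ($null -eq $value) { $status = 'Policy not applied (check assignment and force a sync)' }
    elseif ($value -eq 1)     { $status = 'Passwordless experience enabled' }
    else                      { $status = 'Policy present but set to Disabled' }

    [pscustomobject]@{
        OSBuild        = "$build.$ubr"
        BuildSupported = $buildOk
        PolicyValue    = $value
        PolicyEnabled  = ($value -eq 1)
        Status         = $status
    }
}

Test-PasswordlessExperience | Format-List
```

A result of "Passwordless experience enabled" only confirms the policy is in place; as described later in this post, the “Other user” and “Run as a different user” paths still accept a password.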
Experiencing the new Windows sign-in options
After the configuration is applied, it’s really easy to experience the behavior as a standard user. When the user gets to the Windows logon screen, the user will immediately notice that the password sign-in option is missing from the logon screen (as shown below in Figure 2). That automatically moves the user away from using a password to sign into Windows. And not just from the logon screen, but also from in-session authentication scenarios. So, there is no longer a password option available with actions like “Run as admin” or User Account Control.
Besides that, as this doesn’t completely remove the credential provider, there are still ways to use a password as an alternative. The most obvious way is by using the “Other user” option on the Windows logon screen (as shown below in Figure 3). That will still allow the user to rely on the username and password. Another option is using “Run as a different user”. That will also still allow the usage of a username and password.
For more information about enabling the passwordless experience, refer to the following docs.