56 thoughts on “Enabling web sign-in to Windows for usage with Temporary Access Pass”

  1. Is there a way to make password sign-in the default while having the web sign-in as an available option? In my testing, enabling web sign-in makes it the default. If you check the registry, password sign-in is still the default, but that is not the experience for the user. This may be a Windows 10 glitch. What is your experience with this?

    • Hi George,
      I’m at least not seeing that behavior with newly deployed devices. I do know that there is a GPO setting (Assign a default credential provider) that could be used to set a default credential provider.
      Regards, Peter

  2. Is there a way to use this now? If we configure this, we always must log on with Temporary Access Pass, otherwise the logon fails. In our scenario we want to use this with MFA (push notification or SMS). That’s not possible any longer? Users will get: Access Pass must be used for Web Sign In. Contact your admin to get an Access Pass.

  3. Hi! Encountered this: AADSTS130506: Access Pass must be used for web sign in. Contact your admin to get an access pass. I have been using web sign-in as an option for a while now, and all of a sudden, when trying to log in with web sign-in, we get this error forcing TAP for web sign-in. No clue as to why.

  4. Hi Peter,

    I’m hoping you can help me / point me in the right direction.

    We were previously using Web Sign-In exclusively with passwordless for PCs in meeting rooms and other shared PCs.

    With recent changes, Web Sign In has stopped working with Passwordless and now only works with Temporary Access Pass.

    This has broken ALL shared Win10 PCs across our entire client base, requiring an urgent change of direction.

    If we are in a true passwordless environment, how should we be targeting user authentication on shared Windows 10 devices that are used infrequently by users?

    We’re in a sticky situation with this and are currently issuing TAPs to all users until we identify and implement the solution.

    Any help would be greatly appreciated.

    Cheers
    David

  5. Hello,

    Thanks for this explanation of TAP. I tried to use it in an Autopilot/Intune scenario, but it doesn’t work.

    It works after enrollment and Intune deployment, but not right after the Autopilot configuration.

    I’m on the login password text box and I don’t have the “sign-in options”, even with a bad password.
    If I log in, the Intune deployment continues; if I lock the session, I have the sign-in options directly.

    I’m on Win10 20H2.
    No MFA on my user.

  6. Peter,
    I’ve tried setting it up, but I’m running into a problem when enrolling a new device.
    The first time logon screen works fine and asks for the TAP.
    The second time however we need to use the web sign-in function.
    The policy itself works fine, but new devices don’t receive the policy before the second login.
    Did you run into this issue and if so, how did you fix it?

    Thanks in advance

  7. Hi Peter:

    Thank you for this article. It has been very helpful.

    We are able to use TAP using web sign-in after initial onboarding using Autopilot. However, the option to use TAP and the web sign-in logo do not appear as part of Autopilot.

    We are able to login using Security Key as part of the Autopilot.

    Is TAP supposed to work with Autopilot? We appreciate your help and expert guidance.

      • Hi Peter:

        We have enabled TAP for all users. Here is what we are seeing.

        – TAP works for web app sign in
        – TAP works **AFTER** logging into Windows device for the first time.
        – TAP does NOT work while trying to log in to the device for the first time.

        The only option we see is Security Key (which works) and Password based authentication. If it helps we are also using third party IdP with Azure AD tenant in a federated mode.

        Regards,

        Ashwin

        • Hi Ashwin,
          I don’t have recent experience with that combination. What I can do is run some tests after my vacation, to see what the current behavior is in an (Azure) AD only environment. Even in that scenario, the behavior has been on and off.
          Regards, Peter

  8. We have been testing this for a few months now, until today …… a number of Users on different computers all of a sudden are unable to sign-in with a “New User” login and no option to do anything on device. The username behind this display name is DefaultUser100000. Only fix is to shutdown and turn on again a number of times before getting option for “Other User” then signing in.
    I have seen a few reports that this is due to the Web Sign-in, but wanted to get others feedback on this.

  9. Does this work at all for hybrid joined devices? Our IAM team would love to move to passwordless in general, but being able to log onto a device in the first place to configure your MFA/Windows Hello/FIDO2 key is a bit of a blocker, especially as we require you to set those up from a company device behind Conditional Access rules.
    Thank You

  10. Hi,

    Trying to use TAP during the device enrollment to Intune (AAD only) without providing the password to the users.
    During the first sign-in screen it allows me to enter TAP (so far so good). On the following sign-in, only the password and smart card options are provided as sign-in methods.

    As a workaround I have enabled web sign-in, but I still don’t get the web sign-in option on the second sign-in during the device enrollment. Once the device is enrolled, web sign-in is available.

    Any help would be appreciated!

    /BR

  11. This is cool, but has some weird behaviour.

    Login fails, because it’s asking for TAP… which I didn’t set up. But I have passwordless phone sign-in, and the Authenticator app rings the bells and whistles asking me to input the code on screen. But there is no code on screen… only an error asking for TAP after inputting my UPN.

    (Client is Windows 11)

  12. Hi Peter. I hope all is well in your world!

    I’m running into an unusual problem with web sign-in that I’m hoping you can assist with. We’re using TAP as a method to set up machines for users before putting them in their hands.
    On Windows 11 when we manually set the registry value to enable web sign-in, the options appear on the login screen as expected.
    On Windows 10, even with the registry value in place, we’re not seeing the web sign-in option at the login screen.
    Shame on us but we ran into this issue a few months ago but it apparently wasn’t documented, so I don’t recall exactly what we did. But, it had something to do with Windows Hello for Business, like enabling it for the user and setting up a PIN.

    Are you aware of any prerequisites that would prevent the web sign-in option from appearing on Windows 10, even though the registry value is in place?

    Any help is greatly appreciated!

  13. I tried pushing this to 3 different computers and while I can go into Azure to create a PIN for a user, I never get the globe icon in my Sign-in options. I even tried to do this all through OMA-URI Settings in Intune:
    ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn = 1 (Integer)
    ./Device/Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName = my domain name (String)
    I can’t for the life of me figure out how to get the web icon to pop up to even test if the sign in code works.

  14. Could Web Sign-In/TAP be an option for administrators to “Run as Administrator” during a remote session on a device which has the password credential provider disabled?

  15. Hi,

    For all IT Engineers out there who are trying to enable WebSignIn, you can do this without Intune.

    We are on a project where we are trying to enroll AAD Devices with a Temporary Access Pass, which means we no longer need to rely on the user’s password. You can enroll the Device to AAD with a TAP password, but to enroll the device in Intune, you need to sign in to the user’s profile. TAP only works if WebSignIn is enabled. To enable WebSignIn without the need for Intune (Setting Catalog or OMA-URI won’t work as the device is not yet in Intune 🙂 ) you can follow the steps below:

    While you are still signed in as the local admin, you need to add the below Key on the Registry to enable WebSignIn:

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\

    You need to add a new key: Authentication
    and inside the Key you need to add DWORD – EnableWebSignIn with the value 1. This will enable WebSign In.

    Enjoy 🙂

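As an added example (not the commenter’s script and not a Microsoft-provided tool), a PowerShell script that applies the registry change described above from an elevated prompt, reads the value back instead of assuming the write worked, and reports the device join state, since a later comment observes that hybrid-joined devices do not show the option. The tenant domain is a placeholder, and writing PreferredAadTenantDomainName (the OMA-URI value an earlier comment mentions) as a String under the same key is an assumption.

```powershell
# Added example: enable web sign-in via the PolicyManager path from the comment above.
# Run from an elevated PowerShell on the device that is still signed in as local admin.
$KeyPath      = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
$TenantDomain = 'contoso.example'   # placeholder, set to your tenant domain or '' to skip

function Enable-WebSignIn {
    param([string]$TenantDomain)

    # Create the Authentication key if it does not exist yet
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }

    # DWORD EnableWebSignIn = 1 turns on the web sign-in credential provider
    New-ItemProperty -Path $KeyPath -Name 'EnableWebSignIn' -PropertyType DWord -Value 1 -Force | Out-Null

    # Assumption: the OMA-URI PreferredAadTenantDomainName maps to a String value here
    if ($TenantDomain) {
        New-ItemProperty -Path $KeyPath -Name 'PreferredAadTenantDomainName' -PropertyType String -Value $TenantDomain -Force | Out-Null
    }
}

function Test-WebSignInConfig {
    # Read the value back so a failed or policy-overwritten write is caught immediately
    $value = (Get-ItemProperty -Path $KeyPath -Name 'EnableWebSignIn' -ErrorAction Stop).EnableWebSignIn
    if ($value -ne 1) { throw "EnableWebSignIn is '$value', expected 1" }
    Write-Output "EnableWebSignIn = $value at $KeyPath"
}

function Get-JoinState {
    # dsregcmd /status prints 'AzureAdJoined : YES|NO' and 'DomainJoined : YES|NO';
    # both YES means hybrid joined, where the option has been reported not to appear
    $status = dsregcmd /status
    $aad    = ($status | Select-String '^\s*AzureAdJoined\s*:\s*(\w+)').Matches[0].Groups[1].Value
    $domain = ($status | Select-String '^\s*DomainJoined\s*:\s*(\w+)').Matches[0].Groups[1].Value
    if ($aad -eq 'YES' -and $domain -eq 'YES') {
        Write-Warning 'Device is hybrid joined; web sign-in may not be offered at the lock screen.'
    }
    [pscustomobject]@{ AzureAdJoined = $aad; DomainJoined = $domain }
}

Enable-WebSignIn -TenantDomain $TenantDomain
Test-WebSignInConfig
Get-JoinState
```

A sign-out or reboot is needed before the credential provider appears on the lock screen; Intune can later overwrite this key with its own policy value.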
  16. I have defined this within Intune for some testing purposes. I have validated that these registry settings are indeed being set, yet I do not have the Web Sign In icon available at the desktop login prompt. It refuses to show.

      • So I believe I have determined the issue. I have two testing laptops – one that was provisioned with Windows 11 23H2 and was an existing laptop on my Active Directory domain. It is showing as Microsoft Entra Hybrid Joined. The other is also Windows 11 23H2 and was provisioned using Autopilot – it was not on the domain and is now showing as Microsoft Entra Registered.

        The laptop that is Entra Hybrid joined does not show the Web Sign in component. The one that is Entra Registered is showing the component and TAP works as expected.

        So, the issue appears to be with hybrid joined devices.

  17. This doesn’t work for me randomly, it sometimes does but mostly it doesn’t and it throws this event when trying to use the web sign in (and just goes back to the login screen):

    Security-Kerberos Error 11 “The Distinguished Name in the subject field of your smart card logon certificate does not contain enough information to identify the appropriate domain or a non-domain joined computer”

    Any ideas? I am wondering if OpenIntuneBaselines has something that is blocking it, but I haven’t found anything; I went through it line by line.
