Let’s discuss Enforce Windows Credential UI for Edge and Negotiate Challenges using Intune. Windows Hello For HTTP Auth Policy in Intune helps you to controls how Windows responds to NTLM and Negotiate authentication challenges.
As you know that, NTLM stands for (NT LAN Manager) is a legacy authentication protocol used for Windows devices. NTLM protocol works as a challenge-response mechanism where the server sends a challenge, and the client responds with a hashed version of the password.
As a admin you can implement Windows Hello For HTTP Auth Policy you can enable Windows Hello as an authentication method when Microsoft Edge encounters HTTP authentication challenges. Windows Hello for Business helps to get seamless integration across browser and OS.
By Implementing Windows Hello as an authentication methods, admins, users and organizations get many benefits. Admins can ensure that all users get seamless authentication experience on all the devices and can avoid cyberattacks. Users will get no passwordless experience and logins will be faster and Easier.
Table of Contents
Enforce Windows Credential UI for Edge and Negotiate Challenges using Intune
By implementing this policy in your organization, security can be improved, organizational data can be protected and avoid threats like phishing, credential stuffing, and brute-force attacks. This reduces the risk of data breaches, financial loss, and reputational damage.
| Benefis for users | Benefis for Admins | Benefits for Organization |
|---|---|---|
| Get Stronger Personal security | Reduced Attack Surface | Improved cost savings |
| No need to remember complex passwords | Reduced Help Desk Tickets | Increased productivity |
- Allow Basic Authentication for HTTP Using Setting Catalog in Intune
- Enable Disable Secure DNS over HTTPS in Microsoft Edge
- Policy to Turn Off Downloading of Print Drivers Over HTTP using Intune
How to Configure Windows Hello For HTTP Auth Policy
Microsoft Intune Settings Catalog, allows you to configure the policy quickly. To start policy creation you have to sign in Microsoft Intune Admin center. Then Go to Devices > Windows >Configuration > Create > New Policy.
Policy Profile Creation
Profile creation is a necessary step in Intune policy creation. To create a profile, you have to select platform and profile type. Here I selected Windows 10 and later as the Platform and Settings catalog as the profile type. Then click on the Create button.
How to Add Name for the Policy
Basic Tab helps you to add appropriate Name for the settings you have to select for policy creation. You can also add description for the settings to know more about the policy. The Name is mandatory and description is optional. Click on the Next button to continue.
Select the Settings
With Configuration Settings tab, you can select specific settings. To select a setting, click on the +Add settings hyperlink. Then you will get Settings Picker. After clicking on the +Add settings, you will get the Settings Picker.
Here I would like to select the settings by browsing by Category. I choose Microsoft Edge – Default settings (Users can override) and Choose HTTP Authentication category. From this sub category I choose Windows Hello For HTTP Auth Enabled settings.
Disable Windows Hello For HTTP Auth Policy
The default value is disable. If you disable this policy, Windows will fall back to a basic username and password prompt. This is less secure and doesn’t support modern authentication methods. If you like to go with these value, click on the Next button.
Enable Windows Hello For HTTP Auth Policy
If you enable this policy, Windows Credential UI will be used. This UI can support advanced authentication methods like Windows Hello (e.g., fingerprint, face recognition, PIN). Here I would like to enable this policy.
Scope Tags
By using scope tags, you can restrict the visibility of the Preload of the New Tab Page in MS Edge. It is helps to organise resources as well. Here I would like to skip this section, because it is not mandatory. Click on the Next button.
Assign this Policy to Specific Groups
To assign the policy to specific groups, you can use the Assignment Tab. Here I click, +Add groups option under Included groups. I choose a group from the list of groups and click on the Select button. Again, I click on the Select button to continue.
Last Step of Policy Creation
To complete the policy creation you can review all the policy details on the Review + create tab. It helps to avoid mistakes and successfully configure the policy. After verifying all the details, click on the Create Button. After creating the policy you will get success message.
Device Checking Status
To quickly configure the policy and take advantage of the policy sync the assigned device on Company Portal. Open the Intune Portal. Go to Devices > Configuration > Search for the Policy. Here, the policy shows as succeeded.
Client Side Verification with Event Viewer
If you get success message, that doesn’t means you will get the policy advanatges. To varify the policy successfully configured to client device check the Event Viwer.
- Open Event Viewer: Go to Start > Event Viewer.
- Navigate to Logs: In the left pane, go to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
- Filter for Event ID 814: This will help you quickly find the relevant logs.
| Event ID Details |
|---|
| MDM PolicyManager: Set policy string, Policy: (WindowsHelloForHTTPAuthEnabled_recommended), Area: (microsoft_edgev90 ~Policy~microsoft_edge_recommended~HTTPAuthentication_recommended), EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0). |
Removing the Assigned Group from Windows Hello For HTTP Auth Settings
If you want to remove the Assigned group from the policy, it is possible from the Intune Portal. To do this, open the Policy on Intune Portal and edit the Assignments tab and the Remove the Policy.
To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.
How to Delete Windows Hello For HTTP Auth Settings
You can easily delete the Policy from the Intune Portal From the Configuration section you can delete the policy. It will completely remove from the client devices.
For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.