The Best Method to Enable Windows Passwordless Experience using Intune

In this article, I will explain the Best Method to Enable a Windows Passwordless Experience with Microsoft Intune. The near future is passwordless. Microsoft is expanding its passwordless experience for Windows, particularly for devices joined to Microsoft Entra ID.

This new feature, got introduced with the September 2023 update to Windows 11 (version 22H2), allows organizations to enable passwordless authentication methods like Windows Hello for Business and FIDO2 security keys. These methods are designed to be phish-resistant and more secure than traditional passwords.

Once the passwordless experience is enabled, users no longer need to enter a password to sign in, whether for in-session authentication, User Account Control (UAC), or the “Run as” administrator feature. Additionally, options to change passwords are removed from settings, though users can still manage their accounts using the “Ctrl + Alt + Del” method.

Once the policy is configured, passwords are eliminated from the user interface for both device sign-in and in-session auth scenarios, such as “Run as” admin scenarios, password managers in web browsers, and User Account Control (UAC). Instead of using a password for login, users will need to utilize Windows Hello.

Patch My PC
[sibwp_form id=2]
The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 1
The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 1

Enable Windows Passwordless Experience Microsoft Recommendations

Before enabling Windows passwordless experience, take into consideration the following list of Microsoft recommendations.

Details
Configure the PIN reset feature so users can reset their PIN from the lock screen if Windows Hello for Business is enabled. With KB5030310, the PIN reset process is enhanced in Windows 11, version 22H2.
Don’t set up the security rules. Interactive sign-in: Don’t show the most recent sign-in as this interferes with the Windows passwordless experience.
Do not disable the password credential provider by using the Exclude credential providers policy. The following are the main distinctions between the two policies.
All accounts, including local accounts, have their passwords disabled by the Exclude credential providers policy. Only Microsoft Entra accounts that log in using Windows Hello or a FIDO2 security key are eligible for the Windows passwordless experience. Additionally, it removes Other User from the policy, giving users an additional way to log in.
The RDP and Run authentication scenarios are prohibited from using passwords due to the Exclude Credential Providers policy.
Consider enabling the local administrator account or creating a new one and using the Windows Local Administrator Password Solution (LAPS) to randomly generate its password in order to streamline helpdesk support operations.
The Best Method to Enable Windows Passwordless Experience with Intune. Table. 1

Create Enable Windows Passwordless Experience Configuration Policy in Intune

Users can rely on PIN reset or web sign-in options if passwordless methods fail. This update is part of Microsoft’s ongoing effort to enhance security by reducing reliance on passwords and encouraging organizations to adopt more secure and modern authentication methods.

Users can use recovery tools like Web sign-in and PIN resets to retrieve their login credentials, avoiding contacting the IT help desk if they cannot sign in.

Follow the steps below to create an Enable Windows Passwordless Experience configuration policy with Microsoft Intune. Log in to the Microsoft Intune Admin Center using your Intune administrator credentials.

Adaptiva
  • Navigate to Devices  Windows > Configuration
  • Click on +Create +New Policy
The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 2
The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 2

In the next step, we can create a new Configuration Profile from scratch. First, we need to provide the options mentioned below.

The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 3
The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 3

On the Basics details page, we can name the configuration profile “Enable Windows Passwordless Experience”, briefly describe the policy’s use and click Next.

The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 4
The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 4

We can now add the required settings to the Configuration Settings pane. To do so, click +Add settings in the bottom left corner of the page.

The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 5
The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 5

Search for “Enable Passwordless Experience” as a keyword. This will help you find the correct policy based on our current needs. Now you can see the browse by category found as Authentication. Click that to find “Enable Passwordless Experience” Select the check option and close the Settings picker pane.

Note! Specifies whether connected users on AADJ devices receive a Passwordless experience on Windows. The feature defaults to the existing edition and device capabilities, Enabled. The Passwordless experience will be enabled on Windows and Disabled. The Passwordless experience will not be enabled on Windows.

The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 6
The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 6

On the next page, in the Enable Passwordless Experience drop-down menu, select Enabled. The Passwordless experience will be enabled on the Windows option, and click Next.

The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 7
The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 7

On the next page, Leave the Scope tags as Default. If you have any custom scope tags available, you can also select them for this policy assignment.

The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 8
The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 8

Click on Next and assign the configuration profile to HTMD – Test Computers. Then click Add Groups and select the required device group using the Included Groups option.

The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 9
The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 9

On the Review + Create page, carefully review all the settings you’ve defined for the “Enable Windows Passwordless Experience” configuration. Once you’ve confirmed everything is correct, select Create to deploy the Configuration Policy.

The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 10
The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 10

Monitor the Enable Windows Passwordless Experience Policy Deployment

This configuration policy has been deployed to the Microsoft Entra ID group (HTMD – Test Computers). Once the device is synced, the profile will take effect immediately. To monitor the profile deployment status from the Intune Portal, follow the steps below.

  • Navigate to Devices > Windows > Configuration > Search for the “Enable Passwordless Experience” configuration.
  • Under the Device and user check-in status, you can see the policy’s deployment status.
The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 11
The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 11

End User Experience – Enable Windows Passwordless Experience Policy

Now we have to check whether the Enable Windows Passwordless Experience worked. To check the same. Log in to one of the policy-targeted devices.

  • Click on Start > Settings > Accounts > Sign-in options

All allowed Sign-in options except the Password and Picture password are available on the device. So we can conclude our policy is working perfectly fine!

The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 12
The Best Method to Enable Windows Passwordless Experience with Intune. Fig. 12

Author

Vaishnav K has over 11 years of experience in SCCM, Device Management, and Automation Solutions. He writes and imparts knowledge about Microsoft Intune, Azure, PowerShell scripting, and automation. Check out his profile on LinkedIn.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.