Let’s discuss how to Enable or Disable the Web Sign-in Policy for Windows using Intune. Microsoft provides different policies in the Intune portal to securely manage users' access to devices and resources in an organization. To configure policies, you can use the Settings Catalog.
Today we are going to explore a policy related to authentication. This policy is applicable to Windows devices. Here I am going to configure the Web Sign-in policy, which specifies whether web-based sign-in is allowed for signing in to Windows.
Web sign-in is a credential provider that enables a web-based sign-in experience on Windows devices. The Web Sign-in policy helps to enable passwordless authentication for Windows devices using web-based credentials. This policy provides a streamlined authentication process in your organization.
This policy supports authentication methods like Temporary Access Pass (TAP), Microsoft Authenticator, and federated identity providers. In this blog post, I will help you to Enable or Disable the Web Sign-in Policy using Intune.
In Which Windows Version Was the Web Sign-in Policy Introduced?
Initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only, Web sign-in expanded its capabilities starting in Windows 11, version 22H2, with KB5030310.
Enable or Disable Web Sign-in Policy for Windows using Intune
By configuring this policy, organisations can enhance security, streamline authentication processes, and support modern identity management solutions. Web Sign-in is particularly useful for scenarios like shared devices, temporary access, and passwordless authentication strategies.
- Enable Fast First Sign In Policy under Authentication in Intune Settings Catalog
- Passwordless Authentication Now Users Can Sign-In With A TAP
- Enable Windows Hello for Business and Remove Password Login on Windows 11 v22H2
CSP Details of Web Sign-in Policy
The Web Sign-in policy unlocks new sign-in options and capabilities. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in are expanded. For example, you can sign in with the Microsoft Authenticator app or with a SAML-P federated identity. This policy is applicable to editions like Pro, Enterprise, Education, and IoT Enterprise / IoT Enterprise LTSC.
Description Framework Properties
The table below shows the technical attributes and behaviour of the Web Sign-in policy. It includes Property Name and Property Value.
Property Name | Property Value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed Values
These values help organisations determine which value is suitable for each device. You can refer to the following table to understand the values.
Value | Name |
---|---|
0 (Default) | The feature defaults to the existing SKU and device capabilities. |
1 | Enabled. Web Sign-in will be enabled for signing in to Windows. |
2 | Disabled. Web Sign-in won’t be enabled for signing in to Windows. |
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn
Steps to Configure Web Sign-in
You can start creating the Web Sign-in policy in Intune. Using simple steps, you can easily complete the policy creation. Open the Intune admin center. Go to Devices > Configuration > Policies > + Create > + New policy.
Next, you will get a profile window to select the platform and profile type. Select the platform first, then the profile type. Select Windows 10 and later as the platform, and select Settings catalog as the profile type. Click on the Create button.
Basic Tab
The Basics tab is the starting step of policy creation. On this tab, you have to give a name for the policy that you want to create. The name field is mandatory; without a name, you can’t create a policy. You can also add a description, which is not compulsory. Click on the Next button.
Configuration Settings
The Configuration settings tab allows you to select specific policy settings to manage your organisation’s devices. On this page, click on the + Add settings hyperlink. You will then get a settings picker that shows different categories from which to select specific settings. Here, I choose the Authentication category and select the Enable Web Sign In setting.
Choose Default Value
After selecting the setting, you can close the settings picker page. On the configuration settings page, you can see the selected setting. By default, the Web Sign-in policy applies according to the existing SKU and device capabilities. If you want to configure the Web Sign-in policy with the default value, click on the Next button.
Enable Web Sign-in
You can enable the Web Sign-in policy for signing in to Windows. By enabling this policy, users can sign in without traditional passwords, reducing the risk of credential theft.
- To enable this policy, choose "Enabled. Web Sign-in will be enabled for signing in to Windows."
- Click on the Next button
Disable Web Sign-in Policy
By disabling this policy, admins can ensure that unauthorised access is minimized. Disabling it prevents web-based authentication methods, reducing exposure to potential phishing attacks.
- To disable this policy, choose "Disabled. Web Sign-in won’t be enabled for signing in to Windows."
- Click on the Next button
Scope Tags
The next section is Scope tags, which is not a compulsory step. It helps to assign this policy to a defined group of users or devices. Here, I skip the section and click on the Next button.
Assignments Tab
The Assignments tab is the crucial step that determines which groups the policy is assigned to. Click on the + Add groups option under Included groups. Select the group from the list of groups on your tenant.
Click on the Select button, and you can see the selected group on the Assignments tab. Click on the Next button in the window below.
Review + Create Tab
The Review + Create tab is the last step of policy creation. On this tab, you can verify every detail of the policy that was added in the previous steps (basics, configuration settings, scope tags, assignments, etc.). If you want to make any changes, click on the Previous button; otherwise, you can click on the Create button.
Monitoring Status
When the Policy is created successfully, you can sync the device on the Company portal for faster deployment. After syncing is completed, you can check the status on the Intune Portal. Go to Devices > Configuration and search for the policy.
Client Side Verification – Event Viewer
You can complete client-side verification in Event Viewer. Open Event Viewer on the assigned device and go to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin. Here, you can see the success event, ID 813.
MDM PolicyManager: Set policy int, Policy: (EnableWebSignIn), Area: (Authentication),
EnrollmentID requesting merge: (B1E9301C-8666-412A-BA2F-3BF8A55BFA62), Current User:
(Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0).
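The same check can be scripted so that the value each device actually received is compared with the value the profile was meant to deliver. This PowerShell sketch is an added example, not part of the original post: the function name `ConvertFrom-WebSignInEvent` and its `-Expected` parameter are hypothetical, and the sample event text (placeholder enrollment ID, value 0x2) is constructed.

```powershell
# Added example (not from the original post). Value names follow the
# Allowed Values table above; the sample event text below is constructed.
$WebSignInValues = @{ 0 = 'Default (SKU and device capabilities)'; 1 = 'Enabled'; 2 = 'Disabled' }

function ConvertFrom-WebSignInEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Message,
        [ValidateSet(0, 1, 2)][int]$Expected = 1   # value the Intune profile should deliver
    )
    begin {
        $pattern = 'Policy: \((?<policy>\w+)\), Area: \((?<area>\w+)\), ' +
                   'EnrollmentID requesting merge: \((?<enroll>[0-9A-Fa-f-]+)\), ' +
                   'Current User: \((?<user>[^)]+)\), Int: \((?<int>0x[0-9A-Fa-f]+)\)'
    }
    process {
        # Event text may wrap across lines; collapse whitespace before matching.
        $m = [regex]::Match(($Message -replace '\s+', ' '), $pattern)
        if (-not $m.Success) { return }
        # Report only the policy this page covers.
        if ($m.Groups['policy'].Value -ne 'EnableWebSignIn') { return }
        if ($m.Groups['area'].Value -ne 'Authentication') { return }
        $value = [Convert]::ToInt32($m.Groups['int'].Value, 16)
        $meaning = if ($WebSignInValues.ContainsKey($value)) { $WebSignInValues[$value] } else { 'Unknown' }
        [pscustomobject]@{
            EnrollmentId = $m.Groups['enroll'].Value
            Target       = $m.Groups['user'].Value
            Value        = $value
            Meaning      = $meaning
            AsExpected   = ($value -eq $Expected)   # False means the device differs from intent
        }
    }
}

# Constructed sample: a device that received 2 (Disabled) while 1 (Enabled) was intended.
$sample = @'
MDM PolicyManager: Set policy int, Policy: (EnableWebSignIn), Area: (Authentication),
EnrollmentID requesting merge: (00000000-0000-0000-0000-000000000000), Current User:
(Device), Int: (0x2), Enrollment Type: (0x6), Scope: (0x0).
'@
$sample | ConvertFrom-WebSignInEvent -Expected 1

# On an enrolled device, feed the real log instead of the sample:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'; Id = 813 } |
#     ForEach-Object { $_.Message | ConvertFrom-WebSignInEvent -Expected 1 }
```

Rows with `AsExpected` set to `False` are the devices to review, for example where Web Sign-in was meant to stay disabled but the event shows it enabled.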
Remove Web Sign-in Policy
Intune helps you to easily remove the Web Sign-in policy from your tenant. To do this, open the policy from the Configuration tab and click on the Edit button on the Assignment tab. Click on the Remove button on this section to remove the policy.
For detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.
Delete Web Sign-in Policy
Admins may delete policies in Intune due to different reasons. If you want to quickly delete a Policy, Intune helps you to do that. To do this, search for this policy on the Intune admin center. Click on the 3-dot option and then click on the Delete button.
For more information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.
Author
Anoop C Nair has been a Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.