Microsoft Enables Windows 11 Passwordless Option
- By Kurt Mackie
- October 25, 2023
Organizations with Entra ID-joined Windows 11 devices can now switch them over to passwordless authentications using a new policy option, Microsoft suggested this week.
Organizations can use Microsoft Intune or another mobile device management solution to set the policy, which was enabled via a "September 2023 update for Windows 11, version 22H2," the announcement indicated. Here's Microsoft's statement to that effect:
Commercial organizations can now set the EnablePasswordlessExperience MDM policy from Intune or another MDM to enable a fully passwordless user experience on Microsoft Entra ID joined [Windows 11] machines.
By passwordless, Microsoft means that users so switched won't see a password prompt at all after the policy has been applied. The password prompt will be absent when signing into a device's lock screen. It also won't be there for "in-session auth scenarios like password managers in a web browser, 'Run as' admin scenarios, and User Account Control (UAC)," the announcement explained. Also, the Windows 11 Settings app won't show the "Change password" option after the passwordless policy has been applied, Microsoft indicated in this document.
After the passwordless policy is applied, users will see initial authentication options as "security key, pin, Windows Hello, and fingerprint." Organizations can use phishing-resistant approaches, such as FIDO2 keys or Windows Hello for Business, which is Microsoft's biometric (face scan) authentication scheme.
Organizations going passwordless have options should a user fail to authenticate. "If the user fails to sign in, recovery mechanisms such as PIN reset or Web sign-in can be used to help the user recover their credentials without IT helpdesk engagement," the announcement indicated.
Microsoft's Sept. 2023 update to Windows 11 version 22H2 also ushered in the ability for Entra ID-joined devices to use a "Web sign-in" feature, as explained in this document. It permits users to "sign in with the Microsoft Authenticator app or with a SAML-P federated identity."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.