EDIT Oct 2021: Microsoft has made it easier to configure Windows Web sign-in. I have written a follow-up article: Configure Windows 10 Web sign in – 2
With the arrival of Windows 10 1809, Microsoft introduced a new way to sign in to your PC. Besides a PIN, password or biometric authentication, they introduced Web sign-in. This feature enables Windows logon support for identity providers, such as SAML-based ones. Web sign-in lets you require multi-factor authentication before signing in to Windows. Even though you cannot set Web sign-in as the default authentication method yet, I’m sure that this will become possible in the future.
In this blog I will show you how to enable Web sign-in using Intune. This is what you need:
- A test device with Windows 10 1809.
- The test device needs to be Azure AD Joined.
- An Azure AD group with the test device as member.
- An Intune license assigned to a user. I’m using a test user with an EMS E5 License, but any Intune license will do.
To enable Web sign-in you will need to create a Device Configuration Profile. So, sign in to the Azure Portal and go to the Intune blade, where you select “Device Configuration” and then “Profiles”.
Click “Create Profile”. Enter a name and, for Platform, choose Windows 10 and later. For Profile Type you need to select Custom.
Under OMA-URI Settings, click Add and enter the following values (reference link):
Name: Web Sign In
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn
Data Type: Integer
Value: 1
Click OK, click OK again on the OMA-URI Settings page, and finally choose Create. The policy is now created.
Now you need to assign the policy to the group that contains your test device(s).
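The same profile and assignment can be created without clicking through the Intune blade. The following PowerShell script is an added example and not part of the original post: it talks to Microsoft Graph with the Microsoft.Graph.Authentication module (assumed to be installed), needs an admin with the DeviceManagementConfiguration.ReadWrite.All scope, and takes the object id of your Azure AD test group as the placeholder parameter $GroupId. The OMA-URI, data type and value are exactly the ones listed above.

```powershell
# Added example (not the post's own code): create the custom profile that sets
# ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn = 1 via Graph
# and assign it to a group. Assumes the Microsoft.Graph.Authentication module.
param(
    # Placeholder: object id of the Azure AD group holding the test device(s)
    [Parameter(Mandatory)] [string] $GroupId
)

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Same values as the OMA-URI setting described in the post
$webSignInProfile = @{
    "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
    displayName   = "Web Sign In"
    description   = "Enables Web sign-in (Policy CSP Authentication/EnableWebSignIn)"
    omaSettings   = @(
        @{
            "@odata.type" = "#microsoft.graph.omaSettingInteger"
            displayName   = "Web Sign In"
            omaUri        = "./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn"
            value         = 1
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations" `
    -Body ($webSignInProfile | ConvertTo-Json -Depth 5) `
    -ContentType "application/json"

# Assign the new profile to the group with the test device(s)
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $GroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) `
    -ContentType "application/json"

"Profile '$($created.displayName)' ($($created.id)) created and assigned to group $GroupId"
```

Run it as `.\New-WebSignInProfile.ps1 -GroupId <group object id>`. Keeping the assignment to a test group, as the post does, means a typo in the OMA-URI or value only affects devices you can easily check before rolling out more widely.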
Testing the policy
Wait until the policy is applied to your test machine. This can take a while; rebooting the test device occasionally can help. After you see that the policy is applied, go to the logon screen of your device. If you choose Sign-in options, you should see a new icon for Web sign-in.
Select the icon and choose Sign in. This takes you to the Microsoft web sign-in page, where you need to authenticate with your password. If MFA is required, there will also be an MFA challenge at this point.
When you pass the MFA challenge, the user is signed in.
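Rather than rebooting and watching the logon screen, you can check on the test device itself whether the setting has arrived. The script below is an added example, not part of the original post. It assumes that applied Policy CSP device settings are mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area> (an assumed location; adjust it if your build stores them elsewhere) and reads recent MDM diagnostic events to explain a missing value.

```powershell
# Added example (not the post's own code): verify on the Windows 10 device that the
# EnableWebSignIn policy has been applied. Run in an elevated PowerShell session.
function Test-WebSignInPolicy {
    # Assumed location where the Policy CSP mirrors applied device-scope settings
    $key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication"
    $value = (Get-ItemProperty -Path $key -Name EnableWebSignIn -ErrorAction SilentlyContinue).EnableWebSignIn

    if ($null -eq $value) {
        Write-Output "EnableWebSignIn not present: the policy has not been applied yet."
        Write-Output "Trigger a sync (Settings > Accounts > Access work or school > Info > Sync) or reboot, then check again."
        return $false
    }

    $state = if ($value -eq 1) { "enabled" } else { "disabled" }
    Write-Output "EnableWebSignIn = $value ($state)"
    return ($value -eq 1)
}

# Recent MDM diagnostic events that mention the policy help explain why it is missing
Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "EnableWebSignIn" } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

Test-WebSignInPolicy
```

A return value of $true means the device has received the policy and the Web sign-in icon should appear under Sign-in options; $false with no matching diagnostic events usually just means the device has not synced yet.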
I think this feature has a lot of potential. I often get the question whether it is possible to enable MFA for Windows. However, the feature is not ready yet. I find the sign-in process slow if you are used to a PIN or facial recognition. Furthermore, Web sign-in is not supported in the Multi-Factor Unlock feature of Windows Hello for Business.