Configure Windows 10 Web sign in

EDIT okt-2021. Microsoft has made it easier to configure Windows Web sign in. I have created a follow up article Configure Windows 10 Web sign in – 2

With the arrival of Windows 10 1809, Microsoft introduced a new way to sign in to your PC. Besides a pin, password or biometric authentication they introduced Web-sign in . This feature enables Windows logon support for identity provides like SAML. Web sign-in enables you to set multifactor authentication before signing in to Windows. Even though you cannot set the Web-sign-in as the default authentication method yet, I’m sure that this will become possible in the future.

In this blog I will show you how to enable Web sign-in, using Intune. This is what you need:

  • A test device with Windows 10 1809.
  • The test device needs to be Azure AD Joined.
  • An Azure AD group with the test device as member.
  • An Intune license assigned to a user. I’m using a test user with an EMS E5 License, but any Intune license will do.

To enable Web sign-in you will need to create a Device configuration Profile. So, sign into the Azure Portal and go to the Intune blade, where you select “Device Configuration” and “Profiles”.

Click “Create Profile”. Enter a name and for Platform choose Windows 10 and later. For Profile Type you will need to select Custom.

At the OMA-URI Settings click add and enter the following values (reference link):

Name: Web Sign In
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn
Data Type: Integer
Value: 1

Click OK and click OK at the OMA-URI settings, finally choose create. The policy is now created.

Now you will need to assign the policy to a group with your test device(s).

Testing the policy

Wait before the policy is applied to your test machine. This could take a while but try to reboot your test device occasionally this could help. After you see the policy is applied you can go to the logon screen of your device. If you choose Sign-in options, you should see a new icon for Web sign-in.

Select the Icon and choose Sign in. This will take you to the web sign-in page of Microsoft where you need to authenticate with your password. If you require MFA there will also be an MFA challenge at this point.

When you passes the MFA challenge the user will be signed in.

I think this feature has a lot of potential. I often get the question whether it is possible to enable MFA for Windows. However the feature is not ready yet. I find the sign in process slow if you are used to a pin or facial recognition. Further more Web sign-in is not supported in the Multi Factor Unlock feature with Windows Hello For Business.

11 thoughts on “Configure Windows 10 Web sign in”

  1. Dear Stephan, Great informative Blog .

    Question , I am trying to setup the same however I am able to get the web sign in option. Is there are registry key option . I assumed it was the lack of an intune license assigned to the logged on user . So i subscribed for a trial intune license , but nothing seem to be working. The one thing I noticed is that the policy assignment shows no device assigned? Its a windows 1903 machine azure AD joined

    1. Hi Roopesh, Yes you need a Intune license so that you can push configuration policies. Sometimes I can take a while before the assigned policies are visible. Can you check if you set the MDM authority to Intune?

  2. Hi Stephan,

    We enabled this option, which works great, but upon locking the device the Web signin option is gone.
    Only option is to reboot and login again. Do you have any idea what could go wrong here?

    Kind Regards,
    Bas

    1. Hi Bas,

      On my test machine I dont have this issue. I can sign in using web sign in and when I lock the test machine I can choose to log in with web sign in. Not sure what can cause your problem. I’m running Windows 1903 on Hyper-V, and connecting using the basic connection instead of the enhanced session.

  3. I have hybrid Azure AD joined a device (so, it is joined to both AD DS and AAD; they are synchronised). “DSREGCMD /STATUS” confirms the computer is Azure Ad Joined.

    I then installed Windows 10 ADK, then Configuration Designer, then created a provisioning package to set “EnableWebSignIn” to “Enabled”. (no expertise in InTune, so applying the setting this way).

    I do not get the “Web Sign-In” option.

    Is this working correctly? The page

    Web sign-in to Windows 10 – does this work on Hybrid Azure AD joined devices?
    With regards to…
    Web sign-in to Windows 10
    https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1809#web-sign-in-to-windows-10

    I have hybrid Azure AD joined a device (so, it is joined to both AD DS and AAD; they are synchronised). “DSREGCMD /STATUS” confirms the computer is Azure Ad Joined.

    I then installed Windows 10 ADK, then Configuration Designer, then created a provisioning package to set “EnableWebSignIn” to “Enabled”. (no expertise in InTune, so applying the setting this way).

    I do not get the “Web Sign-In” option.

    Is this working correctly? The page (https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1809#web-sign-in-to-windows-10) says “Web sign-in is only supported on Azure AD Joined PCs”, but that leaves ambiguity for “Hybrid Azure AD joined devices”.

    My objective is to use Azure AD MFA, to log on to Windows 10 [itself] – this isn’t directly possible (Microsoft say use Windows Hello for Business) But that’s not quite MFA user logon. But there is also a massive on premises infrastructure, so this should remain operational, too, hence hybrid Azure AD Join, not pure Azure AD Join.

    1. Hi,

      I cannot confirm that the web sign in works for hybrid joined devices. The documentation states that Web Sign in is only supported on AAD joined devices, so I understand your point. But I saw that you opened a ticket https://github.com/MicrosoftDocs/azure-docs/issues/40220.

      Microsoft is chancing the definition of MFA. MFA used to be a password and a challenge on your phone or an hardware token. Nowadays MFA is on the one hand a compliant device (Intune Managed laptop for example) on the other hand bio metrics, like facial recognition. The Web-sign in is a nice option but this would always require an internet connection. Furthermore this option is still in preview so changes can happen

    2. Hi Anwar.

      Did you ever get an answer to your AZADHJ question? I know web sign-in to a hybrid device is not supported by MS (if it works at all), but this does not necessarily mean it doesnt work.

      Then again, even if it does somehow work without MS support, it could easily break without notice next time MS apply some update.

  4. Hi Stephan, great article. I was able to enable wen sign in through Intune. We use Google SSO to authenticate to Azure AD but this flow does not work with web sign in. It says it’s unable to open our google url for sign in. Is Web Sign in able to support external SSO providers?

    1. Hi Dallin, Thank you! To be honest I don’t believe I have an answer for your question.

    2. You have to create a new OMA-URI policy to allow the Web Sign In Page.

      ./Device/Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls

      Data type string:

      Value = your SSO login page

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: