Tag: UAC

Enable the passwordless experience in Windows 11 to enhance identity security

Going passwordless should be the goal for anyone who cares about security and preventing identity and cyber attacks. It is possible to be almost 100% passwordless using Microsoft passwordless technologies. However, even if you have moved to not using your password, the password options are still available at Windows sign-in and also within Windows when signed in. It is now possible to reduce the password use in Windows.

New passwordless experience options available in Windows 11

One big step towards a truer passwordless experience is to set the policy named EnablePasswordlessExperience. This will give you the following benefits:

  • No password sign-in option on the default Windows sign-in screen.
  • The primary user of the device sees only non-password sign-in options, and can only sign into the device using:
    • Windows Hello for Business.
    • FIDO2 security keys.
    • Web sign-in, which in turn uses either Temporary Access Pass (TAP) or the Authenticator app.
    • Smart cards.
  • No password options within Windows, when for instance elevating as administrator (UAC prompts).
    Note: You can still use runas to elevate with password as well as use the password for a local admin account (such as when using Windows LAPS).
  • The password setting option is removed from Settings > Accounts > Sign-in options.

This means that once this new setting is enabled, any user who used to sign in with a password is now much more likely to sign into Windows with something other than the password. You can find more about this CSP setting at learn.microsoft.com: Authentication Policy CSP – Windows Client Management | Microsoft Learn.

Password credential provider is hidden from certain UI part of Windows

The reason why I say "much more likely" to sign in with something other than a password is that the EnablePasswordlessExperience setting only hides the password credential provider on the Windows "primary user" sign-in screen.

That means there are still a number of ways to use passwords in Windows, which is required, for example, to keep remote support through the help desk a viable option:

  • Clicking Other users on the sign-in screen will allow the user to sign in using a password, as the password credential provider is enabled there.
  • Password use is available in Remote Desktop Connections and for web sites in Microsoft Edge.
  • Password can be used with runas to elevate with password as well as use the password for local admin accounts (such as when using Windows LAPS).
  • Password change can still be accessed from Ctrl+Alt+Delete prompt.

Pre-reqs:

Currently, the following operating systems support the new setting EnablePasswordlessExperience:

Configuration

The Enable Passwordless Experience settings are configured via Intune and are available in the Settings Catalog. This is how I recommend that you configure this new feature:

  • Enable Passwordless Experience is set to Enabled. This will in practice remove the password credential provider from the aforementioned parts of the Windows UI.
  • Enable Web Sign In is set to Enabled. This will show the “globe” as a sign-in option on the sign-in screen and acts as fallback for logging in if Windows Hello for Business sign-in fails, or if an administrator needs to sign into the device.
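As an added example (not code from the original post), the following PowerShell audits a Windows 11 device for the two settings recommended above and lists the credential providers that are registered on the machine. It assumes that MDM-delivered policies surface under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication with the same value names as the CSP; verify that path on your own build before relying on it. The credential provider inventory illustrates the point made later in the post: the password provider stays registered, it is only hidden from parts of the UI.

```powershell
# Added example, not from the original post. Audits the two Intune settings
# (EnablePasswordlessExperience, EnableWebSignIn) and inventories credential providers.
# ASSUMPTION: MDM policy state is mirrored under this PolicyManager key.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
$wanted = @{
    EnablePasswordlessExperience = 1   # hides the password credential provider in the UI
    EnableWebSignIn              = 1   # shows the web sign-in "globe" as a fallback
}

function Get-PasswordlessPolicyState {
    [CmdletBinding()]
    param([string]$Key, [hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $actual = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = ($actual -eq $Expected[$name])
        }
    }
}

function Get-CredentialProviderInventory {
    # Every registered provider lives under this key, keyed by CLSID; the default
    # value of each subkey is the provider's friendly name (e.g. PasswordProvider).
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    Get-ChildItem -Path $root | ForEach-Object {
        [pscustomobject]@{
            Clsid = $_.PSChildName
            Name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    }
}

Get-PasswordlessPolicyState -Key $policyKey -Expected $wanted | Format-Table -AutoSize
Get-CredentialProviderInventory | Sort-Object Name | Format-Table -AutoSize
```

Run it in an elevated PowerShell on a device that has received the Intune profile; a row with Compliant = False tells you the policy has not applied yet (or that the key path differs on your build), and the inventory shows the password provider still present even when the policy is compliant.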

UI changed when passwordless is enabled

When these two settings are enabled, the password credential provider is removed from some UI elements and the web sign-in "globe" is introduced on the sign-in screen.

Sign-in screen

The sign-in screen is where we get maybe the most benefit from enabling the passwordless experience, because the option to sign in using a password is gone! This will certainly reduce the use of passwords to sign in. At the same time you see the globe, which can be used to sign in when or if Windows Hello for Business fails.

UAC Elevation Prompt

When trying to elevate as admin, UAC kicks in. With the passwordless experience enabled, you will only see passwordless options plus the ability to use any local admin account (with password). This is to make sure that the help desk, for instance, can still help via remote connections. The important thing is that typical end users cannot choose any password options. Basically, this means that there is no "Use a different account" option.

Extra #1 – Interactive logon: Require Windows Hello for Business or smart card policy

To take this new passwordless experience one step further, I tried setting the good old policy Interactive logon: Require Windows Hello for Business or smart card to Enabled. The idea was to also prevent circumventing it via the "Other users" trick and to disable password use there, as well as completely within Windows.

But no, that setting will not allow you to sign in with Web Sign-in (which is working by design), so the setting is useless unless you can live with having no "back door" into your computers if authentication fails or there are problems.

Extra #2 – Excluding the password credential provider altogether

To go fully passwordless right away, you can enable the more hardcore passwordless option that has been in Windows 10 and 11 for some time. It is the ExcludedCredentialProviders setting: ADMX_CredentialProviders Policy CSP – Windows Client Management | Microsoft Learn.

This means that you can disable the password credential provider altogether in Windows, leaving no room to use a password anywhere within Windows. This might sound good at first, but it will likely mean trouble for remote help, for instance by help desk staff, as they will not be able to elevate as admin when needed.

Extra #3 – KQL Kusto Query to find out who are signing into Windows using passwords

The following query is something I use all the time; it lists how many times your users sign into a Windows device using a password. This is useful for "smoking out" password use at Windows sign-in, but also, with a slight modification, in Microsoft 365 in general.

Kusto
SigninLogs
| where Resource == "Microsoft.aadiam" and AppDisplayName == "Windows Sign In"
| extend authenticationMethod_ = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod)
| extend succeeded_ = tostring(parse_json(AuthenticationDetails)[0].succeeded)
| where authenticationMethod_ == "Password" and succeeded_ == "true"
| extend authenticationStepDateTime_ = todatetime(tostring(parse_json(AuthenticationDetails)[0].authenticationStepDateTime))
| extend displayName_ = tostring(DeviceDetail.displayName)
| extend trustType_ = tostring(DeviceDetail.trustType)
| extend deviceId_ = tostring(DeviceDetail.deviceId)
| summarize Count = count() by displayName_, Identity
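The query above can be run on a schedule rather than by hand. As an added example (not part of the original post), the PowerShell function below sends the post's query to a Log Analytics workspace that receives SigninLogs, extends the summarize with first/last-seen timestamps so a one-off fallback can be told apart from habitual password use, and flags the heaviest users. It requires the Az.Accounts and Az.OperationalInsights modules and a prior Connect-AzAccount; the workspace ID and the threshold are placeholders you set yourself.

```powershell
# Added example, not from the original post. Runs the post's KQL through
# Invoke-AzOperationalInsightsQuery and returns per-user password sign-in counts.
function Get-PasswordSignIns {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$WorkspaceId,   # placeholder: your Log Analytics workspace GUID
        [int]$Days = 30
    )
    # The post's query, with summarize extended to capture first/last seen.
    $query = @'
SigninLogs
| where Resource == "Microsoft.aadiam" and AppDisplayName == "Windows Sign In"
| extend authenticationMethod_ = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod)
| extend succeeded_ = tostring(parse_json(AuthenticationDetails)[0].succeeded)
| where authenticationMethod_ == "Password" and succeeded_ == "true"
| extend displayName_ = tostring(DeviceDetail.displayName)
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by displayName_, Identity
| order by Count desc
'@
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query -Timespan (New-TimeSpan -Days $Days)
    $result.Results
}

# Separate repeat offenders (candidates for a Windows Hello for Business
# enrolment nudge) from users who fell back to a password once or twice.
function Split-ByPasswordUse {
    param(
        [Parameter(Mandatory)] [object[]]$Rows,
        [int]$Threshold = 5                         # placeholder: tune to your environment
    )
    [pscustomobject]@{
        Habitual = $Rows | Where-Object { [int]$_.Count -ge $Threshold }
        Occasional = $Rows | Where-Object { [int]$_.Count -lt $Threshold }
    }
}

# Usage (replace the placeholder GUID):
# $rows  = Get-PasswordSignIns -WorkspaceId '00000000-0000-0000-0000-000000000000' -Days 30
# $split = Split-ByPasswordUse -Rows $rows
# $split.Habitual | Export-Csv .\habitual-password-signins.csv -NoTypeInformation
```

Rows come back as strings, hence the [int] casts; the CSV of habitual users is what you hand to whoever runs the Windows Hello for Business rollout.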

Thanks to Michael Hildebrand for this blog for being a good inspiration on KQL and dashboards in this topic: Azure AD Sign-in Logs + Workbooks = Know Who is Using Windows Hello for Business – Microsoft Community Hub

Extra #4 – Single Sign-On to on-premises resources

When signing into Windows with Windows Hello for Business or security keys, you do not get single sign-on to on-premises resources such as file shares, printers or applications. By enabling Azure AD Kerberos you enable single sign-on using security keys, and by configuring an Intune setting to use Windows Hello for Business Cloud Trust, you enable single sign-on using Windows Hello for Business.

Summary

The Enable Passwordless Experience setting that has been added to Windows 11 is a great step in the right direction of becoming fully passwordless, while not interfering with remote help and support. Anything that can be done to reduce the use of passwords is simply great!

Sidenote: If you use security keys with multiple identities, you have probably learned that when trying to sign into Windows it will sign you in with the last identity written to the security key. If you, like me, want to be able to choose which identity to sign in with, please upvote this Windows Feedback item!

Fixing UAC elevation when remote controlling via Quick Assist or TeamViewer etc.

A problem arises when you remote control another user and try to elevate to Administrator, using for instance Quick Assist, which is built into Windows 10 and 11, or TeamViewer: the screen on the admin side will freeze. This is due to the UAC Secure Desktop feature kicking in.

The solution is to turn this secure desktop feature off, which lowers security a little, but at hardly any risk.

Configuration via Intune (MDM)

Create a Settings catalog profile and select the Local Policies Security Options setting User Account Control Switch to the Secure Desktop When Prompting For Elevation and set it to Disabled.

This configuration will let you elevate in a remote session and use UAC in Quick Assist among other remote control software.

Configuration via Group Policy (GPO)

In the GPO editor, go to Security Settings > Local Policies > Security Options > User Account Control: Switch to the secure desktop when prompting for elevation and set it to Disabled.

UAC settings when remote controlling Windows clients to prevent screen freezing

One very common problem that I encounter every now and then with customers and when doing Windows training is the fact that remote controlling computers causes a freeze in the remote session when UAC kicks in. By default, UAC prompts for elevation on something called the secure desktop, and that effectively blocks any remote input.

This problem can be fixed by changing the necessary UAC settings. Just as a note: never, ever turn off UAC!

Configure UAC to allow for remote support by setting the following GPO settings under Computer Configuration / Policies / Administrative Templates / Windows settings / Security settings / Local policies / Security Options node:

User Account Control: Switch to the secure desktop when prompting for elevation policy = Disabled
User Account Control: Allow UIAccess application to prompt for elevation without using the secure desktop policy = Enabled
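As an added example (not from the original post), the PowerShell below audits a client for the two Security Options above and can apply them locally, but refuses to touch anything if UAC itself is off, matching the "never turn off UAC" rule. The value names are the ones Windows uses to back these policies under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA for Admin Approval Mode, PromptOnSecureDesktop and EnableUIADesktopToggle for the two remote-support settings); on a domain-joined or Intune-managed device the GPO/MDM policy will overwrite a local change at the next refresh, so treat the Set function as a lab or troubleshooting tool.

```powershell
# Added example, not from the original post. Audit/apply the UAC secure-desktop
# settings the post recommends for remote support, guarded by an EnableLUA check.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$remoteSupport = @(
    @{ Name = 'PromptOnSecureDesktop';  Value = 0; Policy = 'Switch to the secure desktop when prompting for elevation = Disabled' }
    @{ Name = 'EnableUIADesktopToggle'; Value = 1; Policy = 'Allow UIAccess applications to prompt for elevation without using the secure desktop = Enabled' }
)

function Test-UacEnabled {
    # EnableLUA = 1 means Admin Approval Mode (UAC) is on; anything else is the state the post warns against.
    $v = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($v -eq 1)
}

function Get-UacRemoteSupportState {
    foreach ($s in $remoteSupport) {
        $actual = (Get-ItemProperty -Path $uacKey -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Policy   = $s.Policy
            Value    = $s.Name
            Expected = $s.Value
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Ok       = ($actual -eq $s.Value)
        }
    }
}

function Set-UacRemoteSupport {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-UacEnabled)) {
        throw 'UAC is disabled (EnableLUA is not 1). Re-enable UAC first; these settings are not a substitute for it.'
    }
    foreach ($s in $remoteSupport) {
        if ($PSCmdlet.ShouldProcess("$uacKey\$($s.Name)", "set to $($s.Value)")) {
            Set-ItemProperty -Path $uacKey -Name $s.Name -Value $s.Value -Type DWord
        }
    }
}

"UAC enabled: $(Test-UacEnabled)"
Get-UacRemoteSupportState | Format-Table -AutoSize
# Set-UacRemoteSupport -WhatIf   # preview; run elevated and drop -WhatIf to apply locally
```

Run the audit first: an "Ok = False" row on PromptOnSecureDesktop is the usual explanation for a frozen Quick Assist session, and a "UAC enabled: False" line is a finding in its own right.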

HOW TO: Troubleshoot Windows Store Apps that are not working correctly in Windows 8

The new framework and infrastructure around apps in Windows 8 brings some new challenges to deal with. To start with, you cannot turn off User Account Control if you want to use the modern apps in Windows 8, but there is more going on behind the scenes that is essential to the working of Windows Store Apps.

When a problem does occur, Microsoft provides a nifty little troubleshooter tool for Windows Store Apps. Download and run the tool from:
http://go.microsoft.com/fwlink/?LinkId=271185

More UAC stuff making confusion in Windows 7

I get many questions about the confusing problem of mapped network drives not being available when running, for instance, cmd.exe as an administrator, even though it is the same account that is used when cmd.exe is run with standard rights, where everything works splendidly.

The cause of this is UAC and the fact that you have multiple security tokens: the mapped network drives are linked to the standard user token and not to the administrator token. The solution is to enable "Linked Connections"; see KB article 937624 for more information on how to set this value.
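As an added example (not from the original post), the PowerShell below makes the split-token behaviour visible: run it once from a normal prompt and once from an elevated prompt and compare the mapped drives each token can see, then check whether the EnableLinkedConnections value that KB 937624 describes (a DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) is set to 1 so mappings are shared between the linked tokens.

```powershell
# Added example, not from the original post. Diagnoses the "mapped drives vanish
# when elevated" symptom by reporting elevation state, visible drive mappings and
# the EnableLinkedConnections value.
$sysKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-MappedDrives {
    # Only mappings that belong to the current token are visible, which is exactly
    # the UAC split-token behaviour described in the post.
    Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.DisplayRoot -like '\\*' } |
        Select-Object Name, DisplayRoot
}

function Get-LinkedConnectionsState {
    $v = (Get-ItemProperty -Path $sysKey -Name EnableLinkedConnections -ErrorAction SilentlyContinue).EnableLinkedConnections
    [pscustomobject]@{
        EnableLinkedConnections = if ($null -eq $v) { '<not set>' } else { $v }
        Enabled                 = ($v -eq 1)
    }
}

function Enable-LinkedConnections {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$sysKey\EnableLinkedConnections", 'set to 1')) {
        Set-ItemProperty -Path $sysKey -Name EnableLinkedConnections -Value 1 -Type DWord
    }
}

"Elevated session: $(Test-Elevated)"
Get-MappedDrives | Format-Table -AutoSize
Get-LinkedConnectionsState
# Enable-LinkedConnections -WhatIf   # preview; run elevated and drop -WhatIf to apply
```

If the standard prompt lists the drives and the elevated one does not, and Enabled is False, you are looking at the problem from the post; the KB article covers the remaining steps after the value is set.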

Also read the case of some other mysterious problems or behaviors when UAC is in effect.