This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 94%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
We implemented passwordless authentication in our Azure AD environment and use Windows 10 and 11 Pro in our computers. When joining a computer to Azure Active Directory for the first time, the only option presented to a user is to provide their Azure AD username and password. Since we reset all of the passwords to something nobody knows, it seems Microsoft requires a password to join Windows 10/11 computers to Azure AD.
Then even AFTER joining, the user still needs their password the first time they login. Subsequently, any new users who attempt to login to the computer using their Azure AD credentials ALSO need their password, because it only asks them to setup Windows Hello for Business AFTER they login the first time.
The work-around I use right now is to reset their password, have them login, change it, then setup Windows Hello for Business. Not a good solution as this requires intervention and a lot of steps.
So, how can we completely eliminate passwords in this scenario?
@alippiatt
Thank you for your post and I apologize for the delayed response!
Resources:
Windows 10/11 computers are Azure AD Joined
Windows Hello for Business is used for passwordless authentication
Summary:
Azure AD Join - When joining your PC for the first time, user's need to log-in using their username and password.
WHfB - After Azure AD Join is complete, users logging into their computers using Azure AD credentials are prompted for username and password again to set-up WHfB.
Issue:
Because of all these steps - resetting a user's password twice, and setting up WHfB, you'd like to know if there's a solution to mitigate all these steps.
----------
Questions:
To gain a better understanding of your issue, can you share what documentation you're following to set this up?
Are your devices joined via Intune?
Additional Links:
Azure Active Directory join cloud only deployment
Manage Windows Hello for Business on devices at the time devices enroll with Intune
I've also added our Intune tags to this thread so their community can look into this issue as well.
Thank you for your time and patience throughout this issue.
First, note that this really has nothing to do with Intune but is AAD specific.
Today, there is no direct passwordless path for initial Windows AADJ, however, Temporary Access Password (https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-temporary-access-pass) is planned to be enabled during Windows OOBE in the near future.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 50%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Is this still relevant or is it possible to use my Passkeys intial setup of AADJ during the second logon after OOBE?