Windows passwordless experience
Starting in Windows 11, version 22H2 with KB5030310, Windows passwordless experience is a security policy that promotes a user experience without passwords on Microsoft Entra joined devices.
When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords.
With Windows passwordless experience, users who sign in with Windows Hello or a FIDO2 security key:
- Can't use the password credential provider on the Windows lock screen
- Aren't prompted to use a password during in-session authentications (for example, UAC elevation, password manager in the browser, etc.)
- Don't have the option Accounts > Change password in the Settings app
Users can still reset their password using CTRL+ALT+DEL > Manage your account.
Windows passwordless experience doesn't affect the initial sign-in experience and local accounts. It only applies to subsequent sign-ins for Microsoft Entra accounts. It also doesn't prevent a user from signing in with a password when using the Other user option in the lock screen.
The password credential provider is hidden only for the last signed-in user who signed in with Windows Hello or a FIDO2 security key. Windows passwordless experience isn't about preventing users from using passwords; rather, it guides and educates them to stop using passwords.
This article explains how to enable Windows passwordless experience and describes the user experiences.
Windows Hello for Business users can achieve passwordless sign-in from the first sign-in using the Web sign-in feature. For more information about Web sign-in, see Web sign-in for Windows devices.
Windows passwordless experience has the following requirements:
- Windows 11, version 22H2 with KB5030310 or later
- Microsoft Entra joined
- Windows Hello for Business credentials enrolled for the user, or a FIDO2 security key
- MDM-managed: Microsoft Intune or other MDM solution
Microsoft Entra hybrid joined devices and Active Directory domain joined devices are currently out of scope.
Windows edition and licensing requirements
The following table lists the Windows editions that support Windows passwordless experience:
| Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education |
|---|---|---|---|
| Yes | Yes | Yes | Yes |
Windows passwordless experience license entitlements are granted by the following licenses:
| Windows Pro/Pro Education/SE | Windows Enterprise E3 | Windows Enterprise E5 | Windows Education A3 | Windows Education A5 |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes |
For more information about Windows licensing, see Windows licensing overview.
Enable Windows passwordless experience with Intune
To configure devices with Microsoft Intune, create a Settings catalog policy and use the following settings:

| Category | Setting name | Value |
|---|---|---|
| Authentication | Enable Passwordless Experience | Enabled |

Assign the policy to a group that contains as members the devices or users that you want to configure.
- Data type of the underlying policy value: int
Lock screen experience
Passwordless experience turned off: users can sign in using a password, as indicated by the presence of the password credential provider in the Windows lock screen.
Passwordless experience turned on: the password credential provider is missing for the last user who signed in with strong credentials. A user can either sign in using a strong credential or opt to use the Other user option to sign in with a password.
In-session authentication experiences
When Windows passwordless experience is enabled, users can't use the password credential provider for in-session authentication scenarios. In-session authentication scenarios include:
- Password Manager in a web browser
- Connecting to file shares or intranet sites
- User Account Control (UAC) elevation, except if a local user account is used for elevation
RDP sign-in defaults to the credential provider used during sign-in. However, a user can select the option Use a different account to sign in with a password.
Run as different user isn't affected by Windows passwordless experience.
Example of UAC elevation experience:
Passwordless experience turned off: UAC elevation allows the user to authenticate using a password.
Passwordless experience turned on: UAC elevation doesn't allow the user to use the password credential provider for the currently logged on user. The user can authenticate using Windows Hello, a FIDO2 security key or a local user account, if available.
Here's a list of recommendations to consider before enabling Windows passwordless experience:
- If Windows Hello for Business is enabled, configure the PIN reset feature to allow users to reset their PIN from the lock screen. The PIN reset experience is improved starting in Windows 11, version 22H2 with KB5030310.
- Don't configure the security policy Interactive logon: Don't display last signed-in, as it prevents Windows passwordless experience from working.
- Don't disable the password credential provider using the Exclude credential providers policy. The key differences between the two policies are:
  - The Exclude credential providers policy disables passwords for all accounts, including local accounts. Windows passwordless experience only applies to Microsoft Entra accounts that sign in with Windows Hello or a FIDO2 security key. It also excludes Other user from the policy, so users have a backup sign-in option.
  - The Exclude credential providers policy prevents the use of passwords for RDP and Run as authentication scenarios.
- To facilitate helpdesk support operations, consider enabling the local administrator account or creating a separate one, and randomize its password using the Windows Local Administrator Password Solution (LAPS).
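The following script audits a device against the requirements listed earlier (OS version, Microsoft Entra join state, MDM management), against the recommendations above (the two conflicting policies and a usable local administrator), and finally checks whether the Intune policy has actually been delivered. It is an added example written for this article, not Microsoft's code or anything shipped with Windows. Several details it relies on are assumptions rather than statements from the page: that Windows 11 22H2 with KB5030310 corresponds to OS build 10.0.22621.2361, that dsregcmd /status emits AzureAdJoined, DomainJoined and MdmUrl lines, that the two policies mentioned in the recommendations are stored as dontdisplaylastusername and ExcludedCredentialProviders under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and that MDM-delivered Policy CSP values are mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication as EnablePasswordlessExperience.

```powershell
# Readiness and policy-state audit for Windows passwordless experience.
# Added example for this article; not Microsoft's code. Run from an elevated
# PowerShell session on the device being assessed.
#
# Assumptions not stated on the page (see the lead-in): the minimum build
# number, the dsregcmd output fields, the two registry values written by the
# conflicting policies, and the PolicyManager mirror of the MDM setting.

function Get-PasswordlessExperienceReadiness {
    $findings = [System.Collections.Generic.List[object]]::new()

    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    $policiesSystem = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'   # assumed
    $policyManager  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication' # assumed

    # Requirement: Windows 11, version 22H2 with KB5030310 or later
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $installed = [version]('{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber, $cv.CurrentMinorVersionNumber, $cv.CurrentBuildNumber, $cv.UBR)
    $minimum   = [version]'10.0.22621.2361'   # assumed build for 22H2 + KB5030310
    Add-Finding 'OS build' ($installed -ge $minimum) "installed $installed, minimum $minimum"

    # Requirement: Microsoft Entra joined; hybrid joined and domain joined devices are out of scope
    $dsreg = dsregcmd /status
    $entraJoined  = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
    $domainJoined = [bool]($dsreg | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES'  -Quiet)
    Add-Finding 'Microsoft Entra joined (not hybrid/domain)' ($entraJoined -and -not $domainJoined) "AzureAdJoined=$entraJoined DomainJoined=$domainJoined"

    # Requirement: MDM-managed (an MDM enrollment URL is reported by dsregcmd)
    $mdmEnrolled = [bool]($dsreg | Select-String -Pattern '^\s*MdmUrl\s*:\s*https://' -Quiet)
    Add-Finding 'MDM enrolled' $mdmEnrolled "MdmUrl present=$mdmEnrolled"

    # Recommendation: "Interactive logon: Don't display last signed-in" must not be enabled
    $hideLast = (Get-ItemProperty -Path $policiesSystem -Name dontdisplaylastusername -ErrorAction SilentlyContinue).dontdisplaylastusername
    Add-Finding "Don't display last signed-in is off" ($hideLast -ne 1) "dontdisplaylastusername=$hideLast"

    # Recommendation: don't remove the password provider with "Exclude credential providers"
    $excluded = (Get-ItemProperty -Path $policiesSystem -Name ExcludedCredentialProviders -ErrorAction SilentlyContinue).ExcludedCredentialProviders
    Add-Finding 'Exclude credential providers not used' ([string]::IsNullOrEmpty($excluded)) "ExcludedCredentialProviders='$excluded'"

    # Recommendation: an enabled local administrator for helpdesk use (password managed by LAPS)
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' } |
        ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
        Where-Object { $_.Enabled }
    Add-Finding 'Enabled local administrator exists' ([bool]$localAdmins) ('accounts: ' + (($localAdmins | ForEach-Object Name) -join ', '))

    # Policy state: has the Intune setting actually landed on the device? (assumed mirror location)
    $value = (Get-ItemProperty -Path $policyManager -Name EnablePasswordlessExperience -ErrorAction SilentlyContinue).EnablePasswordlessExperience
    Add-Finding 'EnablePasswordlessExperience applied' ($value -eq 1) "value=$value (1 = enabled, empty = not delivered)"

    # Windows Hello for Business and FIDO2 enrollment are per user and are not checked here.
    return $findings
}

Get-PasswordlessExperienceReadiness | Format-Table -AutoSize
```

Each row of the output is a pass/fail with the raw value that produced it, so a failing "Don't display last signed-in is off" row points directly at the policy to remove, and an empty "EnablePasswordlessExperience applied" value distinguishes a policy that was never delivered from one that was delivered but set to disabled. Because the policy only hides the password provider for the last Windows Hello or FIDO2 user, a passing audit still means a password remains available through Other user, which is why the local administrator check is included for helpdesk recovery rather than as a lockdown.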
There's a known issue affecting the in-session authentication experience when using FIDO2 security keys, where security keys aren't always an available option. The product group is aware of this behavior and plans to improve this in the future.
To provide feedback for Windows passwordless experience, open Feedback Hub and use the category Security and Privacy > Passwordless experience.