TAP & Autopilot: Make Deployment Easy!
Introduction
We have probably all been there: preparing a new computer for an existing or new user, and having to contact the user to ask whether you are allowed to change their password in order to prepare the computer.
One of the cool things you can use TAP with is Windows Autopilot. If a user needs a new computer, configure a temporary access pass, and you are ready to go! I also recommend setting up a notification for the user so they know when a TAP has been created for them.
However, it isn't all that easy to begin with. We have to configure some settings before we can start using it with Autopilot.
Prerequisites
Before we can start playing around with TAP on a Windows device, we have to be aware of some requirements for web sign-in, which TAP depends on:
- Only supported on Entra joined devices.
- The device has to be Windows 11 (22H2) or later.
Configuration of web sign-in
To get the most out of the TAP functionality, we need to enable web sign-in for Windows. By default, this is not enabled, so we need to configure it to be enabled in Intune.
There is a catch: when web sign-in is enabled, it becomes the default credential provider, meaning it will be the standard login method. I want to keep the password as the default login, so we will configure that as well.
- Create a new configuration profile and choose the settings catalog.
- We give the profile a name so we know what it does.
- Select the Authentication category and pick Enable Web Sign In.
- We select "Enabled. Web sign-in will be enabled for signing in to Windows".
Now that web sign-in is enabled, we have to set the default credential provider. First, we need the GUID of the password credential provider. Open the Registry Editor on a computer and go to the path below:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
You can go through all the credential providers and see if you can spot the password GUID. However, I already have it, so you can use the GUID below:
{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
- Head back to the settings catalog in Intune and click add settings.
- Search for "Assign a default credential provider" and mark the setting.
- Enable the setting, and fill in the GUID of the credential provider you wish to use.
Now finish the profile and assign it to the group of devices you want. It's important that the assignment targets devices, not users.
Experience with Autopilot and Web Sign-in
I have created a test VM, and I am now ready to test. Before I do anything, I start by creating my TAP for the user. If you haven't read my last blog about TAP, take a look here.
Once the TAP is created, I sign in as the user. After entering the email address, it asks for the temporary access pass. Enter your TAP and sign in.
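Creating the TAP can be scripted instead of clicking through the portal. The following is an added example (not code from the original post), using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that TAP is enabled in the tenant's authentication method policy, that the caller holds a role allowed to manage user authentication methods, and the UPN in the usage line is a placeholder. It defaults to a one-time pass with a short lifetime, which is all a single Autopilot sign-in needs.

```powershell
# Added example, not from the original post. Creates a Temporary Access Pass
# for a user with the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
# Assumptions: TAP is enabled in the tenant's authentication method policy, and
# the caller holds a role allowed to manage user authentication methods.
# The UPN in the usage line is a placeholder.

Import-Module Microsoft.Graph.Identity.SignIns

function New-AutopilotTap {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Keep the window short; it must fall inside the tenant policy's min/max lifetime.
        [int] $LifetimeInMinutes = 60,
        # Default is a one-time pass, which is enough for a single Autopilot sign-in.
        [switch] $Reusable
    )

    Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

    # A user can hold only one TAP at a time, so remove a stale one first.
    Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName |
        ForEach-Object {
            Remove-MgUserAuthenticationTemporaryAccessPassMethod `
                -UserId $UserPrincipalName `
                -TemporaryAccessPassAuthenticationMethodId $_.Id
        }

    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName -BodyParameter @{
        lifetimeInMinutes = $LifetimeInMinutes
        isUsableOnce      = -not $Reusable.IsPresent
    }

    # The pass value is only returned at creation time; hand it to the user out of
    # band (this is the notification step the post recommends).
    [pscustomobject]@{
        User       = $UserPrincipalName
        Pass       = $tap.TemporaryAccessPass
        StartsAt   = $tap.StartDateTime
        ExpiresAt  = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
        OneTimeUse = $tap.IsUsableOnce
    }
}

# Usage (placeholder UPN):
New-AutopilotTap -UserPrincipalName 'new.user@contoso.example' -LifetimeInMinutes 60
```

The returned object is the only place the pass value appears, so whatever notification you set up for the user should be fed from it; it is not retrievable again later.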
I have configured an ESP, so it's now showing me the progress of Autopilot. Once it's finished, it will sign me in to the device automatically.
My ESP is finished, and I have logged out of the device. I will just show you how it looks when signing in with web sign-in. Click "Other User", then choose sign-in options. You will now see the small globe icon, which is web sign-in.
You will notice, when clicking on the globe, that it will give you the well-known sign-in page you have seen before. Make sure to sign in and test how it works!
Observation
A quick observation that I want to share is the location of the policies configured in this blog.
If you check the path below, you will see that web sign-in is enabled on the device. In the Policy CSP documentation, a value of "1" means that web sign-in is enabled.
On the other hand, if you wish to check the default credential provider, you have to go a little deeper into the registry. Before you can do that, you need to know the device GUID, which you can find by opening File Explorer and browsing to the location below:
Once you have found the GUID, you can find the default credential provider. It's available at the same place as in the picture below. However, remember to change it to your GUID.
From that location, you can see the default credential provider value that is configured in your policy.
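The registry checks described in this section, together with the credential-provider lookup from the configuration section, as an added PowerShell example (not code from the original post). The credential providers path and the password provider GUID are the ones from the post. The two policy locations are assumptions: the web sign-in value is assumed to land under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication as EnableWebSignIn, and the ADMX-backed default credential provider under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System as DefaultCredentialProvider; adjust them to the paths you see on your own device. The script only reads the registry.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on an Entra-joined Windows 11 device after the Intune profile has applied.
# It only reads the registry; nothing is changed.

# Path from the post: every registered credential provider has a subkey here.
$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
# Password provider GUID from the post.
$PasswordProviderGuid = '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'

# ASSUMED locations of the applied policy values; adjust to match your device.
$WebSignInKey     = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
$WebSignInValue   = 'EnableWebSignIn'
$DefaultProvKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$DefaultProvValue = 'DefaultCredentialProvider'

function Get-CredentialProviderList {
    # Each subkey name is the provider CLSID; the key's default value is its name.
    Get-ChildItem -Path $ProvidersKey | ForEach-Object {
        $name = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Guid               = $_.PSChildName
            Name               = $name
            IsPasswordProvider = ($_.PSChildName -ieq $PasswordProviderGuid)
        }
    }
}

function Get-PolicyValue {
    param([string] $Key, [string] $Name)
    # Returns $null when the key or value is absent instead of throwing,
    # so a missing policy shows up as "not configured" in the report.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-WebSignInReport {
    $enableWebSignIn = Get-PolicyValue -Key $WebSignInKey -Name $WebSignInValue
    $defaultProvider = Get-PolicyValue -Key $DefaultProvKey -Name $DefaultProvValue
    $providers       = Get-CredentialProviderList

    # Resolve the configured default provider GUID back to a registered provider name.
    $resolved = $providers | Where-Object { $_.Guid -ieq $defaultProvider } | Select-Object -First 1

    [pscustomobject]@{
        WebSignInEnabled          = ($enableWebSignIn -eq 1)   # Policy CSP: 1 = enabled
        WebSignInRawValue         = $enableWebSignIn
        DefaultProviderGuid       = $defaultProvider
        DefaultProviderName       = $resolved.Name
        DefaultIsPasswordProvider = ($defaultProvider -ieq $PasswordProviderGuid)
        PasswordProviderPresent   = [bool]($providers | Where-Object IsPasswordProvider)
    }
}

# Usage: list the providers (to spot the password GUID yourself), then the summary.
Get-CredentialProviderList | Sort-Object Name | Format-Table -AutoSize
Get-WebSignInReport | Format-List
```

If WebSignInEnabled is true but DefaultIsPasswordProvider is false, the second setting from the profile has not applied and the globe will be the default provider at the lock screen, which is exactly the situation the default-provider setting is meant to avoid.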
Conclusion
Thank you for reading this blog. I hope that it gave you some insights on how web sign-in works together with Autopilot. It might be worth thinking about a solution to monitor the use of TAP.
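One starting point for the monitoring mentioned above, as an added example that is not part of the original post: an inventory of every TAP currently registered in the tenant, flagging passes that are reusable or longer-lived than you expect. It assumes the Microsoft.Graph module and read permissions on users and their authentication methods; the lifetime threshold is a local policy choice, not a Microsoft default. Iterating all users is slow in a large tenant.

```powershell
# Added example, not from the original post. Inventories every Temporary Access
# Pass currently registered in the tenant so long-lived or reusable passes can be
# reviewed. Assumes the Microsoft.Graph module and read permissions on users and
# their authentication methods. Iterating all users is slow in large tenants.

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

function Get-TapInventory {
    param(
        # Anything longer than this is flagged for review (a local policy choice).
        [int] $MaxExpectedLifetimeMinutes = 480
    )
    Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

    Get-MgUser -All -Property Id, UserPrincipalName | ForEach-Object {
        $user = $_
        Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    User        = $user.UserPrincipalName
                    CreatedAt   = $_.CreatedDateTime
                    ExpiresAt   = $_.StartDateTime.AddMinutes($_.LifetimeInMinutes)
                    Usable      = $_.IsUsable
                    Reason      = $_.MethodUsabilityReason
                    OneTimeUse  = $_.IsUsableOnce
                    # Reusable or unusually long-lived passes deserve a second look.
                    NeedsReview = (-not $_.IsUsableOnce) -or
                                  ($_.LifetimeInMinutes -gt $MaxExpectedLifetimeMinutes)
                }
            }
    }
}

# Usage: show passes that are still usable, most recent first.
Get-TapInventory | Where-Object Usable | Sort-Object CreatedAt -Descending | Format-Table -AutoSize
```

Running this on a schedule and alerting on NeedsReview gives you a simple view of outstanding passes without touching the sign-in logs.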