[Bug] - MFA setup first time use (web login enabled)
Baseline Info (please complete the following information):
- OS: Windows 11 Pro
- Version: 25H2
Describe the bug
When web login is enabled and a new user is logging into the device, the "More information is required" pop-up comes up. But after pressing Next, the main display shows an error. In short: "It's not possible to set up MFA due to a security setting".
To Reproduce
Steps to reproduce the behaviour:
- Go to 'weblogin'
- Log in as a new user (w/o known MFA methods)
- Press continue to set up
- See error
Expected behaviour
Redirection to the register security information page, so first-time users can set up using a compliant (managed) device.
Screenshots
*Text is in Dutch but basically says "this page can't be opened, due to security measures you need to view this page from a browser or different device...."
Hi @kbauwens
I can replicate the issue, though I'll be honest and say I'm not quite sure what setting would actually be causing that behaviour.
I found you can work around the issue by issuing the account a Temporary Access Pass which then allows the login, and once the user is at the desktop they could go change their password/set up other MFA methods on their account.
Given this is quite a niche scenario and using web sign-in suggests this might be a shared device (which is a use-case I've not built for or tested specifically) if anyone wanted to investigate and feed back what might be causing it, as long as it doesn't impact anything else I'd be happy to bring changes into the next version.
Hi @SkipToTheEndpoint,
I found some additional information regarding the web sign-in; I've yet to confirm if this is actually the case. But it appears that the web sign-in uses an embedded web browser, and accessing the more information page isn't allowed through this embedded browser. Since the web sign-in was broken up until the most recent Windows 11 version, Microsoft might fix this at some point.
In this example case it's not meant to be a shared desktop, but an OOBE setup laptop delivered to a new colleague. At this moment in this BL you can either use WHfB or Web, and to set up WHfB I need to log in through web first.
I'll see if TAP could be a solution, or have them enroll MFA through their phones before receiving a device.
I'll update this if I can confirm this and/or find a solution / work-around.
If the user is taking the device through Autopilot they shouldn't need to use web sign-in and should get to the desktop either being required to configure MFA when initially putting their credentials in, or when going through the WHfB setup.
But yeah, knowing that it's been broken a few times, it wouldn't surprise me if it's just a different type of broken. My mind immediately goes to IE Zones configuration if they're using an embedded browser, but it could be all sorts of things tbh.