Policy CSP - Authentication
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
Specifies whether password reset is enabled for Microsoft Entra accounts.
This policy allows the Microsoft Entra tenant administrator to enable the self-service password reset feature on the Windows sign-in screen.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Not allowed. |
1 | Allowed. |
Scope | Editions | Applicable OS |
---|---|---|
❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO
Allows an EAP cert-based authentication for a single sign-on (SSO) to access internal resources.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Not allowed. |
1 | Allowed. |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/AllowFastReconnect
Allows EAP Fast Reconnect from being attempted for EAP Method TLS. Most restricted value is 0.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 1 |
Allowed values:
Value | Description |
---|---|
0 | Not allowed. |
1 (Default) | Allowed. |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/AllowSecondaryAuthenticationDevice
This policy allows users to use a companion device, such as a phone, fitness band, or IoT device, to sign-on to a desktop computer running Windows 10. The companion device provides a second factor of authentication with Windows Hello.
If you enable or don't configure this policy setting, users can authenticate to Windows Hello using a companion device.
If you disable this policy, users can't use a companion device to authenticate with Windows Hello.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Not allowed. |
1 | Allowed. |
Group policy mapping:
Name | Value |
---|---|
Name | MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice |
Friendly Name | Allow companion device for secondary authentication |
Location | Computer Configuration |
Path | Windows Components > Microsoft Secondary Authentication Factor |
Registry Key Name | SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor |
Registry Value Name | AllowSecondaryAuthenticationDevice |
ADMX File Name | DeviceCredential.admx |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/ConfigureWebcamAccessDomainNames
Specifies a list of domains that are allowed to access the webcam in Web Sign-in based authentication scenarios.
Note
Web sign-in is only supported on Microsoft Entra joined PCs.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: ; ) |
Example:
Your organization federates to "Contoso IDP" and your web sign-in portal at signinportal.contoso.com
requires webcam access. Then the value for this policy should be:
contoso.com
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1803 with KB5001339 [10.0.17134.2145] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls
Specifies a list of URLs that are navigable in Web Sign-in based authentication scenarios.
This policy specifies the list of domains that users can access in certain authentication scenarios. For example:
- Microsoft Entra ID PIN reset
- Web sign-in Windows device scenarios where authentication is handled by Active Directory Federation Services (AD FS) or a third-party federated identity provider
Note
This policy is required in federated environments as a mitigation to the vulnerability described in CVE-2021-27092.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: ; ) |
Example:
Your organization's PIN reset or web sign-in authentication flow is expected to navigate to the following two domains: accounts.contoso.com
and signin.contoso.com
. Then the value for this policy should be:
accounts.contoso.com;signin.contoso.com
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1809 [10.0.17763] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/EnableFastFirstSignIn
Specifies whether new non-admin Microsoft Entra accounts should auto-connect to pre-created candidate local accounts.
This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Microsoft Entra accounts to the pre-configured candidate local accounts.
Important
Pre-configured candidate local accounts are any local accounts that are pre-configured or added on the device.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | The feature defaults to the existing SKU and device capabilities. |
1 | Enabled. Auto-connect new non-admin Microsoft Entra accounts to pre-configured candidate local accounts. |
2 | Disabled. Don't auto-connect new non-admin Microsoft Entra accounts to pre-configured local accounts. |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 23H2 with KB5031455 [10.0.22631.2506] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience
Specifies whether connected users on Microsoft Entra joined devices receive a Passwordless experience on Windows.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | The feature defaults to the existing edition and device capabilities. |
1 | Enabled. The Passwordless experience will be enabled on Windows. |
2 | Disabled. The Passwordless experience won't be enabled on Windows. |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1809 [10.0.17763] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn
Specifies whether web-based sign-in is allowed for signing in to Windows.
Web sign-in is a credential provider that enables a web-based sign-in experience on Windows devices. Initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only, Web sign-in expanded its capabilities starting in Windows 11, version 22H2 with KB5030310. For more information, see Web sign-in for Windows.
Note
Web sign-in is only supported on Microsoft Entra joined PCs.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | The feature defaults to the existing SKU and device capabilities. |
1 | Enabled. Web Sign-in will be enabled for signing in to Windows. |
2 | Disabled. Web Sign-in won't be enabled for signing in to Windows. |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1809 [10.0.17763] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName
Specifies the preferred domain among available domains in the Microsoft Entra tenant.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Example:
Your organization uses the @contoso.com
tenant domain name. Then the value for this policy should be:
contoso.com
For the user abby@constoso.com
, a sign-in is done using abby
in the username field instead of abby@contoso.com
.