# Policy CSP - Authentication

> **Important:** This CSP contains preview policies that are under development and only applicable for Windows Insider Preview builds. These policies are subject to change and may have dependencies on other features or services in preview.
## AllowAadPasswordReset

| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |

```
./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
```

Specifies whether password reset is enabled for AAD accounts.

This policy allows the Azure Active Directory (Azure AD) tenant administrator to enable the self-service password reset feature on the Windows sign-in screen.

Description framework properties:

| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |

Allowed values:

| Value | Description |
|---|---|
| 0 (Default) | Not allowed. |
| 1 | Allowed. |
## AllowEAPCertSSO

| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |

```
./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO
```

Allows EAP certificate-based authentication to be used for single sign-on (SSO) to internal resources.

Description framework properties:

| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |

Allowed values:

| Value | Description |
|---|---|
| 0 (Default) | Not allowed. |
| 1 | Allowed. |
## AllowFastReconnect

| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |

```
./Device/Vendor/MSFT/Policy/Config/Authentication/AllowFastReconnect
```

Allows EAP Fast Reconnect to be attempted for the EAP-TLS method. The most restricted value is 0.

Description framework properties:

| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |

Allowed values:

| Value | Description |
|---|---|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
## AllowSecondaryAuthenticationDevice

| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |

```
./Device/Vendor/MSFT/Policy/Config/Authentication/AllowSecondaryAuthenticationDevice
```

This policy allows users to use a companion device, such as a phone, fitness band, or IoT device, to sign in to a desktop computer running Windows 10. The companion device provides a second factor of authentication with Windows Hello.

If you enable or don't configure this policy setting, users can authenticate to Windows Hello using a companion device.

If you disable this policy, users can't use a companion device to authenticate with Windows Hello.

Description framework properties:

| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |

Allowed values:

| Value | Description |
|---|---|
| 0 (Default) | Not allowed. |
| 1 | Allowed. |

Group policy mapping:

| Name | Value |
|---|---|
| Name | MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice |
| Friendly Name | Allow companion device for secondary authentication |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Secondary Authentication Factor |
| Registry Key Name | SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor |
| Registry Value Name | AllowSecondaryAuthenticationDevice |
| ADMX File Name | DeviceCredential.admx |
## ConfigureWebcamAccessDomainNames

| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000] and later |

```
./Device/Vendor/MSFT/Policy/Config/Authentication/ConfigureWebcamAccessDomainNames
```

Specifies a list of domains that are allowed to access the webcam in Web Sign-in based authentication scenarios.

> **Note:** Web sign-in is only supported on Azure AD joined PCs.

Description framework properties:

| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |

Example: Your organization federates to "Contoso IDP" and your web sign-in portal at `signinportal.contoso.com` requires webcam access. Then the value for this policy should be:

```
contoso.com
```
## ConfigureWebSignInAllowedUrls

| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE | ✅ Windows 10, version 1803 [10.0.17134.2145] and later |

```
./Device/Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls
```

Specifies a list of URLs that are navigable in Web Sign-in based authentication scenarios.

This policy specifies the list of domains that users can access in certain authentication scenarios. For example:

- Azure Active Directory (Azure AD) PIN reset
- Web sign-in Windows device scenarios where authentication is handled by Active Directory Federation Services (AD FS) or a third-party federated identity provider

> **Note:** This policy is required in federated environments as a mitigation to the vulnerability described in CVE-2021-27092.

Description framework properties:

| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |

Example: Your organization's PIN reset or web sign-in authentication flow is expected to navigate to the following two domains: `accounts.contoso.com` and `signin.contoso.com`. Then the value for this policy should be:

```
accounts.contoso.com;signin.contoso.com
```
## EnableFastFirstSignIn

| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE | ✅ Windows 10, version 1809 [10.0.17763] and later |

```
./Device/Vendor/MSFT/Policy/Config/Authentication/EnableFastFirstSignIn
```

Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts.

This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.

> **Important:** Pre-configured candidate local accounts are any local accounts that are pre-configured or added on the device.

Description framework properties:

| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |

Allowed values:

| Value | Description |
|---|---|
| 0 (Default) | The feature defaults to the existing SKU and device capabilities. |
| 1 | Enabled. Auto-connect new non-admin Azure AD accounts to pre-configured candidate local accounts. |
| 2 | Disabled. Don't auto-connect new non-admin Azure AD accounts to pre-configured local accounts. |
## EnablePasswordlessExperience

| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE | ✅ Windows Insider Preview |

```
./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience
```

Specifies whether connected users on Azure AD joined (AADJ) devices receive a Passwordless experience on Windows.

Description framework properties:

| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |

Allowed values:

| Value | Description |
|---|---|
| 0 (Default) | The feature defaults to the existing edition and device capabilities. |
| 1 | Enabled. The Passwordless experience will be enabled on Windows. |
| 2 | Disabled. The Passwordless experience won't be enabled on Windows. |
## EnableWebSignIn

| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE | ✅ Windows 10, version 1809 [10.0.17763] and later |

```
./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn
```

Specifies whether web-based sign-in is allowed for signing in to Windows.

> **Warning:** The Web sign-in feature is intended for recovery purposes in the event a password isn't available as an authentication method. Web sign-in only supports temporary access pass as an authentication method for Azure Active Directory (Azure AD), unless it's used in a limited federated scope.

Web sign-in is a modern way of signing into a Windows PC. It enables Windows sign-in support for new Azure AD credentials, like temporary access pass.

> **Note:** Web sign-in is only supported on Azure AD joined PCs.

Description framework properties:

| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |

Allowed values:

| Value | Description |
|---|---|
| 0 (Default) | The feature defaults to the existing SKU and device capabilities. |
| 1 | Enabled. Web Sign-in will be enabled for signing in to Windows. |
| 2 | Disabled. Web Sign-in won't be enabled for signing in to Windows. |
## PreferredAadTenantDomainName

| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE | ✅ Windows 10, version 1809 [10.0.17763] and later |

```
./Device/Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName
```

Specifies the preferred domain among available domains in the AAD tenant.

Description framework properties:

| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |

Example: Your organization uses the `@contoso.com` tenant domain name. Then the value for this policy should be:

```
contoso.com
```

For the user `abby@contoso.com`, a sign-in is done using `abby` in the username field instead of `abby@contoso.com`.
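The policies above are delivered to a device as OMA-DM SyncML, and the page gives each one a format, a scope, and (for int policies) a fixed set of allowed values, while the two list policies take `;`-delimited domains and ConfigureWebSignInAllowedUrls is the stated mitigation for CVE-2021-27092 in federated environments. The following is an added example, not Microsoft's code or part of this page: it transcribes that schema into a small validator, emits one `<Replace>` command per policy, and runs a defender-side posture check using only the guidance stated above (AllowFastReconnect's most restricted value is 0; web sign-in enabled without an allowlist is flagged). The rule that list entries must be bare host names is an assumption taken from the page's examples, since the CSP's own parsing of list values isn't documented here; the sample configuration is constructed.

```python
"""Added example, not Microsoft's code: validate values for the Authentication
CSP policies documented on this page and emit the SyncML <Replace> commands an
MDM server would send. The schema below is transcribed from the page; the
bare-host-name rule for list entries is an assumption."""
import re
from xml.sax.saxutils import escape

# (format, allowed int values or None for chr, scope) per policy, from the page.
POLICIES = {
    "AllowAadPasswordReset":              ("int", {0, 1},    "Device"),
    "AllowEAPCertSSO":                    ("int", {0, 1},    "User"),
    "AllowFastReconnect":                 ("int", {0, 1},    "Device"),
    "AllowSecondaryAuthenticationDevice": ("int", {0, 1},    "Device"),
    "ConfigureWebcamAccessDomainNames":   ("chr", None,      "Device"),
    "ConfigureWebSignInAllowedUrls":      ("chr", None,      "Device"),
    "EnableFastFirstSignIn":              ("int", {0, 1, 2}, "Device"),
    "EnablePasswordlessExperience":       ("int", {0, 1, 2}, "Device"),
    "EnableWebSignIn":                    ("int", {0, 1, 2}, "Device"),
    "PreferredAadTenantDomainName":       ("chr", None,      "Device"),
}

# Assumption: list entries are bare DNS names such as accounts.contoso.com, as
# in the page's examples; schemes, paths, ports, wildcards and empty entries are
# rejected so a malformed allowlist is caught before it reaches the device.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def loc_uri(policy: str) -> str:
    """OMA-URI for a policy; AllowEAPCertSSO is the only User-scoped one."""
    scope = POLICIES[policy][2]
    return f"./{scope}/Vendor/MSFT/Policy/Config/Authentication/{policy}"


def validate(policy: str, value) -> str:
    """Return the canonical <Data> string for value, or raise ValueError."""
    if policy not in POLICIES:
        raise ValueError(f"unknown Authentication policy: {policy}")
    fmt, allowed, _ = POLICIES[policy]
    if fmt == "int":
        if isinstance(value, bool) or not isinstance(value, int) or value not in allowed:
            raise ValueError(f"{policy}: {value!r} not in allowed values {sorted(allowed)}")
        return str(value)
    # chr policies: a single domain, or a ';'-delimited list (page: List (Delimiter: ;)).
    entries = [value] if policy == "PreferredAadTenantDomainName" else str(value).split(";")
    for entry in entries:
        if not HOST_RE.match(entry):
            raise ValueError(f"{policy}: {entry!r} is not a bare domain name")
    return ";".join(entries)


def build_syncml(config: dict) -> str:
    """One <Replace> per policy, in the shape used for OMA-DM policy CSPs."""
    items = []
    for cmd_id, (policy, value) in enumerate(config.items(), start=1):
        fmt = POLICIES[policy][0]
        data = escape(validate(policy, value))
        items.append(
            f"<Replace><CmdID>{cmd_id}</CmdID><Item>"
            f"<Target><LocURI>{loc_uri(policy)}</LocURI></Target>"
            f'<Meta><Format xmlns="syncml:metinf">{fmt}</Format></Meta>'
            f"<Data>{data}</Data></Item></Replace>")
    return ('<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody>'
            + "".join(items) + "<Final/></SyncBody></SyncML>")


def posture_findings(config: dict) -> list:
    """Defender-side review using only guidance stated on the page."""
    findings = []
    # Page: AllowFastReconnect's most restricted value is 0 (its default is 1).
    if config.get("AllowFastReconnect", 1) != 0:
        findings.append("AllowFastReconnect is not at its most restricted value (0)")
    # Page: ConfigureWebSignInAllowedUrls is required in federated environments
    # as the mitigation for CVE-2021-27092; flag web sign-in enabled without it.
    if config.get("EnableWebSignIn") == 1 and not config.get("ConfigureWebSignInAllowedUrls"):
        findings.append("EnableWebSignIn=1 without ConfigureWebSignInAllowedUrls "
                        "(CVE-2021-27092 mitigation in federated environments)")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration for a federated Contoso tenant.
    sample = {
        "EnableWebSignIn": 1,
        "ConfigureWebSignInAllowedUrls": "accounts.contoso.com;signin.contoso.com",
        "AllowFastReconnect": 0,
        "AllowEAPCertSSO": 1,
    }
    print(posture_findings(sample))
    print(build_syncml(sample))
```

Run the script as-is to see the posture findings (none for the sample) followed by the SyncML body; pass a configuration with `EnableWebSignIn: 1` and no allowlist to see the CVE-2021-27092 finding. The int check deliberately rejects strings such as `"1"` and booleans, because the page specifies `int` for those policies and a type mismatch is the most common reason a custom OMA-URI setting silently fails to apply.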