AllowAadPasswordReset
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
Specifies whether password reset is enabled for Microsoft Entra accounts.
This policy allows the Microsoft Entra tenant administrator to enable the self-service password reset feature on the Windows sign-in screen.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Not allowed. |
1 | Allowed. |
AllowEAPCertSSO
Scope | Editions | Applicable OS |
---|---|---|
❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO
Allows EAP certificate-based authentication to be used for single sign-on (SSO) to internal resources.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Not allowed. |
1 | Allowed. |
AllowFastReconnect
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/AllowFastReconnect
Allows EAP Fast Reconnect to be attempted for the EAP-TLS method. The most restrictive value is 0.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 1 |
Allowed values:
Value | Description |
---|---|
0 | Not allowed. |
1 (Default) | Allowed. |
AllowSecondaryAuthenticationDevice
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/AllowSecondaryAuthenticationDevice
This policy allows users to use a companion device, such as a phone, fitness band, or IoT device, to sign on to a desktop computer running Windows 10. The companion device provides a second factor of authentication with Windows Hello.
If you enable or don't configure this policy setting, users can authenticate to Windows Hello using a companion device.
If you disable this policy, users can't use a companion device to authenticate with Windows Hello.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Not allowed. |
1 | Allowed. |
Group policy mapping:
Name | Value |
---|---|
Name | MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice |
Friendly Name | Allow companion device for secondary authentication |
Location | Computer Configuration |
Path | Windows Components > Microsoft Secondary Authentication Factor |
Registry Key Name | SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor |
Registry Value Name | AllowSecondaryAuthenticationDevice |
ADMX File Name | DeviceCredential.admx |
ConfigureWebcamAccessDomainNames
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/ConfigureWebcamAccessDomainNames
Specifies a list of domains that are allowed to access the webcam in Web Sign-in based authentication scenarios.
Note
Web sign-in is only supported on Microsoft Entra joined PCs.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: ; ) |
Example:
Your organization federates to "Contoso IDP" and your web sign-in portal at signinportal.contoso.com requires webcam access. Then the value for this policy should be:
contoso.com
ConfigureWebSignInAllowedUrls
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 with KB5001339 [10.0.17134.2145] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls
Specifies a list of URLs that are navigable in Web Sign-in based authentication scenarios.
This policy specifies the list of domains that users can access in certain authentication scenarios. For example:
- Microsoft Entra ID PIN reset
- Web sign-in Windows device scenarios where authentication is handled by Active Directory Federation Services (AD FS) or a third-party federated identity provider
Note
This policy is required in federated environments as a mitigation to the vulnerability described in CVE-2021-27092.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Allowed Values | List (Delimiter: ; ) |
Example:
Your organization's PIN reset or web sign-in authentication flow is expected to navigate to the following two domains: accounts.contoso.com and signin.contoso.com. Then the value for this policy should be:
accounts.contoso.com;signin.contoso.com
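The OMA-URIs, formats and allowed values on this page, as an added Python example (not Microsoft's code) that validates a setting against them and renders the SyncML Replace command an MDM server would deliver. It covers the int-valued policies above as well as the two `;`-delimited list policies (ConfigureWebcamAccessDomainNames and ConfigureWebSignInAllowedUrls), and it goes slightly beyond the page by rejecting pasted URLs, stray delimiters and duplicates before they reach the allow-list. The rule that list entries are bare host names (no scheme, path or port) is an assumption drawn from the page's examples; the policy table is copied from the page, and the SyncML envelope is the standard Policy CSP Replace form.

```python
import re
from xml.sax.saxutils import escape

BASE = "./{scope}/Vendor/MSFT/Policy/Config/Authentication/{name}"

# name -> (scope, format, allowed); values copied from this page.
# allowed is a set of ints, "host" (single host name) or "hostlist" (';'-list).
POLICIES = {
    "AllowAadPasswordReset": ("Device", "int", {0, 1}),
    "AllowEAPCertSSO": ("User", "int", {0, 1}),
    "AllowFastReconnect": ("Device", "int", {0, 1}),
    "AllowSecondaryAuthenticationDevice": ("Device", "int", {0, 1}),
    "ConfigureWebcamAccessDomainNames": ("Device", "chr", "hostlist"),
    "ConfigureWebSignInAllowedUrls": ("Device", "chr", "hostlist"),
    "EnableFastFirstSignIn": ("Device", "int", {0, 1, 2}),
    "EnablePasswordlessExperience": ("Device", "int", {0, 1, 2}),
    "EnableWebSignIn": ("Device", "int", {0, 1, 2}),
    "PreferredAadTenantDomainName": ("Device", "chr", "host"),
}

# RFC 1123 style host name with at least two labels (assumed entry format;
# the page's examples are bare hosts such as signin.contoso.com).
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def normalize_host(entry):
    """Return a lower-case bare host name, or raise ValueError.

    A pasted URL like 'https://signin.contoso.com/adfs/ls' or a trailing ';'
    would otherwise land in the allow-list as a non-matching entry.
    """
    host = entry.strip().lower()
    if not host:
        raise ValueError("empty list entry (stray ';'?)")
    if "://" in host or "/" in host or ":" in host or "*" in host:
        raise ValueError(f"not a bare host name: {entry!r}")
    if not _HOST_RE.match(host):
        raise ValueError(f"invalid host name: {entry!r}")
    return host


def encode_value(name, value):
    """Validate value against the policy's allowed values; return <Data> text."""
    _scope, fmt, allowed = POLICIES[name]
    if fmt == "int":
        if not isinstance(value, int) or value not in allowed:
            raise ValueError(f"{name}: {value!r} not in {sorted(allowed)}")
        return str(value)
    if allowed == "host":
        return normalize_host(value)
    # hostlist: accept a list or an already ';'-joined string; dedupe in order
    entries = value.split(";") if isinstance(value, str) else list(value)
    hosts = []
    for e in entries:
        h = normalize_host(e)
        if h not in hosts:
            hosts.append(h)
    if not hosts:
        raise ValueError(f"{name}: list must not be empty")
    return ";".join(hosts)


def oma_uri(name):
    """Full OMA-URI, using ./User/ or ./Device/ per the policy's scope."""
    return BASE.format(scope=POLICIES[name][0], name=name)


def syncml_replace(settings, first_cmd_id=1):
    """Render a SyncML body with one <Replace> per (policy, value) pair."""
    items = []
    for i, (name, value) in enumerate(settings.items(), start=first_cmd_id):
        fmt = POLICIES[name][1]
        data = escape(encode_value(name, value))
        items.append(
            "    <Replace>\n"
            f"      <CmdID>{i}</CmdID>\n"
            "      <Item>\n"
            f"        <Target><LocURI>{oma_uri(name)}</LocURI></Target>\n"
            f'        <Meta><Format xmlns="syncml:metinf">{fmt}</Format>'
            "<Type>text/plain</Type></Meta>\n"
            f"        <Data>{data}</Data>\n"
            "      </Item>\n"
            "    </Replace>"
        )
    return (
        '<SyncML xmlns="SYNCML:SYNCML1.2">\n  <SyncBody>\n'
        + "\n".join(items)
        + "\n    <Final/>\n  </SyncBody>\n</SyncML>"
    )


if __name__ == "__main__":
    # Constructed sample: a federated tenant enabling Web sign-in and pinning
    # the sign-in hosts, as the CVE-2021-27092 note above requires.
    print(syncml_replace({
        "EnableWebSignIn": 1,
        "ConfigureWebSignInAllowedUrls": ["accounts.contoso.com", "signin.contoso.com"],
        "ConfigureWebcamAccessDomainNames": "contoso.com",
        "AllowFastReconnect": 0,
    }))
```

Because the validator raises on anything that is not one of the page's allowed values, a typo such as `EnableWebSignIn = 3` or a URL pasted into ConfigureWebSignInAllowedUrls fails before any SyncML is produced rather than being silently rejected or ignored by the device.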
EnableFastFirstSignIn
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/EnableFastFirstSignIn
Specifies whether new non-admin Microsoft Entra accounts should auto-connect to pre-created candidate local accounts.
This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Microsoft Entra accounts to the pre-configured candidate local accounts.
Important
Pre-configured candidate local accounts are any local accounts that are pre-configured or added on the device.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | The feature defaults to the existing SKU and device capabilities. |
1 | Enabled. Auto-connect new non-admin Microsoft Entra accounts to pre-configured candidate local accounts. |
2 | Disabled. Don't auto-connect new non-admin Microsoft Entra accounts to pre-configured local accounts. |
EnablePasswordlessExperience
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 23H2 with KB5031455 [10.0.22631.2506] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience
Specifies whether connected users on Microsoft Entra joined devices receive a Passwordless experience on Windows.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | The feature defaults to the existing edition and device capabilities. |
1 | Enabled. The Passwordless experience will be enabled on Windows. |
2 | Disabled. The Passwordless experience won't be enabled on Windows. |
EnableWebSignIn
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn
Specifies whether web-based sign-in is allowed for signing in to Windows.
Web sign-in is a credential provider that enables a web-based sign-in experience on Windows devices. Initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only, Web sign-in expanded its capabilities starting in Windows 11, version 22H2 with KB5030310. For more information, see Web sign-in for Windows.
Note
Web sign-in is only supported on Microsoft Entra joined PCs.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | The feature defaults to the existing SKU and device capabilities. |
1 | Enabled. Web Sign-in will be enabled for signing in to Windows. |
2 | Disabled. Web Sign-in won't be enabled for signing in to Windows. |
PreferredAadTenantDomainName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later |
./Device/Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName
Specifies the preferred domain among available domains in the Microsoft Entra tenant.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Example:
Your organization uses the @contoso.com tenant domain name. Then the value for this policy should be:
contoso.com
For the user abby@contoso.com, a sign-in is done using abby in the username field instead of abby@contoso.com.