deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/client-management/mdm/policy-csp-authentication.md
Heidi Lohr 1f751a9ad0 Merged PR 13436: Update to MDM policy article footnotes 
Updated footnotes to policy articles to reflect user-friendly name for RS5, added new footnote for future Windows 10 updates. Attached to bug #19739184.
2018-12-18 13:45:33 +00:00

14 KiB
Raw Blame History

title, description, ms.author, ms.topic, ms.prod, ms.technology, author, ms.date
title description ms.author ms.topic ms.prod ms.technology author ms.date
Policy CSP - Authentication Policy CSP - Authentication maricia article w10 windows MariciaAlforque 07/30/2018

Policy CSP - Authentication

Warning

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Authentication policies

Authentication/AllowAadPasswordReset
Authentication/AllowEAPCertSSO
Authentication/AllowFastReconnect
Authentication/AllowFidoDeviceSignon
Authentication/AllowSecondaryAuthenticationDevice
Authentication/EnableFastFirstSignIn
Authentication/EnableWebSignIn
Authentication/PreferredAadTenantDomainName

Authentication/AllowAadPasswordReset

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark3 check mark3 check mark3 check mark3 cross mark cross mark

Scope:

[!div class = "checklist"]

  • Device

Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen.

The following list shows the supported values:

  • 0 (default) Not allowed.
  • 1 Allowed.

Authentication/AllowEAPCertSSO

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

Scope:

[!div class = "checklist"]

  • User

Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.

The following list shows the supported values:

  • 0 Not allowed.
  • 1 (default) Allowed.

Authentication/AllowFastReconnect

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark check mark check mark

Scope:

[!div class = "checklist"]

  • Device

Allows EAP Fast Reconnect from being attempted for EAP Method TLS.

Most restricted value is 0.

The following list shows the supported values:

  • 0 Not allowed.
  • 1 (default) Allowed.

Authentication/AllowFidoDeviceSignon

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark3 check mark3 check mark3 check mark3 cross mark cross mark

Scope:

[!div class = "checklist"]

  • Device

Preview release in Windows 10, version 1709. Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0

Value type is integer.

Here is an example scenario: At Contoso, there are a lot of shared devices and kiosks that employees throughout the day using as many as 20 different devices. To minimize the loss in productivity when employees have to login with username and password everytime they pick up a device, the IT admin deploys SharePC CSP and Authentication/AllowFidoDeviceSignon policy to shared devices. The IT admin provisions and distributes FIDO 2.0 devices to employees, which allows them to authenticate to various shared devices and PCs.

The following list shows the supported values:

  • 0 - Do not allow. The FIDO device credential provider disabled. 
  • 1 - Allow. The FIDO device credential provider is enabled and allows usage of FIDO devices to sign into an Windows.

Authentication/AllowSecondaryAuthenticationDevice

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark1 check mark1 check mark1 check mark1 check mark1 check mark1 check mark1

Scope:

[!div class = "checklist"]

  • Device

Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows.

The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premises only environment, cloud domain-joined in a hybrid environment, and BYOD).

ADMX Info:

  • GP English name: Allow companion device for secondary authentication
  • GP name: MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice
  • GP path: Windows Components/Microsoft Secondary Authentication Factor
  • GP ADMX file name: DeviceCredential.admx

The following list shows the supported values:

  • 0 Not allowed.
  • 1 Allowed.

Authentication/EnableFastFirstSignIn

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark5 check mark5 check mark5 check mark5

Scope:

[!div class = "checklist"]

  • Device

This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.

Value type is integer. Supported values:

  • 0 - (default) The feature defaults to the existing SKU and device capabilities.
  • 1 - Enabled. Auto connect new non-admin AZure AD accounts to pre-configured candidate local accounts
  • 2 - Disabled. Do not auto connect new non-admin Azure AD accounts to pre-configured local accounts

Authentication/EnableWebSignIn

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark5 check mark5 check mark5 check mark5

Scope:

[!div class = "checklist"]

  • Device

"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML).

Note

Web Sign-in is only supported on Azure AD Joined PCs.

Value type is integer. Supported values:

  • 0 - (default) The feature defaults to the existing SKU and device capabilities.
  • 1 - Enabled. Web Credential Provider will be enabled for Sign In
  • 2 - Disabled. Web Credential Provider will not be enabled for Sign In

Authentication/PreferredAadTenantDomainName

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark5 check mark5 check mark5 check mark5

Scope:

[!div class = "checklist"]

  • Device

Specifies the preferred domain among available domains in the Azure AD tenant.

Example: If your organization is using the "@contoso.com" tenant domain name, the policy value should be "contoso.com". For the user "abby@constoso.com", she would then be able to sign in using "abby" in the username field instead of "abby@contoso.com".

Value type is string.

Footnote:

  • 1 - Added in Windows 10, version 1607.
  • 2 - Added in Windows 10, version 1703.
  • 3 - Added in Windows 10, version 1709.
  • 4 - Added in Windows 10, version 1803.
  • 5 - Added in Windows 10, version 1809.
  • 6 - Added in the next major release of Windows 10.