Disable Credential Providers from Windows Logon Screen Using Group Policy

Product: HYPR Workforce Access
Applicable Version(s): 6.10 and above

This process requires administrator access to the Windows Group Policy Editor.

Instructions

  1.  To hide the default Microsoft Windows credential providers after installation of HYPR Workforce Access, a Windows Group Policy setting must be configured using either the local group policy editor (gpedit.msc) or the group policy management console (gpmc.msc):

    • Modify an existing group policy or create a new group policy and go to the Exclude credential providers setting: Computer Configuration | Policies | Administrative Templates | System | Logon | Exclude credential providers

    • Open the Properties of the group policy setting and set the policy to Enabled

  2. Use the Exclude the following credential providers field to exclude specific credential providers. Enter the comma-separated CLSIDs for multiple credential providers to be excluded from use during the authentication process. HYPR requires the smart card credential provider to be available.

  3. On a Windows 10 system with the HYPR Workforce Access Client installed, Windows Password Provider appears next to the HYPR Logon. Smart Card credential provider can be excluded from the login interface using the following string: {8FD7E19C-3BF7-489B-A72C-846AB3678C96}

    Credential Provider

    CLSID

    Smartcard Reader Selection Provider

    {1b283861-754f-4022-ad47-a5eaaa618894}

    Smartcard WinRT Provider

    {1ee7337f-85ac-45e2-a23c-37c753209769}

    PicturePasswordLogonProvider

    {2135f72a-90b5-4ed3-a7f1-8bb705ac276a}

    GenericProvider

    {25CBB996-92ED-457e-B28C-4774084BD562}

    NPProvider

    {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}

    CngCredUICredentialProvider

    {600e7adb-da3e-41a4-9225-3c0399e88c0c}

    PasswordProvider

    {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}

    PasswordProvider\LogonPasswordReset

    {8841d728-1a76-4682-bb6f-a9ea53b4b3ba}

    FaceCredentialProvider

    {8AF662BF-65A0-4D0A-A540-A338A999D36F}

    Smartcard Credential Provider

    {8FD7E19C-3BF7-489B-A72C-846AB3678C96}

    Smartcard Pin Provider

    {94596c7e-3744-41ce-893e-bbf09122f76a}

    WinBio Credential Provider

    {BEC09223-B018-416D-A0AC-523971B639F5}

    IrisCredentialProvider

    {C885AA15-1764-4293-B82A-0586ADD46B35}

    PINLogonProvider

    {cb82ea12-9f71-446d-89e1-8d0924e1256e}

    NGC Credential Provider

    {D6886603-9D2F-4EB2-B667-1971041FA96B}

    CertCredProvider

    {e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}

    WLIDCredentialProvider

    {F8A0B131-5F68-486c-8040-7E8FC3C85BB6}

  4. To check for additionally installed third-party credential providers, open the registry and browse to the following location:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers]

NOTE: Hiding credential providers via group policy also apply to UAC and RunAs authentication dialog boxes

Enabling the Exclude Credential Provider will allow disabling password-based login on the machine level.

 

Version Date Comment
Current Version (v. 2) May 06, 2022 19:55 Khedron de León
v. 1 Oct 30, 2021 05:15 Nilesh Doiphode
Was this article helpful?
0 out of 0 found this helpful