Account Management URL
Description: Specifies the URL for the TruU Account Management Service (TAMS). When Configured , this enables the Account Management Service Integration, allowing users to manage their accounts through TruU. Registry Key: HKLM\Software\Policies\TruU\Authenticator\AccountManagementUrl Default Setting: Not configured (no URL). Type: String Options: • Not Configured or Disabled: Account Management Service integration is not active • Enabled: Enter a valid URL pointing to your TAMS web server (e.g., https://webserver.truu.ai/). The default agent installs on port 443; update the URL if a custom port is used. Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → AccountManagementUrlAccount Unlock Request Period
Description: Controls how frequently a single account unlock operation can be repeated. This rate-limiting setting prevents rapid repeated unlock attempts by enforcing a minimum wait period between requests Registry Key: HKLM\Software\Policies\TruU\Authenticator\AccountUnlockRequestPeriodSeconds Default Setting: 259,200 seconds (72 hours). Type: Int32 Options: • Not Configured or Disabled: The default period of 259,200 seconds (72 hours) is enforced. • Enabled: Set an integer value (in seconds) to define the minimum time between unlock attempts for a single account. o Example: A value of 3600 enforces at least 1 hour between each unlock attempt. Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → AccountUnlockRequestPeriodSecondsAlways Allowed RDP Credentials Providers
Description: Specifies which credentials providers are permitted for RDP connections before any user is enrolled in TruU. Restricts authentication methods available during RDP sign-in for unenrolled users Registry Key: HKLM\Software\Policies\TruU\Authenticator\alwaysAllowedRDPCPs Default Setting: No restriction (all credential providers allowed). Type: MultiString Options:• Not Configured or Disabled: No restrictions applied — all available credential providers may be used for RDP.
• Enabled: Provide a list of credential provider GUIDs that are permitted for RDP. Only the listed providers will be available.
o Example: Configuring only the TruU GUID means no other credential provider can be used for RDP. Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → alwaysAllowedRDPCPs
Always Allowed Sign-in Credential Providers
Description: Specifies which credential providers are permitted on the Windows Login Screen before any user is enrolled in TruU. Restricts which authentication methods can be used at the sign-in screen for unenrolled users. Registry Key: HKLM\Software\Policies\TruU\Authenticator\alwaysAllowedSignInCPs Default Setting: No restriction (all credential providers allowed). Type: MultiString Options:• Not Configured or Disabled: No restrictions applied — all credential providers may be used at the login screen.
• Enabled: Provide a list of credential provider GUIDs permitted for login screen sign in. Only the listed providers will be available.
o Example: Configuring only the TruU GUID means no other credential provider can be used at the login screen. Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → alwaysAllowedSignInCPs
Always Allowed UAC Credential Providers
Description: Specifies which credential providers are permitted for User Account Control (UAC) prompts before any user is enrolled in TruU. Restricts which authentication methods can be used for UAC elevation for unenrolled users. Registry Key: HKLM\Software\Policies\TruU\Authenticator\alwaysAllowedUACCPs Default Setting: No restriction (all credential providers allowed). Type: MultiString Options:• Not Configured or Disabled: No restrictions applied — all credential providers may be used for UAC.
• Enabled: Provide a list of credential provider GUIDs permitted for UAC prompts. Only the listed providers will be available. Example: Configuring only the TruU GUID means no other credential provider can be used for UAC. Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → alwaysAllowedUACCPs
Authentication Attempts
Description: Controls the number of incorrect PIN attempts a user can make before being locked out and required to wait for a cooldown period before trying again. Registry Key: HKLM\Software\Policies\TruU\Authenticator\authAttempts Default Setting: 8 attempts.Type: Int32
Options: • Not Configured or Disabled: The default limit of 8 attempts is enforced.
• Enabled: Set an integer value to define the number of failed PIN attempts before the cooldown period is triggered.
Works in conjunction with the AuthCooldownSeconds policy to define the lockout duration.
Policy Path:
Computer Configuration → Administrative Templates → TruU → Authenticator → authAttempts
Authentication Cooldown Seconds
Description: Sets the duration (in seconds) a user must wait after exceeding the maximum number of failed PIN attempts before they can try again. Registry Key: HKLM\Software\Policies\TruU\Authenticator\AuthCooldownSeconds Default Setting: 1,800 seconds (30 minutes). Type: Int32 Options:• Not Configured or Disabled: The default cooldown of 1,800 seconds (30 minutes) is enforced.
• Enabled: Set an integer value (in seconds) to define the wait period after too many failed PIN attempts.
Works in conjunction with the authAttempts policy which defines how many failures trigger the cooldown.
Policy Path:
Computer Configuration → Administrative Templates → TruU → Authenticator → AuthCooldownSeconds
Disable Add Biometrics Notifications
Description: Controls the behavior of the Windows Toast notification, prompting users to add biometric enrollment. Allows administrators to suppress or limit how often this notification appears. Registry Key: HKLM\Software\Policies\TruU\Authenticator\DisableAddBioNotifications Default Setting: 0 (notification appears at every sign-in). Type: Int32 Options:• Not Configured or Disabled: The notification appears at every user sign-in (value 0).
• Enabled: Set the value to control notification behavior: 0 — Notification appears at every sign-in.
1 — Notification appears only once.
2 — Notification is fully disabled.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → DisableAddBioNotifications
Enable Authenticator
Description: Controls whether the TruU Windows Agent is active. When disabled, the agent’s core features like login provider, enrollment, and notifications are all turned off. Registry Key: HKLM\Software\Policies\TruU\Authenticator\EnableAuthenticator Default Setting: 1 (enabled). Type: Boolean Options:• Not Configured or Disabled (0): The TruU Windows Agent is inactive.
• Enabled (1): The TruU Windows Agent is active, enabling login provider functionality, enrollment, and notifications. Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → EnableAuthenticator
Enable CAuth
Description: Controls whether the Continuous Authentication (CAuth) feature is active. CAuth periodically prompts users to re-authenticate while signed in.Registry Key: HKLM\Software\Policies\TruU\Authenticator\EnableCAuth Default Setting: 0 (CAuth disabled). Type: Boolean Options: • Not Configured or Disabled (0): CAuth is disabled; users will not be prompted for continuous re-authentication. • Enabled (1): CAuth is active and will prompt users for re-authentication based on the ReauthTimeoutSec interval. Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → EnableCAuth
Enable Get Started Notification
Description: Controls whether a ‘Get Started’ notification is displayed for users who have not yet enrolled in TruU when signing in with a non-TruU credential provider.Registry Key: HKLM\Software\Policies\TruU\Authenticator\EnableGetStartedNotification
Default Setting: 0 (notification not shown). Type: Boolean Options:
• Not Configured or Enabled (1): The Get Started notification is shown to unenrolled users to prompt them to enroll.
• Disabled (0): The Get Started notification is suppressed and will not be shown.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → EnableGetStartedNotification
Enrolled Allowed RDP Credential Providers
Description: Specifies which credential providers are permitted for RDP connections for users who are already enrolled in TruU. Restricts authentication methods available during RDP sign-in for enrolled users. Registry Key: HKLM\Software\Policies\TruU\Authenticator\enrolledAllowedRDPCPs Default Setting: No restriction (all credential providers allowed). Type: MultiString Options:• Not Configured or Disabled: No restrictions applied — all credential providers may be used for RDP by enrolled users.
• Enabled: Provide a list of credential provider GUIDs permitted for RDP for enrolled users. Only the listed providers will be available. Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → enrolledAllowedRDPCPs
Enrolled Allowed Sign-In Credentials Providers
Description: Specifies which credential providers are permitted on the Windows Login Screen for users who are already enrolled in TruU.Registry Key: HKLM\Software\Policies\TruU\Authenticator\enrolledAllowedSignInCPs
Default Setting: No restriction (all credential providers allowed).
Type: MultiString Options:
• Not Configured or Disabled: No restrictions applied — all credential providers may be used at the login screen by enrolled users.
• Enabled: Provide a list of credential provider GUIDs permitted for login screen sign-in for enrolled users.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → enrolledAllowedSignInCPs
Enrolled Allowed UAC Credential Providers
Description: Specifies which credential providers are permitted for UAC prompts for users who are already enrolled in TruU.Registry Key: HKLM\Software\Policies\TruU\Authenticator\enrolledAllowedUACCPs Default Setting: No restriction (all credential providers allowed). Type: MultiString Options:
• Not Configured or Disabled: No restrictions applied — all credential providers may be used for UAC by enrolled users.
• Enabled: Provide a list of credential provider GUIDs permitted for UAC prompts for enrolled users.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → enrolledAllowedUACCPs
Enrolled Learn More Label
Description: Customizes the text of the ‘Learn More’ hyperlink displayed on the Getting Started enrollment page. Requires the enrollmentLearnMoreUrl key to be set for the link to appear.Registry Key: HKLM\Software\Policies\TruU\Authenticator\enrollmentLearnMoreLabel
Default Setting: Default TruU label text.
Type: String
Options:
• Not Configured or Disabled: The default TruU ‘Learn more’ link text is displayed.
• Enabled: Enter custom text to replace the default ‘Learn more’ label shown on the Getting Started page. Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → enrollmentLearnMoreLabel
Enrollment Learn More Paragraph
Description: Customizes the descriptive paragraph text shown on the Getting Started enrollment page, replacing the default TruU enrollment description.Registry Key: HKLM\Software\Policies\TruU\Authenticator\enrollmentLearnMoreParagraph
Default Setting: Default TruU paragraph text.
Type: String
Options:
• Not Configured or Disabled: The default TruU enrollment description text is displayed.
• Enabled: Enter custom text to replace the default paragraph on the Getting Started page (e.g., ‘Enroll in passwordless authentication today’).
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → enrollmentLearnMoreParagraph
Enrollment Learn More URL
Description: Specifies a custom URL for the ‘Learn More’ link on the Getting Started enrollment page. Use this to point users to internal help documentation or a custom enrollment guide.Registry Key: HKLM\Software\Policies\TruU\Authenticator\enrollmentLearnMoreUrl
Default Setting: No URL configured (link not shown).
Type: String
Options:
• Not Configured or Disabled: No ‘Learn More’ link is displayed on the Getting Started page.
• Enabled: Enter a valid URL. A ‘Learn More’ link pointing to this URL will appear on the Getting Started page.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → enrollmentLearnMoreUrl
Face Biometrics Enabled
Description: Controls whether facial biometrics are available for TruU enrollment and authentication. When enabled, users can enroll their face to log on to the operating system. Registry Key: HKLM\Software\Policies\TruU\Authenticator\FaceBioEnabledDefault Setting: 1 (face biometrics enabled).
Type: Boolean
Options:
• Not Configured or Enabled (1): Facial biometrics are available; users can enroll and use their face to authenticate.
• Disabled (0): Facial biometrics are not available for TruU authentication.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → FaceBioEnabled Registry Key: HKLM\Software\Policies\TruU\Authenticator\FaceBioEnabled
Default Setting: 1 (face biometrics enabled).
Type: Boolean
Options:
• Not Configured or Enabled (1): Facial biometrics are available; users can enroll and use their face to authenticate.
• Disabled (0): Facial biometrics are not available for TruU authentication.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → FaceBioEnabled
Fingerprint Biometrics Enabled
Description: Controls whether fingerprint biometrics are available for TruU enrollment and authentication. When enabled, users can enroll their fingerprint to log on to the operating system.Registry Key: HKLM\Software\Policies\TruU\Authenticator\FingerprintBioEnabled
Default Setting: 1 (fingerprint biometrics enabled).
Type: Boolean Options:
• Not Configured or Enabled (1): Fingerprint biometrics are available; users can enroll and use their fingerprint to authenticate.
• Disabled (0): Fingerprint biometrics are not available for TruU authentication.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → FingerprintBioEnabled
Hide Add Account
Description: Controls whether the ‘Add Account’ option is visible in the TruU system tray menu for users who have already enrolled. Registry Key: HKLM\Software\Policies\TruU\Authenticator\HideAddAccount Default Setting: 0 (Add Account is visible).Type: Boolean
Options:
• Not Configured or Disabled (0): ‘Add Account’ is visible in the system tray menu for all users.
• Enabled (1): ‘Add Account’ is hidden from the system tray menu for users who are already enrolled.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → HideAddAccount
Hide Add User at Sign-In
Description: Controls whether the ‘Add User’ option is visible on the TruU Windows Sign-In UI for enrolled users. Registry Key: HKLM\Software\Policies\TruU\Authenticator\HideAddUserSigninDefault Setting: 0 (Add User is visible).
Type: Boolean
Options:
• Not Configured or Disabled (0): ‘Add User’ is shown on the Sign-In UI.
• Enabled (1): ‘Add User’ is hidden from the Sign-In UI if a user is already enrolled.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → HideAddUserSignin
Install or Update Updater Service
Description: Controls whether the TruU Updater Service is installed or updated automatically by the Windows Agent. Registry Key: HKLM\Software\Policies\TruU\Authenticator\InstallOrUpdateUpdaterServiceDefault Setting: 0 (Updater Service not auto-installed).
Type: Boolean
Options:
• Not Configured or Disabled (0): The Updater Service will not be installed or updated by the agent.
• Enabled (1): The Updater Service will be automatically installed or updated by the agent.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → InstallOrUpdateUpdaterService
Maximum Fingerprint Failure Attempts
Description: Sets the number of consecutive failed fingerprint attempts allowed before the system falls back to PIN authentication.Registry Key: HKLM\Software\Policies\TruU\Authenticator\MaxFingerprintFailureAttempts
Default Setting: 4 attempts.
Type: Int32
Options:
• Not Configured or Disabled: After 4 failed fingerprint attempts, the system falls back to PIN.
• Enabled: Set a value between 1 and 10 to define how many failed fingerprint attempts are allowed before the PIN fallback is triggered.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → MaxFingerprintFailureAttempts
PIN Recovery Enrollment from Login Screen
Description: Controls whether users see a ‘Forgot PIN’ link on the lock screen, allowing them to recover or re-enroll their PIN without administrator assistance. Registry Key: HKLM\Software\Policies\TruU\Authenticator\PinRecoveryEnrollmentFromLoginScreenDefault Setting: 0 (PIN recovery not shown).
Type: Boolean
Options:
• Not Configured or Disabled (0): Users will not see the ‘Forgot PIN’ option on the lock screen.
• Enabled (1): A ‘Forgot PIN’ link is displayed, allowing users to re-enroll their PIN from the lock screen.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → PinRecoveryEnrollmentFromLoginScreen
Privacy URL
Description: Specifies a custom URL pointing to your organization’s privacy policy regarding biometric data usage. This URL is displayed to users within the TruU agent.Registry Key: HKLM\Software\Policies\TruU\Authenticator\PrivacyUrl
Default Setting: https://truu.ai/privacy.
Type: String
Options:
• Not Configured or Disabled: The default TruU privacy URL (https://truu.ai/privacy) is used.
• Enabled: Enter a valid URL to replace the default privacy policy link with your organization’s own privacy policy.
Default Setting: https://truu.ai/privacy.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → PrivacyUrl
Re-Authentication Timeout Seconds
Description: Sets the countdown duration (in seconds) for the CAuth re-authentication prompt. If the user does not authenticate within this window, the session is affected. Used in conjunction with EnableCAuth.Registry Key: HKLM\Software\Policies\TruU\Authenticator\ReauthTimeoutSec
Default Setting: 30 seconds.
Type: Int32
Options:
• Not Configured or Disabled: The default timeout of 30 seconds is used.
• Enabled: Set an integer value (in seconds) to define the countdown duration for the re authentication prompt.
Lower values give users less time to respond to the re-authentication prompt.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → ReauthTimeoutSec
Re-Login with TruU Notification
Description: Controls whether a notification is shown to users who were previously enrolled with TruU, prompting them to lock and unlock with TruU after a Windows Agent upgrade.Registry Key: HKLM\Software\Policies\TruU\Authenticator\ReloginWithTruU
Default Setting: 1 (notification shown).
Type: Boolean
Options:
• Not Configured or Enabled (1): The notification ‘Lock/unlock with TruU to continue’ is displayed after an agent upgrade for previously enrolled users.
• Disabled (0): The notification is suppressed and will not be shown after an upgrade. Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → ReloginWithTruU
Self-Service Password Reset URL
Description: Specifies a URL for the Self-Service Password Reset (SSPR) portal. This link is displayed to users on error screens such as account locked, password change required, or password expired.Registry Key: HKLM\Software\Policies\TruU\Authenticator\ssprUrl
Default Setting: No URL configured (link not shown).
Type: String
Options:
• Not Configured or Disabled: No SSPR link is shown on error screens.
• Enabled: Enter a valid URL to your organization’s SSPR portal. The link will appear on relevant error screens to help users self-resolve credential issues.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → ssprUrl
Time Expired Failed Attempts Seconds
Description: Sets the duration (in seconds) a user must wait after exceeding the maximum number of failed PIN attempts (defined by authAttempts) before being allowed to try again.Registry Key: HKLM\Software\Policies\TruU\Authenticator\timeExpiredFailedAttemptsSec
Default Setting: Default system value.
Type: Int32
Options:
• Not Configured or Disabled: The default wait period applies after too many failed PIN attempts.
• Enabled: Set a value (in seconds) to define how long the user must wait before retrying after exceeding the failed attempt limit.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → timeExpiredFailedAttemptsSec
TruU for RDP Feature Enabled
Description: Controls whether TruU authentication is available for Remote Desktop Protocol (RDP) connections.Registry Key: HKLM\Software\Policies\TruU\Authenticator\TruuForRdpFeatureEnabled
Default Setting: 1 (TruU for RDP enabled).
Type: Boolean
Options:
• Not Configured or Enabled (1): TruU can be used for RDP authentication.
• Disabled (0): TruU for RDP is completely disabled; users cannot authenticate via TruU over RDP.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → TruuForRdpFeatureEnabled
TruU for UAC Feature Enabled
Description: Controls whether TruU authentication is available for User Account Control (UAC) elevation prompts.Registry Key: HKLM\Software\Policies\TruU\Authenticator\TruuForUacFeatureEnabled
Default Setting: 1 (TruU for UAC enabled).
Type: Boolean
Options:
• Not Configured or Enabled (1): TruU can be used for UAC authentication prompts.
• Disabled (0): TruU for UAC is completely disabled; users cannot authenticate via TruU at UAC prompts.
Policy Path: Computer Configuration → Administrative Templates → TruU → Authenticator → TruuForUacFeatureEnabled \

