> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truu.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# TruU Policy Settings for Windows Authenticator

## **Account Management URL**

**Description:** Specifies the URL for the TruU Account Management Service (TAMS). When Configured , this enables the Account Management Service Integration, allowing users to manage their accounts through TruU.

**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\AccountManagementUrl

**Default Setting:** Not configured (no URL).

**Type:** String

**Options:**

**• Not Configured or Disabled:** Account Management Service integration is not active

**• Enabled:** Enter a valid URL pointing to your TAMS web server (e.g., [https://webserver.truu.ai/](https://webserver.truu.ai/)). The default agent installs on port 443; update the URL if a custom port is used.

**Policy Path:**

Computer Configuration → Administrative Templates → TruU → Authenticator → AccountManagementUrl

## **Account Unlock Request Period**

**Description:** Controls how frequently a single account unlock operation can be repeated. This rate-limiting setting prevents rapid repeated unlock attempts by enforcing a minimum wait period between requests

**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\\**AccountUnlockRequestPeriodSeconds**

**Default Setting:** 259,200 seconds (72 hours).

**Type:** Int32

**Options:**

**• Not Configured or Disabled:** The default period of 259,200 seconds (72 hours) is enforced.

**• Enabled:** Set an integer value (in seconds) to define the minimum time between unlock attempts for a single account. o Example: A value of 3600 enforces at least 1 hour between each unlock attempt.

**Policy Path:**

Computer Configuration → Administrative Templates → TruU → Authenticator → AccountUnlockRequestPeriodSeconds

## **Always Allowed RDP Credentials Providers**

**Description:** Specifies which credentials providers are permitted for RDP connections before any user is enrolled in TruU. Restricts authentication methods available during RDP sign-in for unenrolled users

**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\alwaysAllowedRDPCPs

**Default Setting:** No restriction (all credential providers allowed).

**Type:** MultiString

**Options:**\
**• Not Configured or Disabled:** No restrictions applied — all available credential providers may be used for RDP. \
**• Enabled:** Provide a list of credential provider GUIDs that are permitted for RDP. Only the listed providers will be available. \
o Example: Configuring only the TruU GUID means no other credential provider can be used for RDP.

**Policy Path:**

Computer Configuration → Administrative Templates → TruU → Authenticator → alwaysAllowedRDPCPs

## **Always Allowed Sign-in Credential Providers**

**Description:** Specifies which credential providers are permitted on the Windows Login Screen before any user is enrolled in TruU. Restricts which authentication methods can be used at the sign-in screen for unenrolled users.

**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\alwaysAllowedSignInCPs

**Default Setting:** No restriction (all credential providers allowed).

**Type:** MultiString

**Options:**\
• Not Configured or Disabled: No restrictions applied — all credential providers may be used at the login screen. \
• Enabled: Provide a list of credential provider GUIDs permitted for login screen sign in. Only the listed providers will be available. \
o Example: Configuring only the TruU GUID means no other credential provider can be used at the login screen.

**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → alwaysAllowedSignInCPs

## **Always Allowed UAC Credential Providers**

**Description:** Specifies which credential providers are permitted for User Account Control (UAC) prompts before any user is enrolled in TruU. Restricts which authentication methods can be used for UAC elevation for unenrolled users.

**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\alwaysAllowedUACCPs Default Setting: No restriction (all credential providers allowed).

**Type:** MultiString

**Options:** \
**• Not Configured or Disabled:** No restrictions applied — all credential providers may be used for UAC.\
**• Enabled:** Provide a list of credential provider GUIDs permitted for UAC prompts. Only the listed providers will be available.

 Example: Configuring only the TruU GUID means no other credential provider can be used for UAC.

**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → alwaysAllowedUACCPs

## **Authentication Attempts**

**Description:** Controls the number of incorrect PIN attempts a user can make before being locked out and required to wait for a cooldown period before trying again.

**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\authAttempts

**Default Setting:** 8 attempts. \
**Type:** Int32 \
**Options:**

**• Not Configured or Disabled:** The default limit of 8 attempts is enforced. \
**• Enabled:** Set an integer value to define the number of failed PIN attempts before the cooldown period is triggered. \
 Works in conjunction with the AuthCooldownSeconds policy to define the lockout duration. \
\
**Policy Path:**\
Computer Configuration → Administrative Templates → TruU → Authenticator → authAttempts

## **Authentication Cooldown Seconds**

**Description:** Sets the duration (in seconds) a user must wait after exceeding the maximum number of failed PIN attempts before they can try again.

**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\AuthCooldownSeconds Default Setting: 1,800 seconds (30 minutes).

**Type:** Int32

**Options:** \
• Not Configured or Disabled: The default cooldown of 1,800 seconds (30 minutes) is enforced. \
• Enabled: Set an integer value (in seconds) to define the wait period after too many failed PIN attempts. \
 Works in conjunction with the authAttempts policy which defines how many failures trigger the cooldown. \
\
**Policy Path:**\
Computer Configuration → Administrative Templates → TruU → Authenticator → AuthCooldownSeconds

## **Disable Add Biometrics Notifications**

**Description:** Controls the behavior of the Windows Toast notification, prompting users to add biometric enrollment. Allows administrators to suppress or limit how often this notification appears.

**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\DisableAddBioNotifications

**Default Setting:** 0 (notification appears at every sign-in).

**Type:** Int32

**Options:** \
• Not Configured or Disabled: The notification appears at every user sign-in (value 0). \
• Enabled: Set the value to control notification behavior:

 0 — Notification appears at every sign-in. \
 1 — Notification appears only once. \
 2 — Notification is fully disabled. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → DisableAddBioNotifications

## **Enable Authenticator**

**Description:** Controls whether the TruU Windows Agent is active. When disabled, the agent's core features like login provider, enrollment, and notifications are all turned off.

**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\EnableAuthenticator

**Default Setting:** 1 (enabled).

**Type:** Boolean

**Options:** \
• Not Configured or Disabled (0): The TruU Windows Agent is inactive. \
• Enabled (1): The TruU Windows Agent is active, enabling login provider functionality, enrollment, and notifications.

**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → EnableAuthenticator

## **Enable CAuth**

**Description:** Controls whether the Continuous Authentication (CAuth) feature is active. CAuth periodically prompts users to re-authenticate while signed in. \
\
**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\EnableCAuth

**Default Setting:** 0 (CAuth disabled).

**Type:** Boolean

**Options:**

**• Not Configured or Disabled (0):** CAuth is disabled; users will not be prompted for continuous re-authentication.

**• Enabled (1):** CAuth is active and will prompt users for re-authentication based on the ReauthTimeoutSec interval.

**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → EnableCAuth

## **Enable Get Started Notification**

**Description:** Controls whether a 'Get Started' notification is displayed for users who have not yet enrolled in TruU when signing in with a non-TruU credential provider. \
\
**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\EnableGetStartedNotification \
\
**Default Setting:** 0 (notification not shown).

**Type:** Boolean

**Options:** \
**• Not Configured or Enabled (1):** The Get Started notification is shown to unenrolled users to prompt them to enroll. \
**• Disabled (0):** The Get Started notification is suppressed and will not be shown. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → EnableGetStartedNotification

## **Enrolled Allowed RDP Credential Providers**

**Description:** Specifies which credential providers are permitted for RDP connections for users who are already enrolled in TruU. Restricts authentication methods available during RDP sign-in for enrolled users.

**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\enrolledAllowedRDPCPs

**Default Setting:** No restriction (all credential providers allowed).

**Type:** MultiString

**Options:** \
• Not Configured or Disabled: No restrictions applied — all credential providers may be used for RDP by enrolled users. \
• Enabled: Provide a list of credential provider GUIDs permitted for RDP for enrolled users. Only the listed providers will be available.

**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → enrolledAllowedRDPCPs

## **Enrolled Allowed Sign-In Credentials Providers**

**Description:** Specifies which credential providers are permitted on the Windows Login Screen for users who are already enrolled in TruU. \
\
**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\enrolledAllowedSignInCPs \
\
**Default Setting:** No restriction (all credential providers allowed). \
\
**Type:** MultiString

**Options:** \
**• Not Configured or Disabled:** No restrictions applied — all credential providers may be used at the login screen by enrolled users. \
**• Enabled:** Provide a list of credential provider GUIDs permitted for login screen sign-in for enrolled users. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → enrolledAllowedSignInCPs

## **Enrolled Allowed UAC Credential Providers**

**Description:** Specifies which credential providers are permitted for UAC prompts for users who are already enrolled in TruU. \
\
**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\enrolledAllowedUACCPs

**Default Setting:** No restriction (all credential providers allowed).

**Type:** MultiString

**Options:** \
**• Not Configured or Disabled:** No restrictions applied — all credential providers may be used for UAC by enrolled users. \
**• Enabled:** Provide a list of credential provider GUIDs permitted for UAC prompts for enrolled users. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → enrolledAllowedUACCPs

## **Enrolled Learn More Label**

**Description:** Customizes the text of the 'Learn More' hyperlink displayed on the Getting Started enrollment page. Requires the enrollmentLearnMoreUrl key to be set for the link to appear. \
\
**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\enrollmentLearnMoreLabel \
\
**Default Setting:** Default TruU label text. \
\
**Type:** String \
\
**Options:** \
**• Not Configured or Disabled:** The default TruU 'Learn more' link text is displayed. \
**• Enabled:** Enter custom text to replace the default 'Learn more' label shown on the Getting Started page.

**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → enrollmentLearnMoreLabel

## **Enrollment Learn More Paragraph**

**Description:** Customizes the descriptive paragraph text shown on the Getting Started enrollment page, replacing the default TruU enrollment description. \
\
**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\enrollmentLearnMoreParagraph \
\
**Default Setting:** Default TruU paragraph text. \
\
**Type:** String \
\
**Options:** \
**• Not Configured or Disabled:** The default TruU enrollment description text is displayed. \
**• Enabled:** Enter custom text to replace the default paragraph on the Getting Started page (e.g., 'Enroll in passwordless authentication today'). \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → enrollmentLearnMoreParagraph

## **Enrollment Learn More URL**

**Description:** Specifies a custom URL for the 'Learn More' link on the Getting Started enrollment page. Use this to point users to internal help documentation or a custom enrollment guide. \
\
**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\enrollmentLearnMoreUrl \
\
**Default Setting:** No URL configured (link not shown). \
\
**Type:** String \
\
**Options:** \
**• Not Configured or Disabled:** No 'Learn More' link is displayed on the Getting Started page. \
**• Enabled:** Enter a valid URL. A 'Learn More' link pointing to this URL will appear on the Getting Started page. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → enrollmentLearnMoreUrl

## **Face Biometrics Enabled**

**Description:** Controls whether facial biometrics are available for TruU enrollment and authentication. When enabled, users can enroll their face to log on to the operating system.

**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\FaceBioEnabled \
\
**Default Setting:** 1 (face biometrics enabled). \
\
**Type:** Boolean \
\
**Options:** \
**• Not Configured or Enabled (1):** Facial biometrics are available; users can enroll and use their face to authenticate. \
**• Disabled (0):** Facial biometrics are not available for TruU authentication. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → FaceBioEnabled  **Registry Key:** HKLM\Software\Policies\TruU\Authenticator\FaceBioEnabled \
\
**Default Setting:** 1 (face biometrics enabled). \
\
**Type:** Boolean \
\
**Options:** \
**• Not Configured or Enabled (1):** Facial biometrics are available; users can enroll and use their face to authenticate. \
**• Disabled (0):** Facial biometrics are not available for TruU authentication. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → FaceBioEnabled

## **Fingerprint Biometrics Enabled**

**Description:** Controls whether fingerprint biometrics are available for TruU enrollment and authentication. When enabled, users can enroll their fingerprint to log on to the operating system. \
\
**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\FingerprintBioEnabled \
\
**Default Setting:** 1 (fingerprint biometrics enabled). \
\
**Type:** Boolean

**Options:** \
**• Not Configured or Enabled (1):** Fingerprint biometrics are available; users can enroll and use their fingerprint to authenticate. \
**• Disabled (0):** Fingerprint biometrics are not available for TruU authentication. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → FingerprintBioEnabled

## **Hide Add Account**

**Description:** Controls whether the 'Add Account' option is visible in the TruU system tray menu for users who have already enrolled.

**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\HideAddAccount

**Default Setting:** 0 (Add Account is visible). \
\
**Type:** Boolean \
\
**Options:** \
**• Not Configured or Disabled (0):** 'Add Account' is visible in the system tray menu for all users. \
**• Enabled (1):** 'Add Account' is hidden from the system tray menu for users who are already enrolled. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → HideAddAccount

## **Hide Add User at Sign-In**

**Description:** Controls whether the 'Add User' option is visible on the TruU Windows Sign-In UI for enrolled users.

**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\HideAddUserSignin \
\
**Default Setting:** 0 (Add User is visible). \
\
**Type:** Boolean \
\
**Options:** \
**• Not Configured or Disabled (0):** 'Add User' is shown on the Sign-In UI. \
**• Enabled (1):** 'Add User' is hidden from the Sign-In UI if a user is already enrolled. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → HideAddUserSignin

## **Install or Update Updater Service**

**Description:** Controls whether the TruU Updater Service is installed or updated automatically by the Windows Agent.

**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\InstallOrUpdateUpdaterService \
\
**Default Setting:** 0 (Updater Service not auto-installed). \
\
**Type:** Boolean \
\
**Options:** \
**• Not Configured or Disabled (0):** The Updater Service will not be installed or updated by the agent. \
**• Enabled (1):** The Updater Service will be automatically installed or updated by the agent. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → InstallOrUpdateUpdaterService

## **Maximum Fingerprint Failure Attempts**

**Description:** Sets the number of consecutive failed fingerprint attempts allowed before the system falls back to PIN authentication. \
\
**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\MaxFingerprintFailureAttempts \
\
**Default Setting:** 4 attempts. \
\
**Type:** Int32 \
\
**Options:** \
**• Not Configured or Disabled:** After 4 failed fingerprint attempts, the system falls back to PIN.\
**• Enabled:** Set a value between 1 and 10 to define how many failed fingerprint attempts are allowed before the PIN fallback is triggered. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → MaxFingerprintFailureAttempts

## **PIN Recovery Enrollment from Login Screen**

**Description:** Controls whether users see a 'Forgot PIN' link on the lock screen, allowing them to recover or re-enroll their PIN without administrator assistance.

**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\PinRecoveryEnrollmentFromLoginScreen \
\
**Default Setting:** 0 (PIN recovery not shown). \
\
**Type:** Boolean \
\
**Options:** \
**• Not Configured or Disabled (0):** Users will not see the 'Forgot PIN' option on the lock screen. \
**• Enabled (1):** A 'Forgot PIN' link is displayed, allowing users to re-enroll their PIN from the lock screen. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → PinRecoveryEnrollmentFromLoginScreen

## **Privacy URL**

**Description**: Specifies a custom URL pointing to your organization's privacy policy regarding biometric data usage. This URL is displayed to users within the TruU agent. \
\
**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\PrivacyUrl \
\
**Default Setting:** [https://truu.ai/privacy](https://truu.ai/privacy). \
\
**Type:** String \
\
**Options:** \
**• Not Configured or Disabled:** The default TruU privacy URL ([https://truu.ai/privacy](https://truu.ai/privacy)) is used.\
**• Enabled:** Enter a valid URL to replace the default privacy policy link with your organization's own privacy policy. \
\
**Default Setting:** [https://truu.ai/privacy](https://truu.ai/privacy). \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → PrivacyUrl

## **Re-Authentication Timeout Seconds**

**Description:** Sets the countdown duration (in seconds) for the CAuth re-authentication prompt. If the user does not authenticate within this window, the session is affected. Used in conjunction with EnableCAuth. \
\
**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\ReauthTimeoutSec \
\
**Default Setting:** 30 seconds. \
\
**Type:** Int32 \
\
**Options:** \
**• Not Configured or Disabled:** The default timeout of 30 seconds is used. \
**• Enabled:** Set an integer value (in seconds) to define the countdown duration for the re authentication prompt. \
 Lower values give users less time to respond to the re-authentication prompt. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → ReauthTimeoutSec

## **Re-Login with TruU Notification**

**Description:** Controls whether a notification is shown to users who were previously enrolled with TruU, prompting them to lock and unlock with TruU after a Windows Agent upgrade. \
\
**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\ReloginWithTruU \
\
**Default Setting:** 1 (notification shown). \
\
**Type:** Boolean \
\
**Options:** \
**• Not Configured or Enabled (1):** The notification 'Lock/unlock with TruU to continue' is displayed after an agent upgrade for previously enrolled users. \
**• Disabled (0):** The notification is suppressed and will not be shown after an upgrade.

**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → ReloginWithTruU

## **Self-Service Password Reset URL**

**Description:** Specifies a URL for the Self-Service Password Reset (SSPR) portal. This link is displayed to users on error screens such as account locked, password change required, or password expired. \
\
**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\ssprUrl \
\
**Default Setting:** No URL configured (link not shown). \
\
**Type:** String \
\
**Options:** \
**• Not Configured or Disabled:** No SSPR link is shown on error screens. \
**• Enabled:** Enter a valid URL to your organization's SSPR portal. The link will appear on relevant error screens to help users self-resolve credential issues. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → ssprUrl

## **Time Expired Failed Attempts Seconds**

**Description:** Sets the duration (in seconds) a user must wait after exceeding the maximum number of failed PIN attempts (defined by authAttempts) before being allowed to try again. \
\
**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\timeExpiredFailedAttemptsSec \
\
**Default Setting:** Default system value. \
\
**Type:** Int32 \
\
**Options:** \
**• Not Configured or Disabled:** The default wait period applies after too many failed PIN attempts. \
**• Enabled:** Set a value (in seconds) to define how long the user must wait before retrying after exceeding the failed attempt limit. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → timeExpiredFailedAttemptsSec

## **TruU for RDP Feature Enabled**

**Description:** Controls whether TruU authentication is available for Remote Desktop Protocol (RDP) connections. \
\
**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\TruuForRdpFeatureEnabled \
\
**Default Setting:** 1 (TruU for RDP enabled). \
\
**Type:** Boolean \
\
**Options:** \
**• Not Configured or Enabled (1):** TruU can be used for RDP authentication. \
**• Disabled (0):** TruU for RDP is completely disabled; users cannot authenticate via TruU over RDP. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → TruuForRdpFeatureEnabled

## **TruU for UAC Feature Enabled**

**Description:** Controls whether TruU authentication is available for User Account Control (UAC) elevation prompts. \
\
**Registry Key:** HKLM\Software\Policies\TruU\Authenticator\TruuForUacFeatureEnabled \
\
**Default Setting:** 1 (TruU for UAC enabled). \
\
**Type:** Boolean \
\
**Options:**\
**• Not Configured or Enabled (1):** TruU can be used for UAC authentication prompts. \
\
**• Disabled (0):** TruU for UAC is completely disabled; users cannot authenticate via TruU at UAC prompts. \
\
**Policy Path:** Computer Configuration → Administrative Templates → TruU → Authenticator → TruuForUacFeatureEnabled \\
