Skip to main content

Option 1: Excluding the Password Credential Provider

Pros:

  • Streamlined User Experience: Users can benefit from a more seamless sign-in experience when using modern authentication methods like Truu
  • Passwordless: Eliminates the risk of password-based attacks such as phishing and brute force entirely.

Cons:

  • Limited use cases: Users cannot use this method for Remote Desktop Protocol (RDP), “Run as another user” scenarios, or administrative logins.

End User Experience

  • Observing the behavior associated with the excluded password credential provider is straightforward. To do so, simply start a configured Windows 10 or Windows 11 device and click on “Sign-in options”. This will display the available credential providers based on the excluded credential providers’ configuration.

Disable using Microsoft Intune

Configuring the exclusion of the password credential provider by using the Settings catalog
  1. Open the Microsoft Endpoint Manager admin center portal and navigate to the “Devices” tab, then “Windows”, then click on “Configuration profiles”.
  2. On the Windows | Configuration profiles blade, click Create profile
  3. Then, provide the following information and click Create
    1. Platform: Select “Windows 10 and later” to create a profile for Windows 10 devices
    2. Profile: Select “Settings catalog” to select the required setting from the catalog
  4. On the “Basics” page, provide the following information and click Next
    1. Name: Provide a name for the profile to distinguish it from other similar profiles
    2. Description: (Optional) Provide a description for the profile to further differentiate profiles
    3. Platform: (Greyed out) Windows 10 and later
  5. On the Configuration settings page, as shown below, perform the following actions
    1. Click Add Settings and then,
      1. Select Administrative Templates as a category
      2. Select System, then Logon as a subcategory
      3. Select Exclude credential providers as a setting
    2. Switch the slider with Exclude credential providers to Enable, provide the CLSID of the password credential provider (60b78e88-ead8-445c-9cfd-0b87f74ea6cd) with Exclude the following credential providers and click Next
NOTE: When multiple credential providers should be excluded, add the different CLSIDs separated with a comma.
  1. On the “Scope tags” page, configure the required scope tags and click Next
  2. On the “Assignments” page, configure the assignment and click Next
  3. On the “Review + create” page, verify the configuration and click Create

Disable using Group Policy

  1. Navigate to the “Computer Configuration” tab, then “Administrative Templates”, “System”, and select “Logon”.
  2. Find the policy named “Exclude credential providers” on the right side.
  3. Right-click on Exclude credential providers, click Edit, and then:
    1. Click Enabled.
    2. Enter the CLSID 60b78e88-ead8-445c-9cfd-0b87f74ea6cd to exclude the password credential provider.
Registry Modification Method:
  1. Open the Registry Editor (regedit).
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.
  3. Find the key with the CLSID 60b78e88-ead8-445c-9cfd-0b87f74ea6cd (password credential provider).
  4. Rename or delete the key to disable it.

Option 2: Enforcing Smart Card logon to the OS using TruU

Pros:

  • Selective Password Usage: Passwords are only required for local administrative accounts, while all other logins to the OS are passwordless.
  • Enhanced Security: Eliminates the risks associated with weak or compromised passwords

Cons:

  • Implementation limitations: Azure/Intune environments require custom scripting as there is currently no Group Policy Object (GPO) support available.

End User experience

Enforce using Group Policy

  1. Navigate to the “Computer Configuration” tab, then select “Administrative Templates”, then “Windows Components”, and then select “Windows Hello for Business”.
  2. Find the policy named “Use Windows Hello for business certificates as smart card” and set it to Enabled. This ensures that the smart card service is active.
NOTE: Ensure that user accounts are set up for smart card authentication. Each user who needs to log in with a smart card should have a corresponding smart card certificate issued.

Enforce using Microsoft Intune

  1. Open the Microsoft Endpoint Manager admin center portal navigate to the “Reports” tab, then go to “Endpoint analytics”, and select “Proactive remediations”.
  2. On the “Proactive remediations” dropdown, click Create script package to open the “Create custom script wizard.”
  3. On the “Basics” page, provide the following information and click Next
    1. Name: Provide a valid name for the custom script package to distinguish it from other similar script packages
  4. On the Settings page, provide the following information and click Next
    1. Detection script file: Create and select the following detection script to detect the status of the Windows Hello for Business configuration
    2. Detection script: [Greyed out]
    3. Remediation script file: Create and select the following remediation script to remediate the Windows Hello for Business configuration
    4. Remediation script: 
      1. $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" 
$registryValueName = "scforceoption" 
$registryValueData = "1" 
  
if((Test-Path $registryPath)) { 
    if(Get-ItemProperty -Path $registryPath -Name $registryValueName -ErrorAction Ignore) { 
        if((Get-ItemPropertyValue -Path $registryPath -Name $registryValueName -ErrorAction Ignore)-eq $registryValueData) { 
            Write-Host "Windows Hello for Business is required" 
            exit 0 
        } 
        else { 
            Write-Host "Windows Hello for Business is currently not required" 
            exit 1  
        } 
    } 
    else { 
        Write-Host "Windows Hello for Business is currently not required" 
        exit 1  
    } 
} 
else { 
    Write-Host "Windows Hello for Business is currently not required" 
    exit 1 
}
    5. Run this script using the logged-on credentials: Select No as value to make sure that the script runs in SYSTEM context
    6. Enforce script signature check: Select No as value to make sure that the signature of the script is not checked
    7. Run script in 64-bit PowerShell: Select Yes as value to make sure that the script runs in 64-bit, if possible
    8. $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" 
$registryValueName = "scforceoption" 
$registryValueData = "1" 
  
try { 
    if(!(Test-Path $registryPath)) { 
        New-Item -Path $registryPath -Force 
        New-ItemProperty -Path $registryPath -Name $registryValueName -Value $registryValueData -PropertyType DWORD -Force 
        Write-Host "Successfully configured Windows Hello for Business as required"  
    } 
    else { 
        New-ItemProperty -Path $registryPath -Name $registryValueName -Value $registryValueData -PropertyType DWORD -Force 
        Write-Host "Successfully configured Windows Hello for Business as required"  
    } 
} 
catch { 
    $errorMessage = $_.Exception.Message 
    Write-Error $errorMessage 
    exit 1  
}
  5. On the “Scope tags” page, configure the required scope tags click Next
  6. On the “Assignments page”, provide the following information and click Next
    1. Assign to: Select the assigned group and configure the schedule by clicking on the three dots
    2. Schedule: Select the recurrence frequency by choosing between “Once, Daily, or Hourly”
  7. On the “Review + create” page, verify the information and click Create
TruU’s Kerberos Behavior on MacOS TruU’s Interaction with External Cameras