
# How to Disable Password Login on Windows

> This is a step-by-step guide to configuring the operating system to exclude the password credential provider, which prevents users from logging in with a username and password. Instead, users authenticate through TruU, using biometrics or a TruU PIN.

# Option 1: Excluding the Password Credential Provider

### Pros:

* **Streamlined User Experience**: Users benefit from a more seamless sign-in experience when using modern authentication methods like TruU.
* **Passwordless**: Eliminates the risk of password-based attacks such as phishing and brute force entirely.

### Cons:

* **Limited use cases**: Users cannot use this method for Remote Desktop Protocol (RDP), "Run as another user" scenarios, or administrative logins.

### End User Experience

* Observing the behavior associated with the excluded password credential provider is straightforward: start a configured Windows 10 or Windows 11 device and click "Sign-in options". The credential providers displayed are those that remain after the excluded credential providers' configuration is applied.

## Disable using Microsoft Intune

Configure the exclusion of the password credential provider by using the Settings catalog:

1. Open the Microsoft Endpoint Manager admin center portal, navigate to the "Devices" tab, then "Windows", and click "Configuration profiles".

2. On the "Windows | Configuration profiles" blade, click **Create profile**.

3. Then, provide the following information and click **Create**

   1. **Platform**: Select “Windows 10 and later” to create a profile for Windows 10 devices
   2. **Profile**: Select "Settings catalog" to select the required setting from the catalog

4. On the "Basics" page, provide the following information and click **Next**

   1. **Name**: Provide a name for the profile to distinguish it from other similar profiles
   2. **Description**: (Optional) Provide a description for the profile to further differentiate profiles
   3. **Platform**: (Greyed out) Windows 10 and later

5. On the Configuration settings page, as shown below, perform the following actions

   1. Click **Add Settings** and then,

      1. Select *Administrative Templates* as a category
      2. Select **System**, then *Logon* as a subcategory
      3. Select *Exclude credential providers* as a setting

   2. Switch the slider for "Exclude credential providers" to **Enabled**, enter the CLSID of the password credential provider (60b78e88-ead8-445c-9cfd-0b87f74ea6cd) under **Exclude the following credential providers**, and click **Next**

      <img src="https://mintcdn.com/truu-2/rjjBxA7Z_Wk_-34G/images/docs/f1a22cf31f0d7e95d4ad250f795e3a759072ffb54eadfdfef14982541b6f5291-image.png?fit=max&auto=format&n=rjjBxA7Z_Wk_-34G&q=85&s=0718c5bc854166d180bdf6cb03cf675b" alt="" width="938" height="478" data-path="images/docs/f1a22cf31f0d7e95d4ad250f795e3a759072ffb54eadfdfef14982541b6f5291-image.png" />

**NOTE**: When multiple credential providers should be excluded, add the different CLSIDs separated with a comma.

6. On the “Scope tags” page, configure the required scope tags and click **Next**
7. On the “Assignments” page, configure the assignment and click **Next**
8. On the “Review + create” page, verify the configuration and click **Create**

## Disable using Group Policy

1. Navigate to the “Computer Configuration” tab, then “Administrative Templates”, “System”, and select “Logon”.

2. Find the policy named “Exclude credential providers” on the right side.

3. Right-click on **Exclude credential providers**, click **Edit**, and then:

   1. Click **Enabled**.
   2. Enter the CLSID 60b78e88-ead8-445c-9cfd-0b87f74ea6cd to exclude the password credential provider.

**Registry Modification Method**:

1. Open the Registry Editor (regedit).
2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers`.
3. Find the key with the CLSID 60b78e88-ead8-445c-9cfd-0b87f74ea6cd (password credential provider).
4. Rename or delete the key to disable it.
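Whichever of the three methods above is used, it is worth verifying on an enrolled device that the password provider really is excluded and that the TruU provider is not excluded by accident (the exclusion list is comma-separated, so a typo can silently drop the wrong provider). The following PowerShell script is an added example, not part of the TruU documentation. It assumes that the "Exclude credential providers" policy writes the REG_SZ value `ExcludedCredentialProviders` under the `Policies\System` key (the value the Logon.admx template maps to; confirm against your ADMX if in doubt), and it uses a placeholder for the TruU provider CLSID, which is not given on this page. It exits 0 when the password provider is excluded and 1 otherwise, so it can also be used as an Intune detection script.

```powershell
# Added example (not TruU documentation code): report registered credential providers,
# show which ones the policy excludes, and return an Intune-style exit code.

$PasswordProviderClsid = '60b78e88-ead8-445c-9cfd-0b87f74ea6cd'   # CLSID from the TruU guide above
$TruUProviderClsid     = '<TRUU-PROVIDER-CLSID-PLACEHOLDER>'     # placeholder: replace with the CLSID TruU installs

# Assumption: the "Exclude credential providers" GPO / Settings catalog item writes this value.
$policyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policyValue  = 'ExcludedCredentialProviders'
# Registration key for installed providers (same key as the registry method above).
$providersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-ExcludedProviderClsids {
    # The policy stores a comma-separated list of CLSIDs, with or without braces.
    $raw = (Get-ItemProperty -Path $policyKey -Name $policyValue -ErrorAction SilentlyContinue).$policyValue
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    return $raw -split ',' |
        ForEach-Object { $_.Trim().Trim('{', '}').ToLowerInvariant() } |
        Where-Object { $_ }
}

function Get-RegisteredProviders {
    # Each subkey name is a provider CLSID; the key's default value is its display name.
    Get-ChildItem -Path $providersKey -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Clsid = $_.PSChildName.Trim('{', '}').ToLowerInvariant()
            Name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    }
}

$excluded   = @(Get-ExcludedProviderClsids)
$registered = @(Get-RegisteredProviders)

foreach ($p in $registered) {
    $state = if ($excluded -contains $p.Clsid) { 'EXCLUDED' } else { 'available' }
    Write-Host ('{0,-10} {1}  {2}' -f $state, $p.Clsid, $p.Name)
}

if ($excluded -contains $TruUProviderClsid.ToLowerInvariant()) {
    Write-Warning 'The TruU provider is in the exclusion list; users would lose their passwordless sign-in option.'
}

if ($excluded -contains $PasswordProviderClsid) {
    Write-Host 'Password credential provider is excluded'
    exit 0
}
else {
    Write-Host 'Password credential provider is NOT excluded'
    exit 1
}
```

Run it in an elevated PowerShell session on a device that has received the policy; the printed list is the same set of providers the "Sign-in options" link on the lock screen will offer, minus the ones marked EXCLUDED.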

# Option 2: Enforcing Smart Card logon to the OS using TruU

### Pros:

* **Selective Password Usage**: Passwords are only required for local administrative accounts, while all other logins to the OS are passwordless.
* **Enhanced Security**: Eliminates the risks associated with weak or compromised passwords.

### Cons:

* **Implementation limitations**: Azure/Intune environments require custom scripting as there is currently no Group Policy Object (GPO) support available.

### End User Experience

## Enforce using Group Policy

1. Navigate to the “Computer Configuration” tab, then select “Administrative Templates”, then “Windows Components”, and then select “Windows Hello for Business”.
2. Find the policy named “Use Windows Hello for Business certificates as smart card” and set it to **Enabled**. This ensures that the smart card service is active.

**NOTE**: Ensure that user accounts are set up for smart card authentication. Each user who needs to log in with a smart card should have a corresponding smart card certificate issued.
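A quick way to confirm the condition in the note above before enforcing smart card logon is to check, in the user's session, that a certificate Windows will accept for smart card logon is actually present. The following PowerShell script is an added example, not part of the TruU documentation. It assumes the TruU-issued Windows Hello for Business certificate is enrolled into the user's personal store (`Cert:\CurrentUser\My`) and carries the Smart Card Logon EKU; adjust the store path if your deployment places the certificate elsewhere.

```powershell
# Added example (not TruU documentation code): list certificates usable for smart card
# logon in the current user's personal store, so an administrator can confirm the user
# will still be able to sign in once scforceoption is enforced.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU OID
$SanExtensionOid   = '2.5.29.17'                # Subject Alternative Name

function Get-SmartCardLogonCertificates {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # assumption: WHfB cert lives here

    Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku)
    } | ForEach-Object {
        # The UPN in the SAN is what the domain controller maps to the user account.
        $san = $_.Extensions | Where-Object { $_.Oid.Value -eq $SanExtensionOid }
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            San        = if ($san) { $san.Format($false) } else { '<no SAN>' }
        }
    }
}

$certs = @(Get-SmartCardLogonCertificates)
if ($certs.Count -eq 0) {
    Write-Warning "No valid Smart Card Logon certificate found for $env:USERNAME; this user cannot sign in once smart card logon is required."
    exit 1
}
$certs | Format-Table -AutoSize
exit 0
```

Run it as the user (not elevated, so it reads that user's store). A certificate that passes the EKU filter but shows `<no SAN>` or a SAN without the expected UPN is the usual reason a smart card logon attempt still fails after the policy is applied.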

## Enforce using Microsoft Intune

1. Open the Microsoft Endpoint Manager admin center portal, navigate to the “Reports” tab, then go to “Endpoint analytics”, and select “Proactive remediations”.

2. On the “Proactive remediations” dropdown, click **Create script package** to open the “Create custom script wizard.”

3. On the “Basics” page, provide the following information and click **Next**
   1. Name: Provide a valid name for the custom script package to distinguish it from other similar script packages

4. On the “Settings” page, provide the following information and click **Next**

   1. Detection script file: Create and select the following detection script to detect the status of the Windows Hello for Business configuration

      ```
      # Detection script: reports whether the "Interactive logon: Require Windows Hello for
      # Business or smart card" value (scforceoption) is already set. Proactive remediations
      # treat exit code 0 as compliant and exit code 1 as "run the remediation script".
      $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
      $registryValueName = "scforceoption"
      $registryValueData = "1"

      if (Test-Path $registryPath) {
          if (Get-ItemProperty -Path $registryPath -Name $registryValueName -ErrorAction Ignore) {
              if ((Get-ItemPropertyValue -Path $registryPath -Name $registryValueName -ErrorAction Ignore) -eq $registryValueData) {
                  Write-Host "Windows Hello for Business is required"
                  exit 0
              }
              else {
                  # Value exists but is not 1
                  Write-Host "Windows Hello for Business is currently not required"
                  exit 1
              }
          }
          else {
              # Key exists but the value has never been set
              Write-Host "Windows Hello for Business is currently not required"
              exit 1
          }
      }
      else {
          # Policy key does not exist at all
          Write-Host "Windows Hello for Business is currently not required"
          exit 1
      }
      ```

   2. Detection script: [Greyed out]
   3. Remediation script file: Create and select the following remediation script to remediate the Windows Hello for Business configuration

      ```
      # Remediation script: creates the policy key if needed and sets scforceoption to 1.
      # It runs in SYSTEM context (see the settings below), so it can write under HKLM.
      $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
      $registryValueName = "scforceoption"
      $registryValueData = "1"

      try {
          if (!(Test-Path $registryPath)) {
              New-Item -Path $registryPath -Force | Out-Null
          }
          # -Force overwrites an existing value, so the same call covers both cases
          New-ItemProperty -Path $registryPath -Name $registryValueName -Value $registryValueData -PropertyType DWORD -Force | Out-Null
          Write-Host "Successfully configured Windows Hello for Business as required"
          exit 0
      }
      catch {
          $errorMessage = $_.Exception.Message
          Write-Error $errorMessage
          exit 1
      }
      ```

   4. Remediation script:
   5. Run this script using the logged-on credentials: Select **No** as the value to make sure that the script runs in SYSTEM context
   6. Enforce script signature check: Select **No** as the value so that the signature of the script is not checked
   7. Run script in 64-bit PowerShell: Select **Yes** as the value to make sure that the script runs in 64-bit PowerShell, if possible

5. On the “Scope tags” page, configure the required scope tags and click **Next**

6. On the “Assignments” page, provide the following information and click **Next**

   1. Assign to: Select the assigned group and configure the schedule by clicking on the **three dots**
   2. Schedule: Select the recurrence frequency by choosing between Once, Daily, or Hourly

7. On the “Review + create” page, verify the information and click **Create**

