| Option | Type | Allowed Values | Default Value | Description |
|---|---|---|---|---|
| Domain | String | | | The domain of the TruU service, e.g. "truuth.com". |
| IdsDomainLookup | String | any valid URL | | URL used for the domain FQDN lookup call. Should contain the domain and be of the form "url.domain". IdsDomainLookup is used to construct the FQDN service address and directly to make the FQDN call. |
| OAuthClientId | String | | | Client ID used to obtain the OAuth token. That token is then submitted as authorization for asset enrollment. |
| OAuthClientIdNonce | String | | | Nonce used in the encryption of the client ID. |
| OAuthClientSecretNonce | String | | | Nonce used in the encryption of the client secret. |
| OAuthClientSecret | String | | | Client secret used, together with OAuthClientId, to obtain the OAuth token that is submitted as authorization for asset enrollment. |
| OAuthScope | String | | | Scope the OAuth token may be used for. |
| UseTruuForRdp | Boolean | 0 or 1 | 1 | Controls whether TruU for RDP is enabled. Can be changed from the TruU desktop app context menu. |
| UseTruuForUac | Boolean | 0 or 1 | 1 | Controls whether TruU for UAC is enabled. Can be changed from the TruU desktop app context menu. |
| TruuForRdpFeatureEnabled | Boolean | 0 or 1 | 1 | If set to 0, TruU for RDP is completely disabled. |
| TruuForUacFeatureEnabled | Boolean | 0 or 1 | 1 | If set to 0, TruU for UAC is completely disabled. |
| EnableGetStartedNotification | Boolean | 0 or 1 | 0 | Controls whether the Get Started notification is displayed for non-TruU logins when there are no enrollments. |
| TokenWebRequestTimeoutMs | Int32 | | 5000 | Timeout for the authentication token request operation. |
| TokenInitialRetryDelayMs | Int32 | | 3000 | Delay between authentication token retry operations. |
| FirstTokenRequestDelayMs | Int32 | | 300000 | Time period before the first authentication token request is made. |
| BackgroundTokenRequestDelayMs | Int32 | | 3600000 | When the system fails to get an authentication token (even with retries), it waits this long before the next GetToken call. |
| TokenBufferPercentage | Int32 | 0-100 | 60 | Percentage of the token's validity period at which the authentication token is refreshed. |
| EnrollmentTokenRetryAttempts | Int32 | | 3 | Number of retries when getting the token. |
| EnableSmartCardDriverLogs | Boolean | 0 or 1 | 0 | When set to 1, all smart card driver messages are logged (verbose level and above). When set to 0, only Warning and higher levels are logged. |
| SuppressThreadExceptions | Boolean | 0 or 1 | 1 | When set to 1, prevents the task exception escalation policy (which, by default, terminates the process) from triggering. |
| InitIntervalMs | Int32 | | 10000 | Delay after the service starts before HeartBeat and PolicyCheck start. |
| WaitingIntervalOnPreshoutdownMs | Int32 | | 15000 | Informs the system of the maximum expected service stopping time. |
| TimerIntervalLogMs | Int32 | | 605000 | Interval for regular system info logging. |
| PolicyCheckIntervalMs | Int32 | | 300000 | Interval for the regular policy check. |
| HeartbeatIntervalMs | Int32 | | 3600000 | Heartbeat interval when everything works as expected. |
| ShortHeartbeatIntervalMs | Int32 | | 600000 | Heartbeat retry interval when a heartbeat failed or the authentication token is missing. |
| SendLogsTimeoutMs | Int32 | | 300000 | Timeout for the report-to-IDS send operation. |
| TaskExecutionIdleTimeoutSec | Int32 | | 15 | Timeout for task execution when the login application calls the agent service. |
| AboutToExpirePercent | Int32 | 0-100 | 15 | Percentage of the certificate validity period at which a certificate is renewed before expiration. |
| CertificateStatusCheckTimeoutMs | Int32 | | 10000 | How often the certificate status is checked. |
| authAttempts | Int32 | | 8 | Number of PIN tries before the user must wait for the period set by timeExpiredFailedAttemptsSec. |
| timeExpiredFailedAttemptsSec | UInt32 | | 3600 | If a wrong PIN was entered authAttempts times, the user must wait this many seconds before trying again. |
| EventLogStopGapSec | Int32 | | 120 | When event logs are scanned for security events or system events such as Suspend or Resume, events older than this many seconds are excluded. |
| TruUAlwaysDefaultCredentialProvider | Boolean | 0 or 1 | 0 | 1 forces the TruU Credential Provider to show even when no users are enrolled in TruU on the computer. Enrollment requires connectivity to the domain, so keep this in mind when enabling this feature. |
| PinRecoveryEnrollmentFromLoginScreen | Boolean | 0 or 1 | 0 | When set to 1, the user sees a "Forgot PIN" link that lets them enroll from the lock screen. Note that PIN recovery actually performs a full re-enrollment after the user successfully completes an Identity Verification Workflow. As this is a new enrollment, the user must have connectivity to the domain (and must re-enroll biometrics if they had been set up previously). Set this flag to 0 to disable the feature. |
| FaceBioEnabled | Boolean | 0 or 1 | 1 | If set to 0, face biometrics are completely disabled. |
| FingerprintBioEnabled | Boolean | 0 or 1 | 1 | If set to 0, fingerprint biometrics are completely disabled. |
| HideAddUserSignin | Boolean | 0 or 1 | 0 | If set to 1, the Add User option on the login screen is hidden. |
| HideAddAccount | Boolean | 0 or 1 | 0 | If set to 1, the "Add account" menu item is hidden. |
| alwaysAllowedSignInCPs | MultiString | List of CP GUIDs | | Allowed credential providers for the login screen before any user is enrolled. If empty, all providers are allowed. |
| alwaysAllowedRDPCPs | MultiString | List of CP GUIDs | | Allowed credential providers for RDP before any user is enrolled. If empty, all providers are allowed. |
| alwaysAllowedUACCPs | MultiString | List of CP GUIDs | | Allowed credential providers for UAC before any user is enrolled. If empty, all providers are allowed. |
| enrolledAllowedSignInCPs | MultiString | List of CP GUIDs | | Allowed credential providers for the login screen once any user is enrolled. If empty, all providers are allowed. |
| enrolledAllowedRDPCPs | MultiString | List of CP GUIDs | | Allowed credential providers for RDP once any user is enrolled. If empty, all providers are allowed. |
| enrolledAllowedUACCPs | MultiString | List of CP GUIDs | | Allowed credential providers for UAC once any user is enrolled. If empty, all providers are allowed. |
| ssoWsPortRange | | | | Port range to be used for Nitro (SSO). |
| RequireFido2 | Boolean | 0 or 1 | 0 | Setting this flag to 1 forces FIDO2 security key enrollment during user registration, and the FIDO2 key is then used to log into Windows. Use this value only if your environment is prepared to use FIDO2. |
| Fido2EnrollmentCompletionTimeoutMs | Int32 | | 15000 | Wait period after FIDO2 enrollment finishes; required for the changes to take effect. |
| ShouldForbidExternalCameras | Boolean | 0 or 1 | 0 | If set to 1, external cameras are not allowed. |
| PrivacyUrl | String | any valid URL | https://truu.ai/privacy | URL of the policy describing how biometrics are used. |
| MaxFingerprintFailureAttempts | Int32 | | 4 | Number of failed fingerprint attempts before falling back to PIN. |
| NumberOfFailedFollowingFingerprintSessionsToBeReported | Int32 | | 2 | Number of consecutive failed fingerprint login sessions (one failed session means MaxFingerprintFailureAttempts failed attempts) after which an alert is displayed to the user once they successfully sign in. |
| NumberOfFailedFingerprintTrackedSessionsToBeReported | Int32 | | 5 | Number of failed sessions out of MaxFingerprintTrackedSessions that causes an alert to be displayed to the user. |
| MaxFingerprintTrackedSessions | Int32 | | 10 | Maximum number of tracked fingerprint sessions. Used together with NumberOfFailedFingerprintTrackedSessionsToBeReported to decide whether an alert should be displayed. |
| MaxFaceFailureAttempts | Int32 | | 30 | Number of failed face recognition attempts made by WinBio before the failure is reported to the user. |
| MaxCameraStartupFailures | Int32 | | 3 | The camera is started when a face is being enrolled; this is the maximum number of startup attempts before the failure is reported to the user. |
| SwitchFaceToPinTimeoutMs | Int32 | | 10000 | Timeout after which face recognition falls back to PIN if no face is recognized. |
| ShouldInsertSmartCard | Boolean | 0 or 1 | 0 | If set to 1, smart cards are used. |
| DisableMaintainFocus | Boolean | 0 or 1 | 0 | If set to 1, keystrokes are not captured for PIN entry into the login window when it does not have focus. If set to 0, keystrokes are captured even when the window does not have focus. |
| SentryHeartBeatIntervalSec | Int32 | | 86400 | Interval for sending heartbeat info to Sentry. |
| AuthDeviceProcessingTimeoutMs | Int32 | | 10000 | Timeout for the smart card operability check. |
| UseSecurityKeyForSignIn | Boolean | 0 or 1 | 0 | Internal Windows key. |
| EnableFIDODeviceLogon | Boolean | 0 or 1 | 0 | Internal Windows key. |
| AppsUseLightTheme | Int32 | 0 or 1 | 1 | 0 - dark theme, 1 - light theme. |
| ReloginWithTruU | Boolean | 0 or 1 | 0 | If set to 1 and the user signs in to a non-TruU account, a notification pops up saying "Lock/unlock with TruU to continue." |
| dontdisplaylastusername | Boolean | 0 or 1 | 0 | Controls whether the user session is disconnected (1) or only locked (0) after successful enrollment. |
| Fido2AuthenticationTimeoutMs | Int32 | | 60000 | Timeout for user verification during FIDO2 authentication. |
| BioRecognitionTimeoutMs | Int32 | | 120000 | Time period after which biometric recognition (face and fingerprint) gives up during verification. |
| RemovePreviousNetVersion | String | never, always, nextSession | never | The installer executables always install new content before removing the previous installation. Running applications might be interrupted or crash when older runtimes are removed. To minimize the impact of updating .NET, this key specifies when a previous .NET installation is removed. "never" retains previous installations and requires manual intervention to remove them. "always" removes previous installations after the new version is installed (this is the default behavior in .NET itself). "nextSession" defers the removal until the next logon session of a member of the Administrators group. |
| DisableUiccIsoReaders | Boolean | 0 or 1 | 1 | Disables SIM card readers (Microsoft UICC ISO Reader) if set to 1. |
| StartLoginAppLinkAppearanceTimeoutMs | Int32 | | 10000 | Timeout for the credential provider tile to appear. If it does not appear within the timeout, a link with the text "Sign-in not appearing? Click here." is shown. |
| brandingetag | String | | | Branding ETag. |
| NetworkDiagnosticTimeoutMs | Int32 | | 120000 | During enrollment, a network issue causes the enrollment process to restart. This interval specifies how long the network issue must last before the enrollment is restarted. |
| NetworkMonitorIntervalMs | Int32 | | 5000 | Interval for the network diagnostic check. |
| EssMonitoringIntervalMinutes | Int32 | | 5 | ESS state is checked regularly at this interval. |
| ssprUrl | String | | | Self-Service Password Reset URL displayed to the user on error screens such as "Account locked", "Password change required", "Password expired", etc. |
| enrollmentLearnMoreUrl | String | any valid URL | | If the key is present and contains a valid URL, a "Learn more" link to that URL is shown on the Getting Started page. |
| enrollmentLearnMoreParagraph | String | | | Text replacing the default text on the Getting Started page ("Enroll in passwordless authentication today…"). |
| enrollmentLearnMoreLabel | String | | | Replaces the default "Learn more" link text on the Getting Started page. Note: the link is only shown when enrollmentLearnMoreUrl is also set. |
| enableNewUi | Boolean | 0 or 1 | 0 | Switch flag for the new login UI. |
| enableNewAccountProfileUi | Boolean | 0 or 1 | 0 | Switch flag for the new Account Profile pages UI. |
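The table lists the constraints an administrator has to respect by hand (Booleans as DWORD 0 or 1, the two percentages in 0-100, RemovePreviousNetVersion limited to three strings, the six credential-provider allowlists as REG_MULTI_SZ lists of GUIDs whose empty state means "every provider allowed"). The script below is an added example, not TruU tooling: it parses a `reg export` of the agent's configuration key and audits it against those constraints. The table does not state the key's registry path, so the path in the constructed sample export is a placeholder, as is the GUID used as an allowlist entry; only a subset of the options is encoded in the schema.

```python
"""Audit a .reg export of the TruU agent configuration key against the option table.

Added example, not TruU's own tooling. The table does not give the key's registry path,
so the path in the constructed sample export is hypothetical; option names, types, ranges
and defaults are taken from the table. A real export (reg export <key> truu.reg) is
UTF-16 with a BOM: decode it, then pass the text to audit_text().
"""
import re

GUID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")

# Subset of the table. Booleans are DWORD 0 or 1, percentages are 0-100.
BOOLEANS = {
    "UseTruuForRdp", "UseTruuForUac", "TruuForRdpFeatureEnabled", "TruuForUacFeatureEnabled",
    "RequireFido2", "DisableMaintainFocus", "PinRecoveryEnrollmentFromLoginScreen",
    "TruUAlwaysDefaultCredentialProvider", "ShouldForbidExternalCameras", "ShouldInsertSmartCard",
}
PERCENTAGES = {"TokenBufferPercentage", "AboutToExpirePercent"}
NET_REMOVAL = {"never", "always", "nextSession"}  # RemovePreviousNetVersion
CP_ALLOWLISTS = {
    "alwaysAllowedSignInCPs", "alwaysAllowedRDPCPs", "alwaysAllowedUACCPs",
    "enrolledAllowedSignInCPs", "enrolledAllowedRDPCPs", "enrolledAllowedUACCPs",
}


def multi_sz_hex(strings):
    """Encode strings as the hex(7) payload reg.exe writes for REG_MULTI_SZ:
    UTF-16LE, a NUL after each string, and a second NUL terminating the list."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"
    return ",".join(f"{b:02x}" for b in data)


def parse_reg(text):
    """Parse the "name"=value lines of a .reg export into {name: (reg_type, value)}.
    Supports dword:, quoted strings and hex(7): multi-strings, joining the
    backslash-continued hex lines reg.exe emits for long values."""
    joined, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        joined.append(pending + line)
        pending = ""
    values = {}
    for line in joined:
        m = re.match(r'^"((?:[^"\\]|\\.)+)"=(.*)$', line)
        if not m:
            continue  # header, key path, comment or blank line
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith("dword:"):
            values[name] = ("dword", int(rhs[6:], 16))
        elif rhs.startswith("hex(7):"):
            blob = bytes.fromhex(rhs[7:].replace(",", ""))
            values[name] = ("multi", [p for p in blob.decode("utf-16-le").split("\x00") if p])
        elif len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
            values[name] = ("string", rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
        else:
            values[name] = ("unknown", rhs)
    return values


def audit(values):
    """Return sorted (severity, option, message) findings for a parsed export."""
    findings = []
    for name, (rtype, value) in values.items():
        if name in BOOLEANS and (rtype != "dword" or value not in (0, 1)):
            findings.append(("error", name, f"must be DWORD 0 or 1, got {rtype} {value!r}"))
        elif name in PERCENTAGES and (rtype != "dword" or not 0 <= value <= 100):
            findings.append(("error", name, f"must be 0-100, got {value!r}"))
        elif name == "RemovePreviousNetVersion" and value not in NET_REMOVAL:
            findings.append(("error", name, f"must be one of {sorted(NET_REMOVAL)}, got {value!r}"))
        elif name in CP_ALLOWLISTS:
            if rtype != "multi":
                findings.append(("error", name, f"must be REG_MULTI_SZ, got {rtype}"))
            elif not value:
                findings.append(("warn", name, "empty: every credential provider is allowed"))
            else:
                findings += [("error", name, f"{e!r} is not a CP GUID") for e in value if not GUID_RE.match(e)]
    # An allowlist that is absent behaves like an empty one: all providers allowed.
    for name in sorted(CP_ALLOWLISTS - set(values)):
        findings.append(("warn", name, "not set: every credential provider is allowed"))
    if values.get("DisableMaintainFocus", ("dword", 0)) == ("dword", 0):  # table default is 0
        findings.append(("info", "DisableMaintainFocus",
                         "0: PIN keystrokes are captured even when the login window lacks focus"))
    return sorted(findings)


def audit_text(text):
    return audit(parse_reg(text))


# Constructed sample export; the key path and the GUID are placeholders, not real values.
SAMPLE_CP = "{12345678-abcd-4ef0-9123-456789abcdef}"
_hex = multi_sz_hex([SAMPLE_CP])
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\TruU]\n"
    '"Domain"="truuth.com"\n'
    '"RequireFido2"=dword:00000001\n'
    '"TokenBufferPercentage"=dword:00000096\n'   # 150, outside 0-100
    '"RemovePreviousNetVersion"="sometimes"\n'   # not never/always/nextSession
    '"DisableMaintainFocus"=dword:00000000\n'
    f'"enrolledAllowedSignInCPs"=hex(7):{_hex[:24]}\\\n  {_hex[24:]}\n'  # wrapped like reg.exe
    '"enrolledAllowedRDPCPs"=hex(7):00,00\n'     # empty REG_MULTI_SZ
)

if __name__ == "__main__":
    for severity, option, message in audit_text(SAMPLE_REG):
        print(f"{severity:5} {option}: {message}")
```

Run against the sample, the audit reports the out-of-range percentage and the invalid RemovePreviousNetVersion string as errors, flags the empty RDP allowlist and the four allowlists that are not set at all (both states leave every credential provider selectable), and notes that DisableMaintainFocus is at its default of 0. Extending the schema to the remaining rows of the table is a matter of adding names to the sets above.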