Block available credential providers via Group Policy

When you enforce Digipass authentication with the Require Digipass authentication option, certain system credential providers that are considered weak are actively blocked and cannot be used for authentication.

If the Enable Digipass authentication and Enable Push Notification options are not available, the Require Digipass authentication option will be deactivated.

For more information about this option, refer to the Digipass Authentication for Windows Logon User Guide.

You can use Windows Group Policy to block additional credential providers to ensure that only Digipass Authentication for Windows Logon is available for authentication.

Before you begin

Inspect the subkeys of the following registry key to verify the available credential providers:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers]

Block available credential providers via Group Policy

To block credential providers with Group Policy

  1. On the domain controller, start Group Policy Management by entering gpmc.msc in a command prompt.
  2. To create a new Group Policy Object:
    1. Select the domain or organizational unit for which you want to set a Group Policy in the Group Policy management tree.
    2. Select Create a GPO in this domain, and Link it here... from the context menu.

      Configuring DAWL via Group Policy (1) - Group Policy Management

    3. Enter a name for the new Group Policy Object.
  3. Select the relevant Group Policy Object in the tree.

    Ensure the Group Policy Object is associated with the domain, site, or organizational unit whose users will be affected by the policy.

  4. Select Edit... from the context menu.

    The Group Policy Object Editor is displayed.

    Configuring DAWL via Group Policy (2) - Group Policy Object Editor

  5. Navigate to Computer Configuration > Policies > Administrative Templates > System > Logon in the Group Policy Object tree and select Exclude credential providers to edit the settings:
    1. Select Enabled to enable the policy setting.
    2. Enter the CLSIDs for any additional credential provider you want to exclude in the Exclude the following credential providers field. To specify more than one credential provider, use a comma-separated list.
    3. Click OK.
  6. Close Group Policy Object Editor when you have finished configuring the Group Policy Object.
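
The following PowerShell script is an added example, not part of the product or its documentation. It lists the credential providers registered under the key from Before you begin and builds the comma-separated CLSID list for the Exclude the following credential providers field. The CLSID in $keep is a placeholder you must replace, and the ExcludedCredentialProviders value it reads back is where Windows stores this policy setting, which this guide does not state.

```powershell
# Added example. Save as a .ps1 file and run it on a client workstation.
$root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

# ASSUMPTION: placeholder CLSID. Replace it with the CLSID of the provider that
# must remain available (find it in the table printed below).
$keep = @('{00000000-0000-0000-0000-000000000000}')

# Each subkey name is a provider CLSID; the key's default value is its display name.
$providers = @(Get-ChildItem -Path $root | ForEach-Object {
    [pscustomobject]@{
        Clsid = $_.PSChildName
        Name  = $_.GetValue('')
    }
})
$providers | Sort-Object Name | Format-Table -AutoSize

# Refuse to build a list if a provider to keep is not registered here: excluding
# everything else would then leave no usable provider on this machine.
$missing = @($keep | Where-Object { $providers.Clsid -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "Not registered on this machine: $($missing -join ', '). No exclusion list built."
}

# Comma-separated value for the "Exclude the following credential providers" field.
$exclude = @($providers | Where-Object { $keep -notcontains $_.Clsid })
$policyValue = ($exclude.Clsid | Sort-Object) -join ','
"Candidate exclusion list ($($exclude.Count) providers):"
$policyValue

# Once the GPO has been applied, the setting is visible on the client in this value.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$applied = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).ExcludedCredentialProviders
if ($applied) {
    $appliedList = @($applied -split ',' | ForEach-Object { $_.Trim() })
    "Currently excluded by policy: $($appliedList -join ', ')"
    # Warn if the policy also excludes a provider that must stay available.
    $appliedList | Where-Object { $keep -contains $_ } |
        ForEach-Object { Write-Warning "Policy excludes a provider marked to keep: $_" }
} else {
    'No ExcludedCredentialProviders policy value is set on this machine.'
}
```

Review the candidate list before pasting it into the policy. The read-back at the end also shows whether the exclusion is still in effect on a workstation before you uninstall.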

Additional considerations

You need to disable this Group Policy setting before uninstalling Digipass Authentication for Windows Logon. Otherwise, the specified credential providers remain excluded, which might leave your users unable to authenticate and log on to the client workstations.