SafeGuard Enterprise: How to hide credential providers from the Windows Logon User Interface using Windows Group Policy

  • Article ID 114190
  • Updated: 26 Nov 2013

After installation of SafeGuard Enterprise, several credential providers are available to log on from the Windows logon user interface. This article explains how to hide certain credential providers from the Windows logon user interface.
This way, you can ensure that only the SafeGuard Enterprise credential provider is available for logon.

Known to apply to the following Sophos product(s) and version(s)

SafeGuard Device Encryption 5.60.0

Operating systems
Windows 7

What To Do

To hide the Microsoft Windows 7 default credential providers after installation of SafeGuard Enterprise, a Windows Group Policy setting has to be configured, using either the local group policy editor (gpedit.msc) or the group policy management console (gpmc.msc).

  1. Modify an existing group policy or create a new one and navigate to the "Exclude credential providers" setting: 
    Computer Configuration | Policies | Administrative Templates | System | Logon | Exclude credential providers.
  2. Open the properties of the group policy setting and set the policy to "Enabled".
  3. Use the "Exclude the following credential providers" field to exclude specific credential providers. To exclude multiple credential providers from use during the authentication process, enter their CLSIDs separated by commas.

    If you just want to hide a certain credential provider, the following is a list of the default Windows 7 credential provider CLSIDs:

    Credential Provider                    CLSID
    GenericProvider                        {25CBB996-92ED-457e-B28C-4774084BD562}
    NPProvider                             {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}
    VaultCredProvider                      {503739d0-4c5e-4cfd-b3ba-d881334f0df2}
    PasswordProvider                       {6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
    Password Provider\LogonPasswordReset   {8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
    Smartcard Credential Provider          {8bf9a910-a8ff-457f-999f-a5ca10b4a885}
    Smartcard Pin Provider                 {94596c7e-3744-41ce-893e-bbf09122f76a}
    WinBio Credential Provider             {AC3AC249-E820-4343-A65B-377AC634DC09}
    CertCredProvider                       {e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}

    On a system with SafeGuard Enterprise installed, all other credential providers may be hidden using the following string:
    {503739d0-4c5e-4cfd-b3ba-d881334f0df2},{6f45dc1e-5384-457a-bc13-2cd81b0d28ed},{8841d728-1a76-4682-bb6f-a9ea53b4b3ba},{8bf9a910-a8ff-457f-999f-a5ca10b4a885},{94596c7e-3744-41ce-893e-bbf09122f76a},{AC3AC249-E820-4343-A65B-377AC634DC09},{e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}

    After applying the setting, only the SafeGuard Enterprise credential providers are shown during the authentication process.

  4. To check for additionally installed 3rd party credential providers, open the registry on the Windows 7 machine and browse to the following location: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers]. Check for any 3rd party credential provider you want to hide and write down the provider's CLSID. Configure the CLSID in the group policy setting described above to hide the 3rd party credential provider.

Note:

  • Hiding credential providers via group policy also applies to UAC and RunAs authentication dialog boxes.
  • Hiding the GenericProvider {25CBB996-92ED-457e-B28C-4774084BD562} and the NPProvider {3dd6bec0-8193-4ffe-ae25-e08e39ea4063} may result in a state where authentication against websites or applications that require "Basic Authentication (HTTP 401 Challenge)" or "Digest Authentication (HTTP 401 Challenge)" fails.
  • Make sure you unhide the hidden credential providers again if you plan to remove SafeGuard Enterprise from your system. If you leave them hidden, following removal of SafeGuard Enterprise, the Windows Logon User Interface does not provide you with a credential provider to authenticate, and the Windows credential providers remain hidden.
  • To allow the authentication to a website in IE 10, at least one additional CredentialProvider besides the SafeGuard CP must be enabled.
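
The registry check from step 4 and the caveats in the notes above can be combined into a read-only audit, run in PowerShell on the Windows 7 machine before the policy is applied. This is an added example, not Sophos code; the variable names are the example's own, and the exclusion string is the one given in this article.

```powershell
# Added example (not Sophos code). Read-only: nothing is written to the registry or policy.
$cpKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

# Planned value for "Exclude the following credential providers" (string from the article).
$excludeString = '{503739d0-4c5e-4cfd-b3ba-d881334f0df2},{6f45dc1e-5384-457a-bc13-2cd81b0d28ed},' +
    '{8841d728-1a76-4682-bb6f-a9ea53b4b3ba},{8bf9a910-a8ff-457f-999f-a5ca10b4a885},' +
    '{94596c7e-3744-41ce-893e-bbf09122f76a},{AC3AC249-E820-4343-A65B-377AC634DC09},' +
    '{e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}'

# Providers the article's note ties to Basic/Digest (HTTP 401) authentication.
$httpAuthProviders = @{
    '{25CBB996-92ED-457e-B28C-4774084BD562}' = 'GenericProvider'
    '{3dd6bec0-8193-4ffe-ae25-e08e39ea4063}' = 'NPProvider'
}

# Split the comma-separated list and reject anything that is not a braced GUID.
$clsidPattern = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
$excluded = @()
foreach ($item in $excludeString.Split(',')) {
    $clsid = $item.Trim()
    if ($clsid -match $clsidPattern) { $excluded += $clsid } else {
        Write-Warning "Malformed CLSID in exclusion string: '$clsid'"
    }
}

# Each subkey name is a provider CLSID; the key's default value is its display name.
$report = @(Get-ChildItem -Path $cpKey | ForEach-Object {
    New-Object PSObject -Property @{
        CLSID    = $_.PSChildName
        Name     = $_.GetValue('')
        Excluded = ($excluded -contains $_.PSChildName)   # string comparison ignores case
    }
})
$report | Sort-Object Excluded, Name | Format-Table Excluded, Name, CLSID -AutoSize

# Excluding every registered provider leaves nothing to authenticate with.
$remaining = @($report | Where-Object { -not $_.Excluded })
if ($remaining.Count -eq 0) {
    Write-Warning 'Every registered credential provider is excluded; logon would have no provider.'
}

# Flag exclusions the article warns about, and CLSIDs not registered on this machine.
$registered = @($report | ForEach-Object { $_.CLSID })
foreach ($clsid in $excluded) {
    if ($httpAuthProviders.ContainsKey($clsid)) {
        Write-Warning "$($httpAuthProviders[$clsid]) is excluded; Basic/Digest (HTTP 401) authentication may fail."
    }
    if ($registered -notcontains $clsid) {
        Write-Warning "$clsid is in the exclusion string but not registered on this machine."
    }
}
```

Rows with Excluded = False are the providers that stay available, so any 3rd party provider that should be hidden shows up there with the CLSID to add to the policy.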

 
If you need more information or guidance, please contact technical support.
