SafeGuard Enterprise: How to hide credential providers from the Windows Logon User Interface using Windows Group Policy

  • Article ID: 114190
  • Updated: 21 Apr 2015

After installation of SafeGuard Enterprise, several credential providers are available for logging on from the Windows logon user interface. This article explains how to hide certain credential providers from the Windows logon user interface.
This way, you can ensure that only the SafeGuard Enterprise credential provider is available for logon.

Known to apply to the following Sophos product(s) and version(s)
SafeGuard File Encryption
SafeGuard Device Encryption
SafeGuard BitLocker Client

Operating systems
Windows 7

What To Do

To hide the Microsoft Windows 7 default credential providers after installation of SafeGuard Enterprise, a Windows Group Policy setting has to be configured, using either the local group policy editor (gpedit.msc) or the group policy management console (gpmc.msc).

  1. Modify an existing group policy or create a new one and navigate to the "Exclude credential providers" setting: 
    Computer Configuration | Policies | Administrative Templates | System | Logon | Exclude credential providers.
  2. Open the properties of the group policy setting and set the policy to "Enabled".
  3. Use the "Exclude the following credential providers" field to exclude specific credential providers. To exclude multiple credential providers from use during the authentication process, enter their CLSIDs separated by commas.

    If you just want to hide a certain credential provider, the following is a list of the default Windows 7 credential provider CLSIDs:

    Credential Provider  CLSID
    GenericProvider  {25CBB996-92ED-457e-B28C-4774084BD562}
    NPProvider  {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}
    VaultCredProvider  {503739d0-4c5e-4cfd-b3ba-d881334f0df2}
    PasswordProvider  {6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
    Password Provider\LogonPasswordReset   
    Smartcard Credential Provider  {8bf9a910-a8ff-457f-999f-a5ca10b4a885}
    Smartcard Pin Provider  {94596c7e-3744-41ce-893e-bbf09122f76a}
    WinBio Credential Provider  {AC3AC249-E820-4343-A65B-377AC634DC09}
    CertCredProvider  {e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}


    On a system with SafeGuard Enterprise installed, all other credential providers may be hidden using the following string:

    After applying the setting, only the SafeGuard Enterprise credential providers are shown during the authentication process.

  4. To check for additionally installed 3rd party credential providers, open the registry on the Windows 7 machine and browse to the following location: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers]. Check for any 3rd party credential provider you want to hide and write down the provider's CLSID. Configure the CLSID in the above-mentioned group policy to hide the 3rd party credential provider.
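
A read-only PowerShell inventory for step 4, added here as an example and not part of the original Sophos article: it lists the credential providers registered under the key above, marks those on this article's Windows 7 default list, and shows which are already excluded by policy. It assumes the policy is stored as the ExcludedCredentialProviders value under Policies\System; the variable names are illustrative.

```powershell
# Added example: read-only inventory of credential providers (changes nothing).
$cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Windows 7 default provider CLSIDs, copied from the list in this article.
$windowsDefaults = @(
    '{25CBB996-92ED-457e-B28C-4774084BD562}'  # GenericProvider
    '{3dd6bec0-8193-4ffe-ae25-e08e39ea4063}'  # NPProvider
    '{503739d0-4c5e-4cfd-b3ba-d881334f0df2}'  # VaultCredProvider
    '{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}'  # PasswordProvider
    '{8bf9a910-a8ff-457f-999f-a5ca10b4a885}'  # Smartcard Credential Provider
    '{94596c7e-3744-41ce-893e-bbf09122f76a}'  # Smartcard Pin Provider
    '{AC3AC249-E820-4343-A65B-377AC634DC09}'  # WinBio Credential Provider
    '{e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}'  # CertCredProvider
)

# CLSIDs currently excluded by the policy (empty if the policy is not set).
$pol = Get-ItemProperty -Path $polKey -Name ExcludedCredentialProviders -ErrorAction SilentlyContinue
$excluded = @()
if ($pol) {
    $excluded = @($pol.ExcludedCredentialProviders -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# One row per registered provider; the key name is the CLSID and the key's
# default value is the provider's display name.
$report = @(Get-ChildItem -Path $cpRoot | ForEach-Object {
    $origin = 'Other (SafeGuard or 3rd party)'
    if ($windowsDefaults -contains $_.PSChildName) { $origin = 'Windows default' }
    New-Object PSObject -Property @{
        Name     = $_.GetValue('')
        CLSID    = $_.PSChildName
        Origin   = $origin
        Excluded = ($excluded -contains $_.PSChildName)
    }
})
$report | Sort-Object Origin, Name | Format-Table Name, CLSID, Origin, Excluded -AutoSize

# Guard against the lockout case: nothing left to authenticate with.
if (@($report | Where-Object { -not $_.Excluded }).Count -eq 0) {
    Write-Warning 'Every registered credential provider is excluded by policy.'
}

# Registered CLSIDs that are not on the article's default list, for review.
($report | Where-Object { $_.Origin -ne 'Windows default' } |
    ForEach-Object { $_.CLSID }) -join ','
```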


  • Hiding credential providers via group policy also applies to UAC and RunAs authentication dialog boxes.
  • Hiding the GenericProvider {25CBB996-92ED-457e-B28C-4774084BD562} and the NPProvider {3dd6bec0-8193-4ffe-ae25-e08e39ea4063} may result in a state where authentication against websites or applications that require "Basic Authentication (HTTP 401 Challenge)" or "Digest Authentication (HTTP 401 Challenge)" may fail.
  • Make sure you unhide the hidden credential providers again if you plan to remove SafeGuard Enterprise from your system. If you leave them hidden, then after removal of SafeGuard Enterprise the Windows Logon User Interface does not provide you with a credential provider to authenticate, and the Windows credential providers remain hidden.
  • To allow authentication to a website in IE 10, at least one additional CredentialProvider besides the SafeGuard CP must be enabled.

If you need more information or guidance, then please contact technical support.
