SafeGuard Enterprise: How to hide Credential Providers from the Windows Logon User Interface using Windows Group Policy

  • Article ID: 114190
  • Updated: 23 Oct 2015

After installation of the SafeGuard Enterprise Client, several Credential Providers are available to log on from the Windows logon user interface. This article explains how to hide certain credential providers from the Windows logon user interface.

This way, you can ensure that only the SafeGuard Enterprise credential provider is available for logon.

Known to apply to the following Sophos product(s) and version(s)
SafeGuard File Encryption
SafeGuard Device Encryption
SafeGuard BitLocker Client

Operating systems
Windows 7
Windows 8.1
Windows 10

What To Do

To hide the default Microsoft Windows Credential Providers after installation of SafeGuard Enterprise, a Windows Group Policy setting has to be configured, using either the local group policy editor (gpedit.msc) or the group policy management console (gpmc.msc):

  1. Modify an existing group policy or create a new group policy and navigate to the "Exclude credential providers" setting: Computer Configuration | Policies | Administrative Templates | System | Logon | Exclude credential providers.

  2. Open the properties of the group policy setting and set the policy to "Enabled".

  3. Use the "Exclude the following credential providers" field to exclude specific Credential Providers. Enter the comma-separated CLSIDs for multiple Credential Providers to be excluded from use during the authentication process.

    For Windows 7:

    On a Windows 7 system with SafeGuard Enterprise Client installed, Windows Password Provider and Smartcard Credential Provider appear next to the SafeGuard Credential Provider during the login. Windows Password and Smartcard Credential Provider can be excluded from the login interface using the following string:

    {6f45dc1e-5384-457a-bc13-2cd81b0d28ed},{8bf9a910-a8ff-457f-999f-a5ca10b4a885}

    After applying the change in the group policy and rebooting the system, only the SafeGuard Enterprise Credential Provider will be shown during the authentication process.

    Depending on the current operating system configuration and existing authentication mechanisms (e.g. biometric devices), other Windows Credential Providers may still be visible. The following list of default Windows 7 Credential Provider CLSIDs can be used as a reference to hide other Credential Providers using the group policy as well:

    Credential Provider  CLSID
    GenericProvider  {25CBB996-92ED-457e-B28C-4774084BD562}
    NPProvider  {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}
    VaultCredProvider  {503739d0-4c5e-4cfd-b3ba-d881334f0df2}
    PasswordProvider  {6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
    Password Provider\LogonPasswordReset  {8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
    Smartcard Credential Provider  {8bf9a910-a8ff-457f-999f-a5ca10b4a885}
    Smartcard Pin Provider  {94596c7e-3744-41ce-893e-bbf09122f76a}
    WinBio Credential Provider  {AC3AC249-E820-4343-A65B-377AC634DC09}
    CertCredProvider  {e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}

     

    For Windows 8.1:

    On a Windows 8.1 system with SafeGuard Enterprise Client installed, Windows Password Provider and Smartcard Credential Provider appear next to the SafeGuard Credential Provider during the login. Windows Password and Smartcard Credential Provider can be excluded from the login interface using the following string:

    {60b78e88-ead8-445c-9cfd-0b87f74ea6cd},{8FD7E19C-3BF7-489B-A72C-846AB3678C96}

    After applying the change in the group policy and rebooting the system, only the SafeGuard Enterprise Credential Provider will be shown during the authentication process.

    Depending on the current operating system configuration and existing authentication mechanisms (e.g. biometric devices), other Windows Credential Providers may still be visible. The following list of default Windows 8.1 Credential Provider CLSIDs can be used as a reference to hide other Credential Providers using the group policy as well:

    Credential Provider CLSID
    Smartcard Reader Selection Provider {1b283861-754f-4022-ad47-a5eaaa618894}
    Smartcard WinRT Provider {1ee7337f-85ac-45e2-a23c-37c753209769}
    PicturePasswordLogonProvider {2135f72a-90b5-4ed3-a7f1-8bb705ac276a}
    GenericProvider {25CBB996-92ED-457e-B28C-4774084BD562}
    NPProvider {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}
    CngCredUICredentialProvider {600e7adb-da3e-41a4-9225-3c0399e88c0c}
    PasswordProvider {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
    PasswordProvider\LogonPasswordReset {8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
    Smartcard Credential Provider {8FD7E19C-3BF7-489B-A72C-846AB3678C96}
    Smartcard Pin Provider {94596c7e-3744-41ce-893e-bbf09122f76a}
    WinBio Credential Provider {BEC09223-B018-416D-A0AC-523971B639F5}
    PINLogonProvider {cb82ea12-9f71-446d-89e1-8d0924e1256e}
    CertCredProvider {e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}
    WLIDCredentialProvider {F8A0B131-5F68-486c-8040-7E8FC3C85BB6}


    For Windows 10:

    On a Windows 10 system with SafeGuard Enterprise Client installed, Windows Password Provider and Smartcard Credential Provider appear next to the SafeGuard Credential Provider during the login. Windows Password and Smartcard Credential Provider can be excluded from the login interface using the following string:

    {60b78e88-ead8-445c-9cfd-0b87f74ea6cd},{8FD7E19C-3BF7-489B-A72C-846AB3678C96}

    After applying the change in the group policy and rebooting the system, only the SafeGuard Enterprise Credential Provider will be shown during the authentication process.

    Depending on the current operating system configuration and existing authentication mechanisms (e.g. biometric devices), other Windows Credential Providers may still be visible. The following list of default Windows 10 Credential Provider CLSIDs can be used as a reference to hide other Credential Providers using the group policy as well:

    Credential Provider CLSID
    Smartcard Reader Selection Provider {1b283861-754f-4022-ad47-a5eaaa618894}
    Smartcard WinRT Provider {1ee7337f-85ac-45e2-a23c-37c753209769}
    PicturePasswordLogonProvider {2135f72a-90b5-4ed3-a7f1-8bb705ac276a}
    GenericProvider {25CBB996-92ED-457e-B28C-4774084BD562}
    NPProvider {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}
    CngCredUICredentialProvider {600e7adb-da3e-41a4-9225-3c0399e88c0c}
    PasswordProvider {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
    PasswordProvider\LogonPasswordReset {8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
    FaceCredentialProvider {8AF662BF-65A0-4D0A-A540-A338A999D36F}
    Smartcard Credential Provider {8FD7E19C-3BF7-489B-A72C-846AB3678C96}
    Smartcard Pin Provider {94596c7e-3744-41ce-893e-bbf09122f76a}
    WinBio Credential Provider {BEC09223-B018-416D-A0AC-523971B639F5}
    IrisCredentialProvider {C885AA15-1764-4293-B82A-0586ADD46B35}
    PINLogonProvider {cb82ea12-9f71-446d-89e1-8d0924e1256e}
    NGC Credential Provider {D6886603-9D2F-4EB2-B667-1971041FA96B}
    CertCredProvider {e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}
    WLIDCredentialProvider {F8A0B131-5F68-486c-8040-7E8FC3C85BB6}

     

  4. To check for additionally installed 3rd party credential providers, open the registry and browse to the following location: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers].

    Check for any 3rd party Credential Provider you want to hide and copy the provider's CLSID. Configure the CLSID in the above-mentioned group policy to hide the 3rd party Credential Provider from the Windows login interface.

Note:

  • Hiding credential providers via group policy also applies to UAC and RunAs authentication dialog boxes.
  • Hiding the 'Password Provider', 'GenericProvider' and/or 'NPProvider' may cause authentication to fail against websites or applications that require Basic / Digest / Windows Authentication (HTTP 401 challenge).
  • Make sure you unhide the hidden credential providers again if you plan to remove SafeGuard Enterprise Client from your system. If you leave them hidden, following removal of SafeGuard Enterprise, the Windows Logon User Interface does not provide you with a Credential Provider to authenticate, and the Windows Credential Providers remain hidden.
  • To allow the authentication to a website in Internet Explorer 10, at least one additional Credential Provider besides the SafeGuard Credential Provider must be enabled.
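
The registry check from step 4 and the warning above about being left without a usable Credential Provider can be combined into one read-only audit. The PowerShell below is an added example, not part of the original Sophos article; it assumes the policy is stored as the ExcludedCredentialProviders string value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, a location the article itself does not state.

```powershell
# Added example (read-only): list which registered credential providers the
# "Exclude credential providers" policy hides and which remain available.
$providersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
# Assumption (not stated in the article): the policy is written to this value.
$policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policyValue = 'ExcludedCredentialProviders'

function ConvertTo-ClsidKey([string]$Text) {
    # Strip braces and whitespace and lower-case, so mixed-case CLSIDs compare equal.
    ($Text -replace '[{}\s]', '').ToLowerInvariant()
}

# Each subkey name is a provider CLSID; its default value is the provider name.
$registered = @(Get-ChildItem -Path $providersKey | ForEach-Object {
    New-Object PSObject -Property @{
        Name  = $_.GetValue('')
        Clsid = $_.PSChildName
        Key   = ConvertTo-ClsidKey $_.PSChildName
    }
})

# Read the comma-separated exclusion list; empty when the policy is not configured.
[string]$raw = (Get-ItemProperty -Path $policyKey -Name $policyValue -ErrorAction SilentlyContinue).$policyValue
$excluded = @($raw -split ',' | ForEach-Object { ConvertTo-ClsidKey $_ } | Where-Object { $_ })

$guid      = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
$knownKeys = @($registered | ForEach-Object { $_.Key })
$hidden    = @($registered | Where-Object { $excluded -contains $_.Key })
$visible   = @($registered | Where-Object { $excluded -notcontains $_.Key })

'Hidden by policy:'
$hidden  | Sort-Object Name | Format-Table Name, Clsid -AutoSize
'Still offered (logon, UAC and RunAs dialogs):'
$visible | Sort-Object Name | Format-Table Name, Clsid -AutoSize

foreach ($entry in $excluded) {
    if ($entry -notmatch $guid) {
        Write-Warning "Policy entry '$entry' is not a well-formed CLSID."
    } elseif ($knownKeys -notcontains $entry) {
        Write-Warning "Excluded CLSID {$entry} matches no registered provider on this machine."
    }
}
if ($visible.Count -eq 0) {
    Write-Warning 'Every registered provider is excluded; no provider would be left to authenticate with.'
}
```

Because it only reads the registry, it can be run before the reboot to confirm what the logon screen will offer, and again before uninstalling SafeGuard Enterprise to see which providers still need to be unhidden.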

 
If you need more information or guidance, then please contact technical support.
