Disable Other Credential Providers (Windows Passwordless MFA)

Created by Chris Canfield, Modified on Thu, 30 Oct at 8:43 AM by Chris Canfield

Assign Default Credential Provider

This article outlines how to limit the Windows desktop login options to only TraitWare Windows Passwordless MFA. Two steps are needed to turn off the password option and set the TraitWare Windows agent as the only available login method.

The first step is to obtain the unique identifiers (CLSIDs) associated with the regular Password login and with the TraitWare Windows agent. The second step is to create group policies to enable and exclude those login methods using the CLSIDs.

Note: TraitWare MFA Offline access is only available to Single Users.  Multiple Users (Alias users) cannot utilize TraitWare Offline access.




Get the CLSIDs (for Password and TraitWare Agent)


The first step is to obtain the unique CLSIDs for the standard Windows password login and for the TraitWare Windows Agent. There are two methods to do this: Registry Editor or PowerShell. Both return the same CLSIDs.


Method 1 - Registry Editor

Use either method below to open the Registry Editor

  • Press Windows Key + R combination. Type regedit in the Run dialog box and hit Enter.
  • Press the Start Button. Type run in the search bar. Type regedit in the Run dialog box. Press Enter.

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers

The list of Credential Providers will be provided.  Take note of the CLSID {CLSID} for the PasswordProvider and TraitWareCredentialProvider.  These values will be used in the Group Policy Editor section.

Keep the Registry Editor open and proceed to the next step.


Method 2 - PowerShell


Open a PowerShell prompt as an Administrator.


Paste the following command into the prompt and press enter:

(Get-Item "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" | Get-ChildItem | Where-Object {$_.GetValue("") -eq "PasswordProvider"}).PSChildName


Copy the result to Notepad.


Paste the following command into the prompt and press enter:

(Get-Item "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" | Get-ChildItem | Where-Object {$_.GetValue("") -eq "TraitWareCredentialProvider"}).PSChildName


Copy the result to Notepad.


Group Policy Editor


Editing the group policies turns off the password login and leaves TraitWare Passwordless MFA enabled as the only login method.


Use either method below to open the Local Group Policy Editor

  • Press Windows Key + R combination. Type gpedit.msc in the Run dialog box and hit Enter to open the Local Group Policy Editor.
  • Press the Start Button. Type run in the search bar. Type gpedit.msc in the Run dialog box. Press Enter.



Assign Default Credential Provider (TraitWare)


In the Local Group Policy Editor, go to Computer Configuration -> Administrative Templates -> System -> Logon

Locate the setting "Assign a default credential provider" and double-click it to edit.



Add the CLSID for the TraitWareCredentialProvider {CLSID} and select Enabled.  When finished click Apply and OK.



Disable Password Sign-In


Select Exclude Credential Providers.  Double click to open and edit.


Select Enabled and input the CLSID from PasswordProvider {CLSID} found in the Registry Editor step previously. Click Apply and OK.


Restart the computer. TraitWare is now the sole authentication method for the machine.

To revert the settings, remove the configurations.
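
The following check is an added example, not TraitWare's own tooling: it repeats the CLSID lookups above, confirms the TraitWare provider's DLL is present, and reports whether the two policies reference the right CLSIDs. The policy registry locations and the InprocServer32 lookup are assumptions based on the standard credential provider policy template and COM registration; confirm them on your Windows build.

```powershell
# Added example (assumptions labelled below). Run in an elevated PowerShell prompt.
$cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-ProviderClsid([string]$Name) {
    # Same lookup as the article's commands: match each subkey's (Default) value.
    (Get-ChildItem -LiteralPath $cpRoot |
        Where-Object { $_.GetValue('') -eq $Name }).PSChildName
}

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the policy has not been configured.
    (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$passwordClsid  = Get-ProviderClsid 'PasswordProvider'
$traitwareClsid = Get-ProviderClsid 'TraitWareCredentialProvider'
if (-not $passwordClsid)  { throw 'PasswordProvider CLSID not found.' }
if (-not $traitwareClsid) {
    throw 'TraitWareCredentialProvider is not registered; do not exclude the password provider.'
}

# Assumption: the provider is an in-process COM server registered under HKCR\CLSID.
$comKey = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$traitwareClsid\InprocServer32" `
    -ErrorAction SilentlyContinue
$dll = if ($comKey) { [string]$comKey.GetValue('') }
if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
    $dll = Join-Path "$env:SystemRoot\System32" $dll   # bare file names resolve from System32
}

# Assumption: registry values written by the two Logon policies.
$default  = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'DefaultCredentialProvider'
$excluded = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'ExcludedCredentialProviders'
$excludedList = @("$excluded" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

[pscustomobject]@{
    PasswordClsid       = $passwordClsid
    TraitWareClsid      = $traitwareClsid
    TraitWareDllPresent = [bool]($dll -and (Test-Path -LiteralPath $dll))
    DefaultIsTraitWare  = $default -eq $traitwareClsid
    PasswordExcluded    = $excludedList -contains $passwordClsid
    TraitWareExcluded   = $excludedList -contains $traitwareClsid   # must stay False
} | Format-List
```

Run it before enabling Exclude Credential Providers (TraitWareDllPresent should be True) and again after the restart, when DefaultIsTraitWare and PasswordExcluded should both be True.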


For any questions, email support@traitware.com.

