Logon policy options

Reset Windows Password:
logon policy editor


Use these settings to change the way users log on to Windows: for example, display the last logged-on user name, assign a default domain for logon, turn passwordless sign-in on or off, and so on.

Selecting data source

Edit logon policy options

First, choose the SAM and SYSTEM registry files found by the program, or specify their paths manually if Reset Windows Password failed to find them.

Changing logon policy options

Logon policy editor

Once the files are selected, you can alter any available logon option. Click the << APPLY CHANGES >> button to apply and save the changes. The options affect all local users of the target system.

Be careful: altering any value of the password policy affects the security of the entire Windows system!

Settings of the Domain group:

Name | Description
Allow users to select when a password is required when resuming from connected standby | This setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. If you enable this setting, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. If you disable this setting, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off.
Default domain for logon | Specifies a default logon domain, which might be a different domain than the domain to which the computer is joined.
Do not enumerate connected users on domain-joined computers | If you enable this setting, the Logon UI will not enumerate any connected users on domain-joined computers.
Enumerate local users on domain-joined computers | If you enable this setting, the Logon UI will enumerate all local users on domain-joined computers.
Turn off picture password sign-in for domain users | This setting allows you to control whether a domain user can sign in using a picture password.
Turn on convenience PIN sign-in for domain users | If you enable this setting, a domain user can set up and sign in with a convenience PIN. Note: the user's domain password will be cached in the system vault when using this feature.
Report when logon server was not available during user logon | This setting controls whether the logged-on user should be notified if the logon server could not be contacted during logon and the user has been logged on using previously stored account information.

Settings of the Local group:

Name | Description
Use classic (old-style) logon | Always use the classic logon interface scheme.
Do not show account details on sign-in | If set, prevents the user from showing account details (email address or user name) on the sign-in screen.
Display information about previous logons during user logon | If you enable this setting, a message appears after the user logs on that displays the date and time of the last successful logon by that user, the date and time of the last unsuccessful logon attempted with that user name, and the number of unsuccessful logons since the last successful logon by that user.
Dynamic Lock | If you enable this setting, Windows will enable dynamic lock for all users on managed devices and users will not be allowed to disable the dynamic lock on their accounts.
Turn on security key sign-in | If you enable this setting, users can sign in with external security keys.
Enable usage of FIDO devices to sign on | This setting allows users to use a FIDO device, such as a phone or NFC card, to sign on to a desktop computer running Windows 10.
Use phone sign-in | If you enable this setting, phone sign-in will be enabled, allowing the use of a phone as a companion device for desktop authentication.
Enable passwordless sign-in for Microsoft accounts | If you enable this setting, Windows will allow passwordless sign-in (for Microsoft accounts only): both password and picture password authentication methods will be turned off.
Do not display the password reveal button | If you enable this setting, the password reveal button will not be displayed after a user types a password in the password entry text box.
Prevent the use of security questions for local accounts | If you turn this setting on, local users won't be able to set up and use security questions to reset their passwords.
Allow companion device for secondary authentication | If you enable or do not configure this setting, users can authenticate to Windows Hello using a companion device, such as a phone, fitness band, or IoT device.
Software Secure Attention Sequence | This setting controls whether or not software can simulate the Secure Attention Sequence (SAS).
The mode of automatically signing in and locking last interactive user after a restart or cold boot | This setting controls the configuration under which an automatic restart, sign-on and lock occurs after a restart or cold boot.
Sign-in and lock last interactive user automatically after a restart | This setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a shutdown and cold boot. This only occurs if the last interactive user didn't sign out before the restart or shutdown.

Settings of the Misc group:

Name | Description
Always use custom logon background | If you enable this policy setting, the logon screen always attempts to load a custom background instead of the Windows-branded logon background.
Show clear logon background | This setting disables the acrylic blur effect on the logon background image.
Do not display the Getting Started welcome screen at logon | If you enable this setting, the welcome screen is hidden from the user logging on to the system.
Turn off app notifications on the lock screen | This setting allows you to prevent app notifications from appearing on the lock screen.
Show first sign-in animation | This setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time.
Turn off Windows Startup sound | Turns off Windows sounds during authentication.
Do not process the legacy run list | This setting ignores the customized run list (programs and services that the system starts).
Do not process the run once list | If you enable this setting, the system ignores the list of additional programs and documents that are started automatically the next time the system starts. The customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\runOnce.
Hide entry points for Fast User Switching | This setting allows you to hide the Switch User interface in the Logon UI, the Start menu, and the Task Manager.
Block all consumer Microsoft account user authentication | If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication.
Default credential provider | Assigns a specified credential provider as the default credential provider.
Exclude credential providers | This setting allows the administrator to exclude the specified credential providers from use during authentication.

Settings of the Network group:

Name | Description
Always wait for the network at computer startup and logon | Determines whether computers wait for the network to be fully initialized during startup and user logon. By default, computers do not wait for the network to be fully initialized at startup and logon.
Do not display network selection UI | If you enable this setting, the PC's network connectivity state cannot be changed without signing into Windows.

Settings of the Biometrics group:

Name | Description
Allow domain users to log on using biometrics | If you enable or do not configure this setting, Windows allows domain users to log on to a domain-joined computer using biometrics.
Allow users to log on using biometrics | If you enable or do not configure this setting, all users can log on to a local Windows-based computer and can elevate permissions with UAC using biometrics.
Allow the use of biometrics | If you enable or do not configure this setting, the Windows Biometric Service is available, and users can run applications that use biometrics on Windows.
Configure enhanced anti-spoofing | If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing.
Specify a timeout for fast user switching events | This setting specifies the number of seconds a pending fast user switch event will remain active before the switch is initiated. By default, a fast user switch event is active for 10 seconds before becoming inactive.

Settings of the PIN group:

Name | Description
PIN expiration | This setting specifies the period of time in days (between 1 and 730) that a PIN can be used before the system requires the user to change it.
PIN history | This setting specifies the number of past PINs associated with a user account that can't be reused. The value must be between 0 and 50 PINs.
Maximum PIN length | Configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127.
Minimum PIN length | Configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4.
Require digits | If you enable or do not configure this setting, Windows requires users to include at least one digit in their PIN.
Require lowercase letters | If you enable this setting, Windows requires users to include at least one lowercase letter in their PIN.
Require special characters | If you enable this policy setting, Windows requires users to include at least one special character in their PIN.
Require uppercase letters | If you enable this policy setting, Windows requires users to include at least one uppercase letter in their PIN.

Settings of the Windows Hello group:

Name | Description
Allow enumeration of emulated smart card for all users | Windows prevents users on the same computer from enumerating provisioned Windows Hello for Business credentials for other users. If you enable this setting, Windows allows all users of the computer to enumerate all Windows Hello for Business credentials, but still requires each user to provide their own factors for authentication.
Device unlock factors A | First unlock factor credential providers.
Device unlock factors B | Second unlock factor credential providers.
Device unlock rules | Signal rules for device unlock.
Dynamic lock factors | If you enable this setting, these signal rules will be evaluated to detect user absence and automatically lock the device.
Dynamic lock rules | Signal rules for the dynamic lock.
Turn off smart card emulation | If you enable this setting, Windows Hello for Business provisions Windows Hello for Business credentials that are not compatible with smart card applications.
Use a hardware security device | If you enable this setting, Windows Hello for Business provisioning only occurs on devices with usable 1.2 or 2.0 TPMs. You can optionally exclude security devices, which prevents Windows Hello for Business provisioning from using those devices.
Do not use the tpm1.2 security devices | Exclude TPM 1.2 security devices.
Use biometrics | If you enable or do not configure this setting, Windows Hello for Business allows the use of biometric gestures.
Use certificate for on-premises authentication | If you enable this setting, Windows Hello for Business enrolls a sign-in certificate that is used for on-premises authentication.
Use PIN Recovery | If you enable this setting, Windows Hello for Business uses the PIN recovery service.
Use Windows Hello for Business certificates as smart card certificates | If you enable this setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key.
Use Windows Hello for Business | If you enable this setting, the device provisions Windows Hello for Business using keys or certificates for all users.
Do not start Windows Hello provisioning after sign-in | If you enable this setting, Windows Hello for Business does not automatically start provisioning after the user has signed in.

Settings of the TPM group:

Name | Description
The level of TPM owner authorization information available to the operating system | This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions that require TPM owner authorization without requiring the user to enter the TPM owner password. You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none. If you enable this policy setting, Windows will store the TPM owner authorization in the registry of the local computer according to the operating system managed TPM authentication setting you chose.
Configure the system to clear the TPM if it is not in a ready state | This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system's TPM is in a state other than Ready, including if the TPM is "Ready, with reduced functionality". The prompt to clear the TPM will start occurring after the next reboot, upon user login, only if the logged-in user is part of the Administrators group for the system. The prompt can be dismissed but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state.
Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0 | This policy setting configures the TPM to set the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the system has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact, and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from group policy and b) clear the TPM on the system.
Ignore the default list of blocked TPM commands | If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list.
Ignore the local list of blocked TPM commands | If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list.
Standard User Individual Lockout Threshold | This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the TPM that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the rate at which standard users can send commands requiring authorization to the TPM. If this value is not configured, a default value of 4 is used.
Standard User Lockout Duration | This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for TPM commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. If this value is not configured, a default value of 480 minutes (8 hours) is used.
Standard User Total Lockout Threshold | This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the TPM that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the rate at which standard users can send commands requiring authorization to the TPM. If this value is not configured, a default value of 9 is used.
Turn on TPM backup to Active Directory Domain Services (1 of 2) | If you enable these 2 settings, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password.
Turn on TPM backup to Active Directory Domain Services (2 of 2) | If you enable these 2 settings, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password.

Note that some options may be shown as inactive, depending on the version of the selected operating system.
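Because the editor above writes these options offline, an administrator will usually want to verify afterwards what the running system actually enforces. The following PowerShell script is an added example and is not part of Reset Windows Password or this page: it audits a live machine, read-only, for a selection of the Domain, Local, Misc, Network, PIN and TPM options listed in the tables above by reading the registry values that Group Policy writes for them. The registry paths and value names, and the "hardened" expected values, are this script's own assumptions drawn from the public ADMX policy definitions; the page itself does not name them, so check them against your own baseline before relying on the result.

```powershell
# Added example (not part of the Reset Windows Password page): read-only audit of
# several logon policy options described above on a live Windows system.
# ASSUMPTION: the registry locations and value names below come from the public
# ADMX policy definitions, not from the page; expected values are a sample baseline.
# Run from an elevated PowerShell session; nothing is modified.

$PolicySystem = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$CredUI       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI'
$WinSystem    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$PinPolicy    = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
$TpmPolicy    = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

# Each check: the option name as shown in the logon policy editor, the value that
# backs it, and the value a hardened baseline expects. Compare defaults to 'Equals'.
$Checks = @(
    @{ Option = 'Do not enumerate connected users on domain-joined computers'
       Path = $PolicySystem; Name = 'DontEnumerateConnectedUsers'; Expected = 1 }
    @{ Option = 'Enumerate local users on domain-joined computers'
       Path = $PolicySystem; Name = 'EnumerateLocalUsers'; Expected = 0 }
    @{ Option = 'Turn off picture password sign-in for domain users'
       Path = $PolicySystem; Name = 'BlockDomainPicturePassword'; Expected = 1 }
    @{ Option = 'Turn on convenience PIN sign-in for domain users'
       Path = $PolicySystem; Name = 'AllowDomainPINLogon'; Expected = 0 }
    @{ Option = 'Display information about previous logons during user logon'
       Path = $PolicySystem; Name = 'DisplayLastLogonInfo'; Expected = 1 }
    @{ Option = 'Do not display the password reveal button'
       Path = $CredUI; Name = 'DisablePasswordReveal'; Expected = 1 }
    @{ Option = 'Prevent the use of security questions for local accounts'
       Path = $WinSystem; Name = 'NoLocalPasswordResetQuestions'; Expected = 1 }
    @{ Option = 'Software Secure Attention Sequence'
       Path = $PolicySystem; Name = 'SoftwareSASGeneration'; Expected = 0 }
    @{ Option = 'Sign-in and lock last interactive user automatically after a restart'
       Path = $PolicySystem; Name = 'DisableAutomaticRestartSignOn'; Expected = 1 }
    @{ Option = 'Hide entry points for Fast User Switching'
       Path = $PolicySystem; Name = 'HideFastUserSwitching'; Expected = 1 }
    @{ Option = 'Do not display network selection UI'
       Path = $WinSystem; Name = 'DontDisplayNetworkSelectionUI'; Expected = 1 }
    @{ Option = 'Minimum PIN length'
       Path = $PinPolicy; Name = 'MinimumPINLength'; Expected = 6; Compare = 'AtLeast' }
    @{ Option = 'Standard User Individual Lockout Threshold'
       Path = $TpmPolicy; Name = 'StandardUserAuthorizationFailureIndividualThreshold'
       Expected = 4; Compare = 'AtMost' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is "not configured".
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-LogonPolicy {
    param([hashtable]$Check)
    $actual  = Get-PolicyValue -Path $Check.Path -Name $Check.Name
    $compare = if ($Check.ContainsKey('Compare')) { $Check.Compare } else { 'Equals' }
    $ok = switch ($compare) {
        'AtLeast' { ($null -ne $actual) -and ($actual -ge $Check.Expected) }
        'AtMost'  { ($null -ne $actual) -and ($actual -le $Check.Expected) }
        default   { ($null -ne $actual) -and ($actual -eq $Check.Expected) }
    }
    [pscustomobject]@{
        Option   = $Check.Option
        Value    = $Check.Name
        Actual   = if ($null -eq $actual) { 'not configured' } else { $actual }
        Expected = $Check.Expected
        Status   = if ($ok) { 'OK' } else { 'REVIEW' }
    }
}

$Results = $Checks | ForEach-Object { Test-LogonPolicy -Check $_ }
$Results | Format-Table -AutoSize

$needsReview = @($Results | Where-Object { $_.Status -eq 'REVIEW' }).Count
Write-Host "$needsReview of $($Checks.Count) audited logon policy options differ from the assumed baseline."
```

A missing value is reported as "not configured" rather than as a pass, because for most of these options "not configured" means Windows falls back to its default behaviour (for example, the password reveal button is shown and local users can enumerate on domain-joined machines), which is exactly what a hardening review should flag. Extend the $Checks table with further rows from the groups above as your own baseline requires.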