Contents x
    Policy Settings & Client Registry Values
    • 20 Jun 2024
    • 14 Minutes to read
    • Contributors
    • Print
    • Dark
      Light
    Contents

    Policy Settings & Client Registry Values

    • Updated on 20 Jun 2024
    • 14 Minutes to read
    • Contributors
    • Print
    • Dark
      Light
    Article summary

    The clients are controlled by the registry keys in our location: HKLM\Software\Foray
     
    These values are passed down through the MFA GlobalDefault or OU specific policy. In the event that you need to test a one-off functionality without affecting your whole group of computers, you can create the necessary key and its value. You can also use this map to verify what a certain key is.
     
    It's important to note that if your currently applied policy does not have the key you are testing, it will not be modified by a client-server synchronization. If it is set in the current policy, it will be changed back to its original value the moment it synchronizes
     
    ex. If "SharedWorkstation" is manually set to False and you perform a synchronization with the server, the value will revert back to True.
     
    The keys below are organized by their corresponding MFA policy tab.

    MFA Policies

    For more information on client policies, please see our Creating An MFA Policy article.

    Reg Value(s) Column Notes

    Bold text represents the actual registry value, the un-bolded is the value seen in the actual policy window.
    regValue: MFA policy value

    DWORD values given in the table are hex and are completely customizable. The values given are suggestions and can be set differently depending on your organization's requirements.

    Reg values with an asterisk (*) in front of them are the default value for that setting. Some settings that require typed input from admin in the MFA policy do not have a default value.

    Logon

    Policy Setting NameReg Key NameTypeReg Value(s)Description
    Logon ExperienceDisabledProvidersStringPlease see the table below for list of tiles and their valuesControls what MFA authentication tiles appear on the lock and Shared Workstation screens
    Disable Username and Password TileDisableUNPTileStringUnlock: Only at Unlock Screen
    LogonUnlock: At Logon and Unlock Screens
    Logon: Only at Logon
    *None: Never disabled    		Controls when the Windows UN/PW tile appears on the Windows lock screen
    Emergency AccessEAOptionsStringLogon: Login to device
    Password: Update password
    Unblock: Unblock & reset PIN (re-verify)    		Controls the options end users have for EA; All options enabled by default
    RapidIdentity Windows LoginDisableSecurityModelString*True: Enabled
    False: Disabled    		Controls whether the auth tiles set by the Logon Experience appear on the Windows lock screen or not
    PingMe requires user passwordPingMeNoPasswordString*True: Enabled
    False: Disabled    		User must type in their Windows password to initiate a ping to their phone
    PingMe user allowed to re-enroll mobile appString*True: Enabled
    False: Disabled
    Force dropdown to default to this domainForceDefaultDomainStringUser inputAutomatically sets client domain
    Allow users to update their password through the clientAllowPasswordUpdateString*True: Enabled
    False: Disabled    		cell
    Allow the enrollment tile to create new users in serverEnrollTileNewUserString*True: Enabled
    False: Disabled    		MFA user accounts do not have to be pre-made for enrollment and are automatically added when users type their credentials at the Enrollment Tile
    Allow the enrollment tile logonEnrollTileLogonString*True: Enabled
    False: Disabled    		Controls
    Risk Based AuthenticationRBAStringTrue: Enabled
    *False: Disabled    		Enables RBA
    RBA Token Expiration (in days)RBATimeoutDWORDUser input
    Must be a whole number    		Sets number of days the RBA grace period is good for
    RBA VPN OverrideRBAVPNOverrideStringTrue: Enabled
    *False: Disabled    		Defines whether or not RBA will be disabled to allow a VPN connection; Once a VPN connection is established, RBA will prompt for advanced authentication
    RBA Show Password Only FirstRBAPasswordOnlyFirstStringTrue: Enabled
    *False: Disabled    		Requires initial logon using un/pw exclusively; if enabled, RBA triggers and requires the user to use advanced authentication to continue the logon process
    RBA Show NotificationRBAShowNotificationStringTrue: Enabled
    *False: Disabled    		Notifies the user logging in if RBA is needed
    RBA PIN Expiration TimeoutRBAPINExpirationValueDWORD0: 0
    1: 1
    7: 7
    14: e
    30: 1e    		Enter the value to match the RBA PIN expiration type
    RBA PIN Expiration TypeRBAPINExpirationTypeDWORD*0: Days
    1: Hours
    2: Minutes
    3: Seconds    		Controls the type of expiration you want your RBA grace period to expire after

    Disabled Providers / Logon Experience

    The following are based on Windows 10 values and might vary slightly on different installations. The Key values are what are set in DisabledProviders' string, separated by semicolons(;).

    Authentication Method TileKey
    Username and Password{60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}
    Contactless Card{CBD71E03-35DE-4478-8E51-128BB10BC241}
    Magstripe{CB8395BC-AF05-480A-8C16-2A9A8172CE33}
    Emergency Access{CBB84461-28A0-4691-8BEF-A14F09C188AE}
    Smartcard{8FD7E19C-3BF7-489B-A72C-846AB3678C96}
    Fingerprint{CB7395BC-AF05-480A-8C16-2A9A8172CE33}
    Win Bio{BEC09223-B018-416D-A0AC-523971B639F5}
    OTP{CB9395BC-AF05-480A-8C16-2A9A8172CE33}
    PingMe{CBA395BC-AF05-480A-8C16-2A9A8172CE33}
    Enrollment{CBB395BC-AF05-480A-8C16-2A9A8172CE33}
    Bluetooth{D082E611-DD6D-4A36-9B77-EC933B3E2633}
    FIDO{4C131C10-372C-4EE7-A882-E2FD16DE36B2};

    Shared Workstation

    Policy Setting NameReg Key NameTypeValue(s)Description
    Shared WorkstationSharedWorkstationStringTrue: Enabled
    *False: Disabled    		Shared Workstation is a secondary lock/splash screen for MFA clients after logging in on a shared Windows account
    Back AlphaSWBackAlphaDWORD0: 0
    *64: 100    		Defines the percentage of opaqueness of the shared workstation login screen from 0 (completely transparent) to 100 (completely opaque)
    Back ColorSWBackColorDWORDUse hex value for colorsDefines the color of the shared workstation login/lock screen in hexadecimal where FFFFFF is white and 000000 is black
    Back ImageSWBackImageStringFile path of imageSets background image of the Shared Workstation lock screen
    The file & location must be in the same, accessible location for all SW clients
    Inactivity Timer (in minutes)SWInactivityTimerDWORD1: 1
    5: 5
    A: 10    		Defines amount of time before the client goes back to SW lock screen after timeout
    Inactivity Timer ActionSWInactivityLogoffStringTrue: Logoff
    *False: Lock Workstation    		Locks or logs off of the client after the "Inactivity Timer" expires
    Time Of Fade/Prompt Screen Before Lock (seconds)SWInactivityPromptDWORD1e: 30 sec
    3c: 60 sec
    5a: 90 sec    		Defines the amount of time in seconds before the SW prompt/login tiles overtakes the screen
    Lock On O/S LockSWLockOnOSLockStringTrue: Enabled
    *False: Disabled    		Locks SW if the Windows desktop is locked
    Idle Animation Timer (in minutes)SWIdleAnimTimerDWORD1: 1
    5: 5
    A: 10    		Defines the amount of time before the SW logon tiles move randomly around the screen
    Idle Animation TypeSWIdleAnimTypeDWORD*0: Float
    1: Hide    		Defines whether to hide or float tiles once the device times out
    Always On TopSWAlwaysOnTopString*True: On
    False: Off    		Causes SW lock screen to stay "on top", covering any other open applications
    Delay On Launch (seconds)SWDelayOnLaunchDWORD1e: 30 sec
    3c: 60 sec
    78: 120 sec    		Defines the delay in seconds before the SW lock screen comes up after the initial Windows login
    BypassSWBypassStringTrue: Enabled
    *False: Disabled    		When enabled, allows non-enrolled users the opportunity to access the desktop by adding a "Guest Logon" button beneath the standard SW login tiles
    Generic LoginSWGenLoginStringTrue: Enabled
    *False: Disabled    		When disabled, removes the Username and Password tile from the SW login options
    EA LoginSWEALoginStringTrue: Enabled
    *False: Disabled    		When disabled, removes the Emergency Access tile from the SW login options
    Launch On LogonSWLaunchOnLogonMulti-StringValue must be path to applicationAutomatically launches defined applications when a user logs on
    Wait On SyncSWWaitOnSyncStringTrue: Enabled
    *False: Disabled    		Requires the user profile to sync before allowing login
    Enforce 2-Step AuthenticationSWEnforceUserMatchStringTrue: Enabled
    *False: Disabled    		Allows only the same user that logged on to the standard desktop at initial Windows logon to logon to a SW
    PIN Policy RuleSWPINPolicyRuleDWORD*0: Use User's Policy
    1: Never Require PIN
    2: Always Require PIN
    3: On Logon Only (Not Unlock)    		Allows administrators to override user's PIN policy to Always or Never Require PIN (affects all auth methods)
    PIN Complexity RuleSWPinComplexityRuleDWORD1: No more than 3 repeated chars
    2: No more than 3 consecutive chars
    4: Alpha And Numeric Characters
    8: Special characters
    10: Numeric characters
    20: Windows PW as Pin
    40: Grace period
    		Override all PIN policy settings when using this computer(s)
    Card Behavior OverrideSWCardBehaviorOverrideDWORD*7fffffff: Use Default Policy
    0: Do Nothing
    1: Lock SW (Card Removal)
    2: Logoff SW (Card Removal)
    3: Lock SW (Card Tap)
    4: Logoff SW (Card Tap)    		Determines or overrides locally set smart or contactless card behavior
    Default MethodSWDefaultMethodDWORD7fffffff: Last Used Method
    0: Display All Available
    5: UN/PW
    3: Emergency Access
    *6: Contactless Card
    4: Smartcard
    9: Magstripe
    8: Fingerprint
    a: OTP
    b: PingMe
    c: Enrollment
    e: Bluetooth
    f: FIDO
    		Tells the client which auth method to display first; applies to both Windows lock screen and the SW lock screen; the other methods are still available
    Default DomainSWDefaultDomainStringUser inputSets the default domain in the dropdown when using Username and Password
    Number of logons to remember in dropdownSWLogonHistorySizeDWORD3: 3 last logged on users
    5: 5 last logged on users    		Logon dropdown menu will save the last X users to its list
    Login All Windows On LogonSWLoginAllWindowsOnLogonStringTrue: Enabled
    *False: Disabled    		Attempts to log the current user onto all active applications for which Secured Apps templates exist
    Close All Windows On LogoffSWCloseAllWindowsOnLogoffStringTrue: Enabled
    *False: Disabled    		Closes all windows when a user logs off; applications that prompt a user for feedback at logoff (ie. asking to save work) will not be shut down if no response is provided
    Kill All Windows On LogoffSWKillAllWindowsOnLogoffStringTrue: Enabled
    *False: Disabled    		Closes all windows and apps at logoff, regardless of any popups or feedback requests from those applications
    Skip App Windows On LogoffSWSkipAppWindowsOnLogoffMulti-stringFile path of applicationUsed in conjunction with Kill All Windows on Logoff, applications can be omitted from the "Kill All Windows" operation
    Citrix InstantConnectSWCitrixInstantConnectStringTrue: Enabled
    *False: Disabled    		Launches Citrix Online Plugin at login if present and submits the logged on users credentials
    Citrix QLaunch ParametersSWCitrixQLaunchParamsStringValue will be the parameters for Citrix??Allows administrators to define Citrix Applications to be launched at login
    VMware InstantConnectSWVMwareInstantConnectStringTrue: Enabled
    *False: Disabled    		Launches VMWare View and submits the logged on user’s credentials
    RDP InstantConnectSWRdpInstantConnectStringTrue: Enabled
    *False: Disabled    		Launches Microsoft Terminal Services Client and submits the logged on user’s credentials
    RDP ServerSWRdpServerStringValue will be the IP or URL of the computer your client(s) are connecting toUsed in conjunction with the RDP InstantConnect feature, this defines the server to be logged onto
    RDP: Use Multiple MonitorsSWRDPUseMultiMonStringTrue: Enabled
    *False: Disabled    		This determines whether or not RDP sessions will inhabit all available monitors in a multi-monitor configuration
    InstantConnect Lock On ExitSWInstantConnectLockOnExitStringTrue: Enabled
    *False: Disabled    		Automatically locks shared workstation when any InstantConnect application is closed

    Secured Applications

    Policy Setting NameReg Key NameTypeValue(s)Description
    Secured App Access Interval (seconds)SAAccessIntervalDWORD*a: 10
    1e: 30
    3c: 60
    Continually monitor foreground windowSAAlwaysCheckString*True: Enabled
    False: Disabled
    Process background windowsSAMonitorString*True: Enabled
    False: Disabled
    Timeout between re-scanning background windows (in ms)SAMonitorTimeoutDWORD*3e8: 1000
    7d0: 2000
    bb8: 3000
    Timeout between re-scanning each app (in ms)SAMonitorAppTimeoutDWORD*1388: 5000
    2710: 10000
    How long to block input during entering of credentials (in ms)SABlockInputTimeDWORD1388: 5000
    2710: 10000
    *3A98: 15000
    How long to wait for characters to be entered (in seconds)SACharInputTimeDWORD*3: 3
    5: 5
    a: 10
    How long to delay manually processing individual parts of credentials (in ms)SARawInputTimeDWORD*a: 10
    1e: 30
    3c: 60
    Remote Applications PortRemoteAppsPortDWORD*2802: 10242
    Remote Applications Request Timeout (in ms)RemoteAppsRequestTimeoutDWORD*ea60: 60000
    *Remote Application UI Timeout (in ms)RemoteAppsRequestUITimeoutDWORD*ea60: 60000

    Server/Sync

    Policy Setting NameReg Key NameTypeValue(s)Description
    Service URLServiceURLStringUser inputAllows the input of multiple MFA servers for failover instances; also used to point clients to a new/different MFA server (ie. server migrations)
    Service Timeout (in ms)ServiceTimeoutDWORD*20000Defines the amount of time the client will continue to attempt to sync with the server
    Service Low Bandwidth Timeout (in minutes)ServiceLowBandwidthTimeoutDWORD*a: 10
    1e: 30
    3c: 60    		Defines the amount of time in minutes before which RapidIdentity server checks for Low-Bandwidth service
    Force Refresh of Policy (in hours)PolicyTimeoutDWORD*2: 2
    c: 12
    18: 24    		Defines length of time clients automatically perform a server sync to pull the latest policy settings
    Failover Check Interval (in minutes)FailoverCheckIntervalDWORD*2Defines the amount of time in minutes before RapidIdentity server checks for failover
    Check for Service Long Response SeparatelyServiceLongResponseStringTrue: Enabled
    *False: Disabled    		Defines whether or not the MFA Server will check for a long server response and act accordingly
    Enrollment StationEnrollmentStationStringTrue: Enabled
    *False: Disabled    		When enabled, prevents user data from being added to the local cache after enrollment
    Always Online ModeAlwaysOnlineStringTrue: Enabled
    *False: Disabled    		When enabled, this setting deletes the local user profile cache, requiring the system to have access to the server upon next logon; typically used for setting up Enrollment Stations
    VPN UsernameVPNUsernameStringUser input: usernameNetMotion VPN Credentials
    VPN DomainVPNDomainStringUser input: domain nameNetMotion VPN Credentials
    VPN PasswordVPNPasswordStringThe password set for the "VPN Username"NetMotion VPN Credentials
    VPN Timeout (in seconds)VPNTimeoutDWORD*3c: 60
    5a: 90
    78: 120

    Hardware

    Policy Setting NameReg Key NameTypeValue(s)Description
    Enable MagstripeEnableMagstripeStringTrue: Enabled
    *False: Disabled
    Magstripe IDMagstripeIDMulti-stringVID & PID of deviceAllows administrators to enter the specific VID and PID hardware identifiers for Magstripe readers; multiple entries should be placed on different lines
    Magstripe DeviceMagDeviceMulti-stringhidredir: Magtek Wedge
    magtek: Magtek HID
    isdc_rs: Panasonic Integrated
    toughbook: Panasonic Toughbook

    User input: Custom    		To enable your device(s), check your respective option; for generic keyboard output devices, select Magtek
    Magstripe Timeout (ms)MagstripeTODWORD4e20: 20
    9c40: 40
    ea60: 60    		Defines the duration of time that RapidIdentity Client will wait before submitting transmitted magstripe data; many readers submit data with a carriage return at the end, but for those that do not, enable a small timeout, 1000ms, to ensure the data is submitted
    Bio DeviceBioDeviceStringaes: AES\Fujitsu
    bcom: Broadcom
    lumi: Lumidigm External
    dpuau: Digital Persona U or External U
    upek:
    wbf: Compatible WBF Devices
    ftr: Futronics
    biokey: Bio-Key Software    		Dropdown list of the supported types of Fingerprint sensors
    Bio Device FilterBioDeviceFilterStringTrue: Enabled
    *False: Disabled    		Typically used for older biometric devices as they become non-responsive after a certain amount of time; when this is enabled, this will attempt to restart the device to make it ready when using biometrics
    Bio IdentifyBioIdentifyStringTrue: Enabled
    *False: Disabled    		Used with UPEK devices
    Allow Unauthenticated One-To-Many Biometric MatchBioAnyUserSyncStringTrue: Enabled
    *False: Disabled    		Allows Users to enroll/register on one brand of the biometric reader while authenticating against another
    RF DeviceRFDeviceStringGetac
    GetacNFC
    GetacRX10
    Getac:15693
    Getac:cuid
    Getac:getac
    Getac:mifare
    Getacrx10:cuid
    Getacrx10:getac
    Getacrx10:mifare
    Getacrx10:15693
    *Waveid
    Waveid:All
    Waveid:USB
    Waveid:COM    		The default policy is WaveID for PCProx; set to GETAC to support F110 Tablet embedded readers
    Restart RFID communications when suspend/resume machineRFIDPowerRestartStringTrue: Enabled
    *False: Disabled
    Bluetooth Device ConfigBTDeviceStringbluesoleil:500;10This setting allows administrators to enable Bluetooth and define the period in milliseconds between signal checks (default: 500) with the number of checks over which the Bluetooth signal is averaged (default: 10); after pairing, the default values can be modified
    Bluetooth Lock Prompt TypeBTLockPromptTypeDWORD*0: No prompt
    1: Prompt with countdown
    2: Prompt with keypress cancellation
    3: Prompt with password cancellation
    Bluetooth Lock Prompt Timeout (in seconds)BTLockPromptTimeDWORD4e20: 20
    9c40: 40
    ea60: 60    		Defines lenght of time the BT lock prompt will stay active; no default time is given

    Workstation Autologin

    Policy Setting NameReg Key NameTypeValue(s)Description
    User interaction when shutdown initiatedRALogoffTypeDWORD*0: Prompt Before Logoff
    1: Force Logoff
    2: Prompt Before Locking Desktop
    3: Force Locking Desktop    		Defines MFA client behavior before a device shutdown
    Machine behavior when shutdown initiatedRASleepTypeDWORD*0: Hibernate
    1: Sleep
    2: Shutdown
    Allow user to cancel a logoffRALogoffCancelStringTrue: Enabled
    *False: Disabled    		Allows user to cancel an initiated logoff of the client
    Time allowed for user to cancel a logoff (in seconds)RALogoffTimeDWORD*1e: 30
    3c: 60
    5a: 90    		Controls window of time to allow user to cancel a logoff that has started; must have "Allow user to cancel a logoff" enabled
    Time to allow Windows to login user before auto locking desktop (in seconds)RAAutoLockTimeDWORD*3c: 60
    5a: 90
    78: 120

    General

    Policy Setting NameReg Key NameTypeValue(s)Description
    SoundsSoundsEnabledString*True: Enabled
    False: Disabled    		Enable or disable MFA Client generated sounds on computers
    Tray Icon------*Enabled
    Disabled    		Controls visibility of Identity Automation's logo in the client's icon tray on the taskbar
    Splash ScreenSuppressSplashScreenString*True: Enabled
    False: Disabled    		Controls the blue “Please wait… Operation in progress” splash screen that appears on computers
    Log LevelLogLevelDWORD*0: Off
    1: Errors
    2: Messages
    3: Everything    		Turns logs on/off and controls the level of data captured
    Log ScopeLogScopeStringPlease see the table below for list of log scope options, their values, and definitions
    Log Folder Size (in kilobytes)LogFolderSizeDWORD*1024kbSets cap size of log(.bak) files before creating a new one
    Suppress UISuppressAppUIStringTrue: Enabled
    *False: Disabled    		Controls whether users can access the RI desktop application
    Suppress Gina LogoSuppressGinaLogoStringTrue: Enabled
    *False: Disabled    		Controls the appearance of the HID logo within the Logon Experience
    This is a legacy setting and should no longer be used/enabled
    Client Enrollment Save Password Time (in seconds)EnrollmentPassTimeDWORD*78: 120
    b4: 180
    f0: 240    		Defines the amount of time a user’s password is saved before being discarded
    Enroll Smartcards on Client as ContactlessEnrollSCAsPROXStringTrue: Enabled
    *False: Disabled    		Defines whether Smart Cards are enrolled on client machines as Contactless Cards
    Client Enrollment TypeEnrollmentTypeString*Partial: Partial
    Full: Full    		Partial: only partial method enrollments are required
    Full: all assigned methods must be enrolled at once

    Log Scope

    Check the box next to the each option you need your client logs to gather. The "Reg Values" are saved to the LogScope string and separated by commas (,).

    The "Log Level" option DOES NOT need to be enabled in the MFA policy in conjuction with "Log Scope". If you are troubleshooting individual MFA client(s) and not wanting to enable client logging across your entire environment, you can still use Log Scope (through the policy or direct registry input) to limit the types of activity being logged.

    Log Scope OptionReg Value
    CommonCommon
    ClientClient
    ServiceService
    ServiceCtrlServiceCtrl
    Shared WorkstationSW
    Secured AppsSA
    Credential ProvidersCP
    HardwareHW
    Remote Secured Apps ServiceRSAS
    Remote Secured Apps ClientRSAC
    Remote Secured Apps MonitorRSAM
    Remote Secured Apps Transport LogsRSAT
    Was this article helpful?
    What's Next