The clients are controlled by the registry keys in our location: HKLM\Software\Foray
These values are passed down through the MFA GlobalDefault or OU specific policy. In the event that you need to test a one-off functionality without affecting your whole group of computers, you can create the necessary key and its value. You can also use this map to verify what a certain key is.
It's important to note that if your currently applied policy does not have the key you are testing, it will not be modified by a client-server synchronization. If it is set in the current policy, it will be changed back to its original value the moment it synchronizes
ex. If "SharedWorkstation" is manually set to False and you perform a synchronization with the server, the value will revert back to True.
The keys below are organized by their corresponding MFA policy tab.
MFA Policies
For more information on client policies, please see our Creating An MFA Policy article.
Reg Value(s) Column Notes
Bold text represents the actual registry value, the un-bolded is the value seen in the actual policy window.
regValue: MFA policy value
DWORD values given in the table are hex and are completely customizable. The values given are suggestions and can be set differently depending on your organization's requirements.
Reg values with an asterisk (*) in front of them are the default value for that setting. Some settings that require typed input from admin in the MFA policy do not have a default value.
Logon
| Policy Setting Name | Reg Key Name | Type | Reg Value(s) | Description |
|---|---|---|---|---|
| Logon Experience | DisabledProviders | String | Please see the table below for list of tiles and their values | Controls what MFA authentication tiles appear on the lock and Shared Workstation screens |
| Disable Username and Password Tile | DisableUNPTile | String | Unlock: Only at Unlock Screen LogonUnlock: At Logon and Unlock Screens Logon: Only at Logon *None: Never disabled |
Controls when the Windows UN/PW tile appears on the Windows lock screen |
| Emergency Access | EAOptions | String | Logon: Login to device Password: Update password Unblock: Unblock & reset PIN (re-verify) |
Controls the options end users have for EA; All options enabled by default |
| RapidIdentity Windows Login | DisableSecurityModel | String | *True: Enabled False: Disabled |
Controls whether the auth tiles set by the Logon Experience appear on the Windows lock screen or not |
| PingMe requires user password | PingMeNoPassword | String | *True: Enabled False: Disabled |
User must type in their Windows password to initiate a ping to their phone |
| PingMe user allowed to re-enroll mobile app | String | *True: Enabled False: Disabled |
||
| Force dropdown to default to this domain | ForceDefaultDomain | String | User input | Automatically sets client domain |
| Allow users to update their password through the client | AllowPasswordUpdate | String | *True: Enabled False: Disabled |
cell |
| Allow the enrollment tile to create new users in server | EnrollTileNewUser | String | *True: Enabled False: Disabled |
MFA user accounts do not have to be pre-made for enrollment and are automatically added when users type their credentials at the Enrollment Tile |
| Allow the enrollment tile logon | EnrollTileLogon | String | *True: Enabled False: Disabled |
Controls |
| Risk Based Authentication | RBA | String | True: Enabled *False: Disabled |
Enables RBA |
| RBA Token Expiration (in days) | RBATimeout | DWORD | User input Must be a whole number |
Sets number of days the RBA grace period is good for |
| RBA VPN Override | RBAVPNOverride | String | True: Enabled *False: Disabled |
Defines whether or not RBA will be disabled to allow a VPN connection; Once a VPN connection is established, RBA will prompt for advanced authentication |
| RBA Show Password Only First | RBAPasswordOnlyFirst | String | True: Enabled *False: Disabled |
Requires initial logon using un/pw exclusively; if enabled, RBA triggers and requires the user to use advanced authentication to continue the logon process |
| RBA Show Notification | RBAShowNotification | String | True: Enabled *False: Disabled |
Notifies the user logging in if RBA is needed |
| RBA PIN Expiration Timeout | RBAPINExpirationValue | DWORD | 0: 0 1: 1 7: 7 14: e 30: 1e |
Enter the value to match the RBA PIN expiration type |
| RBA PIN Expiration Type | RBAPINExpirationType | DWORD | *0: Days 1: Hours 2: Minutes 3: Seconds |
Controls the type of expiration you want your RBA grace period to expire after |
Disabled Providers / Logon Experience
The following are based on Windows 10 values and might vary slightly on different installations. The Key values are what are set in DisabledProviders' string, separated by semicolons(;).
| Authentication Method Tile | Key |
|---|---|
| Username and Password | {60B78E88-EAD8-445C-9CFD-0B87F74EA6CD} |
| Contactless Card | {CBD71E03-35DE-4478-8E51-128BB10BC241} |
| Magstripe | {CB8395BC-AF05-480A-8C16-2A9A8172CE33} |
| Emergency Access | {CBB84461-28A0-4691-8BEF-A14F09C188AE} |
| Smartcard | {8FD7E19C-3BF7-489B-A72C-846AB3678C96} |
| Fingerprint | {CB7395BC-AF05-480A-8C16-2A9A8172CE33} |
| Win Bio | {BEC09223-B018-416D-A0AC-523971B639F5} |
| OTP | {CB9395BC-AF05-480A-8C16-2A9A8172CE33} |
| PingMe | {CBA395BC-AF05-480A-8C16-2A9A8172CE33} |
| Enrollment | {CBB395BC-AF05-480A-8C16-2A9A8172CE33} |
| Bluetooth | {D082E611-DD6D-4A36-9B77-EC933B3E2633} |
| FIDO | {4C131C10-372C-4EE7-A882-E2FD16DE36B2}; |
Shared Workstation
| Policy Setting Name | Reg Key Name | Type | Value(s) | Description |
|---|---|---|---|---|
| Shared Workstation | SharedWorkstation | String | True: Enabled *False: Disabled |
Shared Workstation is a secondary lock/splash screen for MFA clients after logging in on a shared Windows account |
| Back Alpha | SWBackAlpha | DWORD | 0: 0 *64: 100 |
Defines the percentage of opaqueness of the shared workstation login screen from 0 (completely transparent) to 100 (completely opaque) |
| Back Color | SWBackColor | DWORD | Use hex value for colors | Defines the color of the shared workstation login/lock screen in hexadecimal where FFFFFF is white and 000000 is black |
| Back Image | SWBackImage | String | File path of image | Sets background image of the Shared Workstation lock screen The file & location must be in the same, accessible location for all SW clients |
| Inactivity Timer (in minutes) | SWInactivityTimer | DWORD | 1: 1 5: 5 A: 10 |
Defines amount of time before the client goes back to SW lock screen after timeout |
| Inactivity Timer Action | SWInactivityLogoff | String | True: Logoff *False: Lock Workstation |
Locks or logs off of the client after the "Inactivity Timer" expires |
| Time Of Fade/Prompt Screen Before Lock (seconds) | SWInactivityPrompt | DWORD | 1e: 30 sec 3c: 60 sec 5a: 90 sec |
Defines the amount of time in seconds before the SW prompt/login tiles overtakes the screen |
| Lock On O/S Lock | SWLockOnOSLock | String | True: Enabled *False: Disabled |
Locks SW if the Windows desktop is locked |
| Idle Animation Timer (in minutes) | SWIdleAnimTimer | DWORD | 1: 1 5: 5 A: 10 |
Defines the amount of time before the SW logon tiles move randomly around the screen |
| Idle Animation Type | SWIdleAnimType | DWORD | *0: Float 1: Hide |
Defines whether to hide or float tiles once the device times out |
| Always On Top | SWAlwaysOnTop | String | *True: On False: Off |
Causes SW lock screen to stay "on top", covering any other open applications |
| Delay On Launch (seconds) | SWDelayOnLaunch | DWORD | 1e: 30 sec 3c: 60 sec 78: 120 sec |
Defines the delay in seconds before the SW lock screen comes up after the initial Windows login |
| Bypass | SWBypass | String | True: Enabled *False: Disabled |
When enabled, allows non-enrolled users the opportunity to access the desktop by adding a "Guest Logon" button beneath the standard SW login tiles |
| Generic Login | SWGenLogin | String | True: Enabled *False: Disabled |
When disabled, removes the Username and Password tile from the SW login options |
| EA Login | SWEALogin | String | True: Enabled *False: Disabled |
When disabled, removes the Emergency Access tile from the SW login options |
| Launch On Logon | SWLaunchOnLogon | Multi-String | Value must be path to application | Automatically launches defined applications when a user logs on |
| Wait On Sync | SWWaitOnSync | String | True: Enabled *False: Disabled |
Requires the user profile to sync before allowing login |
| Enforce 2-Step Authentication | SWEnforceUserMatch | String | True: Enabled *False: Disabled |
Allows only the same user that logged on to the standard desktop at initial Windows logon to logon to a SW |
| PIN Policy Rule | SWPINPolicyRule | DWORD | *0: Use User's Policy 1: Never Require PIN 2: Always Require PIN 3: On Logon Only (Not Unlock) |
Allows administrators to override user's PIN policy to Always or Never Require PIN (affects all auth methods) |
| PIN Complexity Rule | SWPinComplexityRule | DWORD | 1: No more than 3 repeated chars 2: No more than 3 consecutive chars 4: Alpha And Numeric Characters 8: Special characters 10: Numeric characters 20: Windows PW as Pin 40: Grace period |
Override all PIN policy settings when using this computer(s) |
| Card Behavior Override | SWCardBehaviorOverride | DWORD | *7fffffff: Use Default Policy 0: Do Nothing 1: Lock SW (Card Removal) 2: Logoff SW (Card Removal) 3: Lock SW (Card Tap) 4: Logoff SW (Card Tap) |
Determines or overrides locally set smart or contactless card behavior |
| Default Method | SWDefaultMethod | DWORD | 7fffffff: Last Used Method 0: Display All Available 5: UN/PW 3: Emergency Access *6: Contactless Card 4: Smartcard 9: Magstripe 8: Fingerprint a: OTP b: PingMe c: Enrollment e: Bluetooth f: FIDO |
Tells the client which auth method to display first; applies to both Windows lock screen and the SW lock screen; the other methods are still available |
| Default Domain | SWDefaultDomain | String | User input | Sets the default domain in the dropdown when using Username and Password |
| Number of logons to remember in dropdown | SWLogonHistorySize | DWORD | 3: 3 last logged on users 5: 5 last logged on users |
Logon dropdown menu will save the last X users to its list |
| Login All Windows On Logon | SWLoginAllWindowsOnLogon | String | True: Enabled *False: Disabled |
Attempts to log the current user onto all active applications for which Secured Apps templates exist |
| Close All Windows On Logoff | SWCloseAllWindowsOnLogoff | String | True: Enabled *False: Disabled |
Closes all windows when a user logs off; applications that prompt a user for feedback at logoff (ie. asking to save work) will not be shut down if no response is provided |
| Kill All Windows On Logoff | SWKillAllWindowsOnLogoff | String | True: Enabled *False: Disabled |
Closes all windows and apps at logoff, regardless of any popups or feedback requests from those applications |
| Skip App Windows On Logoff | SWSkipAppWindowsOnLogoff | Multi-string | File path of application | Used in conjunction with Kill All Windows on Logoff, applications can be omitted from the "Kill All Windows" operation |
| Citrix InstantConnect | SWCitrixInstantConnect | String | True: Enabled *False: Disabled |
Launches Citrix Online Plugin at login if present and submits the logged on users credentials |
| Citrix QLaunch Parameters | SWCitrixQLaunchParams | String | Value will be the parameters for Citrix?? | Allows administrators to define Citrix Applications to be launched at login |
| VMware InstantConnect | SWVMwareInstantConnect | String | True: Enabled *False: Disabled |
Launches VMWare View and submits the logged on user’s credentials |
| RDP InstantConnect | SWRdpInstantConnect | String | True: Enabled *False: Disabled |
Launches Microsoft Terminal Services Client and submits the logged on user’s credentials |
| RDP Server | SWRdpServer | String | Value will be the IP or URL of the computer your client(s) are connecting to | Used in conjunction with the RDP InstantConnect feature, this defines the server to be logged onto |
| RDP: Use Multiple Monitors | SWRDPUseMultiMon | String | True: Enabled *False: Disabled |
This determines whether or not RDP sessions will inhabit all available monitors in a multi-monitor configuration |
| InstantConnect Lock On Exit | SWInstantConnectLockOnExit | String | True: Enabled *False: Disabled |
Automatically locks shared workstation when any InstantConnect application is closed |
Secured Applications
| Policy Setting Name | Reg Key Name | Type | Value(s) | Description |
|---|---|---|---|---|
| Secured App Access Interval (seconds) | SAAccessInterval | DWORD | *a: 10 1e: 30 3c: 60 |
|
| Continually monitor foreground window | SAAlwaysCheck | String | *True: Enabled False: Disabled |
|
| Process background windows | SAMonitor | String | *True: Enabled False: Disabled |
|
| Timeout between re-scanning background windows (in ms) | SAMonitorTimeout | DWORD | *3e8: 1000 7d0: 2000 bb8: 3000 |
|
| Timeout between re-scanning each app (in ms) | SAMonitorAppTimeout | DWORD | *1388: 5000 2710: 10000 |
|
| How long to block input during entering of credentials (in ms) | SABlockInputTime | DWORD | 1388: 5000 2710: 10000 *3A98: 15000 |
|
| How long to wait for characters to be entered (in seconds) | SACharInputTime | DWORD | *3: 3 5: 5 a: 10 |
|
| How long to delay manually processing individual parts of credentials (in ms) | SARawInputTime | DWORD | *a: 10 1e: 30 3c: 60 |
|
| Remote Applications Port | RemoteAppsPort | DWORD | *2802: 10242 | |
| Remote Applications Request Timeout (in ms) | RemoteAppsRequestTimeout | DWORD | *ea60: 60000 | |
| *Remote Application UI Timeout (in ms) | RemoteAppsRequestUITimeout | DWORD | *ea60: 60000 |
Server/Sync
| Policy Setting Name | Reg Key Name | Type | Value(s) | Description |
|---|---|---|---|---|
| Service URL | ServiceURL | String | User input | Allows the input of multiple MFA servers for failover instances; also used to point clients to a new/different MFA server (ie. server migrations) |
| Service Timeout (in ms) | ServiceTimeout | DWORD | *20000 | Defines the amount of time the client will continue to attempt to sync with the server |
| Service Low Bandwidth Timeout (in minutes) | ServiceLowBandwidthTimeout | DWORD | *a: 10 1e: 30 3c: 60 |
Defines the amount of time in minutes before which RapidIdentity server checks for Low-Bandwidth service |
| Force Refresh of Policy (in hours) | PolicyTimeout | DWORD | *2: 2 c: 12 18: 24 |
Defines length of time clients automatically perform a server sync to pull the latest policy settings |
| Failover Check Interval (in minutes) | FailoverCheckInterval | DWORD | *2 | Defines the amount of time in minutes before RapidIdentity server checks for failover |
| Check for Service Long Response Separately | ServiceLongResponse | String | True: Enabled *False: Disabled |
Defines whether or not the MFA Server will check for a long server response and act accordingly |
| Enrollment Station | EnrollmentStation | String | True: Enabled *False: Disabled |
When enabled, prevents user data from being added to the local cache after enrollment |
| Always Online Mode | AlwaysOnline | String | True: Enabled *False: Disabled |
When enabled, this setting deletes the local user profile cache, requiring the system to have access to the server upon next logon; typically used for setting up Enrollment Stations |
| VPN Username | VPNUsername | String | User input: username | NetMotion VPN Credentials |
| VPN Domain | VPNDomain | String | User input: domain name | NetMotion VPN Credentials |
| VPN Password | VPNPassword | String | The password set for the "VPN Username" | NetMotion VPN Credentials |
| VPN Timeout (in seconds) | VPNTimeout | DWORD | *3c: 60 5a: 90 78: 120 |
Hardware
| Policy Setting Name | Reg Key Name | Type | Value(s) | Description |
|---|---|---|---|---|
| Enable Magstripe | EnableMagstripe | String | True: Enabled *False: Disabled |
|
| Magstripe ID | MagstripeID | Multi-string | VID & PID of device | Allows administrators to enter the specific VID and PID hardware identifiers for Magstripe readers; multiple entries should be placed on different lines |
| Magstripe Device | MagDevice | Multi-string | hidredir: Magtek Wedge magtek: Magtek HID isdc_rs: Panasonic Integrated toughbook: Panasonic Toughbook User input: Custom |
To enable your device(s), check your respective option; for generic keyboard output devices, select Magtek |
| Magstripe Timeout (ms) | MagstripeTO | DWORD | 4e20: 20 9c40: 40 ea60: 60 |
Defines the duration of time that RapidIdentity Client will wait before submitting transmitted magstripe data; many readers submit data with a carriage return at the end, but for those that do not, enable a small timeout, 1000ms, to ensure the data is submitted |
| Bio Device | BioDevice | String | aes: AES\Fujitsu bcom: Broadcom lumi: Lumidigm External dpuau: Digital Persona U or External U upek: wbf: Compatible WBF Devices ftr: Futronics biokey: Bio-Key Software |
Dropdown list of the supported types of Fingerprint sensors |
| Bio Device Filter | BioDeviceFilter | String | True: Enabled *False: Disabled |
Typically used for older biometric devices as they become non-responsive after a certain amount of time; when this is enabled, this will attempt to restart the device to make it ready when using biometrics |
| Bio Identify | BioIdentify | String | True: Enabled *False: Disabled |
Used with UPEK devices |
| Allow Unauthenticated One-To-Many Biometric Match | BioAnyUserSync | String | True: Enabled *False: Disabled |
Allows Users to enroll/register on one brand of the biometric reader while authenticating against another |
| RF Device | RFDevice | String | Getac GetacNFC GetacRX10 Getac:15693 Getac:cuid Getac:getac Getac:mifare Getacrx10:cuid Getacrx10:getac Getacrx10:mifare Getacrx10:15693 *Waveid Waveid:All Waveid:USB Waveid:COM |
The default policy is WaveID for PCProx; set to GETAC to support F110 Tablet embedded readers |
| Restart RFID communications when suspend/resume machine | RFIDPowerRestart | String | True: Enabled *False: Disabled |
|
| Bluetooth Device Config | BTDevice | String | bluesoleil:500;10 | This setting allows administrators to enable Bluetooth and define the period in milliseconds between signal checks (default: 500) with the number of checks over which the Bluetooth signal is averaged (default: 10); after pairing, the default values can be modified |
| Bluetooth Lock Prompt Type | BTLockPromptType | DWORD | *0: No prompt 1: Prompt with countdown 2: Prompt with keypress cancellation 3: Prompt with password cancellation |
|
| Bluetooth Lock Prompt Timeout (in seconds) | BTLockPromptTime | DWORD | 4e20: 20 9c40: 40 ea60: 60 |
Defines lenght of time the BT lock prompt will stay active; no default time is given |
Workstation Autologin
| Policy Setting Name | Reg Key Name | Type | Value(s) | Description |
|---|---|---|---|---|
| User interaction when shutdown initiated | RALogoffType | DWORD | *0: Prompt Before Logoff 1: Force Logoff 2: Prompt Before Locking Desktop 3: Force Locking Desktop |
Defines MFA client behavior before a device shutdown |
| Machine behavior when shutdown initiated | RASleepType | DWORD | *0: Hibernate 1: Sleep 2: Shutdown |
|
| Allow user to cancel a logoff | RALogoffCancel | String | True: Enabled *False: Disabled |
Allows user to cancel an initiated logoff of the client |
| Time allowed for user to cancel a logoff (in seconds) | RALogoffTime | DWORD | *1e: 30 3c: 60 5a: 90 |
Controls window of time to allow user to cancel a logoff that has started; must have "Allow user to cancel a logoff" enabled |
| Time to allow Windows to login user before auto locking desktop (in seconds) | RAAutoLockTime | DWORD | *3c: 60 5a: 90 78: 120 |
General
| Policy Setting Name | Reg Key Name | Type | Value(s) | Description |
|---|---|---|---|---|
| Sounds | SoundsEnabled | String | *True: Enabled False: Disabled |
Enable or disable MFA Client generated sounds on computers |
| Tray Icon | --- | --- | *Enabled Disabled |
Controls visibility of Identity Automation's logo in the client's icon tray on the taskbar |
| Splash Screen | SuppressSplashScreen | String | *True: Enabled False: Disabled |
Controls the blue “Please wait… Operation in progress” splash screen that appears on computers |
| Log Level | LogLevel | DWORD | *0: Off 1: Errors 2: Messages 3: Everything |
Turns logs on/off and controls the level of data captured |
| Log Scope | LogScope | String | Please see the table below for list of log scope options, their values, and definitions | |
| Log Folder Size (in kilobytes) | LogFolderSize | DWORD | *1024kb | Sets cap size of log(.bak) files before creating a new one |
| Suppress UI | SuppressAppUI | String | True: Enabled *False: Disabled |
Controls whether users can access the RI desktop application |
| Suppress Gina Logo | SuppressGinaLogo | String | True: Enabled *False: Disabled |
This is a legacy setting and should no longer be used/enabled |
| Client Enrollment Save Password Time (in seconds) | EnrollmentPassTime | DWORD | *78: 120 b4: 180 f0: 240 |
Defines the amount of time a user’s password is saved before being discarded |
| Enroll Smartcards on Client as Contactless | EnrollSCAsPROX | String | True: Enabled *False: Disabled |
Defines whether Smart Cards are enrolled on client machines as Contactless Cards |
| Client Enrollment Type | EnrollmentType | String | *Partial: Partial Full: Full |
Partial: only partial method enrollments are required Full: all assigned methods must be enrolled at once |
Log Scope
Check the box next to the each option you need your client logs to gather. The "Reg Values" are saved to the LogScope string and separated by commas (,).
The "Log Level" option DOES NOT need to be enabled in the MFA policy in conjuction with "Log Scope". If you are troubleshooting individual MFA client(s) and not wanting to enable client logging across your entire environment, you can still use Log Scope (through the policy or direct registry input) to limit the types of activity being logged.
| Log Scope Option | Reg Value |
|---|---|
| Common | Common |
| Client | Client |
| Service | Service |
| ServiceCtrl | ServiceCtrl |
| Shared Workstation | SW |
| Secured Apps | SA |
| Credential Providers | CP |
| Hardware | HW |
| Remote Secured Apps Service | RSAS |
| Remote Secured Apps Client | RSAC |
| Remote Secured Apps Monitor | RSAM |
| Remote Secured Apps Transport Logs | RSAT |