Policy Settings & Client Registry Values
  • 20 Jun 2024

The clients are controlled by the registry keys under HKLM\Software\Foray.

These values are passed down through the MFA GlobalDefault or OU-specific policy. If you need to test a one-off piece of functionality without affecting your whole group of computers, you can create the necessary key and its value by hand. You can also use this map to verify what a certain key does.

Note that if the currently applied policy does not contain the key you are testing, a client-server synchronization will not modify it. If the key is set in the current policy, it will be changed back to the policy's value the moment the client synchronizes.

For example: if "SharedWorkstation" is manually set to False and you perform a synchronization with the server, the value will revert to True.

The keys below are organized by their corresponding MFA policy tab.
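The one-off test described above, as an added example that is not part of the article: a PowerShell snapshot of the Foray key taken before the manual change and compared again after the next sync, so you can see which values the applied policy owns and resets. The key path is the article's; the function names are this example's own.

```powershell
# Added example (not from the article): snapshot HKLM\Software\Foray before a
# one-off test, then diff after the next server sync to see which values the
# applied MFA policy reverted. Function names are this example's own.
$ForayPath = 'HKLM:\SOFTWARE\Foray'

function Get-ForaySnapshot {
    # Returns a hashtable of value name -> (Kind, Value) for every value
    # directly under HKLM\Software\Foray.
    $key  = Get-Item -Path $ForayPath -ErrorAction Stop
    $snap = @{}
    foreach ($name in $key.GetValueNames()) {
        $kind  = $key.GetValueKind($name)          # String, DWord, MultiString...
        $value = $key.GetValue($name)
        if ($kind -eq 'DWord') {
            # The article lists DWORD values in hex; keep both forms for reading.
            $value = '0x{0:x} ({1})' -f $value, $value
        } elseif ($kind -eq 'MultiString') {
            $value = ($value -join ' | ')
        }
        $snap[$name] = [pscustomobject]@{ Kind = $kind; Value = $value }
    }
    return $snap
}

function Set-ForayTestValue {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Value,
        # Use the Type column from the article's tables: String, DWord or MultiString.
        [ValidateSet('String','DWord','MultiString')][string]$Kind = 'String'
    )
    # -Force overwrites an existing value with the requested type, so a DWORD
    # setting is not accidentally written as a REG_SZ.
    New-ItemProperty -Path $ForayPath -Name $Name -Value $Value -PropertyType $Kind -Force | Out-Null
}

function Compare-ForaySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    # Emits one object per value whose content changed. Values that come back
    # after a sync are the ones the current policy sets; those cannot be tested
    # by editing the registry alone.
    $names = (@($Before.Keys) + @($After.Keys)) | Sort-Object -Unique
    foreach ($name in $names) {
        $b = if ($Before.ContainsKey($name)) { $Before[$name].Value } else { '<absent>' }
        $a = if ($After.ContainsKey($name))  { $After[$name].Value }  else { '<absent>' }
        if ("$b" -ne "$a") {
            [pscustomobject]@{ Name = $name; Before = $b; After = $a }
        }
    }
}

# Usage (run elevated): record the baseline, make the one-off change, then after
# the client has synchronized with the server run the comparison.
$before = Get-ForaySnapshot
Set-ForayTestValue -Name 'SharedWorkstation' -Value 'False' -Kind String
# ... wait for (or trigger) a client-server sync, then:
$after = Get-ForaySnapshot
Compare-ForaySnapshot -Before $before -After $after | Format-Table -AutoSize
```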

MFA Policies

For more information on client policies, please see our Creating An MFA Policy article.

Reg Value(s) Column Notes

Each entry in the Reg Value(s) column is written as regValue: MFA policy value. The first part is the actual registry value; the second is the value seen in the policy window.

DWORD values given in the tables are hex and are completely customizable. The values given are suggestions and can be set differently depending on your organization's requirements.

Reg values with an asterisk (*) in front of them are the default value for that setting. Some settings that require typed input from the admin in the MFA policy do not have a default value.

Logon

Policy Setting Name | Reg Key Name | Type | Reg Value(s) | Description
--- | --- | --- | --- | ---
Logon Experience | DisabledProviders | String | Please see the table below for the list of tiles and their values | Controls what MFA authentication tiles appear on the lock and Shared Workstation screens
Disable Username and Password Tile | DisableUNPTile | String | Unlock: Only at Unlock Screen; LogonUnlock: At Logon and Unlock Screens; Logon: Only at Logon; *None: Never disabled | Controls when the Windows UN/PW tile appears on the Windows lock screen
Emergency Access | EAOptions | String | Logon: Login to device; Password: Update password; Unblock: Unblock & reset PIN (re-verify) | Controls the options end users have for EA; all options are enabled by default
RapidIdentity Windows Login | DisableSecurityModel | String | *True: Enabled; False: Disabled | Controls whether the auth tiles set by the Logon Experience appear on the Windows lock screen
PingMe requires user password | PingMeNoPassword | String | *True: Enabled; False: Disabled | User must type in their Windows password to initiate a ping to their phone
PingMe user allowed to re-enroll mobile app | | String | *True: Enabled; False: Disabled | 
Force dropdown to default to this domain | ForceDefaultDomain | String | User input | Automatically sets the client domain
Allow users to update their password through the client | AllowPasswordUpdate | String | *True: Enabled; False: Disabled | 
Allow the enrollment tile to create new users in server | EnrollTileNewUser | String | *True: Enabled; False: Disabled | MFA user accounts do not have to be pre-made for enrollment and are automatically added when users type their credentials at the Enrollment Tile
Allow the enrollment tile logon | EnrollTileLogon | String | *True: Enabled; False: Disabled | Controls
Risk Based Authentication | RBA | String | True: Enabled; *False: Disabled | Enables RBA
RBA Token Expiration (in days) | RBATimeout | DWORD | User input (must be a whole number) | Sets the number of days the RBA grace period is good for
RBA VPN Override | RBAVPNOverride | String | True: Enabled; *False: Disabled | Defines whether RBA will be disabled to allow a VPN connection; once a VPN connection is established, RBA will prompt for advanced authentication
RBA Show Password Only First | RBAPasswordOnlyFirst | String | True: Enabled; *False: Disabled | Requires the initial logon to use UN/PW exclusively; if enabled, RBA then triggers and requires the user to use advanced authentication to continue the logon process
RBA Show Notification | RBAShowNotification | String | True: Enabled; *False: Disabled | Notifies the user logging in if RBA is needed
RBA PIN Expiration Timeout | RBAPINExpirationValue | DWORD | 0: 0; 1: 1; 7: 7; 14: e; 30: 1e | Enter the value to match the RBA PIN expiration type
RBA PIN Expiration Type | RBAPINExpirationType | DWORD | *0: Days; 1: Hours; 2: Minutes; 3: Seconds | Controls the unit of time after which the RBA grace period expires

Disabled Providers / Logon Experience

The following are based on Windows 10 values and might vary slightly on different installations. The Key values are what are set in the DisabledProviders string, separated by semicolons (;).

Authentication Method Tile | Key
--- | ---
Username and Password | {60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}
Contactless Card | {CBD71E03-35DE-4478-8E51-128BB10BC241}
Magstripe | {CB8395BC-AF05-480A-8C16-2A9A8172CE33}
Emergency Access | {CBB84461-28A0-4691-8BEF-A14F09C188AE}
Smartcard | {8FD7E19C-3BF7-489B-A72C-846AB3678C96}
Fingerprint | {CB7395BC-AF05-480A-8C16-2A9A8172CE33}
Win Bio | {BEC09223-B018-416D-A0AC-523971B639F5}
OTP | {CB9395BC-AF05-480A-8C16-2A9A8172CE33}
PingMe | {CBA395BC-AF05-480A-8C16-2A9A8172CE33}
Enrollment | {CBB395BC-AF05-480A-8C16-2A9A8172CE33}
Bluetooth | {D082E611-DD6D-4A36-9B77-EC933B3E2633}
FIDO | {4C131C10-372C-4EE7-A882-E2FD16DE36B2}

Shared Workstation

Policy Setting Name | Reg Key Name | Type | Value(s) | Description
--- | --- | --- | --- | ---
Shared Workstation | SharedWorkstation | String | True: Enabled; *False: Disabled | Shared Workstation is a secondary lock/splash screen for MFA clients after logging in on a shared Windows account
Back Alpha | SWBackAlpha | DWORD | 0: 0; *64: 100 | Defines the opacity of the shared workstation login screen as a percentage, from 0 (completely transparent) to 100 (completely opaque)
Back Color | SWBackColor | DWORD | Use hex value for colors | Defines the color of the shared workstation login/lock screen in hexadecimal, where FFFFFF is white and 000000 is black
Back Image | SWBackImage | String | File path of image | Sets the background image of the Shared Workstation lock screen; the file must be in the same, accessible location for all SW clients
Inactivity Timer (in minutes) | SWInactivityTimer | DWORD | 1: 1; 5: 5; A: 10 | Defines the amount of time before the client goes back to the SW lock screen after timeout
Inactivity Timer Action | SWInactivityLogoff | String | True: Logoff; *False: Lock Workstation | Locks or logs off the client after the "Inactivity Timer" expires
Time Of Fade/Prompt Screen Before Lock (seconds) | SWInactivityPrompt | DWORD | 1e: 30 sec; 3c: 60 sec; 5a: 90 sec | Defines the amount of time in seconds before the SW prompt/login tiles overtake the screen
Lock On O/S Lock | SWLockOnOSLock | String | True: Enabled; *False: Disabled | Locks SW if the Windows desktop is locked
Idle Animation Timer (in minutes) | SWIdleAnimTimer | DWORD | 1: 1; 5: 5; A: 10 | Defines the amount of time before the SW logon tiles move randomly around the screen
Idle Animation Type | SWIdleAnimType | DWORD | *0: Float; 1: Hide | Defines whether to hide or float the tiles once the device times out
Always On Top | SWAlwaysOnTop | String | *True: On; False: Off | Causes the SW lock screen to stay "on top", covering any other open applications
Delay On Launch (seconds) | SWDelayOnLaunch | DWORD | 1e: 30 sec; 3c: 60 sec; 78: 120 sec | Defines the delay in seconds before the SW lock screen comes up after the initial Windows login
Bypass | SWBypass | String | True: Enabled; *False: Disabled | When enabled, allows non-enrolled users to access the desktop by adding a "Guest Logon" button beneath the standard SW login tiles
Generic Login | SWGenLogin | String | True: Enabled; *False: Disabled | When disabled, removes the Username and Password tile from the SW login options
EA Login | SWEALogin | String | True: Enabled; *False: Disabled | When disabled, removes the Emergency Access tile from the SW login options
Launch On Logon | SWLaunchOnLogon | Multi-string | Value must be the path to an application | Automatically launches the defined applications when a user logs on
Wait On Sync | SWWaitOnSync | String | True: Enabled; *False: Disabled | Requires the user profile to sync before allowing login
Enforce 2-Step Authentication | SWEnforceUserMatch | String | True: Enabled; *False: Disabled | Allows only the same user that logged on to the standard desktop at the initial Windows logon to log on to SW
PIN Policy Rule | SWPINPolicyRule | DWORD | *0: Use User's Policy; 1: Never Require PIN; 2: Always Require PIN; 3: On Logon Only (Not Unlock) | Allows administrators to override the user's PIN policy to Always or Never Require PIN (affects all auth methods)
PIN Complexity Rule | SWPinComplexityRule | DWORD | 1: No more than 3 repeated chars; 2: No more than 3 consecutive chars; 4: Alpha And Numeric Characters; 8: Special characters; 10: Numeric characters; 20: Windows PW as PIN; 40: Grace period | Overrides all PIN policy settings when using this computer(s)
Card Behavior Override | SWCardBehaviorOverride | DWORD | *7fffffff: Use Default Policy; 0: Do Nothing; 1: Lock SW (Card Removal); 2: Logoff SW (Card Removal); 3: Lock SW (Card Tap); 4: Logoff SW (Card Tap) | Determines or overrides locally set smart or contactless card behavior
Default Method | SWDefaultMethod | DWORD | 7fffffff: Last Used Method; 0: Display All Available; 5: UN/PW; 3: Emergency Access; *6: Contactless Card; 4: Smartcard; 9: Magstripe; 8: Fingerprint; a: OTP; b: PingMe; c: Enrollment; e: Bluetooth; f: FIDO | Tells the client which auth method to display first; applies to both the Windows lock screen and the SW lock screen; the other methods are still available
Default Domain | SWDefaultDomain | String | User input | Sets the default domain in the dropdown when using Username and Password
Number of logons to remember in dropdown | SWLogonHistorySize | DWORD | 3: 3 last logged on users; 5: 5 last logged on users | The logon dropdown menu will save the last X users to its list
Login All Windows On Logon | SWLoginAllWindowsOnLogon | String | True: Enabled; *False: Disabled | Attempts to log the current user onto all active applications for which Secured Apps templates exist
Close All Windows On Logoff | SWCloseAllWindowsOnLogoff | String | True: Enabled; *False: Disabled | Closes all windows when a user logs off; applications that prompt the user at logoff (e.g. asking to save work) will not be shut down if no response is provided
Kill All Windows On Logoff | SWKillAllWindowsOnLogoff | String | True: Enabled; *False: Disabled | Closes all windows and apps at logoff, regardless of any popups or feedback requests from those applications
Skip App Windows On Logoff | SWSkipAppWindowsOnLogoff | Multi-string | File path of application | Used in conjunction with Kill All Windows On Logoff; the listed applications are omitted from the "Kill All Windows" operation
Citrix InstantConnect | SWCitrixInstantConnect | String | True: Enabled; *False: Disabled | Launches the Citrix Online Plugin at login if present and submits the logged-on user's credentials
Citrix QLaunch Parameters | SWCitrixQLaunchParams | String | Value will be the parameters for Citrix | Allows administrators to define Citrix applications to be launched at login
VMware InstantConnect | SWVMwareInstantConnect | String | True: Enabled; *False: Disabled | Launches VMware View and submits the logged-on user's credentials
RDP InstantConnect | SWRdpInstantConnect | String | True: Enabled; *False: Disabled | Launches the Microsoft Terminal Services Client and submits the logged-on user's credentials
RDP Server | SWRdpServer | String | Value will be the IP or URL of the computer your client(s) are connecting to | Used in conjunction with the RDP InstantConnect feature; defines the server to be logged onto
RDP: Use Multiple Monitors | SWRDPUseMultiMon | String | True: Enabled; *False: Disabled | Determines whether RDP sessions will span all available monitors in a multi-monitor configuration
InstantConnect Lock On Exit | SWInstantConnectLockOnExit | String | True: Enabled; *False: Disabled | Automatically locks the shared workstation when any InstantConnect application is closed

Secured Applications

Policy Setting Name | Reg Key Name | Type | Value(s) | Description
--- | --- | --- | --- | ---
Secured App Access Interval (seconds) | SAAccessInterval | DWORD | *a: 10; 1e: 30; 3c: 60 | 
Continually monitor foreground window | SAAlwaysCheck | String | *True: Enabled; False: Disabled | 
Process background windows | SAMonitor | String | *True: Enabled; False: Disabled | 
Timeout between re-scanning background windows (in ms) | SAMonitorTimeout | DWORD | *3e8: 1000; 7d0: 2000; bb8: 3000 | 
Timeout between re-scanning each app (in ms) | SAMonitorAppTimeout | DWORD | *1388: 5000; 2710: 10000 | 
How long to block input during entering of credentials (in ms) | SABlockInputTime | DWORD | 1388: 5000; 2710: 10000; *3A98: 15000 | 
How long to wait for characters to be entered (in seconds) | SACharInputTime | DWORD | *3: 3; 5: 5; a: 10 | 
How long to delay manually processing individual parts of credentials (in ms) | SARawInputTime | DWORD | *a: 10; 1e: 30; 3c: 60 | 
Remote Applications Port | RemoteAppsPort | DWORD | *2802: 10242 | 
Remote Applications Request Timeout (in ms) | RemoteAppsRequestTimeout | DWORD | *ea60: 60000 | 
Remote Application UI Timeout (in ms) | RemoteAppsRequestUITimeout | DWORD | *ea60: 60000 | 

Server/Sync

Policy Setting Name | Reg Key Name | Type | Value(s) | Description
--- | --- | --- | --- | ---
Service URL | ServiceURL | String | User input | Allows the input of multiple MFA servers for failover; also used to point clients to a new/different MFA server (e.g. server migrations)
Service Timeout (in ms) | ServiceTimeout | DWORD | *20000 | Defines the amount of time the client will continue to attempt to sync with the server
Service Low Bandwidth Timeout (in minutes) | ServiceLowBandwidthTimeout | DWORD | *a: 10; 1e: 30; 3c: 60 | Defines the amount of time in minutes before the RapidIdentity server checks for low-bandwidth service
Force Refresh of Policy (in hours) | PolicyTimeout | DWORD | *2: 2; c: 12; 18: 24 | Defines how often clients automatically perform a server sync to pull the latest policy settings
Failover Check Interval (in minutes) | FailoverCheckInterval | DWORD | *2 | Defines the amount of time in minutes before the RapidIdentity server checks for failover
Check for Service Long Response Separately | ServiceLongResponse | String | True: Enabled; *False: Disabled | Defines whether the MFA Server will check for a long server response and act accordingly
Enrollment Station | EnrollmentStation | String | True: Enabled; *False: Disabled | When enabled, prevents user data from being added to the local cache after enrollment
Always Online Mode | AlwaysOnline | String | True: Enabled; *False: Disabled | When enabled, deletes the local user profile cache, requiring the system to have access to the server at the next logon; typically used for setting up Enrollment Stations
VPN Username | VPNUsername | String | User input: username | NetMotion VPN credentials
VPN Domain | VPNDomain | String | User input: domain name | NetMotion VPN credentials
VPN Password | VPNPassword | String | The password set for the "VPN Username" | NetMotion VPN credentials
VPN Timeout (in seconds) | VPNTimeout | DWORD | *3c: 60; 5a: 90; 78: 120 | 

Hardware

Policy Setting Name | Reg Key Name | Type | Value(s) | Description
--- | --- | --- | --- | ---
Enable Magstripe | EnableMagstripe | String | True: Enabled; *False: Disabled | 
Magstripe ID | MagstripeID | Multi-string | VID & PID of device | Allows administrators to enter the specific VID and PID hardware identifiers for Magstripe readers; multiple entries should be placed on different lines
Magstripe Device | MagDevice | Multi-string | hidredir: Magtek Wedge; magtek: Magtek HID; isdc_rs: Panasonic Integrated; toughbook: Panasonic Toughbook; User input: Custom | To enable your device(s), check the respective option; for generic keyboard output devices, select Magtek
Magstripe Timeout (ms) | MagstripeTO | DWORD | 4e20: 20; 9c40: 40; ea60: 60 | Defines how long the RapidIdentity Client will wait before submitting transmitted magstripe data; many readers submit data with a carriage return at the end, but for those that do not, enable a small timeout (1000 ms) to ensure the data is submitted
Bio Device | BioDevice | String | aes: AES\Fujitsu; bcom: Broadcom; lumi: Lumidigm External; dpuau: Digital Persona U or External U; upek: ; wbf: Compatible WBF Devices; ftr: Futronics; biokey: Bio-Key Software | Dropdown list of the supported types of fingerprint sensors
Bio Device Filter | BioDeviceFilter | String | True: Enabled; *False: Disabled | Typically used for older biometric devices that become non-responsive after a certain amount of time; when enabled, the client will attempt to restart the device to make it ready when using biometrics
Bio Identify | BioIdentify | String | True: Enabled; *False: Disabled | Used with UPEK devices
Allow Unauthenticated One-To-Many Biometric Match | BioAnyUserSync | String | True: Enabled; *False: Disabled | Allows users to enroll/register on one brand of biometric reader while authenticating against another
RF Device | RFDevice | String | Getac; GetacNFC; GetacRX10; Getac:15693; Getac:cuid; Getac:getac; Getac:mifare; Getacrx10:cuid; Getacrx10:getac; Getacrx10:mifare; Getacrx10:15693; *Waveid; Waveid:All; Waveid:USB; Waveid:COM | The default policy is WaveID for PCProx; set to GETAC to support F110 Tablet embedded readers
Restart RFID communications when suspend/resume machine | RFIDPowerRestart | String | True: Enabled; *False: Disabled | 
Bluetooth Device Config | BTDevice | String | bluesoleil:500;10 | Allows administrators to enable Bluetooth and define the period in milliseconds between signal checks (default: 500) and the number of checks over which the Bluetooth signal is averaged (default: 10); after pairing, the default values can be modified
Bluetooth Lock Prompt Type | BTLockPromptType | DWORD | *0: No prompt; 1: Prompt with countdown; 2: Prompt with keypress cancellation; 3: Prompt with password cancellation | 
Bluetooth Lock Prompt Timeout (in seconds) | BTLockPromptTime | DWORD | 4e20: 20; 9c40: 40; ea60: 60 | Defines the length of time the BT lock prompt will stay active; no default time is given

Workstation Autologin

Policy Setting Name | Reg Key Name | Type | Value(s) | Description
--- | --- | --- | --- | ---
User interaction when shutdown initiated | RALogoffType | DWORD | *0: Prompt Before Logoff; 1: Force Logoff; 2: Prompt Before Locking Desktop; 3: Force Locking Desktop | Defines MFA client behavior before a device shutdown
Machine behavior when shutdown initiated | RASleepType | DWORD | *0: Hibernate; 1: Sleep; 2: Shutdown | 
Allow user to cancel a logoff | RALogoffCancel | String | True: Enabled; *False: Disabled | Allows the user to cancel an initiated logoff of the client
Time allowed for user to cancel a logoff (in seconds) | RALogoffTime | DWORD | *1e: 30; 3c: 60; 5a: 90 | Controls the window of time in which the user may cancel a logoff that has started; requires "Allow user to cancel a logoff" to be enabled
Time to allow Windows to login user before auto locking desktop (in seconds) | RAAutoLockTime | DWORD | *3c: 60; 5a: 90; 78: 120 | 

General

Policy Setting Name | Reg Key Name | Type | Value(s) | Description
--- | --- | --- | --- | ---
Sounds | SoundsEnabled | String | *True: Enabled; False: Disabled | Enables or disables MFA Client generated sounds on computers
Tray Icon | --- | --- | *Enabled; Disabled | Controls visibility of Identity Automation's logo in the client's icon tray on the taskbar
Splash Screen | SuppressSplashScreen | String | *True: Enabled; False: Disabled | Controls the blue "Please wait... Operation in progress" splash screen that appears on computers
Log Level | LogLevel | DWORD | *0: Off; 1: Errors; 2: Messages; 3: Everything | Turns logs on/off and controls the level of data captured
Log Scope | LogScope | String | Please see the table below for the list of log scope options, their values, and definitions | 
Log Folder Size (in kilobytes) | LogFolderSize | DWORD | *1024kb | Sets the cap size of log (.bak) files before creating a new one
Suppress UI | SuppressAppUI | String | True: Enabled; *False: Disabled | Controls whether users can access the RI desktop application
Suppress Gina Logo | SuppressGinaLogo | String | True: Enabled; *False: Disabled | Controls the appearance of the HID logo within the Logon Experience; this is a legacy setting and should no longer be used/enabled
Client Enrollment Save Password Time (in seconds) | EnrollmentPassTime | DWORD | *78: 120; b4: 180; f0: 240 | Defines the amount of time a user's password is saved before being discarded
Enroll Smartcards on Client as Contactless | EnrollSCAsPROX | String | True: Enabled; *False: Disabled | Defines whether Smart Cards are enrolled on client machines as Contactless Cards
Client Enrollment Type | EnrollmentType | String | *Partial: Partial; Full: Full | Partial: only partial method enrollments are required; Full: all assigned methods must be enrolled at once

Log Scope

Check the box next to each option you need your client logs to gather. The "Reg Values" are saved to the LogScope string, separated by commas (,).

The "Log Level" option DOES NOT need to be enabled in the MFA policy in conjunction with "Log Scope". If you are troubleshooting individual MFA client(s) and do not want to enable client logging across your entire environment, you can still use Log Scope (through the policy or direct registry input) to limit the types of activity being logged.

Log Scope Option | Reg Value
--- | ---
Common | Common
Client | Client
Service | Service
ServiceCtrl | ServiceCtrl
Shared Workstation | SW
Secured Apps | SA
Credential Providers | CP
Hardware | HW
Remote Secured Apps Service | RSAS
Remote Secured Apps Client | RSAC
Remote Secured Apps Monitor | RSAM
Remote Secured Apps Transport Logs | RSAT
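An added PowerShell example (not from the article) that decodes the semicolon-separated DisabledProviders string from the Disabled Providers table and the comma-separated LogScope string from the Log Scope table above into the names shown in the policy window, so an admin can verify what a client's registry actually enables. The GUIDs and scope tokens are the tables' own values; the function names are this example's own.

```powershell
# Added example (not from the article): decode DisabledProviders and LogScope
# from HKLM\Software\Foray using the article's tile GUIDs and Log Scope tokens.
$TileGuids = @{
    '{60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}' = 'Username and Password'
    '{CBD71E03-35DE-4478-8E51-128BB10BC241}' = 'Contactless Card'
    '{CB8395BC-AF05-480A-8C16-2A9A8172CE33}' = 'Magstripe'
    '{CBB84461-28A0-4691-8BEF-A14F09C188AE}' = 'Emergency Access'
    '{8FD7E19C-3BF7-489B-A72C-846AB3678C96}' = 'Smartcard'
    '{CB7395BC-AF05-480A-8C16-2A9A8172CE33}' = 'Fingerprint'
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 'Win Bio'
    '{CB9395BC-AF05-480A-8C16-2A9A8172CE33}' = 'OTP'
    '{CBA395BC-AF05-480A-8C16-2A9A8172CE33}' = 'PingMe'
    '{CBB395BC-AF05-480A-8C16-2A9A8172CE33}' = 'Enrollment'
    '{D082E611-DD6D-4A36-9B77-EC933B3E2633}' = 'Bluetooth'
    '{4C131C10-372C-4EE7-A882-E2FD16DE36B2}' = 'FIDO'
}
$ScopeNames = @{
    Common = 'Common'; Client = 'Client'; Service = 'Service'; ServiceCtrl = 'ServiceCtrl'
    SW = 'Shared Workstation'; SA = 'Secured Apps'; CP = 'Credential Providers'; HW = 'Hardware'
    RSAS = 'Remote Secured Apps Service'; RSAC = 'Remote Secured Apps Client'
    RSAM = 'Remote Secured Apps Monitor'; RSAT = 'Remote Secured Apps Transport Logs'
}

function ConvertFrom-DisabledProviders {
    param([AllowEmptyString()][string]$Value)
    # Semicolon-separated GUIDs. A GUID not in the table is reported as unknown
    # rather than dropped, because an unexpected entry still hides a tile.
    $disabled = @()
    foreach ($g in ($Value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        $name = $TileGuids[$g]            # hashtable lookup is case-insensitive
        if (-not $name) { $name = "Unknown ($g)" }
        $disabled += $name
    }
    [pscustomobject]@{
        Disabled = $disabled
        # Tiles the Logon Experience will still offer on the lock screen.
        Enabled  = @($TileGuids.Values | Where-Object { $disabled -notcontains $_ } | Sort-Object)
    }
}

function ConvertFrom-LogScope {
    param([AllowEmptyString()][string]$Value)
    # Comma-separated scope tokens; unknown tokens are kept so they stay visible.
    foreach ($t in ($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        $label = $ScopeNames[$t]
        if (-not $label) { $label = "Unknown ($t)" }
        [pscustomobject]@{ Token = $t; Option = $label }
    }
}

# Usage against the local client. Either value may be absent when the applied
# policy does not set it; an absent value decodes as "nothing disabled/logged".
$props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Foray' -ErrorAction Stop
ConvertFrom-DisabledProviders -Value ([string]$props.DisabledProviders) | Format-List
ConvertFrom-LogScope -Value ([string]$props.LogScope) | Format-Table -AutoSize
```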
