Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Configures a setting that asks users to enter their device password while using password autofill
Supported versions
- On Windows and macOS since 93 or later
Description
The feature helps users add an additional layer of privacy to their online accounts by requiring device authentication (as a way of confirming the user's identity) before the saved password is auto-filled into a web form. This ensures that non-authorized persons can't use saved passwords for autofill. Note that this feature does not protect against locally-running malware.
This group policy configures the radio button selector that enables this feature for users. It also has a frequency control where users can specify how often they would like to be prompted for authentication.
If you set this policy to 'Automatically', disable this policy, or don't configure this policy, autofill will not have any authentication flow.
If you set this policy to 'WithDevicePassword', users will have to enter their device password (or preferred mode of authentication under Windows) to prove their identity before their password is auto filled. Authentication modes include Windows Hello, PIN, face recognition, or fingerprint. The frequency for authentication prompt will be set to 'Ask permission once per browsing session' by default. However, users can change it to the other option, which is 'Always ask permission'.
If you set this policy to 'WithCustomPrimaryPassword', users will be asked to create their custom password and then to be redirected to Settings. After the custom password is set, users can authenticate themselves using the custom password and their passwords will get auto-filled after successful authentication. The frequency for authentication prompt will be set to 'Ask permission once per browsing session' by default. However, users can change it to the other option, which is 'Always ask permission'.
If you set this policy to 'AutofillOff', saved passwords will no longer be suggested for autofill.
Policy options mapping:
Automatically (0) = Automatically
WithDevicePassword (1) = With device password
WithCustomPrimaryPassword (2) = With custom primary password
AutofillOff (3) = Autofill off
Use the preceding information when configuring this policy.
Policy options mapping:
Use this information when configuring this policy.
- Automatically (0) = Automatically
- WithDevicePassword (1) = With device password
- WithCustomPrimaryPassword (2) = With custom primary password
- AutofillOff (3) = Autofill off
Supported features
- Can be mandatory: Yes
- Can be recommended: No
- Dynamic Policy Refresh: Yes
- Per Profile: Yes
- Applies to a profile that is signed in with a Microsoft account: No
Data type
- Integer
Windows information and settings
Group Policy (ADMX) info
- GP unique name: PrimaryPasswordSetting
- GP name: Configures a setting that asks users to enter their device password while using password autofill
- GP path (Mandatory): Administrative Templates/Microsoft Edge/Password manager and protection
- GP path (Recommended): N/A
- GP ADMX file name: MSEdge.admx
Example value
Automatically
Registry settings
- Path (Mandatory): SOFTWARE\Policies\Microsoft\Edge
- Path (Recommended): N/A
- Value name: PrimaryPasswordSetting
- Value type: REG_DWORD
Example registry value
0x00000000
Mac information and settings
- Preference Key name: PrimaryPasswordSetting
- Example value:
<integer>0</integer>