Share via


PrimaryPasswordSetting

Configures a setting that asks users to enter their device password while using password autofill

Supported versions

  • On Windows and macOS since 93 or later

Description

The feature helps users add an additional layer of privacy to their online accounts by requiring device authentication (as a way of confirming the user's identity) before the saved password is auto-filled into a web form. This ensures that non-authorized persons can't use saved passwords for autofill. Note that this feature does not protect against locally-running malware.

This group policy configures the radio button selector that enables this feature for users. It also has a frequency control where users can specify how often they would like to be prompted for authentication.

If you set this policy to 'Automatically', disable this policy, or don't configure this policy, autofill will not have any authentication flow.

If you set this policy to 'WithDevicePassword', users will have to enter their device password (or preferred mode of authentication under Windows) to prove their identity before their password is auto filled. Authentication modes include Windows Hello, PIN, face recognition, or fingerprint. The frequency for authentication prompt will be set to 'Ask permission once per browsing session' by default. However, users can change it to the other option, which is 'Always ask permission'.

If you set this policy to 'WithCustomPrimaryPassword', users will be asked to create their custom password and then to be redirected to Settings. After the custom password is set, users can authenticate themselves using the custom password and their passwords will get auto-filled after successful authentication. The frequency for authentication prompt will be set to 'Ask permission once per browsing session' by default. However, users can change it to the other option, which is 'Always ask permission'.

If you set this policy to 'AutofillOff', saved passwords will no longer be suggested for autofill.

Policy options mapping:

  • Automatically (0) = Automatically

  • WithDevicePassword (1) = With device password

  • WithCustomPrimaryPassword (2) = With custom primary password

  • AutofillOff (3) = Autofill off

Use the preceding information when configuring this policy.

Policy options mapping:

Use this information when configuring this policy.

  • Automatically (0) = Automatically
  • WithDevicePassword (1) = With device password
  • WithCustomPrimaryPassword (2) = With custom primary password
    • On Windows and macOS since 107 or later
  • AutofillOff (3) = Autofill off
    • On Windows and macOS since 107 or later

Supported features

  • Can be mandatory: Yes
  • Can be recommended: No
  • Dynamic Policy Refresh: Yes
  • Per Profile: Yes
  • Applies to a profile that is signed in with a Microsoft account: No

Data type

  • Integer

Windows information and settings

Group Policy (ADMX) info

  • GP unique name: PrimaryPasswordSetting
  • GP name: Configures a setting that asks users to enter their device password while using password autofill
  • GP path (Mandatory): Administrative Templates/Microsoft Edge/Password manager and protection
  • GP path (Recommended): N/A
  • GP ADMX file name: MSEdge.admx

Example value

Automatically

Registry settings

  • Path (Mandatory): SOFTWARE\Policies\Microsoft\Edge
  • Path (Recommended): N/A
  • Value name: PrimaryPasswordSetting
  • Value type: REG_DWORD

Example registry value

0x00000000

Mac information and settings

  • Preference Key name: PrimaryPasswordSetting
  • Example value:
<integer>0</integer>

See also