In Windows 8 Pro, is there a way that I can enable Picture Password for domain users?

    Question

  • For remote/travelling Windows 8 Pro users who are joined to a Windows domain, is there a way to allow them to log in via a Picture Password?  It sure makes the user's life experience harder if they have to enter a complex password via the on-screen keyboard.  I would prefer them to use Windows Tablets than other less secure tablet devices.

    I have tried changing the setting of Turn off picture password sign-in but this option is still not giving them the option to create a picture password.  Are there other options that I need to know about, GPO settings, etc?

    I have found the below two web sites that indicate that "picture password is disabled in remote and network scenarios".  Is this true? And is there a way to override this option?

    Setting the Tablet not to password lock the screen on wakeup after sleep would be far less secure than using a Picture Password.  However when setting "Require a password on wakeup" to "no", the user was still prompted for a password on wakeup.

    "Also, picture password is disabled in remote and network scenarios, preventing network attacks against the feature."

    http://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx 
     

    "Picture login cannot be used in remote and network scenarios."
    http://www.electronista.com/articles/11/12/16/microsoft.details.picture.password.in.windows.8/#ixzz2FYfmouio


    Thursday, December 20, 2012 3:46 AM

All replies

  • Indeed, picture password will be disabled on a domain joined machine. Please try to add the following registry values to check the result.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPicturePassword"=dword:00000001
    "AllowDomainPINLogon"=dword:00000001


    Niki Han
    TechNet Community Support

    Friday, December 21, 2012 7:28 AM
    Moderator
  • Niki,

    Thanks for the information, sadly this does not work for me.  But it did help me track down the below group policies and sadly these too do not work for me.

    While there are those that report that AllowDomainPicturePassword = 1 does work for them, I can find no information that suggests that this is a valid Windows 8 setting (certainly not in Group Policy), maybe it existed in a Beta version of Windows 8 Pro?

    I still cannot find an option in "PC Settings", "Users" for setting a Picture Password.  I do not even see the option, some suggested it would exist but be greyed out when it is disabled?

    http://www.thewindowsclub.com/activate-deactivate-picture-password-sign-in-windows-8  (they have an error in the last part of their explanation)

    My understanding of logic is that if "BlockDomainPicturePassword" is set to '0' then the Domain Picture Password is not blocked, that is it will be enabled.  But if "BlockDomainPicturePassword" is set to '1' then I have blocked the Domain Picture Password from being used, in other words, disabled it.  I have tried both settings (1 and 0) but neither allowed the Picture Password option to be seen.

    Turn on PIN sign-in  

    Machine   System\Logon  

    HKLM\Software\Policies\Microsoft\Windows\System!AllowDomainPINLogon  

    At least Windows Server 2012, Windows 8 or Windows RT  

    This policy setting allows you to control whether a domain user can sign in using a PIN. If you enable this policy setting, a domain user can set up and sign in with a PIN. If you disable or don't configure this policy setting, a domain user can't set up and use a PIN. Note that the user's domain password will be cached in the system vault when using this feature. 

    Turn off picture password sign-in  

    Machine   System\Logon  

    HKLM\Software\Policies\Microsoft\Windows\System!BlockDomainPicturePassword  

    At least Windows Server 2012, Windows 8 or Windows RT  

    This policy setting allows you to control whether a domain user can sign in using a picture password. If you enable this policy setting, a domain user can't set up or sign in with a picture password.  If you disable or don't configure this policy setting, a domain user can set up and use a picture password. Note that the user's domain password will be cached in the system vault when using this feature. 

    Friday, December 21, 2012 8:26 AM
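
Added example, not part of either post above: a read-only PowerShell check that reports what the three registry values named in this thread are set to on a machine and how the quoted policy descriptions say each one should be read. The helper names are made up for this example; `AllowDomainPicturePassword` is reported raw only, because the thread could not confirm it is a real policy value.

```powershell
# Added example: reads the values only, changes nothing.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-PolicyValue {
    param([string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Format-Raw {
    param($Value)
    if ($null -eq $Value) { 'not set' } else { [string]$Value }
}

$pin   = Get-PolicyValue 'AllowDomainPINLogon'
$block = Get-PolicyValue 'BlockDomainPicturePassword'
$allow = Get-PolicyValue 'AllowDomainPicturePassword'

# Interpretation follows the policy text quoted in the thread:
#   "Turn on PIN sign-in" is an opt-in, so only an explicit 1 allows it.
#   "Turn off picture password sign-in" is an opt-out, so 0 or absent means not blocked.
$pinAllowed     = ($pin -eq 1)
$pictureBlocked = ($block -eq 1)

if ($pinAllowed) { $pinText = 'PIN sign-in allowed for domain users' }
else             { $pinText = 'PIN sign-in not allowed for domain users' }
if ($pictureBlocked) { $picText = 'picture password blocked for domain users' }
else                 { $picText = 'picture password not blocked by this policy' }

$report = @(
    [pscustomobject]@{ Value = 'AllowDomainPINLogon';        Raw = (Format-Raw $pin);   Meaning = $pinText }
    [pscustomobject]@{ Value = 'BlockDomainPicturePassword'; Raw = (Format-Raw $block); Meaning = $picText }
    [pscustomobject]@{ Value = 'AllowDomainPicturePassword'; Raw = (Format-Raw $allow)
                       Meaning = 'suggested in the reply; not confirmed as a policy in this thread' }
)
$report | Format-Table -AutoSize -Wrap

$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
Write-Output "Domain joined: $domainJoined"

# Both policy descriptions note that the domain password is cached in the system vault.
if ($domainJoined -and ($pinAllowed -or -not $pictureBlocked)) {
    Write-Output 'Policy permits PIN and/or picture sign-in: a user who enrolls will have the domain password cached in the system vault.'
}
```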