Make SSPR from login screen work together with "Interactive logon: Don't display last signed-in" policy
Even if this document https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows mentions that it interferes with SSPR, this should be made to work. There are companies that have used this policy across thousands of PCs for years to protect the identity of the logged-on user when locked. Also, this was a Microsoft recommendation: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name
If no user is displayed, we should ask for username exactly like login prompt does with this policy applied.

Hi folks! We are reviewing this ask. We believe that this issue is addressed in Windows 10 1809 but are still investigating. Thank you for your feedback!
3 comments
-
Anonymous commented
Does anyone know if this has been solved?
-
Anonymous commented
Could you please confirm if this issue has been addressed in 1809 or later?
-
Anonymous commented
@Ovidiu: I stick to your comment. But notice how MS wrote the text in the article you mentioned:
"Your implementation of this policy depends on your security requirements for displayed logon information ... revealing logged on user’s full names or domain account names might contradict your overall security policy."
It is therefore not an MS recommendation ;-).
But technically, I wonder how someone could technically trigger an SSPR for an account at the logon screen without being able to select it for obfuscation reasons... I believe even employees from MS do not use this "Don't display last signed-in" policy anymore.
Maybe MS has better ideas...