Background
Once Passwordless sign-in has been enabled for your QP tenant, machines with the Quickpass Agent installed should display the "Technician Sign-In" tile on the machine's login screen. Depending on the configuration of the local machine and/or the domain, we have seen some configurations cause the "Technician Sign-In" tile not to appear even though the solution is enabled in the QP tenant.
This article gives in-depth instructions for troubleshooting this issue so that you can use the Passwordless MFA for technicians solution.
Prerequisites
- Privileged access to the affected system (e.g., Administrator access, or an RMM agent running as System or Administrator)
Diagnose and Resolve
1. Confirm if the local policies referenced below are set to 'ENABLED'.
2. Open and navigate to:
Local Security Policy > Local Policies > Security Options > Interactive Logon: Don't display last signed-in
and/or
Local Security Policy > Local Policies > Security Options > Interactive Logon: Don't display username at sign-in
NOTE: To check the policy state via script, open PowerShell as Administrator and run the following PowerShell script: *
# Define the path to the registry key
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Define the name of the registry value
$regName = "DontDisplayLastUserName"
# Get the value of the registry key
$regValue = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
# Check if the registry value exists and determine its state
if ($null -ne $regValue) {
    if ($regValue.$regName -eq 1) {
        Write-Host "OUTPUT: $regName is ENABLED"
    } else {
        Write-Host "OUTPUT: $regName is DISABLED"
    }
} else {
    Write-Host "OUTPUT: $regName is DISABLED"
}
* To check the policy 'Interactive Logon: Don't display username at sign-in' via script, change the $regName value to "DontDisplayUserName".
Once the script has run, note the output to determine whether the 'DontDisplayLastUserName'/'DontDisplayUserName' value is 'ENABLED' or 'DISABLED'.
3. If the policy is set to 'ENABLED', set it to 'DISABLED', then sign out of the affected machine and attempt to sign in using the Passwordless Technician Sign-In tile once more.
NOTE: For domain joined machines, these policies may be defined via Group Policy.
Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options → Interactive logon: Don’t display last signed-in
and/or
Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options → Interactive logon: Don’t display username at sign-in
4. Once the policy has been DISABLED, sign out of the affected machine and attempt to sign in using the Passwordless Technician Sign-In tile once more.
5. If the Passwordless Technician Sign-In tile is still missing, please contact CyberQP Support <support@cyberqp.com> for additional troubleshooting.
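The checks in steps 1 to 3 can be combined into a single read-only pass, which is convenient when running through an RMM agent. The script below is an added example, not CyberQP's own code; the function name Get-LogonTilePolicyState and the domain-membership check through Win32_ComputerSystem are assumptions made for this illustration, while the registry path and value names are the ones used above.

```powershell
# Added example: audit both logon-screen policies in one pass (read-only).
# Get-LogonTilePolicyState is a hypothetical helper name, not part of the Quickpass Agent.
function Get-LogonTilePolicyState {
    [CmdletBinding()]
    param(
        [string]$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    # Policy display name -> registry value name (both names come from this article)
    $policies = [ordered]@{
        "Interactive Logon: Don't display last signed-in"      = 'DontDisplayLastUserName'
        "Interactive Logon: Don't display username at sign-in" = 'DontDisplayUserName'
    }

    # On domain-joined machines Group Policy may define (and re-apply) these values
    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    foreach ($entry in $policies.GetEnumerator()) {
        $item = Get-ItemProperty -Path $RegPath -Name $entry.Value -ErrorAction SilentlyContinue
        $raw  = if ($null -ne $item) { $item.($entry.Value) } else { $null }

        # A missing value is reported as DISABLED, matching the script above
        [pscustomobject]@{
            Policy       = $entry.Key
            ValueName    = $entry.Value
            RawValue     = if ($null -eq $raw) { '(not set)' } else { $raw }
            State        = if ($raw -eq 1) { 'ENABLED' } else { 'DISABLED' }
            DomainJoined = $domainJoined
        }
    }
}

$results = @(Get-LogonTilePolicyState)
$results | Format-Table -AutoSize

$enabled = @($results | Where-Object State -eq 'ENABLED')
if ($enabled.Count -gt 0) {
    Write-Host "OUTPUT: $($enabled.ValueName -join ', ') ENABLED; the Technician Sign-In tile may be hidden."
    if ($results[0].DomainJoined) {
        Write-Host "OUTPUT: Machine is domain joined; check Group Policy before changing the local policy."
    }
} else {
    Write-Host "OUTPUT: Both policies are DISABLED."
}
```

The script only reads the registry and changes nothing. On a domain-joined machine that reports ENABLED, review the Group Policy paths listed in the step 3 note, since the policy may be defined there rather than locally.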