Configures a setting that asks users to enter their device password while using password autofill

Options

Description

This feature helps users add an additional layer of privacy to their online accounts by requiring device authentication (as a way of confirming the user's identity) before the saved password is autofilled into a web form. This layer ensures that non-authorized persons can't use saved passwords for autofill. This feature doesn't protect against locally running malware. This group policy configures the radio button selector that enables this feature for users. It also has a frequency control where users can specify how often they would like to be prompted for authentication. If you set this policy to 'Automatically', disable this policy, or don't configure this policy, autofill won't have any authentication flow. If you set this policy to 'WithDevicePassword', users have to enter their device password (or preferred mode of authentication under Windows) to prove their identity before their password is autofilled. Authentication modes include Windows Hello, PIN, face recognition, or fingerprint. The frequency for authentication prompt is set to 'Ask permission once per browsing session' by default. However, users can change it to the other option, which is 'Always ask permission'. If you set this policy to 'WithCustomPrimaryPassword', users are asked to create their custom password and to be redirected to Settings. After the custom password is set, users can authenticate themselves using the custom password and their passwords get autofilled after successful authentication. The frequency for authentication prompt is set to 'Ask permission once per browsing session' by default. However, users can change it to the other option, which is 'Always ask permission'. If you set this policy to 'AutofillOff', saved passwords are no longer suggested for autofill. The Custom Primary Password feature will be removed with Edge 149. From this version onward, the Custom Primary Password option will no longer be available. Users who currently have this setting enabled will be automatically migrated to the "Prompt for the device sign-in options" authentication method. Any associated group policies for Custom Primary Password will also be marked as obsolete. Policy options mapping: * Automatically (0) = Automatically * WithDevicePassword (1) = With device password * WithCustomPrimaryPassword (2) = With custom primary password * AutofillOff (3) = Autofill off Use the preceding information when configuring this policy.