Authentication Client

The Authentication Client requires installation/silent deployment. You can download the installation files here. There are no configs or msi parameters required for roll-out.

Specops Authentication Client can be configured using the administrative template in the Group Policy Management Console.

Specops Authentication Client uses ADMX files to change the Windows Registry settings to alter the way the software interacts with the system software. ADMX templates are Windows Group Policy Settings XML-based files that specify which registry keys in the Windows Registry are changed when a certain Group Policy setting is changed (ADML files are the localized XML files containing the text strings associated with the ADMX files).

ADMX templates can be used to change numerous registry keys, but this document focuses on two settings in particular connected to Specops Authentication Client: creating the Start menu shortcut; and showing/hiding the reset password link on the logon page.

Accessing the Specops ADMX templates

To access the ADMX templates associated with Specops Authentication Client, open the Group Policy Management tool, right-click the Group Policy Object you want to change, and select Edit. In the tree navigation, navigate to Computer Configuration > Policies > Administrative templates: Policy definitions (ADMX files) > Specops Authentication Client. There you will find all the ADMX templates associated with Specops Authentication Client.

Hiding the reset password link on the logon page

Start menu shortcut creation


Location:General Client settings > Create start menu shortcuts to enroll/change/reset

With Specops Authentication Client installed, when a user logs in to Windows, start menu shortcuts to enroll, reset and change password are created. These are convenience shortcuts for users to easily use Specops uReset or Specops Password Reset. This setting allows you to hide those shortcuts, in case these should not be shown. If those shortcuts have already been created on a computer, they will be removed at next logon if this setting has been set to disabled.

  1. Open the Create start menu shortcuts to enroll/change/reset file.
  2. Select the Disabled radio button.
  3. Click OK.
    to enable the setting again, you can set the radio button to either Not configured or Enabled.
    Alt text for this image

Creating a Central Store for Group Policy Administrative Templates


The Central Store for Administrative Templates allows you to store all template files in a single location on SYSVOL where they can be accessed and presented on any server from your domain. To create a Central Store for Group Policy Administrative Templates, copy the Specops uReset Client ADMX/ADML files from %windir%\PolicyDefinitions.

The ADMX should be copied to:

[your domain]\sysvol\[your domain]\Policies\PolicyDefinitions

The ADML should be copied to:

[your domain]\sysvol\[your domain]\Policies\PolicyDefinitions\en-us

For more information about the Central Store and best practices, visit: www.support.microsoft.com/kb/929841

For help in installing the product and the Client, please refer to the Installation section.

For downloads, please refer to the Downloads section.

Dynamic Feedback UI


The dynamic feedback UI requires Windows 10 or later, or Windows Server 2016
The dynamic feedback at password change is not supported if the Group Policy setting "Interactive Logon: Do not display last username" is set to Enabled.

Specops Secured Browser


The Specops Secured Browser is used to reset passwords for a user from the Windows logon screen. It comes in two flavors, based on WebView2 and Internet Explorer browser engines, respectively. It is recommended to use the WebView2 based Secured Browser where possible.

To use the WebView2 based Secured Browser, the Specops Authentication Client WebView2 runtime must be deployed. The runtime has been tested by Specops to be compatible with the Secured Browser, and is a separate MSI from the Specops Authentication Client.

Using the WebView2 based Secured Browser is supported on Windows 10 and newer operating systems, on 64-bit architecture. Other platforms will use the Internet Explorer based Secured Browser. Note that if the WebView2 runtime isn't installed, the Secured Browser will fall back to Internet Explorer.

Usage

The WebView2 based browser supports uReset 8 and Specops Password Reset. Organizations that have not yet migrated to uReset 8 must use the Internet Explorer-based Secured Browser, and should therefore not deploy the MSI for Specops the WebView2 runtime.

Organizations using uReset 8 or Specops Password Reset

We recommend deploying the Specops Authentication Client WebView2 runtime on x64 Windows 10 or newer client computers.

Organizations using uReset 7

We recommend not deploying the Specops Authentication Client WebView2 runtime (not supported).

Organizations using Specops Password Policy only

We recommend not deploying the Specops Authentication Client WebView2 runtime (not applicable)

WebView2 Common Considerations

WebView2 distributions - Evergreen vs fixed version

Microsoft's WebView2 runtime comes in two flavors, "Evergreen standalone installer" and "Fixed version".

The Specops Authentication Client WebView2 runtime packages a Fixed version WebView2 runtime, to ensure the Microsoft WebView2 runtime is compatible and doesn't introduce breaking changes affecting the Specops Secured Browser.

Microsoft explains the different WebView2 distributions in this article.

Computers with WebView2 Evergreen installed

The Specops Authentication Client WebView2 MSI must still be deployed. Previous installations of WebView2 Evergreen do not affect the Specops Authentication Client.

Required deployment of Specops Authentication Client WebView2 MSI

To ensure the Specops Secured Browser is compatible with the WebView2 runtime used, the Specops Authentication Client WebView2 MSI needs to be deployed, even on computers where Evergreen is installed..

Compatibility with Evergreen

Installing Evergreen will not break the Specops Authentication Client. However, the Specops Authentication Client WebView2 MSI must still be deployed.