How do I hide all other Windows credential providers except for LastPass Workstation MFA?

    As a LastPass admin, you can exclude other credential providers from the Windows logon screen so that Workstation MFA is the only available sign-in method for your users.

    Attention: The steps outlined below only apply to Workstation MFA version and earlier. All newer versions allow multiple credential providers to be used. Learn how to update to the latest version.
    Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. How do I upgrade my LastPass Business account with an add-on?
    Notice: This method uses Group Policy to exclude competing credential providers. Admins can also achieve this manually by editing the Registry directly for testing.
    About this task: To exclude other Windows credential providers, do the following:
    1. In Windows Explorer, open the Local Group Policy Editor.
    2. Navigate to Computer Configuration > Administrative Templates > System > Logon.
    3. Right-click the Exclude credential providers setting > Edit.
    4. Click Enabled.
    5. In the "Exclude the following credential providers" field, enter the Class IDs (CLSIDs) of the credential providers to exclude during authentication, separated by commas (CLSIDs listed below).
      Important: You only need to provide the class IDs (CLSIDs) of the credential providers that already appear for your end users.
    6. Click OK to save changes.
    Results: You have hidden all Windows credential providers for your users except for LastPass Workstation MFA.
    What to do next: You can use gpupdate to apply your policy change immediately; otherwise, wait for the standard distribution process.
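
A read-only way to build the value for step 5 and to check the result after the policy applies. This is an added example, not LastPass or Microsoft code. It assumes the standard registry location where Windows registers credential providers and the `ExcludedCredentialProviders` value that the "Exclude credential providers" policy writes; the function names are hypothetical.

```powershell
# Added example: changes nothing, only reads the registry. Run in an elevated PowerShell session.
# CLSID that the page says the Workstation MFA MSI installer adds.
$KeepClsid = '{516F27A5-725B-4477-9273-B3B4D8915ADB}'

# Where Windows registers credential providers (one subkey per CLSID).
$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
# Where the "Exclude credential providers" policy stores its comma-separated list.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'ExcludedCredentialProviders'

function Get-RegisteredProvider {
    Get-ChildItem -Path $ProvidersKey | ForEach-Object {
        [pscustomobject]@{
            Clsid = $_.PSChildName
            Name  = $_.GetValue('')   # the key's default value holds the provider name
        }
    }
}

function Get-ExclusionList {
    param([object[]]$Providers, [string]$Keep)
    # Guard: if the provider to keep is missing, the list would exclude every registered provider.
    if (-not ($Providers | Where-Object { $_.Clsid -ieq $Keep })) {
        throw "Provider $Keep is not registered on this machine; not building an exclusion list."
    }
    ($Providers | Where-Object { $_.Clsid -ine $Keep } |
        Sort-Object Clsid | ForEach-Object { $_.Clsid }) -join ','
}

$providers = @(Get-RegisteredProvider)
$providers | Sort-Object Name | Format-Table Name, Clsid -AutoSize

"Value for the 'Exclude the following credential providers' field:"
Get-ExclusionList -Providers $providers -Keep $KeepClsid

# After gpupdate: report any registered provider the applied policy does not hide.
$current = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
if (-not $current) {
    'Policy value is not set on this machine.'
} else {
    $applied = @($current -split ',' | ForEach-Object { $_.Trim() })
    $notHidden = @($providers | Where-Object { $_.Clsid -ine $KeepClsid -and $applied -notcontains $_.Clsid })
    if ($notHidden.Count -eq 0) { 'All other registered providers are excluded by policy.' }
    else { 'Still visible (not in the policy list):'; $notHidden | Format-Table Name, Clsid -AutoSize }
}
```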

    Windows 10 default credential providers

    Review the default credential providers and their associated class IDs (CLSIDs) below.

    Attention: The following credential provider class ID is added by the MSI installer after you install LastPass Workstation MFA: {516F27A5-725B-4477-9273-B3B4D8915ADB}
    Credential Provider                                  Class ID (CLSID)
    Smartcard Reader Selection Provider                  {1b283861-754f-4022-ad47-a5eaaa618894}
    Smartcard WinRT Provider                             {1ee7337f-85ac-45e2-a23c-37c753209769}
    PicturePasswordLogonProvider                         {2135f72a-90b5-4ed3-a7f1-8bb705ac276a}
    GenericProvider                                      {25CBB996-92ED-457e-B28C-4774084BD562}
    NPProvider                                           {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}
    CngCredUICredentialProvider                          {600e7adb-da3e-41a4-9225-3c0399e88c0c}
    PasswordProvider                                     {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
    PasswordProvider\LogonPasswordReset                  {8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
    FaceCredentialProvider                               {8AF662BF-65A0-4D0A-A540-A338A999D36F}
    Smartcard Credential Provider                        {8FD7E19C-3BF7-489B-A72C-846AB3678C96}
    Smartcard Pin Provider                               {94596c7e-3744-41ce-893e-bbf09122f76a}
    WinBio Credential Provider                           {BEC09223-B018-416D-A0AC-523971B639F5}
    IrisCredentialProvider                               {C885AA15-1764-4293-B82A-0586ADD46B35}
    PINLogonProvider                                     {cb82ea12-9f71-446d-89e1-8d0924e1256e}
    NGC Credential Provider                              {D6886603-9D2F-4EB2-B667-1971041FA96B}
    CertCredProvider                                     {e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}
    WLIDCredentialProvider                               {F8A0B131-5F68-486c-8040-7E8FC3C85BB6}
    TrustedSignal Credential Provider                    {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}
    Automatic Redeployment Credential Provider           {01A30791-40AE-4653-AB2E-FD210019AE88}
    Secondary Authentication Factor Credential Provider  {48B4E58D-2791-456C-9091-D524C6C706F2}
    Cloud Experience Credential Provider                 {C5D7540A-CD51-453B-B22B-05305BA03F07}
    FIDO Credential Provider                             {F8A1793B-7873-4046-B2A7-1F318747F427}