Important:
This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
4/8/2010

The following table describes the registry settings for the Authentication Reset System.

Global Settings

This setting is used by Aygshell and the LAP, and can be used by any application.

AuthenticationReset

Description

Specifies whether or not the user is allowed to reset authentication on the device.

Registry Location

HKLM\Comm\Security\Policy\LASSD\AuthReset [AuthenticationReset]

Type

REG_DWORD

Default Value

<None>

Values

0 - Authentication Reset is disabled.

1 - Authentication Reset is enabled.

Not specified or other values are the same as 0.

Note:
This registry setting does not depend on the PasswordNotRequired policy. An administrator can set AuthenticationReset=1 even if no password is required on the device.

Common Authentication Reset Settings

These settings are designed for use by any Authentication Reset Component.

RequestMessage

Description

The override string to be shown as the reset message. This registry value should be set by the IT administrator, if necessary. The user will be prompted with this message before beginning the Authentication Reset process. This message should identify prerequisites for the process, such as network connectivity, and identify any potential pitfalls for the user (e.g., "this process may take several hours to complete").

If this registry key does not exist, the default reset message will be used.

Registry Location

HKLM\Comm\Security\Policy\LASSD\AuthReset [RequestMessage]

Type

REG_SZ

Default Value

<None>

RequestSuccessMessage

Description

The override string to be shown as the success message. This registry value should be set by the IT administrator, if necessary. This message will be displayed if the Authentication Reset process completes successfully.

If this registry key does not exist, a default success message will be used.

Registry Location

HKLM\Comm\Security\Policy\LASSD\AuthReset [RequestSuccessMessage]

Type

REG_SZ

Default Value

<None>

RequestFailureMessage

Description

The override string to be shown as the generic failure message. This registry value should be set by the IT administrator, if necessary. This message will be displayed if the Authentication Reset process fails.

If this registry key does not exist, a default failure message will be used.

Registry Location

HKLM\Comm\Security\Policy\LASSD\AuthReset [RequestFailureMessage]

Type

REG_SZ

Default Value

<None>

WaitMessage

Description

The override string to be shown as the wait message. This registry value should be set by the IT administrator, if necessary. This message will be displayed when the Authentication Reset Component requires a significant amount of time to perform an action, such as connecting to a remote server. The default implementation displays this message when synchronizing with the Exchange Server. Third-party Authentication Reset Components may choose to ignore this value.

If this registry key does not exist, a default wait message will be used.

Registry Location

HKLM\Comm\Security\Policy\LASSD\AuthReset [WaitMessage]

Type

REG_SZ

Default Value

<None>

Timeout

Description

Timeout to allow or deny Authentication Reset, in seconds. The default implementation uses this timeout while waiting for user input and connecting to the Exchange Server. If the timeout elapses, the process is canceled. Third-party Authentication Reset Components may choose to ignore this value or use it in any way deemed appropriate.

The default implementation uses a timeout of 120 (2 minutes) if this value is not set.

Registry Location

HKLM\Comm\Security\Policy\LASSD\AuthReset [Timeout]

Type

REG_DWORD

Default Value

120

Values

0 - No timeout is enforced.

1 to 4294967295 - Number of seconds until timeout.

Aygshell Settings

These settings are used by Aygshell only.

Authentication Reset DLL

Description

The path to the DLL to use as the Authentication Reset Component. This DLL must conform to the standards outlined for Authentication Reset Components. If the DLL is not in the Windows directory, the registry value must contain the full path.

The system checks the policy value first, and if no DLL is specified, it falls back to the user value.

If neither registry key exists, no Authentication Reset Component is loaded and Authentication Reset setup and requests fail.

Registry Location

HKLM\Comm\Security\Policy\LASSD\AuthReset [Dll] (policy value)

HKLM\Comm\Security\LASSD\AuthReset [Dll] (user value)

Type

REG_SZ

Default Value

"\Windows\lap_pw.dll" (user value)

ARC Settings

These settings are used for the Authentication Reset Component (ARC).

HashAlgorithm

Description

The identifier of the algorithm used to generate a hash of the Admin Key for integrity-checking purposes. OEMs can update this if new algorithms are installed on the device.

The ARC uses 0x800C (CALG_SHA_256) if this value is not set.

Registry Location

HKLM\Comm\Security\Policy\LASSD\AuthReset\ExchangeAR [HashAlgorithm]

Type

REG_DWORD

Default Value

<None>

Values

Algorithm identifiers are defined in Wincrypt.h. The algorithm must have the ALG_CLASS_HASH bit set and may not include the following hash types:

ALG_SID_MD2, ALG_SID_MD4, ALG_SID_MD5, ALG_SID_SHA, ALG_SID_SHA1, ALG_SID_MAC, ALG_SID_RIPEMD, ALG_SID_RIPEMD160, ALG_SID_SSL3SHAMD5, ALG_SID_HMAC, ALG_SID_TLS1PRF, ALG_SID_HASH_REPLACE_OWF

If any of the disallowed hash types are specified, the default value is used.

The algorithm must be supported by the default provider, or the provider specified by CryptoProviderName and/or CryptoProviderType.

EncryptionAlgorithm

Description

The identifier of the algorithm used for encryption. OEMs can update this if new algorithms are installed on the device.

The ARC uses 0x660E (CALG_AES_128) if this value is not set.

Registry Location

HKLM\Comm\Security\Policy\LASSD\AuthReset\ExchangeAR [EncryptionAlgorithm]

Type

REG_DWORD

Default Value

<None>

Values

Algorithm identifiers are defined in Wincrypt.h. The algorithm should denote a stream cipher. It must have the ALG_CLASS_DATA_ENCRYPT bit set and may not include the following encryption types:

ALG_SID_DES, ALG_SID_3DES_112, ALG_SID_3DES, ALG_SID_DESX, ALG_SID_RC2, ALG_SID_RC4, ALG_SID_SEAL, ALG_SID_SKIPJACK, ALG_SID_TEK, ALG_SID_CYLINK_MEK, ALG_SID_AES

If any of the disallowed encryption types are specified, the default value is used.

The algorithm and provider must support key lengths of 512 bits or smaller. If the default key length is greater than 512 bits, an alternate key size must be set in the upper 16 bits of this value. For example, if the default key length is 1024 bits, but the algorithm supports key lengths of 512 bits, then the value 0x02000000 is combined with the algorithm identifier in a bitwise OR operation. Notice that the upper 16 bits of 0x02000000 are 0x0200, or 512 in decimal notation. If none of the upper 16 bits are set, a key of the default size is generated.

The algorithm must be supported by the default provider, or the provider specified by CryptoProviderName and/or CryptoProviderType.
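The HashAlgorithm and EncryptionAlgorithm rules above (the ALG_CLASS bit check, the disallowed ALG_SID lists with fallback to the default, and the key size packed into the upper 16 bits) worked through in C. This is an added example, not code from the ARC or from Wincrypt.h; the constant values are the ones Wincrypt.h defines, and treating a value with the wrong class bits like a disallowed one is an assumption, since the page only states the fallback for disallowed SIDs.

```c
#include <stddef.h>
#include <stdint.h>
typedef uint32_t ALG_ID;

/* Constants copied from Wincrypt.h so the example builds without the Windows SDK. */
#define ALG_CLASS_HASH         (4u << 13)   /* 0x8000 */
#define ALG_CLASS_DATA_ENCRYPT (3u << 13)   /* 0x6000 */
#define GET_ALG_CLASS(x)       ((x) & (7u << 13))
#define GET_ALG_SID(x)         ((x) & 511u)
#define CALG_SHA_256           0x800Cu      /* ARC default when HashAlgorithm is unset */
#define CALG_AES_128           0x660Eu      /* ARC default when EncryptionAlgorithm is unset */

/* ALG_SID_* of the disallowed hash types: MD2, MD4, MD5, SHA/SHA1 (both 4), MAC,
   RIPEMD, RIPEMD160, SSL3SHAMD5, HMAC, TLS1PRF, HASH_REPLACE_OWF. */
static const unsigned kBadHashSids[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11};
/* ALG_SID_* of the disallowed cipher types: DES, RC2, 3DES, DESX, 3DES_112, SKIPJACK,
   TEK, CYLINK_MEK, AES (generic). RC4 and SEAL share SIDs 1 and 2, so they match too. */
static const unsigned kBadEncSids[] = {1, 2, 3, 4, 9, 10, 11, 12, 17};

static int sid_in(unsigned sid, const unsigned *list, size_t n) {
    for (size_t i = 0; i < n; i++) if (list[i] == sid) return 1;
    return 0;
}

/* Hash ALG_ID the ARC ends up using; present == 0 models a missing registry value.
   Assumption: a value without the ALG_CLASS_HASH bit is treated like a disallowed one. */
ALG_ID effective_hash_alg(int present, uint32_t reg_value) {
    if (!present || GET_ALG_CLASS(reg_value) != ALG_CLASS_HASH) return CALG_SHA_256;
    if (sid_in(GET_ALG_SID(reg_value), kBadHashSids, sizeof kBadHashSids / sizeof *kBadHashSids))
        return CALG_SHA_256;
    return reg_value;
}

/* Packs an EncryptionAlgorithm value: ALG_ID in the low 16 bits, key size in bits
   in the upper 16 (0 = provider default); 512 bits gives the page's 0x02000000 | alg. */
uint32_t make_enc_alg_value(ALG_ID alg, unsigned key_bits) {
    return ((uint32_t)(key_bits & 0xFFFFu) << 16) | (alg & 0xFFFFu);
}

/* Cipher ALG_ID the ARC ends up using; *key_bits receives the requested key size.
   Assumption: a value without the ALG_CLASS_DATA_ENCRYPT bits also falls back. */
ALG_ID effective_enc_alg(int present, uint32_t reg_value, unsigned *key_bits) {
    ALG_ID alg = reg_value & 0xFFFFu;
    *key_bits = 0;
    if (!present || GET_ALG_CLASS(alg) != ALG_CLASS_DATA_ENCRYPT) return CALG_AES_128;
    if (sid_in(GET_ALG_SID(alg), kBadEncSids, sizeof kBadEncSids / sizeof *kBadEncSids))
        return CALG_AES_128;
    *key_bits = reg_value >> 16;
    return alg;
}
```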

CryptoProviderName

Description

The name of a cryptographic services provider that supports the encryption and hashing algorithms specified. OEMs can update this if new providers are installed on the device.

The ARC uses the default provider if this value is not set (see documentation for CryptAcquireContext).

Registry Location

HKLM\Comm\Security\Policy\LASSD\AuthReset\ExchangeAR [CryptoProviderName]

Type

REG_SZ

Default Value

<None>

Values

The specified provider must be the type of provider specified in the CryptoProviderType registry value, or the default type if none exists. It must support the algorithm specified in the EncryptionAlgorithm and HashAlgorithm registry values or the default algorithms.

CryptoProviderType

Description

The identifier of a cryptographic services provider type that supports the encryption and hashing algorithms specified. OEMs can update this if new providers are installed on the device.

The ARC uses 24 (PROV_RSA_AES) if this value is not set.

Registry Location

HKLM\Comm\Security\Policy\LASSD\AuthReset\ExchangeAR [CryptoProviderType]

Type

REG_DWORD

Default Value

<None>

Values

Cryptographic service providers are defined in Wincrypt.h. The provider must support the algorithm specified in the EncryptionAlgorithm and HashAlgorithm registry values or the default algorithms.

RecoveryPwdLength

Description

Specifies the number of characters to include in the recovery password.

The ARC uses 20 if this value is not set.

Registry Location

HKLM\Comm\Security\Policy\LASSD\AuthReset\ExchangeAR [RecoveryPwdLength]

Type

REG_DWORD

Default Value

<None>

Values

This value must be greater than 0 and less than 2048.
