This policy setting allows you to control whether a domain user can sign in using a picture password. If you enable this policy setting, a domain user can't set up or sign in with a picture password. If you disable or don't configure this policy setting, a domain user can set up and use a picture password. Note: that the user's domain password will be cached in the system vault when using this feature. Countermeasure: Enable and configure this setting if picture passwords are not desired. Potential Impact: Users will need to log on with a different credential provider. Fix: (1) GPO: Computer ConfigurationAdministrative TemplatesSystemLogonTurn off picture password sign-in (2) REG: HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsSystem!BlockDomainPicturePassword

[enabled/disabled]

(1) GPO: Computer Configuration\Administrative Templates\System\Logon\Turn off picture password sign-in (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System!BlockDomainPicturePassword