Policy CSP - Accounts


Accounts policies

Accounts/AllowAddingNonMicrosoftAccountsManually
Accounts/AllowMicrosoftAccountConnection
Accounts/AllowMicrosoftAccountSignInAssistant
Accounts/DomainNamesForEmailSync
Accounts/RestrictToEnterpriseDeviceAuthenticationOnly

Accounts/AllowAddingNonMicrosoftAccountsManually

Edition Windows 10 Windows 11
Home No No
Pro Yes Yes
Windows SE No Yes
Enterprise Yes Yes
Education Yes Yes

Scope:

  • Device

Specifies whether user is allowed to add email accounts other than Microsoft account.

Most restricted value is 0.

Note

 This policy will only block UI/UX-based methods for adding non-Microsoft accounts.

The following list shows the supported values:

  • 0 - Not allowed.
  • 1 (default) - Allowed.

Accounts/AllowMicrosoftAccountConnection

Edition Windows 10 Windows 11
Home No No
Pro Yes Yes
Windows SE No Yes
Business Yes Yes
Enterprise Yes Yes
Education Yes Yes

Scope:

  • Device

Specifies whether the user is allowed to use a Microsoft account for non-email related connection authentication and services.

Most restricted value is 0.

The following list shows the supported values:

  • 0 - Not allowed.
  • 1 (default) - Allowed.

Accounts/AllowMicrosoftAccountSignInAssistant

Edition Windows 10 Windows 11
Home No No
Pro Yes Yes
Windows SE No Yes
Business Yes Yes
Enterprise Yes Yes
Education Yes Yes

Scope:

  • Device

Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.

Note

 If the Microsoft account service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See Feature updates are not being offered while other updates are.

Note

If the Microsoft account service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the Microsoft account ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.

The following list shows the supported values:

  • 0 - Disabled.
  • 1 (default) - Manual start.

Accounts/DomainNamesForEmailSync

Edition Windows 10 Windows 11
Home No No
Pro Yes Yes
Windows SE No Yes
Business Yes Yes
Enterprise Yes Yes
Education Yes Yes

Scope:

  • Device

The following list shows the supported values:


Accounts/RestrictToEnterpriseDeviceAuthenticationOnly

Edition Windows 10 Windows 11
Home No No
Pro No Yes
Business No Yes
Enterprise No Yes
Education No Yes

Scope:

  • Device

Added in Windows 11, version 22H2. This setting determines whether to only allow enterprise device authentication for the Microsoft Account Sign-in Assistant service (wlidsvc). By default, this setting is disabled and allows both user and device authentication. When the value is set to 1, we only allow device authentication and block user authentication.

Most restricted value is 1.

The following list shows the supported values:

  • 0 (default) - Allow both device and user authentication.
  • 1 - Only allow device authentication. Block user authentication.

Policy CSP