Information
This policy setting allows you to control whether a domain user can sign in using a picture password.
The recommended state for this setting is: Enabled.
Note: If the picture password feature is permitted, the user's domain password is cached in the system vault when using it.
Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf in which someone observes the on-screen gestures would allow that person to gain access to the system without knowing the complex password. Vertical monitor screens displaying an image are much more visible at a distance than horizontal keystrokes, increasing the likelihood that the mouse gestures are successfully observed.
Solution
To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled:
Administrative Templates\System\Logon\Turn off picture password sign-in
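The following PowerShell audit function is an added example, not part of the benchmark text, for verifying on an endpoint that the policy above has actually applied. It assumes that "Turn off picture password sign-in", when Enabled, is backed by the REG_DWORD value BlockDomainPicturePassword set to 1 under HKLM:\SOFTWARE\Policies\Microsoft\Windows\System; confirm that mapping against the System.admx definition in your environment before relying on the check. The function name and output object are illustrative.

```powershell
# Added audit example (not from the benchmark). Assumption: the policy
# "Turn off picture password sign-in" writes BlockDomainPicturePassword = 1
# (REG_DWORD) under HKLM:\SOFTWARE\Policies\Microsoft\Windows\System when
# Enabled. Verify against System.admx before using in production scans.
function Test-PicturePasswordDisabled {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System',
        [string]$ValueName = 'BlockDomainPicturePassword'
    )

    # Get-ItemProperty returns nothing (and we suppress the error) when either
    # the key or the named value is missing; both cases mean Not Configured.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Compliant = $false
            Actual    = $null
            Reason    = 'Value not present: policy Not Configured, picture password still allowed'
        }
    }

    $actual = [int]$item.$ValueName
    [pscustomobject]@{
        Compliant = ($actual -eq 1)
        Actual    = $actual
        Reason    = if ($actual -eq 1) { 'Policy Enabled' } else { 'Policy Disabled or unexpected value' }
    }
}

# Usage: run elevated on the endpoint; non-zero exit code flags a finding
# for a scheduled compliance job.
$result = Test-PicturePasswordDisabled
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

Treat an absent value as non-compliant rather than unknown: with the policy Not Configured, Windows keeps picture password sign-in available, which is the exposure the setting is meant to remove.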
Impact:
Users will not be able to set up or sign in with a picture password.