Enterprise Policies deployed despite no Group Policy being configured
Our organisation made Group Policy changes today clients relating to disabling Windows Hello on Windows 10. These seem to have had unintended effects on Firefox. Note we do not implement any Firefox specific *.admx — these Firefox Enterprise Policies seem to have been activated by some other means.
The Firefox Enterprise policies are:
- DisableFirefoxAccounts true
- PasswordManagerEnabled false
- OfferToSaveLogins false
- OfferToSaveLoginsDefault false
Upon reporting the side-effect, we rolled-back most of the Group Policy changes, only maintaining the following remnants:
Computer Policy\Administrative Templates\System/Logon
- Turn on convenience PIN sign-in
Computer Policy\Administrative Templates\Windows Components/Biometrics
- Allow domain users to log on using biometrics
- Allow the use of biometrics
- Allow users to log on using biometrics
Computer Policy\Administrative Templates\Windows Components/Windows Hello for Business
- Use biometrics
However, even with only those Group Policies being implemented, the following 2 Firefox Enterprise Policies remain active:
- OfferToSaveLogins false
- OfferToSaveLoginsDefault false
Are the above interactions between Windows Group Policy and Firefox documented or known?
Gekozen oplossing
You can inspect the Mozilla and Firefox keys with the Windows Registry Editor in HKEY_LOCAL_MACHINE and in HKEY_CURRENT_USER with the Windows Registry Editor to see whether GPO policy rules are active.
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\
- HKEY_CURRENT_USER\SOFTWARE\Policies\Mozilla\Firefox\
Note that the mere presence of the "Mozilla\Firefox\" key is sufficient to make Firefox display this notification, so if you have the Firefox key then remove it and only leave the Mozilla key or remove this key as well if it is empty.
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\ =>
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\
Alle antwoorden (5)
Also, the following behaviour within Firefox not consistent with the Firefox Enterprise Policies outlined above has changed. When I load a page for which a username and password exists in the Password Manager, the uername and password fields are not filled in by Firefox. I can go into Password Manager and manually copy and paste the values into the form, but they won't autofill.
Autofill logins and passwords is checked in about:preferences#privacy
This is looking like a bug to me. Should I post to Bugzilla?
Can you use "Fill Login" and "Fill Password" in the right-click context menu ? Are these users using the Primary Password ?
Autofill normally only works if there is only one login saved for this origin.
As a test you can temporarily set signon.debug = true and check the Browser Console for login related messages.
You can check the about:policies#active page to see whether policies are active (63+).
- Fill Login from the right-click context menu works, and automatically fills in the password without needing to select Fill Password. [Actually, I didn't know this feature exists at all, so thank you :-) I can work with the browser using this, although it remains a change from the previous and expected behaviour.]
- Nothing on the console when enabling signon.debug = true when loading a site where I have only one logon, either before or after using Fill Login from the right-click context menu.
- Output from about:policies#active is attached. Given the output, I checked Resultant Set of Policy on my Windows 10 client and noted it indeed had these 2 configured to Disabled in Group Policy, contrary to what I believed had been configured. So I reconfigured these to Not configured in Group Policy, ran gpupdate.exe /force, checked gpresult.exe to confirm they were reset, but still no change in about:policies#active To experiment, I reconfigured these to Enabled in Group Policy, ran gpupdate.exe /force, checked output of gpresult.exe had changed. But still no change in about:policies#active.
Output of gpresult.exe with the 2 policies set to 'Enabled' and 'Not configured' attached — no Mozilla/Firefox node in the 'Not configured' example since there was no Group Policy configured at all for Firefox.
Perhaps my colleague did set the 2 policies originally, but I can't explain how the change I'm making now to Group Policy isn't being picked up by Firefox. I must be missing something! What is it?
Bewerkt door Damon op
Gekozen oplossing
You can inspect the Mozilla and Firefox keys with the Windows Registry Editor in HKEY_LOCAL_MACHINE and in HKEY_CURRENT_USER with the Windows Registry Editor to see whether GPO policy rules are active.
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\
- HKEY_CURRENT_USER\SOFTWARE\Policies\Mozilla\Firefox\
Note that the mere presence of the "Mozilla\Firefox\" key is sufficient to make Firefox display this notification, so if you have the Firefox key then remove it and only leave the Mozilla key or remove this key as well if it is empty.
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\ =>
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\
I feel like a dill. Group Policies were being applied to both Computer and User, I had only checked the User. I am grateful for your assistance.