Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Enterprise Policies deployed despite no Group Policy being configured

  • 5 majibu
  • 1 ana tatizo hili
  • 1 view
  • Last reply by Damon

more options

Our organisation made Group Policy changes today clients relating to disabling Windows Hello on Windows 10. These seem to have had unintended effects on Firefox. Note we do not implement any Firefox specific *.admx — these Firefox Enterprise Policies seem to have been activated by some other means.

The Firefox Enterprise policies are:

  • DisableFirefoxAccounts true
  • PasswordManagerEnabled false
  • OfferToSaveLogins false
  • OfferToSaveLoginsDefault false

Upon reporting the side-effect, we rolled-back most of the Group Policy changes, only maintaining the following remnants:

Computer Policy\Administrative Templates\System/Logon

  • Turn on convenience PIN sign-in

Computer Policy\Administrative Templates\Windows Components/Biometrics

  • Allow domain users to log on using biometrics
  • Allow the use of biometrics
  • Allow users to log on using biometrics

Computer Policy\Administrative Templates\Windows Components/Windows Hello for Business

  • Use biometrics

However, even with only those Group Policies being implemented, the following 2 Firefox Enterprise Policies remain active:

  • OfferToSaveLogins false
  • OfferToSaveLoginsDefault false

Are the above interactions between Windows Group Policy and Firefox documented or known?

Our organisation made Group Policy changes today clients relating to disabling Windows Hello on Windows 10. These seem to have had unintended effects on Firefox. Note we '''do not''' implement any Firefox specific *.admx — these Firefox Enterprise Policies seem to have been activated by some other means. The Firefox Enterprise policies are: * ''DisableFirefoxAccounts'' true * ''PasswordManagerEnabled'' false * ''OfferToSaveLogins'' false * ''OfferToSaveLoginsDefault'' false Upon reporting the side-effect, we rolled-back most of the Group Policy changes, only maintaining the following remnants: '''Computer Policy\Administrative Templates\System/Logon''' * Turn on convenience PIN sign-in '''Computer Policy\Administrative Templates\Windows Components/Biometrics''' * Allow domain users to log on using biometrics * Allow the use of biometrics * Allow users to log on using biometrics '''Computer Policy\Administrative Templates\Windows Components/Windows Hello for Business''' * Use biometrics However, even with only those Group Policies being implemented, the following 2 Firefox Enterprise Policies remain active: * ''OfferToSaveLogins'' false * ''OfferToSaveLoginsDefault'' false Are the above interactions between Windows Group Policy and Firefox documented or known?

Chosen solution

You can inspect the Mozilla and Firefox keys with the Windows Registry Editor in HKEY_LOCAL_MACHINE and in HKEY_CURRENT_USER with the Windows Registry Editor to see whether GPO policy rules are active.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\
  • HKEY_CURRENT_USER\SOFTWARE\Policies\Mozilla\Firefox\

Note that the mere presence of the "Mozilla\Firefox\" key is sufficient to make Firefox display this notification, so if you have the Firefox key then remove it and only leave the Mozilla key or remove this key as well if it is empty.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\ =>
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\
Read this answer in context 👍 0

All Replies (5)

more options

Also, the following behaviour within Firefox not consistent with the Firefox Enterprise Policies outlined above has changed. When I load a page for which a username and password exists in the Password Manager, the uername and password fields are not filled in by Firefox. I can go into Password Manager and manually copy and paste the values into the form, but they won't autofill.

Autofill logins and passwords is checked in about:preferences#privacy

This is looking like a bug to me. Should I post to Bugzilla?

more options

Can you use "Fill Login" and "Fill Password" in the right-click context menu ? Are these users using the Primary Password ?

Autofill normally only works if there is only one login saved for this origin.

As a test you can temporarily set signon.debug = true and check the Browser Console for login related messages.

You can check the about:policies#active page to see whether policies are active (63+).

more options
  1. Fill Login from the right-click context menu works, and automatically fills in the password without needing to select Fill Password. [Actually, I didn't know this feature exists at all, so thank you :-) I can work with the browser using this, although it remains a change from the previous and expected behaviour.]
  2. Nothing on the console when enabling signon.debug = true when loading a site where I have only one logon, either before or after using Fill Login from the right-click context menu.
  3. Output from about:policies#active is attached. Given the output, I checked Resultant Set of Policy on my Windows 10 client and noted it indeed had these 2 configured to Disabled in Group Policy, contrary to what I believed had been configured. So I reconfigured these to Not configured in Group Policy, ran gpupdate.exe /force, checked gpresult.exe to confirm they were reset, but still no change in about:policies#active To experiment, I reconfigured these to Enabled in Group Policy, ran gpupdate.exe /force, checked output of gpresult.exe had changed. But still no change in about:policies#active.

Output of gpresult.exe with the 2 policies set to 'Enabled' and 'Not configured' attached — no Mozilla/Firefox node in the 'Not configured' example since there was no Group Policy configured at all for Firefox.

Perhaps my colleague did set the 2 policies originally, but I can't explain how the change I'm making now to Group Policy isn't being picked up by Firefox. I must be missing something! What is it?

Modified by Damon

more options

Suluhisho teule

You can inspect the Mozilla and Firefox keys with the Windows Registry Editor in HKEY_LOCAL_MACHINE and in HKEY_CURRENT_USER with the Windows Registry Editor to see whether GPO policy rules are active.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\
  • HKEY_CURRENT_USER\SOFTWARE\Policies\Mozilla\Firefox\

Note that the mere presence of the "Mozilla\Firefox\" key is sufficient to make Firefox display this notification, so if you have the Firefox key then remove it and only leave the Mozilla key or remove this key as well if it is empty.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\ =>
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\
more options

I feel like a dill. Group Policies were being applied to both Computer and User, I had only checked the User. I am grateful for your assistance.