Regarding the issue of being unable to enforce secondary authentication for the Administrator under the "Other User" tile (Windows 10 x64)
I am developing a custom Windows Credential Provider with the main functionality of enforcing secondary authentication when a user logs in as Administrator, while also recording the user's login logs. Initially, I disabled the default PasswordProvider to force all local users to use my provider. My provider would then determine the user type: Administrator accounts would undergo 2FA, while regular users would use password authentication. This approach was straightforward to implement, and the experience for non-Administrator accounts remained unchanged from the original. Additionally, my provider performed its job well.
However, the issue became more complex after the computer was joined to a domain controller. After joining the domain, the "Other User" tile appeared on the login screen. Under this tile, users can log in with any account, including the Administrator, and I am unable to enforce 2FA authentication for the Administrator user.
I have attempted the following solutions to address the "Other User" tile issue, but none have succeeded:
1. Disabled the default PasswordProvider and implemented a custom "Other User" tile. This solution required significant effort and would drastically alter the user experience. Additionally, I couldn't guarantee the stability of certain default functionalities, so I abandoned it halfway.
2. Prevented the use of the Administrator account under the "Other User" tile. I searched extensively for documentation, but Windows doesn't seem to have a mechanism to achieve this.
3. Intercepted messages from the PasswordProvider to force the use of my custom provider when the username was Administrator. However, Credential Providers appear to be isolated, and I couldn't intercept information from other providers within my custom provider.
How should I resolve this issue? I look forward to hearing any valuable insights. Thank you.
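The question's provider decides between "second factor" and "password only" by looking at whether the typed account is the Administrator. The following is an added example (not code from the question's author or from any Windows component) that shows one way to make that decision robustly from an administrator's PowerShell session, so it can be tested against the accounts that actually appear under the "Other User" tile: it keys on the well-known RID 500 and on membership of BUILTIN\Administrators (S-1-5-32-544) rather than on the literal string "Administrator", which misses renamed or localized built-in accounts and DOMAIN\Administrator. The function name `Test-RequiresSecondFactor` and the sample account names are assumptions for illustration; the check runs on the local machine and does not expand nested domain groups.

```powershell
# Added example, not code from the original question.
# Decides whether a logon account should be routed to the second factor.
# Matching on the literal name "Administrator" misses renamed or localized
# built-in accounts and DOMAIN\Administrator; the well-known RID is stable.
function Test-RequiresSecondFactor {
    param(
        # Account as typed at the logon tile, e.g. 'Administrator' or 'CONTOSO\jdoe' (constructed samples)
        [Parameter(Mandatory)][string]$AccountName
    )

    # Resolve the typed name to a SID. Fail closed: an unresolvable name gets 2FA.
    try {
        $account = New-Object System.Security.Principal.NTAccount($AccountName)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        return $true
    }

    # RID 500 is the built-in Administrator both in the local SAM and in every domain.
    if ($sid.Value -match '^S-1-5-21-\d+-\d+-\d+-500$') {
        return $true
    }

    # Direct members of the local Administrators group (BUILTIN\Administrators, S-1-5-32-544).
    # Nested domain groups are not expanded here; a provider that must cover them
    # would also resolve group membership on the domain side.
    $builtinAdmins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $members = Get-LocalGroupMember -SID $builtinAdmins -ErrorAction SilentlyContinue
    foreach ($member in $members) {
        if ($member.SID -eq $sid) { return $true }
    }
    return $false
}

# Constructed sample calls; the result depends on the accounts present on the machine.
'Administrator', 'CONTOSO\jdoe' | ForEach-Object {
    '{0,-24} requires second factor: {1}' -f $_, (Test-RequiresSecondFactor $_)
}
```

Run it in an elevated session on the domain-joined machine; if DOMAIN\Administrator or a renamed built-in account comes back `True` while a plain user comes back `False`, the same SID-based classification can be carried into the credential provider's own user-type check, independent of which tile the name was entered under.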