Bypassing DigitalPersona Logon Policy

In some urgent cases an administrator may need to access a client machine that has DigitalPersona installed using their administrator password only, i.e. bypassing the DigitalPersona logon policy. DigitalPersona allows this through the following two options.

Microsoft Windows LAPS

The Windows Local Administrator Password Solution (Windows LAPS) is a Microsoft Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices.

You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers.

An authorized administrator can retrieve the DSRM password and use it. You can find more details about Microsoft LAPS at https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview.

If a Microsoft LAPS policy has been set by the IT administrator, your DigitalPersona software will allow the Microsoft LAPS account to log on with a Windows password only, ignoring any MFA logon policy set on this computer. The administrator can then log on to a DigitalPersona client workstation with the Microsoft LAPS account and the Microsoft LAPS password.

Built-in Administrator Account

If the Microsoft LAPS GPO is not configured, the built-in Administrator account can bypass the DigitalPersona logon policy and log on using its Windows password only.

Note: This feature is hardcoded and cannot be changed.

This feature can be disabled using one of the following options.

  • Disable the built-in Administrator account (this account is disabled by default for domain-joined computers).

  • Configure the Microsoft LAPS GPO. If this GPO is configured, it takes precedence over the built-in Administrator exception, so the built-in Administrator will no longer be able to log on with a Windows password only.
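The following PowerShell audit helper is an added example, not part of the DigitalPersona documentation or product. It reports whether a workstation is in the state the text describes (built-in Administrator enabled and no LAPS policy configured) and implements the first option above. It assumes the Windows LAPS policy is stored under HKLM:\SOFTWARE\Microsoft\Policies\LAPS (BackupDirectory 1 or 2 meaning configured) and legacy LAPS under HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd (AdmPwdEnabled = 1); the function names are the example's own.

```powershell
# Added audit helper (not DigitalPersona code). Run elevated on the client.
# The built-in Administrator is identified by its RID (500), not its name,
# because the account may have been renamed.

function Get-BuiltInAdministrator {
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Test-LapsPolicyConfigured {
    # Assumption: Windows LAPS policy location; BackupDirectory 1 = Entra ID, 2 = AD.
    $winLaps = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' `
                                -ErrorAction SilentlyContinue
    if ($winLaps -and ($winLaps.BackupDirectory -in 1, 2)) { return $true }

    # Assumption: legacy (AdmPwd) LAPS policy location.
    $legacy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' `
                               -ErrorAction SilentlyContinue
    if ($legacy -and ($legacy.AdmPwdEnabled -eq 1)) { return $true }

    return $false
}

function Get-DigitalPersonaBypassExposure {
    $admin = Get-BuiltInAdministrator
    $laps  = Test-LapsPolicyConfigured
    [pscustomobject]@{
        BuiltInAdminName          = $admin.Name
        BuiltInAdminEnabled       = [bool]$admin.Enabled
        LapsPolicyConfigured      = $laps
        # Per the text: password-only logon for the built-in Administrator is
        # possible only when the account is enabled and no LAPS GPO takes precedence.
        PasswordOnlyLogonPossible = ([bool]$admin.Enabled -and -not $laps)
    }
}

function Disable-BuiltInAdministrator {
    # Option 1 from the text: disable the RID-500 account if it is enabled.
    $admin = Get-BuiltInAdministrator
    if ($admin.Enabled) { Disable-LocalUser -SID $admin.SID }
    Get-BuiltInAdministrator | Select-Object Name, Enabled
}

Get-DigitalPersonaBypassExposure
```

Review the report before calling Disable-BuiltInAdministrator: on a domain-joined machine the account is normally already disabled, and a workstation that reports LapsPolicyConfigured = True is covered by the second option instead.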