3 January 2018
3 January 2018

Disable nFront Password Filter Client via GPO or script


If you need to quickly disable the client due to a software conflict or network issue you can do so via a script or via GPO.  You may also use the GPO approach to pre-deploy the client to all of your workstations and let it sit dormant until you go live on a specific date (in which case you clear the GPO option).


The client is disabled by one registry value.  When it is disabled the end-user will use the regular Windows password change process. 


HKLM\Software\Policies\Altus\PassfiltProClient\disable, REG_DWORD (32-bit), value=1


How to disable via a script


Below is a batch file that adds the registry value to a range of IP addresses.  It will go from through and add the value. 


FOR /L %%i IN (1,1,254) DO REG ADD \\10.0.0.%%i\HKLM\Software\Policies\Altus\PassfiltProClient /v disable /t REG_DWORD /d 1

How to disable via GPO


At the domain level create a new GPO.  If the workstations are you are targeting (to disable the client) are in a specific OU you can target the OU instead of the domain .  Give it an easily recognized name  like "nFront Client Options".

nFront Client Options GPO

Click the Edit button to edit the GPO.  Go to Computer Configuration + right-click Administrative Templates + Add/Remove Templates.  Select the nFront-Password-Filter-client-options.adm template.  Click close on the Add/Remove Templates dialog.

Add template for client options

The GPO editor will now show a section for "nFront Password Filter - Client Options" under the Administrative Templates section.  There will be only one policy.  Edit the policy and check the box to "Disable nFront Password Filter Client".

Disable Client

This GPO pushes a few registry settings to all client machines.  It will set HKLM\Software\Policies\Altus\PassfiltProClient\disable, REG_DWORD, value=1. 

Affected Products

nFront Password Filter Client, Windows (all versions)