We recently discovered an issue with the with the Lync 2013\Skype for Business GPO (Group Policy Object) that controls a user’s ability to save their password. The Group Policy setting in question is SavePassword and is used to control the ability to prevent users from checking the “Save my password” box. Prior to this update, the SavePassword GPO would uncheck the “Save my password” checkbox, but would leave the box exposed so that users could simply recheck the box.
This issue was resolved with the addition of a new GPO titled AllowSavePassword as detailed in KB 3086665. This new setting must be used IN COMBINATION with the SavePassword GPO as described in the KB. The AllowSavePassword registry when set in proper combination with SavePassword, will remove the “Save my password” checkbox from the Sign In UI.
This update is included as part of the September 2015 update for Lync 2013 and Skype for Business, MS15-097: Description of the security update for Microsoft Lync 2013 (Skype for Business)
You may need to perform additional steps if you wish to force users to enter credentials every time they log in to Lync or Skype for Business. Lync\Sfb saves a certificate in the users Personal certificate store, and this certificate (if present) may need to be removed to prevent the client from automatically logging in. This certificate can be viewed using the certificate MMC, should be of type Client Authentication, and will contain the users SIP address (for example, firstname.lastname@example.org). The certutil utility can also be used to view and delete certificates.
We strongly encourage you to test this GPO, any associated registry keys, and any other modifications (including modification or removal of any certificates) in your lab or test environment.
You can find the Office 2013 Administrative Templates here.
The Office 2016 Administrative Templates can be found here.
Author Credit for this post: Tom Misiak