Windows 2008 and later security settings for Credential Provider
Two security settings are required for "Foreground execution":
1. Do not require CTRL+ALT+DEL
To make interactive logon work in Windows 2008 you must disable SAS (Secure Attention Sequence). You do this by opening Administrative tools->Local Security Policy.
In the Local policies you need to enable "Interactive logon: Do not require CTRL+ALT+DEL" as in the image below:
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords.
If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows.
Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier.
Default on stand-alone computers: Enabled.
2. User Account Control: Admin Approval Mode for the Built-in Administrator account
To be able to communicate with the Credential Provider you need to disable this setting found in Administrative tools->Local Security Policy->User Account Control: Use Admin Approval Mode for the built-in Administrator account. After applying this setting a reboot of the computer is required.
This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
The options are:
• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.