On July 14, 2026, Microsoft released cumulative update KB5101650 for Windows 11 versions 24H2 and 25H2 with a small but transformative policy for enterprise IT. The new registry setting lets administrators automatically approve single sign-on (SSO) permission prompts on managed devices, restoring the seamless handoff between Windows sign-in and Microsoft cloud apps that many corporate users took for granted before recent regulatory changes.
For the millions of employees whose workflows are interrupted daily by a dialog box asking if they want to use their Windows credentials to sign into Teams, Outlook, or SharePoint, the fix is a single DWORD value. But it is only available on devices that organizations explicitly control, and only for Entra ID (formerly Azure AD) accounts. The update marks Redmond’s direct response to a friction point that has been a thorn in the side of admins since early 2025.
The Setting That Silences the Prompt
The magic is a machine-level registry policy: HKLM\SOFTWARE\Policies\Microsoft\Windows\AAD\AutoAcceptSsoPermission. Setting the DWORD to 1 instructs Windows to automatically grant consent whenever a Microsoft service asks whether it can use the user’s existing Entra ID token. The prompt disappears. The user signs into Windows once, and that identity follows them into every work app that supports Microsoft’s modern authentication.
Microsoft designed the policy to be deployed through standard management tools. IT can push it via Group Policy, Microsoft Intune, Configuration Manager, or any MDM that can inject registry keys. The policy is applied at the machine level, so it affects all Entra ID accounts on that device—a crucial point for admins managing shared endpoints or rotating shift workers.
The scope is deliberately narrow. The policy does not touch personal Microsoft accounts; an employee who adds a personal Outlook.com profile on a managed laptop will still see the consent prompt for that account. Unmanaged devices, such as BYOD laptops joined only to Entra ID without full enrollment, retain the experience Microsoft introduced in early 2025, where every first launch of an app like Word or Edge triggers a permission request.
Administrators who tested early builds note that the policy takes effect immediately after a Group Policy refresh or device sync, with no reboot required. Microsoft’s documentation specifies that the setting works on Windows 11 24H2 and 25H2. For organizations still on Windows 11 23H2 or Windows 10, which fall out of mainstream support before this update, the prompt suppression is not available.
Who Benefits—and Who Doesn’t
The feature is squarely aimed at IT teams managing fleets of Windows 11 machines where user identity, device compliance, and app access are already enforced through Microsoft Entra ID and Intune policy. For those environments, the SSO prompt was never a security necessity; it was an extra click inserted into a workflow that the organization had already approved. Employees on fully managed devices see it every time they open a new Microsoft 365 app or service, sometimes multiple times a day after token refreshes. Frustration builds, helpdesk tickets pile up, and productivity dips.
Now, with a single configuration change, those prompts vanish. The effect is most pronounced in call centers, healthcare, and education—sectors where users frequently switch between shared Windows sessions and count on instant access to Teams or Outlook Web Access. For deskless workers, the prompt was not a thoughtful privacy nudge but a roadblock.
Home users, students on personal devices, and anyone who signs into Windows with a Microsoft account rather than an organizational Entra ID will see no change. Their prompt-based consent flow remains intact, preserving the user-choice model that European regulators mandated. Microsoft explicitly states that the policy has no effect on consumer identity flows. Even in enterprise, if an admin does not configure the policy or sets it to 0, the default behavior persists: Windows still asks before handing credentials to apps.
Developers building internal line-of-business apps that rely on the Web Account Manager (WAM) or MSAL.NET should test their integrations. The auto-accept policy works with any Microsoft service that uses the same Azure AD app registration model, but custom applications that bundle their own consent dialogs may still present separate prompts depending on how they request scopes. Microsoft’s announcement on the Windows IT Pro Blog confirms the policy covers “Microsoft apps and services,” leaving third-party SaaS providers outside its immediate reach, though many enterprise apps federate through Entra and will see the benefit indirectly.
The Backstory: Why EU Rules Spoiled the SSO Party
The need for this registry tweak traces back to Microsoft’s compliance with the European Economic Area’s evolving data protection expectations and the broader push for user consent under regulations like the EU’s Data Governance Act and related guidance. In early 2025, Microsoft adjusted Windows sign-in behavior in the EEA so that logging into Windows no longer automatically signed users into other Microsoft services. Instead, Windows presented a prompt: “Allow this app to use your sign-in info?” The change was designed to give individuals explicit control over whether their credentials could be reused, preventing Microsoft from silently linking their local session to cloud services without a clear opt-in.
For consumers and lightly managed small businesses, the prompt makes sense. It provides transparency and a moment of choice. But for large organizations that own the device and manage identity, it introduced a redundant step. Imagine a nurse logging into a shared workstation at the start of a shift, only to be greeted by a series of permission requests for Epic, Outlook, and Teams—apps that IT has already deemed necessary and secure. Multiply that by hundreds of users and thousands of daily sign-ins, and the impact on productivity becomes measurable.
Microsoft acknowledged the pain in its July 14, 2026 blog post, writing that “while the prompt-based experience aligns with regional regulatory expectations, we heard from customers that it creates unnecessary friction on managed enterprise devices.” The new registry policy is that feedback turned into code—an explicit handoff of the consent decision from the individual to the organization, where the device is already under management.
Neowin first reported the availability of the update and the policy on July 15, noting the discrepancy in initial documentation that suggested separate June and July update packages. Microsoft’s official statement clarified that KB5101650 is the single cumulative update that includes the fix for both Windows 11 24H2 and 25H2, shipped on July 14’s Patch Tuesday.
A Step-by-Step Guide for IT Admins
If your organization has been waiting for a way to eliminate the SSO permission prompt, here is exactly what to do.
First, confirm eligibility. You need devices running Windows 11 version 24H2 or 25H2 with the July 2026 cumulative update installed. Check your Windows Update for Business reports or run winver on a sample machine. The OS build number for 24H2 will be 26100.1450 or later; for 25H2, build 26200.1550 or later. If you are on an older feature update, you cannot use this policy and must upgrade.
Next, decide how to deploy. Choose one path:
- Group Policy (on-premises AD or hybrid): Create a new Group Policy Object linked to the appropriate OU. Under Computer Configuration > Preferences > Windows Settings > Registry, add a new Registry Item. Set Action: Update, Hive: HKEY_LOCAL_MACHINE, Key Path: SOFTWARE\Policies\Microsoft\Windows\AAD, Value Name: AutoAcceptSsoPermission, Value Type: REG_DWORD, Value Data: 1. Apply to target devices and run gpupdate /force on a test box.
- Microsoft Intune: Navigate to Devices > Configuration profiles > Create profile > Windows 10 and later > Settings catalog. Search for “AAD” or use the registry key path. If the setting is not yet available as a native ADMX-backed setting (Microsoft typically adds Governance policies within weeks), use a custom OMA-URI:
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Registry/HKLM/SOFTWARE/Policies/Microsoft/Windows/AAD/AutoAcceptSsoPermission
- Data type: Integer
- Value: 1
Assign the profile to a pilot group of devices.
- Configuration Manager or other MDM: Follow the vendor’s procedure for applying registry policy. Many platforms can import ADMX templates; if an updated Windows.admx is not yet available, a simple PowerShell script pushed as a compliance baseline can set the value.
Pilot the policy carefully. Start with a small, representative group of users—covering typical Microsoft 365 apps (Outlook, Teams, OneDrive for Business), browser-based access to SharePoint and Power Apps, and any line-of-business tools that use modern authentication. Pay special attention to shared-device scenarios: on a workstation used by multiple nurses or warehouse clerks, you want to ensure that auto-accept does not inadvertently retain credentials when a user signs out. Windows should still clear tokens during sign-out; the policy only suppresses the permission dialog, not the normal token lifecycle. Test also with privileged accounts: administrators logging into Azure Portal or admin consoles may benefit from an extra confirmation step. If you want to exclude admin accounts from auto-accept, you will need to implement additional targeting logic, perhaps using separate GPOs or dynamic device groups in Intune, because the policy applies machine-wide.
Monitor helpdesk feedback. One unexpected consequence can be user confusion: employees who had grown accustomed to the prompt may think something is broken when it disappears. A brief internal communication explaining the change can head off tickets.
If issues arise, you can roll back quickly by deleting the registry value or setting it to 0 and refreshing policy. Unmanaged devices are unaffected, so the risk is contained.
What’s Next
Microsoft’s blog post hints at more to come. The company states it is “evaluating further admin controls and transparency features for authentication experiences on managed Windows devices.” This likely means additional Group Policy or Intune settings that give finer-grained control over which apps can bypass the prompt, or perhaps a way to present the consent to users only under specific conditions.
For now, KB5101650 delivers exactly what weary IT admins have been asking for: a supported, simple mechanism to restore the frictionless sign-in experience on the devices they already manage. The burden of the extra click has shifted from end users to the policy server, where one configuration tweak can silence a year of prompts.