{
"title": "KB5101650 Hands IT the Power to Silence Entra SSO Consent Prompts on Windows 11",
"content": "With the July 14, 2026 Patch Tuesday update, Microsoft introduced a registry policy that lets IT administrators automatically approve single sign-on permission requests on managed Windows 11 devices. The change means employees on corporate 24H2 and 25H2 PCs no longer have to click through consent dialogs every time a Microsoft application wants to use their Entra credentials.
What Actually Changed
The update—KB5101650—brings Windows 11 version 24H2 to OS Build 26100.8875 and version 25H2 to OS Build 26200.8875. Hidden within that cumulative security fix is a new policy entry specifically designed to reduce authentication friction on enterprise endpoints.
Administrators can now set a DWORD value named AutoAcceptSsoPermission under the registry key HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\AAD. Setting it to 1 tells Windows to skip the permission dialog that normally appears when a Microsoft application—such as Word, Outlook, Teams, or Edge—tries to use the employee’s already-signed-in Entra identity. Setting the value to 0 or removing it restores the default consent prompt.
The policy is machine-wide, not per-user, and it only takes effect when all three conditions are true: the device is managed by an organization (via Intune, Group Policy, or another MDM), the signed-in account is a Microsoft Entra work or school account, and the PC is running a fully patched Windows 11 24H2 or 25H2 build. Personal Microsoft accounts and unmanaged home PCs are explicitly out of scope.
What It Means for You
For IT Administrators
If you manage a fleet of Windows 11 devices, this is a small change that can dramatically reduce end-user confusion and help desk tickets. The scenario is all too familiar: you’ve deployed a PC through Autopilot, joined it to Entra ID, pushed a suite of Microsoft 365 apps, and locked everything down with Conditional Access. Yet the employee still gets a prompt asking, “Allow this app to use your work account?” It feels broken. The new policy allows you to make that decision once, at the device configuration level, and stop prompting users.
But trustworthiness doesn’t mean trust-everything. The policy does not bypass multi-factor authentication, Conditional Access rules, application-specific consent requirements, or any other identity protections your tenant has configured. It solely suppresses the Windows-level prompt that asks for permission to hand over the already-existing Entra credential. If an app requires a second factor or a fresh token due to a Conditional Access policy, the user will still see that prompt.
The policy is particularly welcome in the European Economic Area, where Microsoft, complying with privacy regulations, redesigned Windows account behavior to require explicit user consent each time a Microsoft service wanted to use the signed-in identity. An employee on a corporate EEA machine could face this prompt multiple times a day. The registry key restores a seamless, pre‑EEA‑prompt experience on devices where the IT department has already established full trust.
For Home Users and Unmanaged Devices
There’s nothing for you here. The policy will not work on a personal PC, even if you manually create the registry key, because the device isn’t managed and the account isn’t an Entra work or school account. You’ll still have to click through consent dialogs for Microsoft 365 apps and online services.
For Security and Identity Teams
Before your desktop team flips the switch, review the impact on user perception and policy documentation. Automatically accepting the SSO handoff might mean employees no longer see a visual cue that their work identity is being used by an application. While that’s usually fine on a corporate device, some organizations may prefer to keep the prompt as an explicit acknowledgment. Make sure your employee privacy notices and device‑use policies reflect that applications are authorized to use the corporate identity without additional interaction on managed hardware.
Also, note that the policy does not affect tenant‑wide consent settings. If an application requires administrator consent to access organization data, that process remains in place. The AutoAcceptSsoPermission setting merely tells Windows to stop asking “