Smart Card Group Policy and Registry Settings

  • Article

Updated: February 21, 2012

Applies To: Windows 7, Windows Server 2008 R2

The following sections and tables list the smart card-related Group Policy settings and registry keys that can be set on a per-computer basis. If you use domain Group Policy Objects (GPOs), you can edit and apply Group Policy settings to local or domain computers.

  • Primary Group Policy settings for smart cards

  • Base CSP and Smart Card KSP registry keys

  • CRL checking registry keys

  • Additional smart card Group Policy settings and registry keys

Primary Group Policy settings for smart cards

The following smart card Group Policy settings are located in Computer Configuration\Administrative Templates\Windows Components\Smart Card.

The registry keys are in the following locations:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CertProp

Note

Smart card reader registry information is located in HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Calais\Readers.
Smart card registry information is located in HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Calais\SmartCards.

Administrative template Group Policy settings and registry keys

Group Policy setting Registry key Default Description

Allow certificates with no extended key usage certificate attribute

AllowCertificatesWithNoEKU

Enabled

This policy setting allows certificates without an enhanced key usage (EKU) set to be used for logon.

In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.

Enabled   Certificates with the following attributes can also be used to log on with a smart card:

  • Certificates with no EKU

  • Certificates with an All Purpose EKU

  • Certificates with a Client Authentication EKU

Disabled or Not Configured   Only certificates that contain the smart card logon object identifier can be used to log on with a smart card.

Allow Integrated Unblock screen to be displayed at the time of logon

AllowIntegratedUnblock

Enabled

This policy setting lets you determine whether the integrated unblock feature is available in the logon user interface (UI).

To use the integrated unblock feature, your smart card must support it. Check with the hardware manufacturer to verify that your smart card supports this feature.

Enabled   The integrated unblock feature is available.

Disabled or Not Configured   The integrated unblock feature is not available.

Allow signature keys valid for Logon

AllowSignatureOnlyKeys

Enabled

This policy setting lets you allow signature key-based certificates to be enumerated and available for logon.

Enabled   Any certificates available on the smart card with a signature-only key are listed on the logon screen.

Disabled or Not Configured   Any certificates available on the smart card with a signature-only key are not listed on the logon screen.

Allow time invalid certificates

AllowTimeInvalidCertificates

Enabled

This policy setting permits those certificates that are expired or not yet valid to be displayed for logon.

Under previous versions of Windows, certificates were required to contain a valid time and to not be expired. To be used, the certificate must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer.

Enabled   Certificates are listed on the logon screen whether they have an invalid time or their time validity has expired.

Disabled or Not Configured   Certificates that are expired or not yet valid are not listed on the logon screen.

Turn on certificate propagation from smart card

CertPropEnabled

Enabled

This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted.

Enabled or Not Configured   Certificate propagation occurs when you insert a smart card in the smart card reader.

Disabled   Certificate propagation does not occur, and the certificates are not available to applications such as Outlook.

Configure root certificate clean up

RootCertificateCleanupOption

Not Configured

This policy setting allows you to manage the cleanup behavior of root certificates.

Enabled   Root certificate cleanup occurs according to the option selected.

Disabled or Not Configured   Root certificate cleanup occurs upon logoff.

Turn on root certificate propagation from smart card

EnableRootCertificate Propagation

Enabled

This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted.

Enabled or Not Configured   Root certificate propagation occurs when you insert your smart card.

Note
For this policy setting to work, the Turn on certificate propagation from smart card policy setting must also be enabled.

Disabled   Root certificates are not propagated from the smart card.

Prevent plaintext PINs from being returned by Credential Manager

DisallowPlaintextPin

Not Configured

This policy setting prevents Credential Manager from returning plaintext PINs.

Enabled   Credential Manager does not return a plaintext PIN.

Note

If this policy setting is enabled, some smart cards may not work in Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled.

Disabled or Not Configured   Plaintext PINs can be returned by Credential Manager.

Allow ECC certificates to be used for logon and authentication (Windows 7 and Windows Server 2008 R2 only)

EnumerateECCCerts

Not Configured

This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain.

Enabled   ECC certificates on a smart card can be used to log on to a domain.

Disabled or Not Configured   ECC certificates on a smart card cannot be used to log on to a domain.

Note

This policy setting only affects a user's ability to log on to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting.

Note

If you use an ECDSA key to log on, you must also have an associated ECDH key to permit logon when you are not connected to the network.

Filter duplicate logon certificates

FilterDuplicateCerts

Not Configured

This policy setting lets you configure which valid logon certificates are displayed.

During the certificate renewal period, a user may have multiple valid logon certificates issued from the same certificate template. This can cause confusion about which certificate to select for logon. This behavior may occur when a certificate is renewed and the old certificate has not expired yet. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN).

If there are two or more of the "same" certificates on a smart card and this policy setting is enabled, the certificate that is used to log on to computers running Windows 2000, Windows XP, or Windows Server 2003 will be displayed. Otherwise, the certificate with the most distant expiration time will be displayed.

Note

This policy setting is applied after the Allow time invalid certificates policy setting.

Enabled or Not Configured   Filtering occurs.

Disabled   No filtering occurs.

Force the reading of all certificates from the smart card

ForceReadingAllCertificates

Not Configured

This policy setting allows you to manage the reading of all certificates from the smart card for logon.

During logon, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This can introduce a significant performance decrease in certain situations. Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior.

Enabled   Windows attempts to read all certificates from the smart card regardless of the CSP feature set.

Disabled or Not Configured   Windows only attempts to read the default certificate from smart cards that do not support retrieval of all certificates in a single call. Certificates other than the default are not available for logon.

Display string when smart card is blocked

IntegratedUnblockPromptString

Not Configured

This policy setting allows you to manage the displayed message when a smart card is blocked.

Enabled   The specified message is displayed to the user when the smart card is blocked.

Note

The Allow Integrated Unblock screen to be displayed at the time of logon policy setting must also be enabled.

Disabled or Not Configured (and the integrated unblock feature is also enabled)   The default message is displayed to the user when the smart card is blocked.

Reverse the subject name stored in a certificate when displaying

ReverseSubject

Not Configured

This policy setting lets you reverse how the subject name is displayed during logon from the way it is stored in the certificate.

To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed along with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name and might need to be adjusted for your organization.

Enabled or Not Configured   The subject name is reversed.

Disabled   The subject name is displayed as it appears in the certificate.

Turn on Smart Card Plug and Play service (Windows 7 and Windows Server 2008 R2 only)

EnableScPnP

Enabled

This policy setting allows you to control whether Smart Card Plug and Play is enabled.

Enabled or Not Configured   Smart Card Plug and Play is enabled, and the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader.

Disabled   Smart Card Plug and Play is disabled and a device driver is not installed when a smart card is inserted in a smart card reader.

Note

This policy setting applies only to smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process.

Notify user of successful smart card driver installation (Windows 7 and Windows Server 2008 R2 only)

ScPnPNotification

Enabled

This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed.

Enabled or Not Configured    A confirmation message is displayed when a smart card device driver is installed.

Disabled   A confirmation message is not displayed when a smart card device driver is installed.

Note

This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process.

Allow user name hint

X509HintsNeeded

Not Configured

This policy setting lets you determine whether an optional field is displayed during logon and elevation that allows users to enter their user name or user name and domain, which associates a certificate with the user.

Enabled   An optional field is displayed that allows users to enter their user name or user name and domain.

Disabled or Not Configured   An optional field is not displayed.

Base CSP and Smart Card KSP registry keys

The following registry keys can be configured for the Base cryptography service provider (CSP) and the smart card key storage provider (KSP). The following tables list the keys. All keys use the DWORD type.

The registry keys for the Base CSP are located in the registry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider.

The registry keys for the smart card KSP are located in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\Microsoft Smart Card Key Storage Provider.

Registry keys for the Base CSP and smart card KSP

Registry key Description

AllowPrivateExchangeKeyImport

A non-zero value allows RSA exchange (for example, encryption) private keys to be imported for use in key archival scenarios.

Default value: 00000000

AllowPrivateSignatureKeyImport

A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios.

Default value: 00000000

DefaultPrivateKeyLenBits

Defines the default length for private keys, if desired.

Default value: 00000400

Default key generation parameter: 1024-bit keys

RequireOnCardPrivateKeyGen

This key sets the flag for requiring on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that do not support on-card key generation or where key escrow is required.

Default value: 00000000

TransactionTimeoutMilliseconds

Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.

Default value: 000005dc1500

The default timeout for holding transactions to the smart card is 1.5 seconds.

Additional registry keys for the smart card KSP

Registry key Description

AllowPrivateECDHEKeyImport

This value allows Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) private keys to be imported for use in key archival scenarios.

Default value: 00000000

AllowPrivateECDSAKeyImport

This value allows Elliptic Curve Digital Signature Algorithm (ECDSA) private keys to be imported for use in key archival scenarios.

Default value: 00000000

CRL checking registry keys

The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you need to configure settings for both the KDC and the client.

CRL checking registry keys

Registry key Details

HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Kdc\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors

Type = DWORD

Value = 1

HKEY_LOCAL_MACHINE\SYSTEM\CCS\Control\LSA\Kerberos\Parameters\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors

Type = DWORD

Value = 1

Additional smart card Group Policy settings and registry keys

In a smart card deployment, additional Group Policy settings can be used to enhance ease of use or security. Some of these policy settings that can complement a smart card deployment include:

  • Turning off delegation for computers

  • Interactive logon: Do not require CTRL+ALT+DEL (not recommended)

The following smart card-related Group Policy settings are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

Local security policy settings

Group Policy setting Registry key Default Description

Interactive logon: Require smart card

scforceoption

Disabled

This security policy setting requires users to log on to a computer by using a smart card.

Enabled Users can only log on to the computer by using a smart card.

Disabled Users can log on to the computer by using any method.

Interactive logon: Smart card removal behavior

scremoveoption

This policy setting is not defined, which means that the system treats it as No Action.

This setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are:

  • No Action

  • Lock Workstation The workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.

  • Force Logoff The user is automatically logged off when the smart card is removed.

  • Disconnect if a Remote Desktop Services session Removal of the smart card disconnects the session without logging the user off. This allows the user to reinsert the smart card and resume the session later, or at another smart card reader equipped computer, without having to log on again. If the session is local, this policy setting functions identically to the Lock Workstation policy setting.

    Note
    Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

For Windows 7 and Windows Vista, the Smart Card Removal Policy service must be started for this policy setting to work.

From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers.

The following smart card-related Group Policy settings are located in Computer Configuration\Administrative Templates\System\Credentials Delegation.

Registry keys are located in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Credssp\PolicyDefaults.

Note

Fresh credentials are those that you are prompted for when running an application.

Credential delegation policy settings

Group Policy setting Registry key Default Description

Allow Delegating Fresh Credentials

AllowFreshCredentials

Not Configured

This policy setting applies:

  • When server authentication was achieved via a trusted X509 certificate or Kerberos.

  • To applications using the CredSSP component (for example, Remote Desktop Services).

Enabled   You can specify the servers where the user's fresh credentials can be delegated.

Not Configured   After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer (TERMSRV/*).

Disabled   Delegation of fresh credentials to any computer is not permitted.

Note
This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard is permitted when specifying the SPN.

For example:

  • Use TERMSRV/* for Remote Desktop Session Host (RD Session Host) running on any computer.

  • Use TERMSRV/host.humanresources.fabrikam.com for RD Session Host running on the host.humanresources.fabrikam.com computer.

  • Use TERMSRV/*.humanresources.fabrikam.com for RD Session Host running on all computers in .humanresources.fabrikam.com

Allow Delegating Fresh Credentials with NTLM-only Server Authentication

AllowFreshCredentialsWhenNTLMOnly

Not Configured

This policy setting applies:

  • When server authentication was achieved via NTLM.

  • To applications that use the CredSSP component (for example, Remote Desktop).

Enabled   You can specify the servers to where the user's fresh credentials can be delegated.

Not Configured   After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/*).

Disabled   Delegation of fresh credentials is not permitted to any computer.

Note

This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (*) is permitted when specifying the SPN.
See the Allow Delegating Fresh Credentials policy setting description for examples.

Deny Delegating Fresh Credentials

DenyFreshCredentials

Not Configured

This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).

Enabled   You can specify the servers where the user's fresh credentials cannot be delegated.

Disabled or Not Configured   A server is not specified.

Note

This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials cannot be delegated. A single wildcard character (*) is permitted when specifying the SPN.
See the Allow Delegating Fresh Credentials policy setting description for examples.

If you are using Remote Desktop Services with smart card logon, you cannot delegate default and saved credentials. The following registry keys in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Credssp\PolicyDefaults and corresponding Group Policy settings are ignored.

Registry key Corresponding Group Policy setting

AllowDefaultCredentials

Allow Delegating Default Credentials

AllowDefaultCredentialsWhenNTLMOnly

Allow Delegating Default Credentials with NTLM-only Server Authentication

AllowSavedCredentials

Allow Delegating Saved Credentials

AllowSavedCredentialsWhenNTLMOnly

Allow Delegating Saved Credentials with NTLM-only Server Authentication