Turn on certificate propagation from smart card

This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. If you enable or do not configure this policy setting, certificate propagation will occur when you insert your smart card. If you disable this policy setting, certificate propagation will not occur and the certificates will not be made available to applications such as Outlook.

Restrict unpacking and installation of gadgets that are not digitally signed.

This policy setting allows you to restrict the installation of unsigned gadgets. Desktop gadgets can be deployed as compressed files, either digitally signed or unsigned. If you enable this setting, gadgets that have not been digitally signed will not be extracted. If you disable or do not configure this setting, both signed and unsigned gadgets will be extracted. The default is for Windows to extract both signed and unsigned gadgets.

Prevent the usage of SkyDrive for file storage

This policy setting lets you prevent apps and features from working with files on SkyDrive. If you enable this policy setting:
* Users can’t access SkyDrive from the SkyDrive app and file picker.
* Windows Store apps can’t access SkyDrive using the WinRT API.
* SkyDrive doesn’t appear in the navigation pane in File Explorer.
* SkyDrive files aren’t kept in sync with the cloud.
* Users can’t automatically upload photos and videos from the camera roll folder.
If you disable or do not configure this policy setting, apps and features can work with SkyDrive file storage.

Save documents and pictures to the local PC by default

This policy setting lets you select the local PC as the default save location. It does not prevent apps and users from saving files on SkyDrive. If you enable this policy setting, files will be saved locally by default. Users will still be able to change the value of this setting to save to SkyDrive by default. They will also be able to open and save files on SkyDrive using the SkyDrive app and file picker, and Windows Store apps will still be able to access SkyDrive using the WinRT API. If you disable or do not configure this policy setting, users with a connected account will save files to SkyDrive by default.

Allow certificates with no extended key usage certificate attribute

This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. If you enable this policy setting, certificates with the following attributes can also be used to log on with a smart card:
- Certificates with no EKU
- Certificates with an All Purpose EKU
- Certificates with a Client Authentication EKU
If you disable or do not configure this policy setting, only certificates that contain the smart card logon object identifier can be used to log on with a smart card.

Allow Integrated Unblock screen to be displayed at the time of logon

This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI). In order to use the integrated unblock feature, your smart card must support this feature. Please check with your hardware manufacturer to see if your smart card supports this feature. If you enable this policy setting, the integrated unblock feature will be available. If you disable or do not configure this policy setting, the integrated unblock feature will not be available.

Filter duplicate logon certificates

This policy setting lets you configure if all your valid logon certificates are displayed. During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN). If there are two or more of the “same” certificate on a smart card and this policy is enabled, then the certificate that is used for logon on Windows 2000, Windows XP and Windows 2003 Server will be shown; otherwise the certificate with the expiration time furthest in the future will be shown. Note: This setting will be applied after the following policy: “Allow time invalid certificates”. If you enable or do not configure this policy setting, filtering will take place. If you disable this policy setting, no filtering will take place.

Force the reading of all certificates from the smart card

This policy setting allows you to manage the reading of all certificates from the smart card for logon. During logon, Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This can introduce a significant performance decrease in certain situations. Please contact your smart card vendor to determine if your smart card and associated CSP support the required behavior. If you enable this setting, Windows will attempt to read all certificates from the smart card regardless of the feature set of the CSP. If you disable or do not configure this setting, Windows will only attempt to read the default certificate from those cards that do not support retrieval of all certificates in a single call. Certificates other than the default will not be available for logon.