Microsoft Policies Relevant to ActivID ActivClient
Microsoft Windows Policies
The following Microsoft Windows policies are relevant to ActivClient. For convenience, some are configured automatically by ActivClient setup.
- ActivClient does not restore these settings to their default values at uninstallation. You must manually reset the settings. For further information, see Restore Microsoft Settings.
- ActivClient 6.x included policies that partly duplicated Microsoft policies. ActivClient 7 relies on the Microsoft policies where relevant.
Card Auto Registration (PIV Cards Only)
ActivClient supports new PIV cards (including PIV-compatible CAC cards) without requiring any software update. ActivClient leverages the Windows card auto-registration (or Plug and Play) feature, which needs to be enabled.
Description:
This policy setting allows you to control whether Smart Card Plug and Play is enabled.
If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time.
Possible Values:
- Not Configured = 0
- Enabled = 1
- Disabled = 2
Policy Setting:
Computer Configuration\Administrative Templates\Windows Components\Smart Card\Turn on Smart Card Plug and Play service.
Registry Key:
EnableScPnP
Comments:
- Available on Microsoft Windows 7, Server 2008 R2 and later.
- During ActivClient installation:
  - The setting 'Turn on Smart Card Plug and Play service' is left at its default, Not Configured.
  - The Smart Card service is set to Automatic.
Card Removal
Description:
This setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
Possible Values:
- No Action = 0
- Lock Workstation = 1
- Force Logoff = 2
- Disconnect if a remote Terminal Services session = 3
Policy Setting:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior.
Registry Key:
Scremoveoption
Comments:
During ActivClient installation:
- The setting 'Interactive logon: Smart card removal behavior' is automatically set to Lock on Card removal.
- The Smart Card Removal Policy service (SCPolicySvc) is also updated to Automatic.
Certificate Registration
Description:
This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted.
If you enable or do not configure this policy setting, then certificate propagation will occur when you insert your smart card.
Possible Values:
- Not Configured = 0
- Enabled = 1
- Disabled = 2
Policy Setting:
Computer Configuration\Administrative Templates\Windows Components\Smart Card\Turn on certificate propagation from smart card.
Registry Key:
CertPropEnabled
Comments:
During ActivClient installation:
- The setting 'Turn on certificate propagation from smart card' is left at its default, Not Configured.
- The Certificate Propagation service is also set to Automatic.
RDP/TCP Logon Timeout
Description: This registry value configures the RDP/TCP logon timeout.
Default Value: 300 seconds
Registry Key: LogonTimeout
Comments:
By default, an RDP/TCP session waits 300 seconds (5 minutes) for a user to log in before timing out. This can be changed if users need a longer time to log in.
Registry Path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Smart Card PIN Unlock
In order to enable the Unblock feature at logon, the following policy must be configured.
Description:
This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI).
In order to use the integrated unblock feature, your smart card must support this feature. Please check with your hardware manufacturer to see if your smart card supports this feature.
If you enable this policy setting, the integrated unblock feature will be available.
If you disable or do not configure this policy setting then the integrated unblock feature will not be available.
Possible Values:
- Not Configured = 0
- Enabled = 1
- Disabled = 2
Policy Setting:
Computer Configuration\Administrative Templates\Windows Components\Smart Card\Allow Integrated Unblock screen to be displayed at the time of logon.
Comments:
This Windows feature is compatible with smart cards that are configured for unblocking with an External Authentication mechanism. Most card profiles issued by ActivID CMS with ActivID Applets are compatible with the unlock feature at logon.
For further information about profile selection, refer to the ActivID CMS documentation.
TransactionTimeoutDelay
Description: This registry value configures TransactionTimeoutDelay.
Default Value: 5 seconds
Registry Key: TransactionTimeoutDelay
Comments:
If the registry value is not present, ActivClient installation adds it and sets TransactionTimeoutDelay to 60 seconds.
If the registry value is already present, ActivClient installation updates TransactionTimeoutDelay to 60 seconds.
If ActivClient is uninstalled, TransactionTimeoutDelay keeps the value that was set in the registry (60 seconds).
Registry Path:
For 64-bit applications: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais
For 32-bit applications: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais
TransactionTimeoutMilliseconds
Description: This registry value configures TransactionTimeoutMilliseconds.
Default Value: 5000 milliseconds
Registry Key: TransactionTimeoutMilliseconds
Comments:
If the registry value is not present, ActivClient installation adds it and sets TransactionTimeoutMilliseconds to 5000 milliseconds.
If the registry value is already present, ActivClient installation updates TransactionTimeoutMilliseconds to 5000 milliseconds.
If ActivClient is uninstalled, TransactionTimeoutMilliseconds keeps the value that was set in the registry (5000 milliseconds).
Registry Path:
For 64-bit applications: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider
For 32-bit applications: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider
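An added example, not part of the ActivClient documentation: a read-only PowerShell audit of the registry values and services described above, useful after installation or uninstallation because setup changes them and uninstallation does not restore them. Expected values are the ones this page states; the service names SCardSvr and CertPropSvc are assumed to be the Windows names of the Smart Card and Certificate Propagation services (only SCPolicySvc is named on the page).

```powershell
# Read-only audit; run from a 64-bit PowerShell so that both the native and
# the WOW6432Node registry views are read as written.
# Expected values are the ones stated on this page.
$targets = @(
    [pscustomobject]@{
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        Name     = 'LogonTimeout'
        Expected = 300      # seconds, documented default
    }
)
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    $targets += [pscustomobject]@{
        Path     = "$root\Microsoft\Cryptography\Calais"
        Name     = 'TransactionTimeoutDelay'
        Expected = 60       # seconds, written by ActivClient setup
    }
    $targets += [pscustomobject]@{
        Path     = "$root\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider"
        Name     = 'TransactionTimeoutMilliseconds'
        Expected = 5000     # milliseconds, written by ActivClient setup
    }
}

$report = @(foreach ($t in $targets) {
    # A missing key or value is reported as <absent> instead of raising an error.
    $item   = Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($t.Name) } else { '<absent>' }
    [pscustomobject]@{
        Item = $t.Name; Location = $t.Path
        Actual = $actual; Expected = $t.Expected; Match = ($actual -eq $t.Expected)
    }
})

# Services the page says setup switches to Automatic. SCPolicySvc is named on
# the page; SCardSvr and CertPropSvc are assumed standard Windows service names.
$report += foreach ($name in 'SCardSvr', 'SCPolicySvc', 'CertPropSvc') {
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    $mode = if ($svc) { $svc.StartMode } else { '<absent>' }
    [pscustomobject]@{
        Item = $name; Location = 'Service start mode'
        Actual = $mode; Expected = 'Auto'; Match = ($mode -eq 'Auto')
    }
}

$report | Format-Table -AutoSize -Wrap
```

Rows with Match = False after an uninstallation are the settings to review against your own baseline before resetting them manually.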
Microsoft Outlook Policies
The following Microsoft Outlook policies are relevant to the ActivClient Outlook Enhancement feature.
The Microsoft Outlook administrative templates can be downloaded from:
For Microsoft Office 365, 2016 and 2019:
http://www.microsoft.com/en-us/download/details.aspx?id=49030
The following table lists the policies that you should configure in order to finalize support of the Microsoft Outlook enhancements feature:
Microsoft Outlook enhancements policies:
Microsoft Office Outlook Setting | Description |
---|---|
Sign all e-mail messages | This setting is defined under: User Configuration\Administrative Templates\Microsoft Outlook 20xx\Security\Cryptography. Sign all e-mail messages: Sets the value for the corresponding UI option. |
Request an S/MIME receipt for all S/MIME signed messages | This setting is defined under: User Configuration\Administrative Templates\Microsoft Outlook 20xx\Security\Cryptography. Request an S/MIME receipt for all S/MIME signed messages: Sets the value for the corresponding UI option. |
Encrypt all e-mail messages | This setting is defined under: User Configuration\Administrative Templates\Microsoft Outlook 20xx\Security\Cryptography. Encrypt all e-mail messages: Sets the value for the corresponding UI option. |
Send all signed messages as clear signed messages | This setting is defined under: User Configuration\Administrative Templates\Microsoft Outlook 20xx\Security\Cryptography. Send all signed messages as clear signed messages: Sets the value for the corresponding UI option. |
Enable Cryptography Icons | This setting is defined under: User Configuration\Administrative Templates\Microsoft Outlook 20xx\Security\Cryptography. Enable Cryptography Icons: Sets the value for the corresponding UI option. |