Microsoft Policies Relevant to ActivID ActivClient

Microsoft Windows Policies

The following Microsoft Windows policies are relevant to ActivClient. For convenience, some are configured automatically by ActivClient setup.

Note:
  • ActivClient does not restore these settings to their default values at uninstallation. You must manually reset the settings. For further information, see Restore Microsoft Settings.

  • ActivClient 6.x included policies that overlapped with Microsoft policies. In ActivClient 7, ActivClient relies on the Microsoft policies where relevant.

Card Auto Registration (PIV Cards Only)

ActivClient supports new PIV cards (including PIV-compatible CAC cards) without requiring any software update. ActivClient leverages the Windows card auto-registration (or Plug and Play) feature, which needs to be enabled.

Description:

This policy setting allows you to control whether Smart Card Plug and Play is enabled.

If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time.

Possible Values (as stored in the registry value named below):

  • Not Configured = value absent (Plug and Play stays enabled)

  • Enabled = 1

  • Disabled = 0

Policy Setting:

Computer Configuration\Administrative Templates\Windows Components\Smart Card\Turn on Smart Card Plug and Play service.

Registry Key:

EnableScPnP (REG_DWORD)

Registry Path:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScPnP

Comments:

  • Available on Microsoft Windows 7, Server 2008 R2 and later.

  • During ActivClient installation:

      • The setting 'Turn on Smart Card Plug and Play service' is left at its default of Not Configured, which keeps Plug and Play enabled.

      • The Smart Card service (SCardSvr) is set to Automatic.

Card Removal

Description:

This setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.

Possible Values:

  • No Action = 0

  • Lock Workstation = 1

  • Force Logoff = 2

  • Disconnect if a remote Terminal Services session = 3

Policy Setting:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior.

Registry Key:

ScRemoveOption (REG_SZ; the string "0", "1", "2" or "3")

Registry Path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Comments:

During ActivClient installation:

  • The setting 'Interactive logon: Smart card removal behavior' is automatically set to Lock Workstation (ScRemoveOption = "1").

  • The Smart Card Removal Policy service (SCPolicySvc), which enforces this setting, is also set to Automatic.

Certificate Registration

Description:

This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted.

If you enable or do not configure this policy setting, then certificate propagation will occur when you insert your smart card.

Possible Values (as stored in the registry value named below):

  • Not Configured = value absent (propagation stays enabled)

  • Enabled = 1

  • Disabled = 0

Policy Setting:

Computer Configuration\Administrative Templates\Windows Components\Smart Card\Turn on certificate propagation from smart card.

Registry Key:

CertPropEnabled (REG_DWORD)

Registry Path:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CertProp

Comments:

During ActivClient installation:

  • The setting 'Turn on certificate propagation from smart card' is left at its default of Not Configured, which keeps propagation enabled.

  • The Certificate Propagation service (CertPropSvc) is also set to Automatic.

RDP/TCP Logon Timeout

Description: This registry value configures the RDP/TCP logon timeout, the time a Remote Desktop session waits for the user to complete logon.

Default Value: 300 seconds (5 minutes)

Registry Key: LogonTimeout

Comments:

By default, an RDP/TCP session waits 300 seconds (5 minutes) for the user to log on before the session times out. Raise this value if users need more time to complete smart card logon (for example, slow readers or PIN entry over a remote session). Keep the increase modest: the same timeout bounds how long an unauthenticated session is held open.

Registry Path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Smart Card PIN Unlock

In order to enable the Unblock feature at logon, the following policy must be configured.

Description:

This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI).

In order to use the integrated unblock feature, your smart card must support this feature. Please check with your hardware manufacturer to see if your smart card supports this feature.

If you enable this policy setting, the integrated unblock feature will be available.

If you disable or do not configure this policy setting then the integrated unblock feature will not be available.

Possible Values (as stored in the registry value named below):

  • Not Configured = value absent (integrated unblock is not available)

  • Enabled = 1

  • Disabled = 0

Policy Setting:

Computer Configuration\Administrative Templates\Windows Components\Smart Card\Allow Integrated Unblock screen to be displayed at the time of logon.

Registry Key:

AllowIntegratedUnblock (REG_DWORD)

Registry Path:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider

Comments:

This Windows feature is compatible with smart cards that are configured for unblocking with an External Authentication mechanism. Most card profiles issued by ActivID CMS with ActivID Applets are compatible with the unlock feature at logon.

For further information about profile selection, refer to the ActivID CMS documentation.
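The following PowerShell audit is an added example; it is not part of the ActivClient documentation or product. It reads the four Windows settings described in the sections above (Smart Card Plug and Play, smart card removal behavior, certificate propagation and integrated unblock) from their standard policy locations in the registry, checks the start type of the services ActivClient setup touches, and reports whether each item is in the state the sections above describe. The function names are the example's own; the Get-Service StartType property requires Windows PowerShell 5.1 or later.

```powershell
# Added example, not HID/ActivClient code. Audits the Windows smart card settings
# documented above. Registry paths are the standard locations written by the
# corresponding Group Policy / Security Option; function names are this example's own.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # An absent key or value is how "Not Configured" looks in the registry.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-SmartCardPolicyState {
    # Expected states follow the documentation: ScPnP and CertProp may stay Not
    # Configured (absent) or be Enabled (1); removal behavior is Lock Workstation
    # ("1", REG_SZ); integrated unblock is only available when explicitly Enabled (1).
    $checks = @(
        [pscustomobject]@{
            Setting = 'Turn on Smart Card Plug and Play service'
            Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScPnP'
            Name    = 'EnableScPnP'
            Allowed = @($null, 1)
            Service = 'SCardSvr'
        }
        [pscustomobject]@{
            Setting = 'Interactive logon: Smart card removal behavior'
            Path    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
            Name    = 'ScRemoveOption'
            Allowed = @('1')
            Service = 'SCPolicySvc'
        }
        [pscustomobject]@{
            Setting = 'Turn on certificate propagation from smart card'
            Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CertProp'
            Name    = 'CertPropEnabled'
            Allowed = @($null, 1)
            Service = 'CertPropSvc'
        }
        [pscustomobject]@{
            Setting = 'Allow Integrated Unblock screen to be displayed at the time of logon'
            Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
            Name    = 'AllowIntegratedUnblock'
            Allowed = @(1)
            Service = $null
        }
    )

    foreach ($c in $checks) {
        $actual = Get-RegistryValueOrNull -Path $c.Path -Name $c.Name
        $shown = if ($null -eq $actual) { 'Not Configured' } else { $actual }

        # The three services ActivClient setup touches are expected to be Automatic.
        $startType = $null
        $serviceOk = $true
        if ($c.Service) {
            $svc = Get-Service -Name $c.Service -ErrorAction SilentlyContinue
            if ($svc) { $startType = [string]$svc.StartType }
            $serviceOk = ($startType -eq 'Automatic')
        }

        [pscustomobject]@{
            Setting   = $c.Setting
            Value     = $shown
            PolicyOk  = ($c.Allowed -contains $actual)
            Service   = $c.Service
            StartType = $startType
            ServiceOk = $serviceOk
        }
    }
}

function Enable-IntegratedUnblock {
    # The one policy in this section that must be set explicitly. Run elevated.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name 'AllowIntegratedUnblock' -Value 1 -Type DWord
}

Test-SmartCardPolicyState | Format-Table -AutoSize
```

Run the audit after installation and again after uninstallation: because ActivClient does not restore these settings, the second run shows exactly which values and service start types still need to be reset by hand. A row with PolicyOk false for the unblock setting is expected on a machine where Enable-IntegratedUnblock (or the equivalent Group Policy) has not been applied.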

TransactionTimeoutDelay

Description: This registry value configures TransactionTimeoutDelay, the time in seconds that the Smart Card Resource Manager (Calais) allows an application to hold a transaction on a card before the transaction is ended.

Default Value: 5 seconds (when the value is absent)

Registry Key: TransactionTimeoutDelay (REG_DWORD)

Comments:

If the value is not present, ActivClient installation creates it and sets TransactionTimeoutDelay to 60 seconds.

If the value is already present, ActivClient installation updates TransactionTimeoutDelay to 60 seconds.

If ActivClient is uninstalled, TransactionTimeoutDelay is not restored; it keeps the value set at installation (60 seconds).

Registry Path:

For 64-bit applications: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais

For 32-bit applications: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais

TransactionTimeoutMilliseconds

Description: This registry value configures TransactionTimeoutMilliseconds, the card transaction timeout in milliseconds used by the Microsoft Base Smart Card Crypto Provider.

Default Value: 5000 milliseconds (when the value is absent)

Registry Key: TransactionTimeoutMilliseconds (REG_DWORD)

Comments:

If the value is not present, ActivClient installation creates it and sets TransactionTimeoutMilliseconds to 5000 milliseconds.

If the value is already present, ActivClient installation updates TransactionTimeoutMilliseconds to 5000 milliseconds.

If ActivClient is uninstalled, TransactionTimeoutMilliseconds is not restored; it keeps the value set at installation (5000 milliseconds).

Registry Path:

For 64-bit applications: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider

For 32-bit applications: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider
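The following PowerShell script is an added example, not ActivClient's own installer logic. It applies the three registry timeouts described above (RDP/TCP LogonTimeout, TransactionTimeoutDelay and TransactionTimeoutMilliseconds) with the same create-if-absent, update-if-present behaviour the sections above attribute to ActivClient setup, and writes the two smart card values to both the native and WOW6432Node registry views so that 32-bit and 64-bit applications read the same setting. Function names and the parameter defaults are the example's own; the values are written as REG_DWORD, which is the type Windows uses for these entries.

```powershell
# Added example, not HID/ActivClient code. Applies the three timeouts documented
# above using create-if-absent / update-if-present logic, writing the smart card
# values to both registry views on 64-bit Windows. Run elevated.

function Set-RegistryDword {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [int]$Value
    )
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null          # the key itself is missing
    }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $current = if ($null -eq $item) { $null } else { $item.$Name }

    if ($null -eq $current) {
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
        $action = 'created'
    }
    elseif ($current -ne $Value) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
        $action = "updated (was $current)"
    }
    else {
        $action = 'unchanged'
    }
    [pscustomobject]@{ Path = $Path; Name = $Name; Value = $Value; Action = $action }
}

function Set-SmartCardTimeouts {
    param(
        # RDP-Tcp LogonTimeout is in seconds; the Windows default is 300 (5 minutes).
        [int]$RdpLogonTimeoutSeconds = 300,
        # Calais TransactionTimeoutDelay is in seconds; ActivClient setup sets 60.
        [int]$TransactionTimeoutDelaySeconds = 60,
        # Base Smart Card CSP TransactionTimeoutMilliseconds; ActivClient setup sets 5000.
        [int]$TransactionTimeoutMilliseconds = 5000
    )

    Set-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                      -Name 'LogonTimeout' -Value $RdpLogonTimeoutSeconds

    # Native view first; the WOW6432Node view only exists on 64-bit Windows.
    $roots = @('HKLM:\SOFTWARE')
    if (Test-Path -Path 'HKLM:\SOFTWARE\WOW6432Node') { $roots += 'HKLM:\SOFTWARE\WOW6432Node' }

    foreach ($root in $roots) {
        Set-RegistryDword -Path "$root\Microsoft\Cryptography\Calais" `
                          -Name 'TransactionTimeoutDelay' -Value $TransactionTimeoutDelaySeconds
        Set-RegistryDword -Path "$root\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider" `
                          -Name 'TransactionTimeoutMilliseconds' -Value $TransactionTimeoutMilliseconds
    }
}

# Example: a site whose users need up to 10 minutes to complete smart card logon over RDP,
# with the smart card transaction timeouts left at the values ActivClient setup applies.
Set-SmartCardTimeouts -RdpLogonTimeoutSeconds 600 | Format-Table -AutoSize
```

The returned objects show, per registry view, whether each value was created, updated or already correct, which is the evidence to keep when ActivClient is later uninstalled and the values remain behind. Only raise the RDP logon timeout as far as users actually need; a long timeout keeps unauthenticated Remote Desktop sessions open for longer.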

Microsoft Outlook Policies

The following Microsoft Outlook policies are relevant to the ActivClient Outlook Enhancement feature.

Note: ActivClient 6.x included policies that overlapped with Microsoft policies. In ActivClient 7, ActivClient relies on the Microsoft policies where relevant.

The Microsoft Outlook administrative templates (ADMX/ADML) for Microsoft Office 365, 2016 and 2019 can be downloaded from:

http://www.microsoft.com/en-us/download/details.aspx?id=49030

The following table lists the policies that you should configure in order to finalize support of the Microsoft Outlook enhancements feature. All of them are defined under:

User Configuration\Administrative Templates\Microsoft Outlook 20xx\Security\Cryptography

Each setting can be Not Configured, Enabled, or Disabled, and sets the value of the corresponding option in the Outlook user interface.

Microsoft Outlook enhancements policies:

  • Sign all e-mail messages

  • Request an S/MIME receipt for all S/MIME signed messages

  • Encrypt all e-mail messages

  • Send all signed messages as clear signed messages

  • Enable Cryptography Icons