Microsoft Policies and Registry Keys Relevant to ActivClient
The following Microsoft Windows policies and registry keys are relevant to ActivClient. For convenience, some of them are configured automatically by the ActivClient setup.
Except where a section below states otherwise, ActivClient does not restore these settings to their default values at uninstallation; you must reset them manually. For further information, see Restore Microsoft Settings.

Allow Integrated Unblock Screen to be Displayed at the Time of Logon
Description:
This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI).
Default setting: Not configured
Behavior:
- Disabled or Not Configured: The integrated unblock feature is not available in the logon UI.
- Enabled: The integrated unblock feature is available in the logon UI.
Policy Setting:
Computer Configuration\Administrative Templates\Windows Components\Smart Card\Allow Integrated Unblock screen to be displayed at the time of logon.
Registry Path:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider
Registry Key:
AllowIntegratedUnblock (DWORD)
- This Windows feature is compatible with security devices that are configured for unblocking with an External Authentication mechanism. Most card profiles issued by HID CMS with HID Applets are compatible with the unblock feature at logon.
- For further information about profile selection, refer to the HID CMS documentation.

Interactive Logon: Smart Card Removal Behavior
Description:
This setting determines what happens when the token of a logged-on user is removed from the reader. It is enforced by the Smart Card Removal Policy service (SCPolicySvc); if that service is not running, removing the token has no effect whatever the setting.
- During ActivClient installation, the setting is automatically set to Lock Workstation.
- The startup type of the Smart Card Removal Policy service (SCPolicySvc) is also changed to Automatic.
Behavior (the string written to ScRemoveOption is shown in parentheses):
- No Action (0): Removing the token has no effect on the session.
- Lock Workstation (1): The workstation is locked when the token is removed, so users can leave the area and take their token with them while their session stays protected.
- Force Logoff (2): The user is automatically logged off when the token is removed.
- Disconnect if a remote Terminal Services session (3): Removing the token disconnects the session without logging the user off. The user can insert the token later, on the same computer or on another computer equipped with a security device reader, and resume the session without logging on again. If the session is local, this option behaves like Lock Workstation.
Policy Setting:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior.
Registry Path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Registry Key:
ScRemoveOption (String)
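The following PowerShell is an added example and is not part of ActivClient or of this page's own material. It writes the ScRemoveOption value directly, makes sure SCPolicySvc (the service that enforces the setting) is set to Automatic and running, which is what ActivClient setup does for Lock Workstation, and then reads the result back. The function name Set-SmartCardRemovalBehavior is an assumed name chosen for this example.

```powershell
# Added example, not part of ActivClient. Run from an elevated PowerShell prompt.
# ScRemoveOption is REG_SZ (the page's "(String)"): a single digit, not a DWORD.
#   "0" = No Action, "1" = Lock Workstation, "2" = Force Logoff,
#   "3" = Disconnect if a remote Terminal Services session.
$script:ScRemoveOptions = @{
    NoAction        = '0'
    LockWorkstation = '1'
    ForceLogoff     = '2'
    Disconnect      = '3'
}

function Set-SmartCardRemovalBehavior {
    # Assumed function name for this example.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('NoAction', 'LockWorkstation', 'ForceLogoff', 'Disconnect')]
        [string]$Behavior
    )
    $path  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = $script:ScRemoveOptions[$Behavior]

    # Write the value with the correct registry type (REG_SZ).
    Set-ItemProperty -LiteralPath $path -Name 'ScRemoveOption' -Value $value -Type String

    # The setting is only enforced while SCPolicySvc is running. 'NoAction' needs no
    # service, so the service is left untouched in that case.
    if ($Behavior -ne 'NoAction') {
        Set-Service -Name 'SCPolicySvc' -StartupType Automatic
        Start-Service -Name 'SCPolicySvc'
    }

    # Read back what is actually in the registry and what the service is doing,
    # rather than trusting that the writes succeeded.
    [pscustomobject]@{
        Behavior       = $Behavior
        ScRemoveOption = (Get-ItemProperty -LiteralPath $path -Name 'ScRemoveOption').ScRemoveOption
        ServiceStatus  = (Get-Service -Name 'SCPolicySvc').Status
        ServiceStart   = (Get-CimInstance -ClassName Win32_Service -Filter "Name='SCPolicySvc'").StartMode
    }
}

# Match what ActivClient setup configures:
Set-SmartCardRemovalBehavior -Behavior LockWorkstation
```

If the same security option is also delivered by a domain GPO, the Group Policy engine writes this value at every policy refresh and will overwrite a local change; in that case configure it in the GPO rather than on the client.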

RDP/TCP Logon Timeout
Description:
This registry key configures the logon timeout, in seconds, for the RDP-Tcp listener.
Default Value: 300 seconds
Registry Path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Registry Key:
LogonTimeout (DWORD)

Turn on Certificate Propagation From Smart Card
Description:
This policy setting allows you to manage the certificate propagation that occurs when a token is inserted.
Default setting: Not configured
Behavior:
- Enabled or Not Configured: Certificate propagation occurs when you insert your smart card.
- Disabled: Certificate propagation does not occur, and the certificates are not made available to applications such as Outlook.
Policy Setting:
Computer Configuration\Administrative Templates\Windows Components\Smart Card\Turn on certificate propagation from smart card.
Registry Path:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CertProp
Registry Key:
CertPropEnabled (DWORD)
During ActivClient installation:
- The setting is retained at its default value (Not Configured).
- The Certificate Propagation service (CertPropSvc) is set to Automatic.

Turn on Smart Card Plug and Play Service
ActivClient supports new PIV cards, including PIV-compatible CAC cards, without requiring any software updates. It relies on the Windows Smart Card Plug and Play feature, which automatically detects new tokens and installs the necessary drivers when a token is inserted into a reader for the first time.
Description:
This policy setting allows you to control whether Smart Card Plug and Play is enabled.
Default setting: Not configured
Behavior:
- Enabled or Not Configured: Smart Card Plug and Play is enabled, and the system attempts to install a smart card device driver automatically the first time a token is inserted in a reader.
- Disabled: Smart Card Plug and Play is disabled, and the system does not attempt to install a smart card device driver on token insertion.
Policy Setting:
Computer Configuration\Administrative Templates\Windows Components\Smart Card\Turn on Smart Card Plug and Play service
Registry Path:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScPnP
Registry Key:
EnableScPnP (DWORD)
During ActivClient installation:
- The setting is retained at its default value (Not Configured).
- The Smart Card service (SCardSvr) is set to Automatic.

TransactionTimeoutDelay
Description:
This registry key configures the timeout delay, in seconds, that the Smart Card service (the Calais resource manager) applies to token transactions.
Default Value: 5 seconds
- If the registry key is not present, it is created during ActivClient installation and set to 60 seconds.
- If the registry key already exists, its value is updated to 60 seconds during ActivClient installation.
- If ActivClient is uninstalled, the value is reset to the Windows default (5 seconds).
Registry Path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais
Registry Key:
TransactionTimeoutDelay (DWORD)

TransactionTimeoutMilliseconds
Description:
This registry key allows you to automatically fail transactions that take an excessive amount of time: if an application opens a transaction with the token and does not perform any actions for longer than the specified number of milliseconds, the system forcibly resets the connection to the token.
Default Value: 1500 milliseconds
Registry Path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider
Registry Key:
TransactionTimeoutMilliseconds (DWORD)
- If the registry key is not present, it is created during ActivClient installation and set to 5000 milliseconds.
- If the registry key already exists, its value is updated to 5000 milliseconds during ActivClient installation.
- If ActivClient is uninstalled, the value is reset to the Windows default (1500 milliseconds).
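As an added example (not ActivClient's own tooling and not from this page), the following PowerShell audits all of the registry values and services described on this page at once and reports, for each one, whether it is in the state ActivClient setup leaves behind, at the documented Windows default, or customized. Get-ActivClientSettingsReport and the helper names are assumed names; the Manual start type assumed as the Windows default for the three services is taken from a stock Windows client rather than from this page, and the AllowIntegratedUnblock value name is the one in Microsoft's smart card policy documentation.

```powershell
# Added example, not part of ActivClient or its installer. Run from an elevated prompt
# on the client itself. Caveat: values under HKLM\SOFTWARE\Policies are owned by Group
# Policy; a domain GPO rewrites them at the next refresh regardless of local changes.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent; an absent
    # value is exactly how a "Not Configured" policy appears in the registry.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-StateLabel {
    param($Current, $AfterInstall, $WindowsDefault)
    # Compare as strings so a REG_SZ "1" and a DWORD 1 are not reported as different.
    $cur = if ($null -eq $Current) { $null } else { [string]$Current }
    $ins = if ($null -eq $AfterInstall) { $null } else { [string]$AfterInstall }
    $def = if ($null -eq $WindowsDefault) { $null } else { [string]$WindowsDefault }
    if ($cur -eq $ins) { return 'ActivClient install state' }
    if ($null -eq $cur) { return 'Absent (Windows built-in default applies)' }
    if ($cur -eq $def) { return 'Windows default (explicitly set)' }
    return 'Custom'
}

# AfterInstall: what ActivClient setup writes or leaves in place. WindowsDefault: the
# default this page documents. $null means the value is absent ("Not Configured").
$registryChecks = @(
    @{ Item = 'Allow Integrated Unblock screen at logon'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
       Name = 'AllowIntegratedUnblock'; AfterInstall = $null; WindowsDefault = $null },
    @{ Item = 'Smart card removal behavior (ScRemoveOption, REG_SZ)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'ScRemoveOption'; AfterInstall = '1'; WindowsDefault = '0' },
    @{ Item = 'RDP-Tcp logon timeout (seconds; absent = built-in 300)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name = 'LogonTimeout'; AfterInstall = $null; WindowsDefault = $null },
    @{ Item = 'Certificate propagation policy'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CertProp'
       Name = 'CertPropEnabled'; AfterInstall = $null; WindowsDefault = $null },
    @{ Item = 'Smart Card Plug and Play policy'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScPnP'
       Name = 'EnableScPnP'; AfterInstall = $null; WindowsDefault = $null },
    @{ Item = 'TransactionTimeoutDelay (seconds)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais'
       Name = 'TransactionTimeoutDelay'; AfterInstall = 60; WindowsDefault = 5 },
    @{ Item = 'TransactionTimeoutMilliseconds'
       Path = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
       Name = 'TransactionTimeoutMilliseconds'; AfterInstall = 5000; WindowsDefault = 1500 }
)

# Services ActivClient setup switches to Automatic. Win32_Service.StartMode reports
# 'Auto', 'Manual' or 'Disabled'. The 'Manual' defaults are an assumption taken from a
# stock Windows client, not from this page.
$serviceChecks = @(
    @{ Item = 'Smart Card Removal Policy service'; Name = 'SCPolicySvc'; AfterInstall = 'Auto'; WindowsDefault = 'Manual' },
    @{ Item = 'Certificate Propagation service';   Name = 'CertPropSvc'; AfterInstall = 'Auto'; WindowsDefault = 'Manual' },
    @{ Item = 'Smart Card service';                Name = 'SCardSvr';    AfterInstall = 'Auto'; WindowsDefault = 'Manual' }
)

function Get-ActivClientSettingsReport {
    # Assumed function name for this example.
    $rows = foreach ($c in $registryChecks) {
        $current = Get-RegistryValueOrNull -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Item         = $c.Item
            Current      = if ($null -eq $current) { '<absent>' } else { $current }
            AfterInstall = if ($null -eq $c.AfterInstall) { '<absent>' } else { $c.AfterInstall }
            State        = Get-StateLabel $current $c.AfterInstall $c.WindowsDefault
        }
    }
    $rows += foreach ($s in $serviceChecks) {
        $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($s.Name)'"
        $mode = if ($null -eq $svc) { $null } else { $svc.StartMode }
        [pscustomobject]@{
            Item         = "$($s.Item) ($($s.Name)) start type"
            Current      = if ($null -eq $mode) { '<not installed>' } else { $mode }
            AfterInstall = $s.AfterInstall
            State        = Get-StateLabel $mode $s.AfterInstall $s.WindowsDefault
        }
    }
    return $rows
}

Get-ActivClientSettingsReport | Format-Table -AutoSize
```

Running the report before uninstalling ActivClient gives you a record of what to reset afterwards; running it again after the uninstall shows which values (the two transaction timeouts, per this page) were restored by the uninstaller and which still need to be reset by hand.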