Certificate Availability

Some applications are smart card-aware and automatically access smart card-based certificates using ActivClient libraries (in this case, the ActivClient PKCS#11 library). Other applications (for example, Internet Explorer, Microsoft Edge and Microsoft Outlook) require the certificates to be available in Microsoft Windows (specifically registered to the Microsoft Windows CAPI store) prior to using them.

ActivClient leverages a Microsoft Windows feature to automatically register smart card certificates in the Microsoft Windows Certificate Store on card insertion (this is often referred to as 'certificate propagation'). This feature is controlled by a Microsoft Windows policy. See Turn on Certificate Propagation From Smart Card for details.

The ActivClient policies detailed in this section complement the Microsoft Windows policy.

Important: Restart Workstation

For the Certificate Availability policy changes to be applied, you must restart the workstation.

Remove Certificates from Microsoft Windows on Logoff

In a deployment, several users can share the same computer (kiosk), and sometimes use the same user account on the kiosk. This policy lets administrators have the automatically registered certificates removed automatically. This feature requires that the smart card is inserted in the card reader during the logoff operation.

Description:

Defines if user certificates are removed from Microsoft Windows when users log off.

Enable this feature if you are using a shared Microsoft Windows account and you do not want to see the certificates from all the users using their smart card on this computer, or if this computer is primarily used to issue smart cards for other users.

If this setting is not configured or disabled, then certificates are not removed from Microsoft Windows on logoff.

When this setting is enabled, the smart card must remain inserted during logoff for certificates to be removed from Microsoft Windows properly.

Remove Certificates from Microsoft Windows on Smart Card Removal

Description:

Removes user certificates from Microsoft Windows when users remove their smart card.

Enable this feature if you are using a shared Windows account and you do not want to see the certificates from all the users using their smart card on this computer, or if this computer is primarily used to issue smart cards for other users.

If this setting is not configured or disabled, then certificates are not removed from Microsoft Windows on card removal.
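
One way to verify either removal policy on a shared kiosk account, as an added example that is not part of the ActivClient documentation: record the thumbprints in the user's Personal store with no card inserted, then compare again after logoff or card removal. The parameter names, the baseline file path and the function names are assumptions made for this illustration.

```powershell
# Added example (not ActivClient code). Parameter names, the baseline path and
# the function names are assumptions made for this illustration.
param(
    [ValidateSet('Baseline', 'Check')]
    [string]$Mode = 'Check',
    [string]$BaselinePath = (Join-Path $env:LOCALAPPDATA 'personal-store-baseline.txt')
)

# Certificates currently registered in the user's Personal (CAPI "My") store.
function Get-PersonalStoreCertificate {
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Select-Object Thumbprint, Subject, Issuer, NotAfter, HasPrivateKey
}

# Certificates whose thumbprint is not in the baseline list.
function Get-CertificateNotInBaseline {
    param([string[]]$BaselineThumbprint, [object[]]$Certificate)
    $Certificate | Where-Object { $BaselineThumbprint -notcontains $_.Thumbprint }
}

if ($Mode -eq 'Baseline') {
    # Run with no smart card inserted, on a freshly logged-on session.
    $thumbprints = @(Get-PersonalStoreCertificate | ForEach-Object { $_.Thumbprint })
    Set-Content -Path $BaselinePath -Value $thumbprints
    Write-Output "Baseline of $($thumbprints.Count) certificate(s) saved to $BaselinePath"
    return
}

if (-not (Test-Path -Path $BaselinePath)) {
    throw "No baseline at $BaselinePath. Run with -Mode Baseline first."
}

# Run after logoff/logon or after the card has been removed.
$baseline = @(Get-Content -Path $BaselinePath | Where-Object { $_ })
$current  = @(Get-PersonalStoreCertificate)
$leftover = @(Get-CertificateNotInBaseline -BaselineThumbprint $baseline -Certificate $current)

if ($leftover.Count -eq 0) {
    Write-Output 'No certificates beyond the baseline remain in Cert:\CurrentUser\My.'
    exit 0
}
Write-Warning "$($leftover.Count) certificate(s) remain after card removal or logoff:"
$leftover | Format-Table Thumbprint, Subject, NotAfter, HasPrivateKey -AutoSize
exit 1
```

Any certificate the account legitimately acquires after the baseline was taken also shows up as a difference, so refresh the baseline when that happens.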