From e4d02b28712e667495f4d67ef8194e13904b99af Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 6 Nov 2023 12:11:52 -0500 Subject: [PATCH 01/21] Freshness - light review of legacy content --- education/index.yml | 2 +- education/windows/autopilot-reset.md | 32 +- .../set-up-shared-or-guest-pc.md | 2 +- windows/configuration/shared-pc-technical.md | 2 +- .../access-control/access-control.md | 2 +- .../smart-card-and-remote-desktop-services.md | 48 +-- .../smart-cards/smart-card-architecture.md | 214 ++++------ ...ertificate-requirements-and-enumeration.md | 268 +++++------- .../smart-card-debugging-information.md | 141 ++++--- ...card-group-policy-and-registry-settings.md | 390 ++++++++---------- ...how-smart-card-sign-in-works-in-windows.md | 19 +- ...rt-card-smart-cards-for-windows-service.md | 37 +- .../smart-card-tools-and-settings.md | 10 +- ...-windows-smart-card-technical-reference.md | 49 +-- 14 files changed, 518 insertions(+), 698 deletions(-) diff --git a/education/index.yml b/education/index.yml index a41a668122..a79c5f8617 100644 --- a/education/index.yml +++ b/education/index.yml @@ -8,7 +8,7 @@ metadata: title: Microsoft 365 Education Documentation description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. ms.topic: hub-page - ms.date: 08/10/2022 + ms.date: 11/06/2023 productDirectory: title: For IT admins diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 0c9591c71b..996188d7bf 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md 
@@ -15,7 +15,7 @@ ms.collection: IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Microsoft Entra ID and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. -To enable Autopilot Reset you must: +To enable Autopilot Reset, you must: 1. [Enable the policy for the feature](#enable-autopilot-reset) 2. [Trigger a reset for each device](#trigger-autopilot-reset) @@ -38,7 +38,7 @@ You can set the policy using one of these methods: - Value: 0 - Windows Configuration Designer - + You can [use Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting and create a provisioning package. - Set up School PCs app @@ -62,14 +62,13 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo **To trigger Autopilot Reset** -1. From the Windows device lock screen, enter the keystroke: **CTRL + Windows key + R**. +1. From the Windows device lock screen, enter the keystroke: CTRL + WIN + R. ![Enter CTRL+Windows key+R on the Windows lockscreen.](images/autopilot-reset-lockscreen.png) - This keystroke will open up a custom sign-in screen for Autopilot Reset. The screen serves two purposes: + This keystroke opens up a custom sign-in screen for Autopilot Reset. The screen serves two purposes: 1. Confirm/verify that the end user has the right to trigger Autopilot Reset - 2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process. ![Custom login screen for Autopilot Reset.](images/autopilot-reset-customlogin.png) 
@@ -80,35 +79,26 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo > To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection. Once Autopilot Reset is triggered, the reset process starts. - + After reset, the device: - - Sets the region, language, and keyboard. - - - Connects to Wi-Fi. - - - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will reapply the original provisioning package on the device. - + - Sets the region, language, and keyboard + - Connects to Wi-Fi + - If you provided a provisioning package when Autopilot Reset is triggered, the system applies this new provisioning package. Otherwise, the system reapplies the original provisioning package on the device - Is returned to a known good managed state, connected to Microsoft Entra ID and MDM. ![Notification that provisioning is complete.](images/autopilot-reset-provisioningcomplete.png) Once provisioning is complete, the device is again ready for use. - - ## Troubleshoot Autopilot Reset -Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) isn't enabled on the device. You'll see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`. +Autopilot Reset fails when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) isn't enabled on the device. The error code is: `ERROR_NOT_SUPPORTED (0x80070032)`. 
To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: -```console -reagentc /enable +```cmd +reagentc.exe /enable ``` If Autopilot Reset fails after enabling WinRE, or if you're unable to enable WinRE, kindly contact [Microsoft Support](https://support.microsoft.com) for assistance. - -## Related articles - -[Set up Windows devices for education](set-up-windows-10.md) diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index c8ef487740..6d7f554aea 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -1,7 +1,7 @@ --- title: Set up a shared or guest Windows device description: Description of how to configured Shared PC mode, which is a Windows feature that optimizes devices for shared use scenarios. -ms.date: 10/15/2022 +ms.date: 11/06/2023 ms.prod: windows-client ms.technology: itpro-configure ms.topic: reference diff --git a/windows/configuration/shared-pc-technical.md b/windows/configuration/shared-pc-technical.md index b0d626cff0..2c55e09d27 100644 --- a/windows/configuration/shared-pc-technical.md +++ b/windows/configuration/shared-pc-technical.md @@ -1,7 +1,7 @@ --- title: Shared PC technical reference description: List of policies and settings applied by the Shared PC options. -ms.date: 10/15/2022 +ms.date: 11/06/2023 ms.prod: windows-client ms.technology: itpro-configure ms.topic: reference diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index 0cc106f7cb..5ab8ca8c5f 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md 
@@ -1,5 +1,5 @@ --- -ms.date: 11/22/2022 +ms.date: 11/06/2023 title: Access Control Overview description: Description of the access controls in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. ms.topic: overview diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index 35ace33d60..2f0dcd3354 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -1,5 +1,5 @@ --- -ms.date: 09/24/2021 +ms.date: 11/06/2023 title: Smart Card and Remote Desktop Services description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. ms.topic: conceptual 
@@ -13,9 +13,8 @@ Smart card redirection logic and **WinSCard** API are combined to support multip Smart card support is required to enable many Remote Desktop Services scenarios. These include: -- Using Fast User Switching or Remote Desktop Services. A user is not able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt is not successful in Fast User Switching or from a Remote Desktop Services session. - -- Enabling Encrypting File System (EFS) to locate the user's smart card reader from the Local Security Authority (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files. +- Using Fast User Switching or Remote Desktop Services. A user is not able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt is not successful in Fast User Switching or from a Remote Desktop Services session +- Enabling Encrypting File System (EFS) to locate the user's smart card reader from the Local Security Authority (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files ## Remote Desktop Services redirection 
@@ -23,23 +22,16 @@ In a Remote Desktop scenario, a user is using a remote server for running servic ![Smart card service redirects to smart card reader.](images/sc-image101.png) -**Remote Desktop redirection** +### Remote Desktop redirection Notes about the redirection model: -1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as "Client session"), the user runs **net use /smartcard**. - -2. Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer. - -3. The authentication is performed by the LSA in session 0. - -4. The CryptoAPI processing is performed in the LSA (Lsass.exe). This is possible because RDP redirector (rdpdr.sys) allows per-session, rather than per-process, context. - -5. The WinScard and SCRedir components, which were separate modules in operating systems earlier than Windows Vista, are now included in one module. The ScHelper library is a CryptoAPI wrapper that is specific to the Kerberos protocol. - -6. The redirection decision is made on a per smart card context basis, based on the session of the thread that performs the SCardEstablishContext call. - -7. Changes to WinSCard.dll implementation were made in Windows Vista to improve smart card redirection. +1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as "Client session"), the user runs `net use /smartcard` +1. Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer +1. The authentication is performed by the LSA in session 0 +1. The CryptoAPI processing is performed in the LSA (`lsass.exe`). 
This is possible because RDP redirector (`rdpdr.sys`) allows per-session, rather than per-process, context +1. The ScHelper library is a CryptoAPI wrapper that is specific to the Kerberos protocol +1. The redirection decision is made on a per smart card context basis, based on the session of the thread that performs the `SCardEstablishContext` call ## RD Session Host server single sign-in experience @@ -57,13 +49,17 @@ In addition, Group Policy settings that are specific to Remote Desktop Services To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer is not in the same domain or workgroup, the following command can be used to deploy the certificate: -**certutil -dspublish NTAuthCA** "*DSCDPContainer*" +```cmd +certutil.exe -dspublish NTAuthCA "DSCDPContainer" +``` -The *DSCDPContainer* Common Name (CN) is usually the name of the certification authority. +The `DSCDPContainer` Common Name (CN) is usually the name of the certification authority. Example: -**certutil -dspublish NTAuthCA** <*CertFile*> **"CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=engineering,DC=contoso,DC=com"** +```cmd +certutil -dspublish NTAuthCA "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=engineering,DC=contoso,DC=com" +``` For information about this option for the command-line tool, see [-dsPublish](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_dsPublish). 
@@ -71,15 +67,19 @@ For information about this option for the command-line tool, see [-dsPublish](/p To enable remote access to resources in an enterprise, the root certificate for the domain must be provisioned on the smart card. From a computer that is joined to a domain, run the following command at the command line: -**certutil -scroots update** +```cmd +certutil.exe -scroots update +``` For information about this option for the command-line tool, see [-SCRoots](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_SCRoots). For Remote Desktop Services across domains, the KDC certificate of the RD Session Host server must also be present in the client computer's NTAUTH store. To add the store, run the following command at the command line: -**certutil -addstore -enterprise NTAUTH** <*CertFile*> +```cmd +certutil -addstore -enterprise NTAUTH +``` -Where <*CertFile*> is the root certificate of the KDC certificate issuer. +Where *CertFile* is the root certificate of the KDC certificate issuer. For information about this option for the command-line tool, see [-addstore](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_addstore). diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index f66eedf547..786822878b 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -3,7 +3,7 @@ title: Smart Card Architecture description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system. ms.reviewer: ardenw ms.topic: reference-architecture -ms.date: 09/24/2021 +ms.date: 11/06/2023 --- # Smart Card Architecture 
@@ -16,25 +16,20 @@ In a networking context, authentication is the act of proving identity to a netw For smart cards, Windows supports a provider architecture that meets the secure authentication requirements and is extensible so that you can include custom credential providers. This topic includes information about: -- [Credential provider architecture](#credential-provider-architecture) - -- [Smart card subsystem architecture](#smart-card-subsystem-architecture) - - +- [Credential provider architecture](#credential-provider-architecture) +- [Smart card subsystem architecture](#smart-card-subsystem-architecture) ## Credential provider architecture The following table lists the components that are included in the interactive sign-in architecture of the Windows Server and Windows operating systems. -| **Component** | **Description** | -|------------------------------------------------|-----| -| Winlogon | Provides an interactive sign-in infrastructure. | -| Logon UI | Provides interactive UI rendering. | -| Credential providers (password and smart card) | Describes credential information and serializing credentials. | -| Local Security Authority (LSA) | Processes sign-in credentials. | -| Authentication packages | Includes NTLM and the Kerberos protocol. Communicates with server authentication packages to authenticate users. | +| Component | Description | +|--|--| +| Winlogon | Provides an interactive sign-in infrastructure. | +| Logon UI | Provides interactive UI rendering. | +| Credential providers (password and smart card) | Describes credential information and serializing credentials. | +| Local Security Authority (LSA) | Processes sign-in credentials. | +| Authentication packages | Includes NTLM and the Kerberos protocol. Communicates with server authentication packages to authenticate users. | Interactive sign-in in Windows begins when the user presses CTRL+ALT+DEL. The CTRL+ALT+DEL key combination is called a secure attention sequence (SAS). 
To keep other programs and processes from using it, Winlogon registers this sequence during the boot process. @@ -42,8 +37,6 @@ After receiving the SAS, the UI then generates the sign-in tile from the informa ![Credential provider architecture.](images/sc-image201.gif) -**Figure 1**  **Credential provider architecture** - Typically, a user who signs in to a computer by using a local account or a domain account must enter a user name and password. These credentials are used to verify the user's identity. For smart card sign-in, a user's credentials are contained on the smart card's security chip. A smart card reader lets the computer interact with the security chip on the smart card. When users sign in with a smart card, they enter a personal identification number (PIN) instead of a user name and password. Credential providers are in-process COM objects that run on the local system and are used to collect credentials. The Logon UI provides interactive UI rendering, Winlogon provides interactive sign-in infrastructure, and credential providers work with both of these components to help gather and process credentials. 
@@ -52,7 +45,8 @@ Winlogon instructs the Logon UI to display credential provider tiles after it re Combined with supporting hardware, credential providers can extend the Windows operating system to enable users to sign in by using biometrics (for example, fingerprint, retinal, or voice recognition), password, PIN, smart card certificate, or any custom authentication package. Enterprises and IT professionals can develop and deploy custom authentication mechanisms for all domain users, and they may explicitly require users to use this custom sign-in mechanism. -> **Note**  Credential providers are not enforcement mechanisms. They are used to gather and serialize credentials. The LSA and authentication packages enforce security. +> [!NOTE] +> Credential providers are not enforcement mechanisms. They are used to gather and serialize credentials. The LSA and authentication packages enforce security. Credential providers can be designed to support single sign-in (SSO). In this process, they authenticate users to a secure network access point (by using RADIUS and other technologies) for signing in to the computer. Credential providers are also designed to support application-specific credential gathering, and they can be used for authentication to network resources, joining computers to a domain, or to provide administrator consent for User Account Control (UAC). 
@@ -60,13 +54,14 @@ Multiple credential providers can coexist on a computer. Credential providers must be registered on a computer running Windows, and they are responsible for: -- Describing the credential information that is required for authentication. +- Describing the credential information that is required for authentication +- Handling communication and logic with external authentication authorities +- Packaging credentials for interactive and network sign-in -- Handling communication and logic with external authentication authorities. - -- Packaging credentials for interactive and network sign-in. - -> **Note**  The Credential Provider API does not render the UI. It describes what needs to be rendered.
Only the password credential provider is available in safe mode.
The smart card credential provider is available in safe mode during networking. +> [!NOTE] +> The Credential Provider API does not render the UI. It describes what needs to be rendered.\ +> Only the password credential provider is available in safe mode.\ +> The smart card credential provider is available in safe mode during networking. ## Smart card subsystem architecture @@ -74,19 +69,16 @@ Vendors provide smart cards and smart card readers, and in many cases the vendor ### Base CSP and smart card minidriver architecture -Figure 2 illustrates the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers. +The following graphic shows the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers. ![Base CSP and smart card minidriver architecture.](images/sc-image203.gif) -**Figure 2**  **Base CSP and smart card minidriver architecture** - ### Caching with Base CSP and smart card KSP Smart card architecture uses caching mechanisms to assist in streamlining operations and to improve a user's access to a PIN. -- [Data caching](#data-caching): The data cache provides for a single process to minimize smart card I/O operations. - -- [PIN caching](#pin-caching): The PIN cache helps the user from having to reenter a PIN each time the smart card is unauthenticated. +- [Data caching](#data-caching): The data cache provides for a single process to minimize smart card I/O operations +- [PIN caching](#pin-caching): The PIN cache helps the user from having to reenter a PIN each time the smart card is unauthenticated #### Data caching 
@@ -94,13 +86,10 @@ Each CSP implements the current smart card data cache separately. The Base CSP i The existing global cache works as follows: -1. The application requests a cryptographic operation. For example, a user certificate is to be read from the smart card. - -2. The CSP checks its cache for the item. - -3. If the item is not found in the cache, or if the item is cached but is not up-to-date, the item is read from the smart card. - -4. After any item has been read from the smart card, it is added to the cache. Any existing out-of-date copy of that item is replaced. +1. The application requests a cryptographic operation. For example, a user certificate is to be read from the smart card +1. The CSP checks its cache for the item +1. If the item is not found in the cache, or if the item is cached but is not up-to-date, the item is read from the smart card +1. After any item has been read from the smart card, it is added to the cache. Any existing out-of-date copy of that item is replaced Three types of objects or data are cached by the CSP: pins (for more information, see [PIN caching](#pin-caching)), certificates, and files. If any of the cached data changes, the corresponding object is read from the smart card in successive operations. For example, if a file is written to the smart card, the CSP cache becomes out-of-date for the files, and other processes read the smart card at least once to refresh their CSP cache. 
@@ -114,19 +103,13 @@ To mitigate this, the smart card enters an exclusive state when an application a The following example illustrates how this works. In this scenario, there are two applications: Outlook and Internet Explorer. The applications use smart cards for different purposes. -1. The user starts Outlook and tries to send a signed e-mail. The private key is on the smart card. - -2. Outlook prompts the user for the smart card PIN. The user enters the correct PIN. - -3. E-mail data is sent to the smart card for the signature operation. The Outlook client formats the response and sends the e-mail. - -4. The user opens Internet Explorer and tries to access a protected site that requires Transport Layer Security (TLS) authentication for the client. - -5. Internet Explorer prompts the user for the smart card PIN. The user enters the correct PIN. - -6. The TLS-related private key operation occurs on the smart card, and the user is authenticated and signed in. - -7. The user returns to Outlook to send another signed e-mail. This time, the user is not prompted for a PIN because the PIN is cached from the previous operation. Similarly, if the user uses Internet Explorer again for another operation, Internet Explorer will not prompt the user for a PIN. +1. The user starts Outlook and tries to send a signed e-mail. The private key is on the smart card +1. Outlook prompts the user for the smart card PIN. The user enters the correct PIN +1. E-mail data is sent to the smart card for the signature operation. The Outlook client formats the response and sends the e-mail +1. The user opens Internet Explorer and tries to access a protected site that requires Transport Layer Security (TLS) authentication for the client +1. Internet Explorer prompts the user for the smart card PIN. The user enters the correct PIN +1. The TLS-related private key operation occurs on the smart card, and the user is authenticated and signed in +1. 
The user returns to Outlook to send another signed e-mail. This time, the user is not prompted for a PIN because the PIN is cached from the previous operation. Similarly, if the user uses Internet Explorer again for another operation, Internet Explorer will not prompt the user for a PIN The Base CSP internally maintains a per-process cache of the PIN. The PIN is encrypted and stored in memory. The functions that are used to secure the PIN are RtlEncryptMemory, RtlDecryptMemory, and RtlSecureZeroMemory, which will empty buffers that contained the PIN. 
@@ -134,27 +117,17 @@ The Base CSP internally maintains a per-process cache of the PIN. The PIN is enc The following sections in this topic describe how Windows leverages the smart card architecture to select the correct smart card reader software, provider, and credentials for a successful smart card sign-in: -- [Container specification levels](#container-specification-levels) - -- [Container operations](#container-operations) - -- [Context flags](#context-flags) - -- [Create a new container in silent context](#create-a-new-container-in-silent-context) - -- [Smart card selection behavior](#smart-card-selection-behavior) - -- [Make a smart card reader match](#make-a-smart-card-reader-match) - -- [Make a smart card match](#make-a-smart-card-match) - -- [Open an existing default container (no reader specified)](#open-an-existing-default-container-no-reader-specified) - -- [Open an existing GUID-named container (no reader specified)](#open-an-existing-guid-named-container-no-reader-specified) - -- [Create a new container (no reader specified)](#create-a-new-container-no-reader-specified) - -- [Delete a container](#delete-a-container) +- [Container specification levels](#container-specification-levels) +- [Container operations](#container-operations) +- [Context flags](#context-flags) +- [Create a new container in silent context](#create-a-new-container-in-silent-context) +- [Smart card selection behavior](#smart-card-selection-behavior) +- [Make a smart card reader match](#make-a-smart-card-reader-match) +- [Make a smart card match](#make-a-smart-card-match) +- [Open an existing default container (no reader specified)](#open-an-existing-default-container-no-reader-specified) +- [Open an existing GUID-named container (no reader specified)](#open-an-existing-guid-named-container-no-reader-specified) +- [Create a new container (no reader specified)](#create-a-new-container-no-reader-specified) +- [Delete a container](#delete-a-container) #### Container specification 
levels @@ -162,13 +135,15 @@ In response to a CryptAcquireContext call in CryptoAPI, the Base CSP tries to ma Similarly, in response to a NCryptOpenKey call in CNG, the smart card KSP tries to match the container the same way, and it takes the same container format, as shown in the following table. -> **Note**  Before opening a key by using the smart card KSP, a call to NCryptOpenStorageProvider (MS\_SMART\_CARD\_KEY\_STORAGE\_PROVIDER) must be made. +> **Note**   +> [!NOTE] +> Before opening a key by using the smart card KSP, a call to NCryptOpenStorageProvider (`MS\_SMART\_CARD\_KEY\_STORAGE\_PROVIDER`) must be made. | **Type** | **Name** | **Format** | |----------|----------|------------| -| I | Reader Name and Container Name | \\\\.\\<Reader Name>\\<Container Name> | -| II | Reader Name and Container Name (NULL) | \\\\.\\<Reader Name> | -| III | Container Name Only | <Container Name> | +| I | Reader Name and Container Name | `\\\\.\\\\` | +| II | Reader Name and Container Name (NULL) | `\\\\.\\` | +| III | Container Name Only | `` | | IV | Default Container (NULL) Only | NULL | The Base CSP and smart card KSP cache smart card handle information about the calling process and about the smart cards the process has accessed. When searching for a smart card container, the Base CSP or smart card KSP first checks its cache for the process. If the cached handle is invalid or no match is found, the SCardUIDlg API is called to get the card handle. 
@@ -177,11 +152,9 @@ The Base CSP and smart card KSP cache smart card handle information about the ca The following three container operations can be requested by using CryptAcquireContext: -1. Create a new container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT\_NEWKEYSET is NCryptCreatePersistedKey.) - -2. Open an existing container. (The CNG equivalent of CryptAcquireContext to open the container is NCryptOpenKey.) - -3. Delete a container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT\_DELETEKEYSET is NCryptDeleteKey.) +1. Create a new container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT\_NEWKEYSET is NCryptCreatePersistedKey.) +1. Open an existing container. (The CNG equivalent of CryptAcquireContext to open the container is NCryptOpenKey.) +1. Delete a container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT\_DELETEKEYSET is NCryptDeleteKey.) The heuristics that are used to associate a cryptographic handle with a particular smart card and reader are based on the container operation requested and the level of container specification used. 
@@ -210,24 +183,18 @@ In addition to container operations and container specifications, you must consi Applications can call the Base CSP with CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL, set the PIN in silent context, and then create a new container in silent context. This operation occurs as follows: -1. Call CryptAcquireContext by passing the smart card reader name in as a type II container specification level, and specifying the CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL flag. - -2. Call CryptSetProvParam by specifying PP\_KEYEXCHANGE\_PIN or PP\_SIGNATURE\_PIN and a null-terminated ASCII PIN. - -3. Release the context acquired in Step 1. - -4. Call CryptAcquireContext with CRYPT\_NEWKEYSET, and specify the type I container specification level. - -5. Call CryptGenKey to create the key. +1. Call CryptAcquireContext by passing the smart card reader name in as a type II container specification level, and specifying the CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL flag. +1. Call CryptSetProvParam by specifying PP\_KEYEXCHANGE\_PIN or PP\_SIGNATURE\_PIN and a null-terminated ASCII PIN. +1. Release the context acquired in Step 1. +1. Call CryptAcquireContext with CRYPT\_NEWKEYSET, and specify the type I container specification level. +1. Call CryptGenKey to create the key. #### Smart card selection behavior -In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or click **Cancel**. If the user cancels the operation, the operation fails. The flow chart in Figure 3 shows the selection steps performed by the Windows operating system. +In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or click **Cancel**. 
If the user cancels the operation, the operation fails. The flow chart shows the selection steps performed by the Windows operating system. ![Smart card selection process.](images/sc-image205.png) -**Figure 3**  **Smart card selection behavior** - In general, smart card selection behavior is handled by the SCardUIDlgSelectCard API. The Base CSP interacts with this API by calling it directly. The Base CSP also sends callback functions that have the purpose of filtering and matching candidate smart cards. Callers of CryptAcquireContext provide smart card matching information. Internally, the Base CSP uses a combination of smart card serial numbers, reader names, and container names to find specific smart cards. Each call to SCardUI \* may result in additional information read from a candidate smart card. The Base CSP smart card selection callbacks cache this information. 
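Review bot: removing the caption line `**Figure 3**  **Smart card selection behavior**` leaves the flow chart with no visible title, and the rewritten sentence "The flow chart shows the selection steps performed by the Windows operating system" no longer identifies which chart it refers to. Suggest keeping a short caption under the image or folding the title into the alt text, e.g. `![Smart card selection behavior flow chart.](images/sc-image205.png)`, so the diagram stays self-describing after the figure numbers are gone.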
@@ -236,15 +203,11 @@ Each call to SCardUI \* may result in additional information read from a candida For type I and type II container specification levels, the smart card selection process is less complex because only the smart card in the named reader can be considered a match. The process for matching a smart card with a smart card reader is: -1. Find the requested smart card reader. If it cannot be found, the process fails. (This requires a cache search by reader name.) - -2. If no smart card is in the reader, the user is prompted to insert a smart card. (This is only in non-silent mode; if the call is made in silent mode, it will fail.) - -3. For container specification level II only, the name of the default container on the chosen smart card is determined. - -4. To open an existing container or delete an existing container, find the specified container. If the specified container cannot be found on this smart card, the user is prompted to insert a smart card. - -5. If the system attempts to create a new container, if the specified container already exists on this smart card, the process fails. +1. Find the requested smart card reader. If it cannot be found, the process fails. (This requires a cache search by reader name.) +1. If no smart card is in the reader, the user is prompted to insert a smart card. (This is only in non-silent mode; if the call is made in silent mode, it will fail.) +1. For container specification level II only, the name of the default container on the chosen smart card is determined. +1. To open an existing container or delete an existing container, find the specified container. If the specified container cannot be found on this smart card, the user is prompted to insert a smart card. +1. If the system attempts to create a new container, if the specified container already exists on this smart card, the process fails. #### Make a smart card match 
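Review bot: step 5 of the rewritten list still reads as a double conditional, "If the system attempts to create a new container, if the specified container already exists on this smart card, the process fails." Since the line is being rewritten anyway, reword it to "When creating a new container, the process fails if the specified container already exists on this smart card."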
@@ -254,17 +217,16 @@ For container specification levels III and IV, a broader method is used to match > **Note**  This operation requires that you use the smart card with the Base CSP. -1. For each smart card that has been accessed by the Base CSP and the handle and container information are cached, the Base CSP looks for a valid default container. An operation is attempted on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the Base CSP continues to search for a new smart card. - -2. If a matching smart card is not found in the Base CSP cache, the Base CSP calls to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with a valid default container. +1. For each smart card that has been accessed by the Base CSP and the handle and container information are cached, the Base CSP looks for a valid default container. An operation is attempted on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the Base CSP continues to search for a new smart card. +1. If a matching smart card is not found in the Base CSP cache, the Base CSP calls to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with a valid default container. #### Open an existing GUID-named container (no reader specified) > **Note**  This operation requires that you use the smart card with the Base CSP. -1. For each smart card that is already registered with the Base CSP, search for the requested container. Attempt an operation on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the smart card's serial number is passed to the SCardUI \* API to continue searching for this specific smart card (rather than only a general match for the container name). +1. For each smart card that is already registered with the Base CSP, search for the requested container. 
Attempt an operation on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the smart card's serial number is passed to the SCardUI \* API to continue searching for this specific smart card (rather than only a general match for the container name). -2. If a matching smart card is not found in the Base CSP cache, a call is made to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with the requested container. Or, if a smart card serial number resulted from the search in Step 1, the callback filter attempts to match the serial number, not the container name. +1. If a matching smart card is not found in the Base CSP cache, a call is made to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with the requested container. Or, if a smart card serial number resulted from the search in Step 1, the callback filter attempts to match the serial number, not the container name. #### Create a new container (no reader specified) 
@@ -274,41 +236,31 @@ If the PIN is not cached, no CRYPT\_SILENT is allowed for the container creation For other operations, the caller may be able to acquire a "verify" context against the default container (CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL) and then make a call with CryptSetProvParam to cache the user PIN for subsequent operations. -1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks: - - 1. If the smart card has been removed, continue the search. - - 2. If the smart card is present, but it already has the named container, continue the search. - - 3. If the smart card is available, but a call to CardQueryFreeSpace indicates that the smart card has insufficient storage for an additional key container, continue the search. - - 4. Otherwise, use the first available smart card that meets the above criteria for the container creation. - -2. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards verifies that a candidate smart card does not already have the named container, and that CardQueryFreeSpace indicates the smart card has sufficient space for an additional container. If no suitable smart card is found, the user is prompted to insert a smart card. +1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks: + 1. If the smart card has been removed, continue the search + 1. If the smart card is present, but it already has the named container, continue the search + 1. If the smart card is available, but a call to CardQueryFreeSpace indicates that the smart card has insufficient storage for an additional key container, continue the search + 1. Otherwise, use the first available smart card that meets the above criteria for the container creation +1. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. 
The callback that is used to filter enumerated smart cards verifies that a candidate smart card does not already have the named container, and that CardQueryFreeSpace indicates the smart card has sufficient space for an additional container. If no suitable smart card is found, the user is prompted to insert a smart card #### Delete a container -1. If the specified container name is NULL, the default container is deleted. Deleting the default container causes a new default container to be selected arbitrarily. For this reason, this operation is not recommended. - -2. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks: - - 1. If the smart card does not have the named container, continue the search. - - 2. If the smart card has the named container, but the smart card handle is no longer valid, store the serial number of the matching smart card and pass it to SCardUI \*. - -3. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards should verify that a candidate smart card has the named container. If a serial number was provided as a result of the previous cache search, the callback should filter enumerated smart cards on serial number rather than on container matches. If the context is non-silent and no suitable smart card is found, display UI that prompts the user to insert a smart card. +1. If the specified container name is NULL, the default container is deleted. Deleting the default container causes a new default container to be selected arbitrarily. For this reason, this operation is not recommended +1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks: + 1. If the smart card does not have the named container, continue the search + 1. 
If the smart card has the named container, but the smart card handle is no longer valid, store the serial number of the matching smart card and pass it to SCardUI +1. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards should verify that a candidate smart card has the named container. If a serial number was povided as a result of the previous cache search, the callback should filter enumerated smart cards on serial number rather than on container matches. If the context is non-silent and no suitable smart card is found, display UI that prompts the user to insert a smart card. ### Base CSP and KSP-based architecture in Windows -Figure 4 shows the Cryptography architecture that is used by the Windows operating system. +The following diagram shows the Cryptography architecture that is used by the Windows operating system. ![Cryptography architecture.](images/sc-image206.gif) -**Figure 4**  **Cryptography architecture** - ### Base CSP and smart card KSP properties in Windows -> **Note**  The API definitions are located in WinCrypt.h and WinSCard.h. +> [!NOTE] +> The API definitions are located in WinCrypt.h and WinSCard.h. | **Property** | **Description** | |-----------------------|------------------| 
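Review bot: the new `+` line introduces a typo, "If a serial number was povided" should read "provided". The same hunk changes "pass it to SCardUI \*" to "pass it to SCardUI", while the other occurrences earlier in this file (the selection-behavior and GUID-named-container sections) keep "SCardUI \*"; pick one form. Trailing periods were dropped from the nested sub-steps and from "this operation is not recommended" and "the user is prompted to insert a smart card", but the last item of the "Delete a container" list keeps full-sentence punctuation, so the lists now mix styles. Dropping the `**Figure 4**` caption has the same effect as in the selection-behavior hunk: the cryptography diagram loses its visible title.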
@@ -328,4 +280,4 @@ If a smart card is registered by a CSP and a smart card minidriver, the one that CSPs and KSPs are meant to be written only if specific functionality is not available in the current smart card minidriver architecture. For example, the smart card minidriver architecture supports hardware security modules, so a minidriver could be written for a hardware security module, and a CSP or KSP may not be required unless it is needed to support algorithms that are not implemented in the Base CSP or smart card KSP. -For more information about how to write a smart card minidriver, CSP, or KSP, see [Smart Card Minidrivers](/windows-hardware/drivers/smartcard/smart-card-minidrivers). \ No newline at end of file +For more information about how to write a smart card minidriver, CSP, or KSP, see [Smart Card Minidrivers](/windows-hardware/drivers/smartcard/smart-card-minidrivers). diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index 9931e52d1f..0311f04e6f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -3,7 +3,7 @@ title: Certificate Requirements and Enumeration description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. ms.reviewer: ardenw ms.topic: concept-article -ms.date: 09/24/2021 +ms.date: 11/06/2023 --- # Certificate Requirements and Enumeration 
@@ -12,64 +12,38 @@ This topic for the IT professional and smart card developers describes how certi When a smart card is inserted, the following steps are performed. -> **Note**  Unless otherwise mentioned, all operations are performed silently (CRYPT\_SILENT is passed to CryptAcquireContext). +> [!NOTE] +> Unless otherwise mentioned, all operations are performed silently (CRYPT\_SILENT is passed to CryptAcquireContext). -1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP). +1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP). +1. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is *\\\\.\\<Reader name>\\ +1. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card will be unusable for smart card sign-in. +1. The name of the container is retrieved by using the PP\_CONTAINER parameter with CryptGetProvParam. +1. Using the context acquired in Step 3, the CSP is queried for the PP\_USER\_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8. +1. If the operation in Step 5 fails, the default container context from Step 3 is queried for the AT\_KEYEXCHANGE key. +1. The certificate is then queried from the key context by using KP\_CERTIFICATE. The certificate is added to an in-memory certificate store. +1. For each certificate in the certificate store from Step 5 or Step 7, the following checks are performed: -2. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is *\\\\.\\<Reader name>*\\ - -3. CryptAcquireContext is called to retrieve a context to the default container. 
If a failure occurs, the smart card will be unusable for smart card sign-in. - -4. The name of the container is retrieved by using the PP\_CONTAINER parameter with CryptGetProvParam. - -5. Using the context acquired in Step 3, the CSP is queried for the PP\_USER\_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8. - -6. If the operation in Step 5 fails, the default container context from Step 3 is queried for the AT\_KEYEXCHANGE key. - -7. The certificate is then queried from the key context by using KP\_CERTIFICATE. The certificate is added to an in-memory certificate store. - -8. For each certificate in the certificate store from Step 5 or Step 7, the following checks are performed: - - 1. The certificate must be valid, based on the computer system clock (not expired or valid with a future date). - - 2. The certificate must not be in the AT\_SIGNATURE part of a container. - - 3. The certificate must have a valid user principal name (UPN). - - 4. The certificate must have the digital signature key usage. - - 5. The certificate must have the smart card logon EKU. + 1. The certificate must be valid, based on the computer system clock (not expired or valid with a future date). + 1. The certificate must not be in the AT\_SIGNATURE part of a container. + 1. The certificate must have a valid user principal name (UPN). + 1. The certificate must have the digital signature key usage. + 1. The certificate must have the smart card logon EKU. Any certificate that meets these requirements is displayed to the user with the certificate's UPN (or e-mail address or subject, depending on the presence of the certificate extensions). - > **Note**  These requirements are the same as those in Windows Server 2003, but they are performed before the user enters the PIN. 
You can override many of them by using Group Policy settings. + > [!NOTE] + > These requirements are the same as those in Windows Server 2003, but they are performed before the user enters the PIN. You can override many of them by using Group Policy settings. -9. The process then chooses a certificate, and the PIN is entered. - -10. LogonUI.exe packages the information and sends it to Lsass.exe to process the sign-in attempt. - -11. If successful, LogonUI.exe closes. This causes the context acquired in Step 3 to be released. - -## About Certificate support for compatibility - -Although versions of Windows earlier than Windows Vista include support for smart cards, the types of certificates that smart cards can contain are limited. The limitations are: - -- Each certificate must have a user principal name (UPN) and the smart card sign-in object identifier (also known as OID) in the extended key usage (EKU) attribute field. There is a Group Policy setting, Allow ECC certificates to be used for logon and authentication, to make the EKU optional. - -- Each certificate must be stored in the AT\_KEYEXCHANGE portion of the default CryptoAPI container, and non-default CryptoAPI containers are not supported. - -The following table lists the certificate support in older Windows operating system versions. - -| **Operating system** | **Certificate support** | -|---------------------------------------|----------------------------------------------------------------------------------------------------------| -| Windows Server 2008 R2 and Windows 7 | Support for smart card sign-in with ECC-based certificates. ECC smart card sign-in is enabled through Group Policy.

ECDH\_P256
ECDH
Curve P-256 from FIPS 186-2

ECDSA\_P256
ECDSA
Curve P-256 from FIPS 186-2

ECDH\_P384
ECDH
Curve P-384 from FIPS 186-2

ECDH\_P521
ECDH
Curve P-521 from FIPS 186-2

ECDSA\_P256
ECDH
Curve P-256 from FIPS 186-2

ECDSA\_P384
ECDSA
Curve P-384 from FIPS 186-2

ECDSA\_P521
ECDSA
Curve P-384 from FIPS 186-2 | -| Windows Server 2008 and Windows Vista | Valid certificates are enumerated and displayed from all smart cards and presented to the user.
Keys are no longer restricted to the default container, and certificates in different containers can be chosen.
Elliptic curve cryptography (ECC)-based certificates are not supported for smart card sign-in | +1. The process then chooses a certificate, and the PIN is entered. +1. LogonUI.exe packages the information and sends it to Lsass.exe to process the sign-in attempt. +1. If successful, LogonUI.exe closes. This causes the context acquired in Step 3 to be released. ## Smart card sign-in flow in Windows Most issues during authentication occur because of session behavior changes. When changes occur, the Local Security Authority (LSA) does not reacquire the session context; it relies instead on the Cryptographic Service Provider to handle the session change. -Client certificates that do not contain a UPN in the **subjectAltName** (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card. +Client certificates that do not contain a UPN in the `subjectAltName`` (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card. Support for multiple certificates on the same card is enabled by default. New certificate types must be enabled through Group Policy. 
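Review bot: step 2 of the rewritten list loses its closing emphasis marker: `*\\\\.\\<Reader name>*\\` became `*\\\\.\\<Reader name>\\`, which leaves an unbalanced `*` that either renders as a literal asterisk or italicizes the rest of the line; restore the `*` or put the container name format in a code span. In the sign-in flow paragraph, `` `subjectAltName`` `` has a stray second backtick. This hunk also deletes the entire "About Certificate support for compatibility" section, including the ECC algorithm/curve table and the only mention of the "Allow ECC certificates to be used for logon and authentication" Group Policy setting; the remaining text says "New certificate types must be enabled through Group Policy" without naming the setting, so either keep that sentence with the setting name or confirm it is documented elsewhere, and say in the commit message that the legacy section was removed deliberately.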
@@ -79,51 +53,39 @@ The following diagram illustrates how smart card sign-in works in the supported ![Smart card sign-in flow.](images/sc-image402.png) -**Smart card sign-in flow** +### Smart card sign-in flow Following are the steps that are performed during a smart card sign-in: 1. Winlogon requests the sign-in UI credential information. +1. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following: + 1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected). + 1. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them. + 1. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal. -2. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following: + > [!NOTE] + > Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior after Windows Vista, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created. - 1. 
Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected). + 1. Notifies the sign-in UI that it has new credentials. - 2. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them. +1. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box. +1. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN. +1. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB\_CERTIFICATE\_LOGON structure. The main contents of the KERB\_CERTIFICATE\_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain is not in the same forest because it enables a certificate to be mapped to multiple user accounts. +1. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI. +1. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser. +1. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB\_AS\_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)). - 3. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. 
If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal. + If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.
If the authentication is performed by using a certificate that uses key encipherment, the preauthentication data consists of the user's public certificate and the certificate that is encrypted with the corresponding private key. - > **Note**  Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior after Windows Vista, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created. +1. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card subsystem is called, and the necessary operation is completed. The result is sent back to the Kerberos security support provider (SSP). +1. The Kerberos SSP sends an authentication request for a ticket-granting-ticket (TGT) (per RFC 4556) to the Key Distribution Center (KDC) service that runs on a domain controller. +1. The KDC finds the user's account object in Active Directory Domain Services (AD DS), as detailed in [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings), and uses the user's certificate to verify the signature. +1. The KDC validates the user's certificate (time, path, and revocation status) to ensure that the certificate is from a trusted source. 
The KDC uses CryptoAPI to build a certification path from the user's certificate to a root certification authority (CA) certificate that resides in the root store on the domain controller. The KDC then uses CryptoAPI to verify the digital signature on the signed authenticator that was included in the preauthentication data fields. The domain controller verifies the signature and uses the public key from the user's certificate to prove that the request originated from the owner of the private key that corresponds to the public key. The KDC also verifies that the issuer is trusted and appears in the NTAUTH certificate store. +1. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT's authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member. +1. The domain controller returns the TGT to the client as part of the KRB\_AS\_REP response. - 4. Notifies the sign-in UI that it has new credentials. - -3. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box. - -4. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN. - -5. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB\_CERTIFICATE\_LOGON structure. 
The main contents of the KERB\_CERTIFICATE\_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain is not in the same forest because it enables a certificate to be mapped to multiple user accounts. - -6. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI. - -7. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser. - -8. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB\_AS\_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)). - - If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.
If the authentication is performed by using a certificate that uses key encipherment, the preauthentication data consists of the user's public certificate and the certificate that is encrypted with the corresponding private key. - -9. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card subsystem is called, and the necessary operation is completed. The result is sent back to the Kerberos security support provider (SSP). - -10. The Kerberos SSP sends an authentication request for a ticket-granting-ticket (TGT) (per RFC 4556) to the Key Distribution Center (KDC) service that runs on a domain controller. - -11. The KDC finds the user's account object in Active Directory Domain Services (AD DS), as detailed in [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings), and uses the user's certificate to verify the signature. - -12. The KDC validates the user's certificate (time, path, and revocation status) to ensure that the certificate is from a trusted source. The KDC uses CryptoAPI to build a certification path from the user's certificate to a root certification authority (CA) certificate that resides in the root store on the domain controller. The KDC then uses CryptoAPI to verify the digital signature on the signed authenticator that was included in the preauthentication data fields. The domain controller verifies the signature and uses the public key from the user's certificate to prove that the request originated from the owner of the private key that corresponds to the public key. The KDC also verifies that the issuer is trusted and appears in the NTAUTH certificate store. - -13. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. 
The TGT's authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member. - -14. The domain controller returns the TGT to the client as part of the KRB\_AS\_REP response. - - > **Note**  The KRB\_AS\_REP packet consists of: + > [!NOTE] + > The KRB\_AS\_REP packet consists of: >- Privilege attribute certificate (PAC) >- User's SID >- SIDs of any groups of which the user is a member 
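Review bot: the rewritten step 8 keeps the pre-existing grammar error "which containing a preauthenticator"; change it to "which contains a preauthenticator". The note relocated under step 2 likewise keeps "If another certificate has the same the subject key identifier" (duplicated "the"). Turning the bold label into `### Smart card sign-in flow` places the heading below the image it titles, so the diagram now sits under the previous heading; move the new heading above `![Smart card sign-in flow.](images/sc-image402.png)`.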
@@ -132,21 +94,16 @@ Following are the steps that are performed during a smart card sign-in: TGT is encrypted with the master key of the KDC, and the session key is encrypted with a temporary key. This temporary key is derived based on RFC 4556. Using CryptoAPI, the temporary key is decrypted. As part of the decryption process, if the private key is on a smart card, a call is made to the smart card subsystem by using the specified CSP to extract the certificate corresponding to the user's public key. (Programmatic calls for the certificate include CryptAcquireContext, CryptSetProvParam with the PIN, CryptgetUserKey, and CryptGetKeyParam.) After the temporary key is obtained, the Kerberos SSP decrypts the session key. -15. The client validates the reply from the KDC (time, path, and revocation status). It first verifies the KDC's signature by the construction of a certification path from the KDC's certificate to a trusted root CA, and then it uses the KDC's public key to verify the reply signature. +1. The client validates the reply from the KDC (time, path, and revocation status). It first verifies the KDC's signature by the construction of a certification path from the KDC's certificate to a trusted root CA, and then it uses the KDC's public key to verify the reply signature. +1. Now that a TGT has been obtained, the client obtains a service ticket, which is used to sign in to the local computer. +1. With success, LSA stores the tickets and returns a success message to LSALogonUser. After this success message is issued, user profile for the device is selected and set, Group Policy refresh is instantiated, and other actions are performed. +1. After the user profile is loaded, the Certification Propagation Service (CertPropSvc) detects this event, reads the certificates from the smart card (including the root certificates), and then populates them into the user's certificate store (MYSTORE) +1. 
CSP to smart card resource manager communication happens on the LRPC Channel. +1. On successful authentication, certificates are propagated to the user's store asynchronously by the Certificate Propagation Service (CertPropSvc). +1. When the card is removed, certificates in the temporary secure cache store are removed. The Certificates are no longer available for sign-in, but they remain in the user's certificate store. -16. Now that a TGT has been obtained, the client obtains a service ticket, which is used to sign in to the local computer. - -17. With success, LSA stores the tickets and returns a success message to LSALogonUser. After this success message is issued, user profile for the device is selected and set, Group Policy refresh is instantiated, and other actions are performed. - -18. After the user profile is loaded, the Certification Propagation Service (CertPropSvc) detects this event, reads the certificates from the smart card (including the root certificates), and then populates them into the user's certificate store (MYSTORE). - -19. CSP to smart card resource manager communication happens on the LRPC Channel. - -20. On successful authentication, certificates are propagated to the user's store asynchronously by the Certificate Propagation Service (CertPropSvc). - -21. When the card is removed, certificates in the temporary secure cache store are removed. The Certificates are no longer available for sign-in, but they remain in the user's certificate store. - -> **Note**  A SID is created for each user or group at the time a user account or a group account is created within the local security accounts database or within AD DS. The SID never changes, even if the user or group account is renamed. +> [!NOTE] +> A SID is created for each user or group at the time a user account or a group account is created within the local security accounts database or within AD DS. The SID never changes, even if the user or group account is renamed. 
For more information about the Kerberos protocol, see [Microsoft Kerberos](/windows/win32/secauthn/microsoft-kerberos). @@ -156,11 +113,9 @@ By default, the KDC verifies that the client's certificate contains the smart ca Active Directory Certificate Services provides three kinds of certificate templates: -- Domain controller - -- Domain controller authentication - -- Kerberos authentication +- Domain controller +- Domain controller authentication +- Kerberos authentication Depending on the configuration of the domain controller, one of these types of certificates is sent as a part of the AS\_REP packet. @@ -172,57 +127,54 @@ Certificate requirements are listed by versions of the Windows operating system. The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider. - -| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11** | **Requirements for Windows XP** | -|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| CRL distribution point location | Not required | The location must be specified, online, and available, for example:
\[1\]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=`` | -| Key usage | Digital signature | Digital signature | -| Basic constraints | Not required | \[Subject Type=End Entity, Path Length Constraint=None\] (Optional) | -| extended key usage (EKU) | The smart card sign-in object identifier is not required.

**Note**  If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. | - Client Authentication (1.3.6.1.5.5.7.3.2)
The client authentication object identifier is required only if a certificate is used for SSL authentication.

- Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2) | -| Subject alternative name | E-mail ID is not required for smart card sign-in. | Other Name: Principal Name=(UPN), for example:
UPN=user1@contoso.com
The UPN OtherName object identifier is 1.3.6.1.4.1.311.20.2.3.
The UPN OtherName value must be an ASN1-encoded UTF8 string. | -| Subject | Not required | Distinguished name of user. This field is a mandatory extension, but the population of this field is optional. | -| Key exchange (AT\_KEYEXCHANGE field) | Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.) | Not required | -| CRL | Not required | Not required | -| UPN | Not required | Not required | -| Notes | You can enable any certificate to be visible for the smart card credential provider. | There are two predefined types of private keys. These keys are Signature Only (AT\_SIGNATURE) and Key Exchange (AT\_KEYEXCHANGE). Smart card sign-in certificates must have a Key Exchange (AT\_KEYEXCHANGE) private key type. | +| Component | Requirements | +|--|--| +| CRL distribution point location | Not required | +| Key usage | Digital signature | +| Basic constraints | Not required | +| extended key usage (EKU) | The smart card sign-in object identifier is not required.

**Note** If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. | +| Subject alternative name | E-mail ID is not required for smart card sign-in. | +| Subject | Not required | +| Key exchange (AT\_KEYEXCHANGE field) | Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.) | +| CRL | Not required | +| UPN | Not required | +| Notes | You can enable any certificate to be visible for the smart card credential provider. | ### Client certificate mappings Certificate mapping is based on the UPN that is contained in the subjectAltName (SAN) field of the certificate. Client certificates that do not contain information in the SAN field are also supported. -SSL/TLS can map certificates that do not have SAN, and the mapping is done by using the AltSecID attributes on client accounts. The X509 AltSecID, which is used by SSL/TLS client authentication is of the form "X509: <I>"*<Issuer Name>*"<S>"*<Subject Name>*. The *<Issuer Name>* and *<Subject Name>* are taken from the client certificate, with '\\r' and '\\n' replaced with ','. +SSL/TLS can map certificates that do not have SAN, and the mapping is done by using the AltSecID attributes on client accounts. The X509 AltSecID, which is used by SSL/TLS client authentication is of the form "X509: `` `` and `` are taken from the client certificate, with '\\r' and '\\n' replaced with ','. 
-**Certificate revocation list distribution points** +#### Certificate revocation list distribution points ![Certificate revocation list distribution points.](images/sc-image403.png) -**UPN in Subject Alternative Name field** +#### UPN in Subject Alternative Name field ![UPN in Subject Alternative Name field.](images/sc-image404.png) -**Subject and Issuer fields** +#### Subject and Issuer fields ![Subject and Issuer fields.](images/sc-image405.png) This account mapping is supported by the KDC in addition to six other mapping methods. The following figure demonstrates a flow of user account mapping logic that is used by the KDC. -**High-level flow of certificate processing for sign-in** +#### High-level flow of certificate processing for sign-in ![High-level flow of certificate processing for sign-in.](images/sc-image406.png) The certificate object is parsed to look for content to perform user account mapping. -- When a user name is provided with the certificate, the user name is used to locate the account object. This operation is the fastest, because string matching occurs. - -- When only the certificate object is provided, a series of operations are performed to locate the user name to map the user name to an account object. - -- When no domain information is available for authentication, the local domain is used by default. If any other domain is to be used for lookup, a domain name hint should be provided to perform the mapping and binding. +- When a user name is provided with the certificate, the user name is used to locate the account object. This operation is the fastest, because string matching occurs +- When only the certificate object is provided, a series of operations are performed to locate the user name to map the user name to an account object +- When no domain information is available for authentication, the local domain is used by default. 
If any other domain is to be used for lookup, a domain name hint should be provided to perform the mapping and binding Mapping based on generic attributes is not possible because there is no generic API to retrieve attributes from a certificate. Currently, the first method that locates an account successfully stops the search. But a configuration error occurs if two methods map the same certificate to different user accounts when the client does not supply the client name through the mapping hints. The following figure illustrates the process of mapping user accounts for sign-in in the directory by viewing various entries in the certificate. -**Certificate processing logic** +#### Certificate processing logic ![Certificate processing logic.](images/sc-image407.png) 
@@ -232,21 +184,17 @@ NT\_AUTH policy is best described in the CERT\_CHAIN\_POLICY\_NT\_AUTH parameter A single user certificate can be mapped to multiple accounts. For example, a user might be able to sign in to a user account and also to sign in as a domain administrator. The mapping is done by using the constructed AltSecID based on attributes from client accounts. For information about how this mapping is evaluated, see [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings). -> **Note**  Because each account has a different user name, we recommend that you enable the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) to provide the optional fields that allow users to enter their user names and domain information to sign in. +> [!NOTE] +> Because each account has a different user name, we recommend that you enable the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) to provide the optional fields that allow users to enter their user names and domain information to sign in. Based on the information that is available in the certificate, the sign-in conditions are: -1. If no UPN is present in the certificate: - - 1. Sign-in can occur in the local forest or in another forest if a single user with one certificate needs to sign in to different accounts. - - 2. A hint must be supplied if mapping is not unique (for example, if multiple users are mapped to the same certificate). - -2. If a UPN is present in the certificate: - - 1. The certificate cannot be mapped to multiple users in the same forest. - - 2. The certificate can be mapped to multiple users in different forests. For a user to sign in to other forests, an X509 hint must be supplied to the user. +1. If no UPN is present in the certificate: + 1. Sign-in can occur in the local forest or in another forest if a single user with one certificate needs to sign in to different accounts + 1. 
A hint must be supplied if mapping is not unique (for example, if multiple users are mapped to the same certificate) +1. If a UPN is present in the certificate: + 1. The certificate cannot be mapped to multiple users in the same forest + 1. The certificate can be mapped to multiple users in different forests. For a user to sign in to other forests, an X509 hint must be supplied to the user ## Smart card sign-in for multiple users into a single account @@ -258,9 +206,10 @@ For example, if Certificate1 has CN=CNName1, Certificate2 has CN=User1, and Cert ## Smart card sign-in across forests -For account mapping to work across forests, particularly in cases where there is not enough information available on the certificate, the user might enter a hint in the form of a user name, such as *domain\\user*, or a fully qualified UPN such as user@contoso.com. +For account mapping to work across forests, particularly in cases where there is not enough information available on the certificate, the user might enter a hint in the form of a user name, such as *domain\\user*, or a fully qualified UPN such as `user@contoso.com`. -> **Note**  For the hint field to appear during smart card sign-in, the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) must be enabled on the client. +> [!NOTE] +> For the hint field to appear during smart card sign-in, the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) must be enabled on the client. ## OCSP support for PKINIT 
@@ -274,40 +223,29 @@ Windows client computers attempt to request the OCSP responses and use them in t For sign-in to work in a smart card-based domain, the smart card certificate must meet the following conditions: -- The KDC root certificate on the smart card must have an HTTP CRL distribution point listed in its certificate. - -- The smart card sign-in certificate must have the HTTP CRL distribution point listed in its certificate. - -- The CRL distribution point must have a valid CRL published and a delta CRL, if applicable, even if the CRL distribution point is empty. - +- The KDC root certificate on the smart card must have an HTTP CRL distribution point listed in its certificate +- The smart card sign-in certificate must have the HTTP CRL distribution point listed in its certificate +- The CRL distribution point must have a valid CRL published and a delta CRL, if applicable, even if the CRL distribution point is empty - The smart card certificate must contain one of the following: - - - A subject field that contains the DNS domain name in the distinguished name. If it does not, resolution to an appropriate domain fails, so Remote Desktop Services and the domain sign-in with the smart card fail. - - - A UPN where the domain name resolves to the actual domain. For example, if the domain name is Engineering.Corp.Contoso, the UPN is username@engineering.corp.contoso.com. If any part of the domain name is omitted, the Kerberos client cannot find the appropriate domain. + - A subject field that contains the DNS domain name in the distinguished name. If it does not, resolution to an appropriate domain fails, so Remote Desktop Services and the domain sign-in with the smart card fail + - A UPN where the domain name resolves to the actual domain. For example, if the domain name is `Engineering.Corp.Contoso`, the UPN is `username@engineering.corp.contoso.com`. 
If any part of the domain name is omitted, the Kerberos client cannot find the appropriate domain Although the HTTP CRL distribution points are on by default in Windows Server 2008, subsequent versions of the Windows Server operating system do not include HTTP CRL distribution points. To allow smart card sign-in to a domain in these versions, do the following: -1. Enable HTTP CRL distribution points on the CA. - -2. Restart the CA. - -3. Reissue the KDC certificate. - -4. Issue or reissue the smart card sign-in certificate. - -5. Propagate the updated root certificate to the smart card that you want to use for the domain sign-in. +1. Enable HTTP CRL distribution points on the CA +1. Restart the CA +1. Reissue the KDC certificate +1. Issue or reissue the smart card sign-in certificate +1. Propagate the updated root certificate to the smart card that you want to use for the domain sign-in The workaround is to enable the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key), which allows the user to supply a hint in the credentials user interface for domain sign-in. -If the client computer is not joined to the domain or if it is joined to a different domain, the client computer can resolve the server domain only by looking at the distinguished name on the certificate, not the UPN. For this scenario to work, the certificate requires a full subject, including DC=*<DomainControllerName>*, for domain name resolution. +If the client computer is not joined to the domain or if it is joined to a different domain, the client computer can resolve the server domain only by looking at the distinguished name on the certificate, not the UPN. For this scenario to work, the certificate requires a full subject, including `DC=`, for domain name resolution. 
To deploy root certificates on a smart card for the currently joined domain, you can use the following command: -**certutil -scroots update** +```cmd +certutil.exe -scroots update +``` For more information about this option for the command-line tool, see [-SCRoots](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_SCRoots). - -## See also - -[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md) diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index 8193759010..ba68729da2 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -6,7 +6,7 @@ ms.collection: - highpri - tier2 ms.topic: troubleshooting -ms.date: 09/24/2021 +ms.date: 11/06/2023 --- # Smart Card Troubleshooting 
@@ -15,17 +15,12 @@ This article explains tools and services that smart card developers can use to h Debugging and tracing smart card issues requires a variety of tools and approaches. The following sections provide guidance about tools and approaches you can use. -- [Certutil](#certutil) - -- [Debugging and tracing using Windows software trace preprocessor (WPP)](#debugging-and-tracing-using-wpp) - -- [Kerberos protocol, Key Distribution Center (KDC), and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing) - -- [Smart Card service](#smart-card-service) - -- [Smart card readers](#smart-card-readers) - -- [CryptoAPI 2.0 Diagnostics](#cryptoapi-20-diagnostics) +- [Certutil](#certutil) +- [Debugging and tracing using Windows software trace preprocessor (WPP)](#debugging-and-tracing-using-wpp) +- [Kerberos protocol, Key Distribution Center (KDC), and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing) +- [Smart Card service](#smart-card-service) +- [Smart card readers](#smart-card-readers) +- [CryptoAPI 2.0 Diagnostics](#cryptoapi-20-diagnostics) ## Certutil @@ -44,7 +39,7 @@ Each certificate is enclosed in a container. When you delete a certificate on th To find the container value, type `certutil -scinfo`. -To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider"** "<*ContainerValue*>". +To delete a container, type `certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" ""`. ## Debugging and tracing using WPP 
@@ -54,9 +49,10 @@ WPP simplifies tracing the operation of the trace provider. It provides a mechan Using WPP, use one of the following commands to enable tracing: -- **tracelog.exe -kd -rt -start** <*FriendlyName*> **-guid \#**<*GUID*> **-f .\\**<*LogFileName*>**.etl -flags** <*flags*> **-ft 1** - -- **logman start** <*FriendlyName*> **-ets -p {**<*GUID*>**} -**<*Flags*> **-ft 1 -rt -o .\\**<*LogFileName*>**.etl -mode 0x00080000** +```cmd +tracelog.exe -kd -rt -start -guid \ -f .\\.etl -flags -ft 1 +logman start -ets -p {} - -ft 1 -rt -o .\\.etl -mode 0x00080000 +``` You can use the parameters in the following table. 
@@ -72,77 +68,91 @@ You can use the parameters in the following table. | `scfilter` | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff | | `wudfusbccid` | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff | -Examples +### Examples To enable tracing for the SCardSvr service: -- **tracelog.exe -kd -rt -start scardsvr -guid \#13038e47-ffec-425d-bc69-5707708075fe -f .\\scardsvr.etl -flags 0xffff -ft 1** +```cmd +tracelog.exe -kd -rt -start scardsvr -guid \#13038e47-ffec-425d-bc69-5707708075fe -f .\\scardsvr.etl -flags 0xffff -ft 1 +logman start scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .\\scardsvr.etl -mode 0x00080000 +``` -- **logman start scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .\\scardsvr.etl -mode 0x00080000** +To enable tracing for `scfilter.sys`: -To enable tracing for scfilter.sys: - - - **tracelog.exe -kd -rt -start scfilter -guid \#eed7f3c9-62ba-400e-a001-658869df9a91 -f .\\scfilter.etl -flags 0xffff -ft 1** +```cmd +tracelog.exe -kd -rt -start scfilter -guid \#eed7f3c9-62ba-400e-a001-658869df9a91 -f .\\scfilter.etl -flags 0xffff -ft 1 +``` ### Stop the trace Using WPP, use one of the following commands to stop the tracing: -- **tracelog.exe -stop** <*FriendlyName*> - -- **logman -stop** <*FriendlyName*> **-ets** +```cmd +tracelog.exe -stop <*FriendlyName*> +logman -stop <*FriendlyName*> -ets +``` #### Examples To stop a trace: -- **tracelog.exe -stop scardsvr** - -- **logman -stop scardsvr -ets** +```cmd +tracelog.exe -stop scardsvr +logman -stop scardsvr -ets +``` ## Kerberos protocol, KDC, and NTLM debugging and tracing - - You can use these resources to troubleshoot these protocols and the KDC: -- [Kerberos and LDAP Troubleshooting Tips](/previous-versions/tn-archive/bb463167(v=technet.10)). 
+- [Kerberos and LDAP Troubleshooting Tips](/previous-versions/tn-archive/bb463167(v=technet.10)) +- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit). You can use the trace log tool in this SDK to debug Kerberos authentication failures. -- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit).  You can use the trace log tool in this SDK to debug Kerberos authentication failures. - -To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](/windows-hardware/drivers/devtest/tracelog). +To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](/windows-hardware/drivers/devtest/tracelog) ### NTLM To enable tracing for NTLM authentication, run the following command on the command line: - - **tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1** +```cmd +tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1 +``` To stop tracing for NTLM authentication, run this command: - - **tracelog -stop ntlm** +```cmd +tracelog -stop ntlm +``` ### Kerberos authentication To enable tracing for Kerberos authentication, run this command: - - **tracelog.exe -kd -rt -start kerb -guid \#6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\\kerb.etl -flags 0x43 -ft 1** +```cmd +tracelog.exe -kd -rt -start kerb -guid \#6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\\kerb.etl -flags 0x43 -ft 1 +``` To stop tracing for Kerberos authentication, run this command: - - **tracelog.exe -stop kerb** +```cmd +tracelog.exe -stop kerb +``` ### KDC To enable tracing for the KDC, run the following command on the 
command line: - - **tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1** +```cmd +tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1 +``` To stop tracing for the KDC, run the following command on the command line: - - **tracelog.exe -stop kdc** +```cmd +tracelog.exe -stop kdc +``` -To stop tracing from a remote computer, run this command: logman.exe -s *<ComputerName>*. +To stop tracing from a remote computer, run this command: logman.exe -s **. > [!NOTE] > The default location for logman.exe is %systemroot%system32\\. Use the **-s** option to supply a computer name. @@ -157,15 +167,13 @@ You can also configure tracing by editing the Kerberos registry values shown in | Kerberos | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos
Value name: LogToFile
Value type: DWORD
Value data: 00000001

HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters
Value name: KerbDebugLevel
Value type: DWORD
Value data: c0000043

HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters
Value name: LogToFile
Value type: DWORD
Value data: 00000001 | | KDC | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc
Value name: KdcDebugLevel
Value type: DWORD
Value data: c0000803 | -If you used `Tracelog`, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl. +If you used `Tracelog`, look for the following log file in your current directory: `kerb.etl/kdc.etl/ntlm.etl`. If you used the registry key settings shown in the previous table, look for the trace log files in the following locations: -- NTLM: %systemroot%\\tracing\\msv1\_0 - -- Kerberos: %systemroot%\\tracing\\kerberos  - -- KDC: %systemroot%\\tracing\\kdcsvc  +- NTLM: %systemroot%\\tracing\\msv1\_0 +- Kerberos: %systemroot%\\tracing\\kerberos +- KDC: %systemroot%\\tracing\\kdcsvc To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](/windows-hardware/drivers/devtest/tracefmt). 
@@ -173,25 +181,19 @@ To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` i The smart card resource manager service runs in the context of a local service. It's implemented as a shared service of the services host (svchost) process. -**To check if Smart Card service is running** +To check if Smart Card service is running: -1. Press CTRL+ALT+DEL, and then select **Start Task Manager**. +1. Press CTRL+ALT+DEL, and then select **Start Task Manager** +1. In the **Windows Task Manager** dialog box, select the **Services** tab +1. Select the **Name** column to sort the list alphabetically, and then type **s** +1. In the **Name** column, look for **SCardSvr**, and then look under the **Status** column to see if the service is running or stopped -2. In the **Windows Task Manager** dialog box, select the **Services** tab. +To restart Smart Card service: -3. Select the **Name** column to sort the list alphabetically, and then type **s**. - -4. In the **Name** column, look for **SCardSvr**, and then look under the **Status** column to see if the service is running or stopped. - -**To restart Smart Card service** - -1. Run as administrator at the command prompt. - -2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. - -3. At the command prompt, type `net stop SCardSvr`. - -4. At the command prompt, type `net start SCardSvr`. +1. Run as administrator at the command prompt +1. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes** +1. At the command prompt, type `net stop SCardSvr` +1. At the command prompt, type `net start SCardSvr` You can use the following command at the command prompt to check whether the service is running: `sc queryex scardsvr`. 
@@ -215,15 +217,12 @@ C:\> As with any device connected to a computer, Device Manager can be used to view properties and begin the debug process. -**To check if smart card reader is working** +To check if smart card reader is working: -1. Navigate to **Computer**. - -2. Right-click **Computer**, and then select **Properties**. - -3. Under **Tasks**, select **Device Manager**. - -4. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then select **Properties**. +1. Navigate to **Computer** +1. Right-click **Computer**, and then select **Properties** +1. Under **Tasks**, select **Device Manager** +1. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then select **Properties** > [!NOTE] > If the smart card reader is not listed in Device Manager, in the **Action** menu, select **Scan for hardware changes**. diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index 81d22a9785..099af97427 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -3,7 +3,7 @@ title: Smart Card Group Policy and Registry Settings description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards. ms.reviewer: ardenw ms.topic: reference -ms.date: 11/02/2021 +ms.date: 11/06/2023 --- # Smart Card Group Policy and Registry Settings 
@@ -12,72 +12,51 @@ This article for IT professionals and smart card developers describes the Group The following sections and tables list the smart card-related Group Policy settings and registry keys that can be set on a per-computer basis. If you use domain Group Policy Objects (GPOs), you can edit and apply Group Policy settings to local or domain computers. -- [Primary Group Policy settings for smart cards](#primary-group-policy-settings-for-smart-cards) - - - [Allow certificates with no extended key usage certificate attribute](#allow-certificates-with-no-extended-key-usage-certificate-attribute) - - - [Allow ECC certificates to be used for logon and authentication](#allow-ecc-certificates-to-be-used-for-logon-and-authentication) - - - [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon) - - - [Allow signature keys valid for Logon](#allow-signature-keys-valid-for-logon) - - - [Allow time invalid certificates](#allow-time-invalid-certificates) - - - [Allow user name hint](#allow-user-name-hint) - - - [Configure root certificate clean up](#configure-root-certificate-clean-up) - - - [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked) - - - [Filter duplicate logon certificates](#filter-duplicate-logon-certificates) - - - [Force the reading of all certificates from the smart card](#force-the-reading-of-all-certificates-from-the-smart-card) - - - [Notify user of successful smart card driver installation](#notify-user-of-successful-smart-card-driver-installation) - - - [Prevent plaintext PINs from being returned by Credential Manager](#prevent-plaintext-pins-from-being-returned-by-credential-manager) - - - [Reverse the subject name stored in a certificate when displaying](#reverse-the-subject-name-stored-in-a-certificate-when-displaying) - - - [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card) - 
- - [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card) - - - [Turn on Smart Card Plug and Play service](#turn-on-smart-card-plug-and-play-service) - -- [Base CSP and Smart Card KSP registry keys](#base-csp-and-smart-card-ksp-registry-keys) - -- [CRL checking registry keys](#crl-checking-registry-keys) - -- [Additional smart card Group Policy settings and registry keys](#additional-smart-card-group-policy-settings-and-registry-keys) +- [Primary Group Policy settings for smart cards](#primary-group-policy-settings-for-smart-cards) + - [Allow certificates with no extended key usage certificate attribute](#allow-certificates-with-no-extended-key-usage-certificate-attribute) + - [Allow ECC certificates to be used for logon and authentication](#allow-ecc-certificates-to-be-used-for-logon-and-authentication) + - [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon) + - [Allow signature keys valid for Logon](#allow-signature-keys-valid-for-logon) + - [Allow time invalid certificates](#allow-time-invalid-certificates) + - [Allow user name hint](#allow-user-name-hint) + - [Configure root certificate clean up](#configure-root-certificate-clean-up) + - [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked) + - [Filter duplicate logon certificates](#filter-duplicate-logon-certificates) + - [Force the reading of all certificates from the smart card](#force-the-reading-of-all-certificates-from-the-smart-card) + - [Notify user of successful smart card driver installation](#notify-user-of-successful-smart-card-driver-installation) + - [Prevent plaintext PINs from being returned by Credential Manager](#prevent-plaintext-pins-from-being-returned-by-credential-manager) + - [Reverse the subject name stored in a certificate when displaying](#reverse-the-subject-name-stored-in-a-certificate-when-displaying) + - 
[Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card) + - [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card) + - [Turn on Smart Card Plug and Play service](#turn-on-smart-card-plug-and-play-service) +- [Base CSP and Smart Card KSP registry keys](#base-csp-and-smart-card-ksp-registry-keys) +- [CRL checking registry keys](#crl-checking-registry-keys) +- [Additional smart card Group Policy settings and registry keys](#additional-smart-card-group-policy-settings-and-registry-keys) ## Primary Group Policy settings for smart cards -The following smart card Group Policy settings are in Computer Configuration\\Administrative Templates\\Windows Components\\Smart Card. +The following smart card Group Policy settings are in Computer Configuration\Administrative Templates\Windows Components\Smart Card. The registry keys are in the following locations: -- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\Policies\\Microsoft\\Windows\\ScPnP\\EnableScPnP** - -- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SmartCardCredentialProvider** - -- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CertProp** +- **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScPnP\EnableScPnP** +- **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider** +- **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CertProp** > [!NOTE] -> Smart card reader registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\Readers**.
-Smart card registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\SmartCards**. +> Smart card reader registry information is in **HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Calais\Readers**.\ +> Smart card registry information is in **HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Calais\SmartCards**. The following table lists the default values for these GPO settings. Variations are documented under the policy descriptions in this article. -| **Server type or GPO** | **Default value** | -|----------------------------------------------|-------------------| -| Default Domain Policy | Not configured | -| Default Domain Controller Policy | Not configured | -| Stand-Alone Server Default Settings | Not configured | -| Domain Controller Effective Default Settings | Disabled | -| Member Server Effective Default Settings | Disabled | -| Client Computer Effective Default Settings | Disabled | +| Server type or GPO | Default value | +|--|--| +| Default Domain Policy | Not configured | +| Default Domain Controller Policy | Not configured | +| Stand-Alone Server Default Settings | Not configured | +| Domain Controller Effective Default Settings | Disabled | +| Member Server Effective Default Settings | Disabled | +| Client Computer Effective Default Settings | Disabled | ### Allow certificates with no extended key usage certificate attribute 
@@ -90,20 +69,17 @@ You can use this policy setting to allow certificates without an extended key us When this policy setting is turned on, certificates with the following attributes can also be used to sign in with a smart card: -- Certificates with no EKU - -- Certificates with an All Purpose EKU - -- Certificates with a Client Authentication EKU +- Certificates with no EKU +- Certificates with an All Purpose EKU +- Certificates with a Client Authentication EKU When this policy setting isn't turned on, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card. -| **Item** | **Description** | -|--------------------------------------|-------------------------------------------------------------------------------------------------------------| -| Registry key | AllowCertificatesWithNoEKU | -| Default values | No changes per operating system versions
Disabled and not configured are equivalent | -| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | -| Notes and resources | | +| Item | Description | +|--|--| +| Registry key | AllowCertificatesWithNoEKU | +| Default values | No changes per operating system versions
Disabled and not configured are equivalent | +| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | ### Allow ECC certificates to be used for logon and authentication @@ -113,12 +89,12 @@ When this setting is turned on, ECC certificates on a smart card can be used to When this setting isn't turned on, ECC certificates on a smart card can't be used to sign in to a domain. -| **Item** | **Description** | -|--------------------------------------|-------------------------------| -| Registry key | **EnumerateECCCerts** | -| Default values | No changes per operating system versions
Disabled and not configured are equivalent | -| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | -| Notes and resources | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, aren't affected by this policy setting.
If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign in when you're not connected to the network. | +| Item | Description | +|--|--| +| Registry key | `EnumerateECCCerts` | +| Default values | No changes per operating system versions
Disabled and not configured are equivalent | +| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | +| Notes and resources | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, aren't affected by this policy setting.
If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign in when you're not connected to the network. | ### Allow Integrated Unblock screen to be displayed at the time of logon @@ -128,27 +104,26 @@ When this setting is turned on, the integrated unblock feature is available. When this setting isn't turned on, the feature is not available. -| **Item** | **Description** | -|--------------------------------------|---------------------------------------------------------------------------------------------------------------| -| Registry key | **AllowIntegratedUnblock** | -| Default values | No changes per operating system versions
Disabled and not configured are equivalent | -| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | -| Notes and resources | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature.
You can create a custom message that the user sees when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). | +| Item | Description | +|--|--| +| Registry key | `AllowIntegratedUnblock` | +| Default values | No changes per operating system versions
Disabled and not configured are equivalent | +| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | +| Notes and resources | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature.
You can create a custom message that the user sees when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). | ### Allow signature keys valid for Logon -You can use this policy setting to allow signature key–based certificates to be enumerated and available for sign-in. +You can use this policy setting to allow signature key-based certificates to be enumerated and available for sign-in. When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen. When this setting isn't turned on, certificates available on the smart card with a signature-only key aren't listed on the sign-in screen. -| **Item** | **Description** | -|--------------------------------------|-------------------------------------------------------------------------------------------------------------| -| Registry key | **AllowSignatureOnlyKeys**| -| Default values | No changes per operating system versions
Disabled and not configured are equivalent | -| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | -| Notes and resources | | +| Item | Description | +|--|--| +| Registry key | **AllowSignatureOnlyKeys** | +| Default values | No changes per operating system versions
Disabled and not configured are equivalent | +| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | ### Allow time invalid certificates @@ -161,48 +136,43 @@ When this setting is turned on, certificates are listed on the sign-in screen wh When this policy setting isn't turned on, certificates that are expired or not yet valid aren't listed on the sign-in screen. -| **Item** | **Description** | -|--------------------------------------|-------------------------------------------------------------------------------------------------------------| -| Registry key | **AllowTimeInvalidCertificates** | -| Default values | No changes per operating system versions
Disabled and not configured are equivalent | -| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | -| Notes and resources | | +| Item | Description | +|--|--| +| Registry key | `AllowTimeInvalidCertificates` | +| Default values | No changes per operating system versions
Disabled and not configured are equivalent | +| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | ### Allow user name hint -You can use this policy setting to determine whether an optional field appears during sign-in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user. +You can use this policy setting to determine whether an optional field appears during sign-in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user. When this policy setting is turned on, users see an optional field where they can enter their username or username and domain. When this policy setting isn't turned on, users don't see this optional field. -| **Item** | **Description** | -|--------------------------------------|-------------------------------------------------------------------------------------------------------------| -| Registry key | **X509HintsNeeded**| -| Default values | No changes per operating system versions
Disabled and not configured are equivalent | -| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | -| Notes and resources | | +| Item | Description | +|--|--| +| Registry key | `X509HintsNeeded` | +| Default values | No changes per operating system versions
Disabled and not configured are equivalent | +| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | ### Configure root certificate clean-up -You can use this policy setting to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate. +You can use this policy setting to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate. When this policy setting is turned on, you can set the following cleanup options: -- **No cleanup**. When the user signs out or removes the smart card, the root certificates used during their session persist on the computer. - -- **Clean up certificates on smart card removal**. When the smart card is removed, the root certificates are removed. - -- **Clean up certificates on log off**. When the user signs out of Windows, the root certificates are removed. +- **No cleanup**. When the user signs out or removes the smart card, the root certificates used during their session persist on the computer. +- **Clean up certificates on smart card removal**. When the smart card is removed, the root certificates are removed. +- **Clean up certificates on log off**. When the user signs out of Windows, the root certificates are removed. When this policy setting isn't turned on, root certificates are automatically removed when the user signs out of Windows. 
-| **Item** | **Description** | -|--------------------------------------|-------------------------------------------------------------------------------------------------------------| -| Registry key | **RootCertificateCleanupOption**| -| Default values | No changes per operating system versions
Disabled and not configured are equivalent | -| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | -| Notes and resources | | +| Item | Description | +|--|--| +| Registry key | `RootCertificateCleanupOption` | +| Default values | No changes per operating system versions
Disabled and not configured are equivalent | +| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | ### Display string when smart card is blocked @@ -212,12 +182,11 @@ When this policy setting is turned on, you can create and manage the displayed m When this policy setting isn't turned on (and the integrated unblock feature is also enabled), the user sees the system's default message when the smart card is blocked. -| **Item** | **Description** | -|--------------------------------------|-------------------------| -| Registry key | **IntegratedUnblockPromptString** | -| Default values | No changes per operating system versions
Disabled and not configured are equivalent | +| Item | Description | +|--|--| +| Registry key | `IntegratedUnblockPromptString` | +| Default values | No changes per operating system versions
Disabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: This policy setting is only effective when the [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon) policy is enabled. | -| Notes and resources | | ### Filter duplicate logon certificates @@ -234,12 +203,12 @@ If this policy setting isn't turned on, all the certificates are displayed to th This policy setting is applied to the computer after the [Allow time invalid certificates](#allow-time-invalid-certificates) policy setting is applied. -| **Item** | **Description** | -|--------------------------------------|--------------------------------------------------------------------------------------------------| -| Registry key | **FilterDuplicateCerts**| -| Default values | No changes per operating system versions
Disabled and not configured are equivalent | -| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | -| Notes and resources | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate that is used to sign in to computers running Windows 2000, Windows XP, or Windows Server 2003 will be displayed. Otherwise, the certificate with the most distant expiration time will be displayed. | +| Item | Description | +|--|--| +| Registry key | `FilterDuplicateCerts` | +| Default values | No changes per operating system versions
Disabled and not configured are equivalent | +| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | +| Notes and resources | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate that is used to sign in to computers running Windows 2000, Windows XP, or Windows Server 2003 will be displayed. Otherwise, the certificate with the most distant expiration time will be displayed. | ### Force the reading of all certificates from the smart card @@ -249,45 +218,45 @@ When this policy setting is turned on, Windows attempts to read all certificates When this policy isn't turned on, Windows attempts to read only the default certificate from smart cards that don't support retrieval of all certificates in a single call. Certificates other than the default aren't available for sign-in. -| **Item** | **Description** | -|--------------------------------------|----------------------------------------------------------------------------| -| Registry key | **ForceReadingAllCertificates** | -| Default values | No changes per operating system versions
Disabled and not configured are equivalent | -| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None

**Important**: Enabling this policy setting can adversely impact performance during the sign-in process in certain situations. | -| Notes and resources | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior. | +| Item | Description | +|--|--| +| Registry key | `ForceReadingAllCertificates` | +| Default values | No changes per operating system versions
Disabled and not configured are equivalent | +| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None

**Important**: Enabling this policy setting can adversely impact performance during the sign-in process in certain situations. | +| Notes and resources | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior. | ### Notify user of successful smart card driver installation -You can use this policy setting to control whether the user sees a confirmation message when a smart card device driver is installed. +You can use this policy setting to control whether the user sees a confirmation message when a smart card device driver is installed. -When this policy setting is turned on, the user sees a confirmation message when a smart card device driver is installed. +When this policy setting is turned on, the user sees a confirmation message when a smart card device driver is installed. When this setting isn't turned on, the user doesn't see a smart card device driver installation message. -| **Item** | **Description** | -|--------------------------------------|------------------------------------------------| -| Registry key | **ScPnPNotification** | -| Default values | No changes per operating system versions
Disabled and not configured are equivalent | -| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | -| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. | +|--|--| +| -------------------------------------- | ------------------------------------------------ | +| Registry key | `ScPnPNotification` | +| Default values | No changes per operating system versions
Disabled and not configured are equivalent | +| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | +| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. | ### Prevent plaintext PINs from being returned by Credential Manager -You can use this policy setting to prevent Credential Manager from returning plaintext PINs. +You can use this policy setting to prevent Credential Manager from returning plaintext PINs. > [!NOTE] -> Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the user's profile. +> Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the user's profile. -When this policy setting is turned on, Credential Manager doesn't return a plaintext PIN. +When this policy setting is turned on, Credential Manager doesn't return a plaintext PIN. When this setting isn't turned on, Credential Manager can return plaintext PINs. -| **Item** | **Description** | -|--------------------------------------|-----------------------------------------------------------------------------------| -| Registry key | **DisallowPlaintextPin**| -| Default values | No changes per operating system versions
Disabled and not configured are equivalent | -| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | -| Notes and resources | If this policy setting is enabled, some smart cards might not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. | +| Item | Description | +|--|--| +| Registry key | `DisallowPlaintextPin` | +| Default values | No changes per operating system versions
Disabled and not configured are equivalent | +| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | +| Notes and resources | If this policy setting is enabled, some smart cards might not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. | ### Reverse the subject name stored in a certificate when displaying @@ -300,13 +269,11 @@ When this policy setting is turned on, the subject name during sign-in appears r When this policy setting isn't turned on, the subject name appears the same as it's stored in the certificate. - -| **Item** | **Description** | -|--------------------------------------|-------------------------------------------------------------------------------------------------------------| -| Registry key | **ReverseSubject** | -| Default values | No changes per operating system versions
Disabled and not configured are equivalent | -| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | -| Notes and resources | | +| Item | Description | +|--|--| +| Registry key | `ReverseSubject` | +| Default values | No changes per operating system versions
Disabled and not configured are equivalent | +| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | ### Turn on certificate propagation from smart card @@ -318,128 +285,125 @@ When this policy setting is turned on, certificate propagation occurs when the u When this policy setting is turned off, certificate propagation doesn't occur, and the certificates aren't available to applications, like Outlook. -| **Item** | **Description** | -|--------------------------------------|----------------| -| Registry key | **CertPropEnabled**| -| Default values | No changes per operating system versions
Enabled and not configured are equivalent | +| Item | Description | +|--|--| +| Registry key | `CertPropEnabled` | +| Default values | No changes per operating system versions
Enabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: This policy setting must be enabled to allow the [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card) setting to work when it is enabled. | -| Notes and resources | | ### Turn on root certificate propagation from smart card You can use this policy setting to manage the root certificate propagation that occurs when a smart card is inserted. > [!NOTE] -> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. +> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. When this policy setting is turned on, root certificate propagation occurs when the user inserts the smart card. When this policy setting isn't turned on, root certificate propagation doesn't occur when the user inserts the smart card. -| **Item** | **Description** | -|--------------------------------------|---------------------------------------------------------------------------------------------------------| -| Registry key | **EnableRootCertificate Propagation** | -| Default values | No changes per operating system versions
Enabled and not configured are equivalent | +| Item | Description | +|--|--| +| Registry key | `EnableRootCertificate Propagation` | +| Default values | No changes per operating system versions
Enabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: For this policy setting to work, the [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card) policy setting must also be enabled. | -| Notes and resources | | +| Notes and resources | | ### Turn on Smart Card Plug and Play service -You can use this policy setting to control whether Smart Card Plug and Play is enabled. +You can use this policy setting to control whether Smart Card Plug and Play is enabled. > [!NOTE] > Your users can use smart cards from vendors who have published their drivers through Windows Update without needing special middleware. These drivers will be downloaded in the same way as drivers for other devices in Windows. If an appropriate driver isn't available from Windows Update, a PIV-compliant mini driver that's included with any of the supported versions of Windows is used for these cards. -When this policy setting is turned on, the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader. +When this policy setting is turned on, the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader. When this policy setting isn't turned on, a device driver isn't installed when a smart card is inserted in a smart card reader. -| **Item** | **Description** | -|--------------------------------------|------------------------------------------------| -| Registry key | **EnableScPnP** | -| Default values | No changes per operating system versions
Enabled and not configured are equivalent | -| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | -| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. | +| Item | Description | +|--|--| +| Registry key | `EnableScPnP` | +| Default values | No changes per operating system versions
Enabled and not configured are equivalent | +| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | +| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. | ## Base CSP and Smart Card KSP registry keys The following registry keys can be configured for the base cryptography service provider (CSP) and the smart card key storage provider (KSP). The following tables list the keys. All keys use the DWORD type. -The registry keys for the Base CSP are in the registry in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider**. +The registry keys for the Base CSP are in the registry in `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider`. -The registry keys for the smart card KSP are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Cryptography\\Providers\\Microsoft Smart Card Key Storage Provider**. +The registry keys for the smart card KSP are in `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\Microsoft Smart Card Key Storage Provider`. -**Registry keys for the base CSP and smart card KSP** +### Registry keys for the base CSP and smart card KSP -| **Registry Key** | **Description** | -|------------------------------------|---------------------------------------------------------------------------------| -| **AllowPrivateExchangeKeyImport** | A non-zero value allows RSA exchange (for example, encryption) private keys to be imported for use in key archival scenarios.
Default value: 00000000 | -| **AllowPrivateSignatureKeyImport** | A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios.
Default value: 00000000 | -| **DefaultPrivateKeyLenBits** | Defines the default length for private keys, if desired.
Default value: 00000400
Default key generation parameter: 1024-bit keys | -| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required.
Default value: 00000000 | -| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.
Default value: 000005dc
The default timeout for holding transactions to the smart card is 1.5 seconds. | +| Registry Key | Description | +|--|--| +| **AllowPrivateExchangeKeyImport** | A non-zero value allows RSA exchange (for example, encryption) private keys to be imported for use in key archival scenarios.
Default value: 00000000 | +| **AllowPrivateSignatureKeyImport** | A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios.
Default value: 00000000 | +| **DefaultPrivateKeyLenBits** | Defines the default length for private keys, if desired.
Default value: 00000400
Default key generation parameter: 1024-bit keys | +| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required.
Default value: 00000000 | +| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.
Default value: 000005dc
The default timeout for holding transactions to the smart card is 1.5 seconds. | **Additional registry keys for the smart card KSP** -| **Registry Key** | **Description** | -|--------------------------------|-----------------------------------------------------| -| **AllowPrivateECDHEKeyImport** | This value allows Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) private keys to be imported for use in key archival scenarios.
Default value: 00000000 | +| Registry Key | Description | +|--|--| +| **AllowPrivateECDHEKeyImport** | This value allows Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) private keys to be imported for use in key archival scenarios.
Default value: 00000000 | | **AllowPrivateECDSAKeyImport** | This value allows Elliptic Curve Digital Signature Algorithm (ECDSA) private keys to be imported for use in key archival scenarios.
Default value: 00000000 | ## CRL checking registry keys The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you must configure settings for both the KDC and the client. -**CRL checking registry keys** +### CRL checking registry keys -| **Registry Key** | **Details** | -|------------|-----------------------------| -| **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Services\\Kdc\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors**| Type = DWORD
Value = 1 | -| **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Control\\LSA\\Kerberos\\Parameters\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors**| Type = DWORD
Value = 1 | +| Registry Key | Details | +|--|--| +| `HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Kdc\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors` | Type = DWORD
Value = 1 | +| `HKEY_LOCAL_MACHINE\SYSTEM\CCS\Control\LSA\Kerberos\Parameters\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors` | Type = DWORD
Value = 1 | ## Additional smart card Group Policy settings and registry keys In a smart card deployment, additional Group Policy settings can be used to enhance ease-of-use or security. Two of these policy settings that can complement a smart card deployment are: -- Turning off delegation for computers +- Turning off delegation for computers +- Interactive logon: Do not require CTRL+ALT+DEL (not recommended) -- Interactive logon: Do not require CTRL+ALT+DEL (not recommended) +The following smart card-related Group Policy settings are in **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options**. -The following smart card-related Group Policy settings are in Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options. +### Local security policy settings -**Local security policy settings** - -| Group Policy setting and registry key | Default | Description | -|------------------------------------------|------------|---------------| -| Interactive logon: Require smart card

**scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.

**Enabled** Users can sign in to the computer only by using a smart card.
**Disabled** Users can sign in to the computer by using any method.

NOTE: the Windows LAPS-managed local account is exempted from this policy when Enabled. For more information see [Windows LAPS integration with smart card policy](/windows-server/identity/laps/laps-concepts#windows-laps-integration-with-smart-card-policy).
| -| Interactive logon: Smart card removal behavior

**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:
**No Action**
**Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.
**Force Logoff**: The user is automatically signed out when the smart card is removed.
**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.

**Note**: In earlier versions of Windows Server, Remote Desktop Services was called Terminal Services. | +| Group Policy setting and registry key | Default | Description | +|--|--|--| +| Interactive logon: Require smart card

**scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.

**Enabled** Users can sign in to the computer only by using a smart card.
**Disabled** Users can sign in to the computer by using any method.

NOTE: the Windows LAPS-managed local account is exempted from this policy when Enabled. For more information see [Windows LAPS integration with smart card policy](/windows-server/identity/laps/laps-concepts#windows-laps-integration-with-smart-card-policy).
| +| Interactive logon: Smart card removal behavior

**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:
**No Action**
**Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.
**Force Logoff**: The user is automatically signed out when the smart card is removed.
**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.

**Note**: In earlier versions of Windows Server, Remote Desktop Services was called Terminal Services. | From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers. -The following smart card-related Group Policy settings are in Computer Configuration\\Administrative Templates\\System\\Credentials Delegation. +The following smart card-related Group Policy settings are in **Computer Configuration\Administrative Templates\System\Credentials Delegation**. -Registry keys are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults**. +Registry keys are in `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Credssp\PolicyDefaults`. > [!NOTE] > In the following table, fresh credentials are those that you are prompted for when running an application. -**Credential delegation policy settings** +### Credential delegation policy settings +| Group Policy setting and registry key | Default | Description | +|--|--|--| +| Allow Delegating Fresh Credentials

**AllowFreshCredentials** | Not configured | This policy setting applies:
When server authentication was achieved through a trusted X509 certificate or Kerberos protocol.
To applications that use the CredSSP component (for example, Remote Desktop Services).

**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer.
**Disabled**: Delegation of fresh credentials to any computer isn't permitted.

**Note**: This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example:
Use \*TERMSRV/\*\* for Remote Desktop Session Host (RD Session Host) running on any computer.
Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer.
Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com | +| Allow Delegating Fresh Credentials with NTLM-only Server Authentication

**AllowFreshCredentialsWhenNTLMOnly** | Not configured | This policy setting applies:
When server authentication was achieved by using NTLM.
To applications that use the CredSSP component (for example, Remote Desktop).

**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*).
**Disabled**: Delegation of fresh credentials isn't permitted to any computer.

**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
See the **Allow Delegating Fresh Credentials** policy setting description for examples. | +| Deny Delegating Fresh Credentials

**DenyFreshCredentials** | Not configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).

**Enabled**: You can specify the servers where the user's fresh credentials can't be delegated.
**Disabled** or **Not configured**: A server is not specified.

**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can't be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
For examples, see the "Allow delegating fresh credentials" policy setting. | -| Group Policy setting and registry key | Default | Description | -|----------------------------------------------------------------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Allow Delegating Fresh Credentials

**AllowFreshCredentials** | Not configured | This policy setting applies:
When server authentication was achieved through a trusted X509 certificate or Kerberos protocol.
To applications that use the CredSSP component (for example, Remote Desktop Services).

**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer.
**Disabled**: Delegation of fresh credentials to any computer isn't permitted.

**Note**: This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example:
Use \*TERMSRV/\*\* for Remote Desktop Session Host (RD Session Host) running on any computer.
Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer.
Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com | -| Allow Delegating Fresh Credentials with NTLM-only Server Authentication

**AllowFreshCredentialsWhenNTLMOnly** | Not configured | This policy setting applies:
When server authentication was achieved by using NTLM.
To applications that use the CredSSP component (for example, Remote Desktop).

**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*).
**Disabled**: Delegation of fresh credentials isn't permitted to any computer.

**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
See the **Allow Delegating Fresh Credentials** policy setting description for examples. | -| Deny Delegating Fresh Credentials

**DenyFreshCredentials** | Not configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).

**Enabled**: You can specify the servers where the user's fresh credentials can't be delegated.
**Disabled** or **Not configured**: A server is not specified.

**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can't be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
For examples, see the "Allow delegating fresh credentials" policy setting. | +If you're using Remote Desktop Services with smart card logon, you can't delegate default and saved credentials. The registry keys in the following table, which are at `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Credssp\PolicyDefaults`, and the corresponding Group Policy settings are ignored. -If you're using Remote Desktop Services with smart card logon, you can't delegate default and saved credentials. The registry keys in the following table, which are at **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults**, and the corresponding Group Policy settings are ignored. - -| **Registry key** | **Corresponding Group Policy setting** | -|-------------------------------------|---------------------------------------------------------------------------| -| **AllowDefaultCredentials** | Allow Delegating Default Credentials | +| Registry Key| **Corresponding Group Policy setting** | +|--|--| +| **AllowDefaultCredentials** | Allow Delegating Default Credentials | | **AllowDefaultCredentialsWhenNTLMOnly** | Allow Delegating Default Credentials with NTLM-only Server Authentication | -| **AllowSavedCredentials** | Allow Delegating Saved Credentials | -| **AllowSavedCredentialsWhenNTLMOnly** | Allow Delegating Saved Credentials with NTLM-only Server Authentication | +| **AllowSavedCredentials** | Allow Delegating Saved Credentials | +| **AllowSavedCredentialsWhenNTLMOnly** | Allow Delegating Saved Credentials with NTLM-only Server Authentication | ## See also diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index 5ad7eb1205..d3cd7bcdca 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md 
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md 
@@ -3,23 +3,18 @@ title: How Smart Card Sign-in Works in Windows description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. ms.reviewer: ardenw ms.topic: overview -ms.date: 09/24/2021 +ms.date: 1/06/2023 --- # How Smart Card Sign-in Works in Windows This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use: -- [Smart Card Architecture](smart-card-architecture.md): Learn about enabling communications with smart cards and smart card readers, which can be different according to the vendor that supplies them. - -- [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md): Learn about requirements for smart card certificates based on the operating system, and about the operations that are performed by the operating system when a smart card is inserted into the computer. - -- [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md): Learn about using smart cards for remote desktop connections. - -- [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md): Learn about how the Smart Cards for Windows service is implemented. - -- [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer. - -- [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card. 
+- [Smart Card Architecture](smart-card-architecture.md): Learn about enabling communications with smart cards and smart card readers, which can be different according to the vendor that supplies them +- [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md): Learn about requirements for smart card certificates based on the operating system, and about the operations that are performed by the operating system when a smart card is inserted into the computer +- [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md): Learn about using smart cards for remote desktop connections +- [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md): Learn about how the Smart Cards for Windows service is implemented +- [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer +- [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card [!INCLUDE [smart-cards-for-windows-service](../../../../includes/licensing/smart-cards-for-windows-service.md)] \ No newline at end of file diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index 2604d84270..c982c67613 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md 
@@ -3,7 +3,7 @@ title: Smart Cards for Windows Service description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions. ms.reviewer: ardenw ms.topic: concept-article -ms.date: 09/24/2021 +ms.date: 11/06/2023 --- # Smart Cards for Windows Service @@ -69,34 +69,31 @@ The Smart Cards for Windows service runs in the context of a local service, and ``` -> **Note**  For winscard.dll to be invoked as the proper class installer, the INF file for a smart card reader must specify the following for **Class** and **ClassGUID**:
-`Class=SmartCardReader`
`ClassGuid={50DD5230-BA8A-11D1-BF5D-0000F805F530}` +> [!NOTE] +> For winscard.dll to be invoked as the proper class installer, the INF file for a smart card reader must specify the following for **Class** and **ClassGUID**: +> +> `Class=SmartCardReader` +> `ClassGuid={50DD5230-BA8A-11D1-BF5D-0000F805F530}` By default, the service is configured for manual mode. Creators of smart card reader drivers must configure their INFs so that they start the service automatically and winscard.dll files call a predefined entry point to start the service during installation. The entry point is defined as part of the **SmartCardReader** class, and it is not called directly. If a device advertises itself as part of this class, the entry point is automatically invoked to start the service when the device is inserted. Using this method ensures that the service is enabled when it is needed, but it is also disabled for users who do not use smart cards. When the service is started, it performs several functions: -1. It registers itself for service notifications. +1. It registers itself for service notifications +1. It registers itself for Plug and Play (PnP) notifications related to device removal and additions +1. It initializes its data cache and a global event that signals that the service has started -2. It registers itself for Plug and Play (PnP) notifications related to device removal and additions. - -3. It initializes its data cache and a global event that signals that the service has started. - -> **Note**  For smart card implementations, consider sending all communications in Windows operating systems with smart card readers through the Smart Cards for Windows service. This provides an interface to track, select, and communicate with all drivers that declare themselves members of the smart card reader device group. 
+> [!NOTE] +> For smart card implementations, consider sending all communications in Windows operating systems with smart card readers through the Smart Cards for Windows service. This provides an interface to track, select, and communicate with all drivers that declare themselves members of the smart card reader device group. The Smart Cards for Windows service categorizes each smart card reader slot as a unique reader, and each slot is also managed separately, regardless of the device's physical characteristics. The Smart Cards for Windows service handles the following high-level actions: -- Device introduction - -- Reader initialization - -- Notifying clients of new readers - -- Serializing access to readers - -- Smart card access - -- Tunneling of reader-specific commands +- Device introduction +- Reader initialization +- Notifying clients of new readers +- Serializing access to readers +- Smart card access +- Tunneling of reader-specific commands ## See also diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md index f18465fff3..00d223bfe5 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md @@ -3,7 +3,7 @@ title: Smart Card Tools and Settings description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events. ms.reviewer: ardenw ms.topic: conceptual -ms.date: 09/24/2021 +ms.date: 11/06/2023 --- # Smart Card Tools and Settings 
@@ -12,11 +12,9 @@ This topic for the IT professional and smart card developer links to information This section of the Smart Card Technical Reference contains information about the following: -- [Smart Cards Debugging Information](smart-card-debugging-information.md): Learn about tools and services in supported versions of Windows to help identify certificate issues. - -- [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md): Learn about smart card-related Group Policy settings and registry keys that can be set on a per-computer basis, including how to edit and apply Group Policy settings to local or domain computers. - -- [Smart Card Events](smart-card-events.md): Learn about events that can be used to manage smart cards in an organization, including how to monitor installation, use, and errors. +- [Smart Cards Debugging Information](smart-card-debugging-information.md): Learn about tools and services in supported versions of Windows to help identify certificate issues +- [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md): Learn about smart card-related Group Policy settings and registry keys that can be set on a per-computer basis, including how to edit and apply Group Policy settings to local or domain computers +- [Smart Card Events](smart-card-events.md): Learn about events that can be used to manage smart cards in an organization, including how to monitor installation, use, and errors ## See also diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md index a7e5247fcc..230cd5d598 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md 
@@ -3,7 +3,7 @@ title: Smart Card Technical Reference description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows. ms.reviewer: ardenw ms.topic: reference -ms.date: 09/24/2021 +ms.date: 11/06/2023 --- # Smart Card Technical Reference @@ -14,9 +14,8 @@ The Smart Card Technical Reference describes the Windows smart card infrastructu This document explains how the Windows smart card infrastructure works. To understand this information, you should have basic knowledge of public key infrastructure (PKI) and smart card concepts. This document is intended for: -- Enterprise IT developers, managers, and staff who are planning to deploy or are using smart cards in their organization. - -- Smart card vendors who write smart card minidrivers or credential providers. +- Enterprise IT developers, managers, and staff who are planning to deploy or are using smart cards in their organization. +- Smart card vendors who write smart card minidrivers or credential providers. ## What are smart cards? 
@@ -24,11 +23,9 @@ Smart cards are tamper-resistant portable storage devices that can enhance the s Smart cards provide: -- Tamper-resistant storage for protecting private keys and other forms of personal information. - -- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card. - -- Portability of credentials and other private information between computers at work, home, or on the road. +- Tamper-resistant storage for protecting private keys and other forms of personal information +- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card +- Portability of credentials and other private information between computers at work, home, or on the road Smart cards can be used to sign in to domain accounts only, not local accounts. When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. 
@@ -38,26 +35,16 @@ Smart cards can be used to sign in to domain accounts only, not local accounts. ## In this technical reference -This reference contains the following topics. +This reference contains the following topics: -- [How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md) - - - [Smart Card Architecture](smart-card-architecture.md) - - - [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md) - - - [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md) - - - [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md) - - - [Certificate Propagation Service](smart-card-certificate-propagation-service.md) - - - [Smart Card Removal Policy Service](smart-card-removal-policy-service.md) - -- [Smart Card Tools and Settings](smart-card-tools-and-settings.md) - - - [Smart Cards Debugging Information](smart-card-debugging-information.md) - - - [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md) - - - [Smart Card Events](smart-card-events.md) +- [How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md) + - [Smart Card Architecture](smart-card-architecture.md) + - [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md) + - [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md) + - [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md) + - [Certificate Propagation Service](smart-card-certificate-propagation-service.md) + - [Smart Card Removal Policy Service](smart-card-removal-policy-service.md) +- [Smart Card Tools and Settings](smart-card-tools-and-settings.md) + - [Smart Cards Debugging Information](smart-card-debugging-information.md) + - [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md) + - [Smart Card 
Events](smart-card-events.md) From 6f839514bf60065cc5896c847aabefbe02b93a76 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 6 Nov 2023 12:30:24 -0500 Subject: [PATCH 02/21] update --- education/windows/autopilot-reset.md | 21 +++--- .../smart-card-debugging-information.md | 70 ++++++++++--------- ...card-group-policy-and-registry-settings.md | 2 +- 3 files changed, 49 insertions(+), 44 deletions(-) diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 996188d7bf..7b14deeb86 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -11,7 +11,7 @@ ms.collection: - education --- -# Reset devices with Autopilot Reset +# Reset devices with Autopilot Reset IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Microsoft Entra ID and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. @@ -22,7 +22,7 @@ To enable Autopilot Reset, you must: ## Enable Autopilot Reset -To use Autopilot Reset, [Windows Recovery Environment (WinRE) must be enabled on the device](#winre). +To use Autopilot Reset, Windows Recovery Environment (WinRE) must be enabled on the device. **DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It's a policy node in the [Policy CSP](/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This setting ensures that Autopilot Reset isn't triggered by accident. 
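Review bot: the `@@ -22,7 +22,7 @@` hunk in education/windows/autopilot-reset.md replaces the link `[Windows Recovery Environment (WinRE) must be enabled on the device](#winre)` with plain text, which removes the reader's path to the WinRE instructions. If the `#winre` anchor still exists in this file, keep the link; if that section was removed or renamed, point the sentence at its current location rather than dropping the reference.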
@@ -32,7 +32,7 @@ You can set the policy using one of these methods: Check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. - For example, in Intune, create a new configuration policy and add an OMA-URI. + For example, in Intune, create a new configuration policy and add an OMA-URI. - OMA-URI: ./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials - Data type: Integer - Value: 0 @@ -56,11 +56,12 @@ You can set the policy using one of these methods: - When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example: ![Configure student PC settings in Set up School PCs.](images/suspcs/suspc_configure_pc2.jpg) - -## Trigger Autopilot Reset -Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use. -**To trigger Autopilot Reset** +## Trigger Autopilot Reset + +Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use. +] +To trigger Autopilot Reset: 1. From the Windows device lock screen, enter the keystroke: CTRL + WIN + R. 
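Review bot: the `@@ -56,11 +56,12 @@` hunk in education/windows/autopilot-reset.md introduces a line containing only `]` between `+Autopilot Reset is a two-step process: trigger it and then authenticate. ...` and `+To trigger Autopilot Reset:`; it renders as a literal bracket on the published page. Replace that line with an empty line so the paragraph and the introductory sentence stay separated without the stray character.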
@@ -69,16 +70,16 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo This keystroke opens up a custom sign-in screen for Autopilot Reset. The screen serves two purposes: 1. Confirm/verify that the end user has the right to trigger Autopilot Reset - 2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process. + 1. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process. ![Custom login screen for Autopilot Reset.](images/autopilot-reset-customlogin.png) -2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset. +1. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset. > [!IMPORTANT] > To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection. - Once Autopilot Reset is triggered, the reset process starts. + Once Autopilot Reset is triggered, the reset process starts. After reset, the device: diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index ba68729da2..810ef34cf7 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md 
@@ -28,7 +28,7 @@ For a complete description of Certutil including examples that show how to use i ### List certificates available on the smart card -To list certificates that are available on the smart card, type `certutil -scinfo`. +To list certificates that are available on the smart card, type `certutil.exe -scinfo`. > [!NOTE] > Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN. @@ -37,9 +37,9 @@ To list certificates that are available on the smart card, type `certutil -scinf Each certificate is enclosed in a container. When you delete a certificate on the smart card, you're deleting the container for the certificate. -To find the container value, type `certutil -scinfo`. +To find the container value, type `certutil.exe -scinfo`. -To delete a container, type `certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" ""`. +To delete a container, type `certutil.exe -delkey -csp "Microsoft Base Smart Card Crypto Provider" ""`. ## Debugging and tracing using WPP 
@@ -50,37 +50,37 @@ WPP simplifies tracing the operation of the trace provider. It provides a mechan Using WPP, use one of the following commands to enable tracing: ```cmd -tracelog.exe -kd -rt -start -guid \ -f .\\.etl -flags -ft 1 -logman start -ets -p {} - -ft 1 -rt -o .\\.etl -mode 0x00080000 +tracelog.exe -kd -rt -start -guid \ -f .\.etl -flags -ft 1 +logman start -ets -p {} - -ft 1 -rt -o .\.etl -mode 0x00080000 ``` You can use the parameters in the following table. -| Friendly name | GUID | Flags | -|-------------------|--------------------------------------|-----------| -| `scardsvr` | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff | -| `winscard` | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff | -| `basecsp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 | -| `scksp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 | -| `msclmd` | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 | -| `credprov` | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff | -| `certprop` | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff | -| `scfilter` | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff | -| `wudfusbccid` | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff | +| Friendly name | GUID | Flags | +|--|--|--| +| `scardsvr` | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff | +| `winscard` | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff | +| `basecsp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 | +| `scksp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 | +| `msclmd` | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 | +| `credprov` | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff | +| `certprop` | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff | +| `scfilter` | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff | +| `wudfusbccid` | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff | ### Examples To enable tracing for the SCardSvr service: ```cmd -tracelog.exe -kd -rt -start scardsvr -guid \#13038e47-ffec-425d-bc69-5707708075fe -f .\\scardsvr.etl -flags 0xffff -ft 1 -logman start scardsvr -ets -p 
{13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .\\scardsvr.etl -mode 0x00080000 +tracelog.exe -kd -rt -start scardsvr -guid \#13038e47-ffec-425d-bc69-5707708075fe -f .\scardsvr.etl -flags 0xffff -ft 1 +logman start scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .\scardsvr.etl -mode 0x00080000 ``` To enable tracing for `scfilter.sys`: ```cmd -tracelog.exe -kd -rt -start scfilter -guid \#eed7f3c9-62ba-400e-a001-658869df9a91 -f .\\scfilter.etl -flags 0xffff -ft 1 +tracelog.exe -kd -rt -start scfilter -guid \#eed7f3c9-62ba-400e-a001-658869df9a91 -f .\scfilter.etl -flags 0xffff -ft 1 ``` ### Stop the trace @@ -115,7 +115,7 @@ To begin tracing, you can use `Tracelog`. Different components use different con To enable tracing for NTLM authentication, run the following command on the command line: ```cmd -tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1 +tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\ntlm.etl -flags 0x15003 -ft 1 ``` To stop tracing for NTLM authentication, run this command: @@ -129,7 +129,7 @@ tracelog -stop ntlm To enable tracing for Kerberos authentication, run this command: ```cmd -tracelog.exe -kd -rt -start kerb -guid \#6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\\kerb.etl -flags 0x43 -ft 1 +tracelog.exe -kd -rt -start kerb -guid \#6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\kerb.etl -flags 0x43 -ft 1 ``` To stop tracing for Kerberos authentication, run this command: @@ -143,7 +143,7 @@ tracelog.exe -stop kerb To enable tracing for the KDC, run the following command on the command line: ```cmd -tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1 +tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\kdc.etl -flags 0x803 -ft 1 ``` To stop tracing for the KDC, run the following command on the command line: 
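Review bot: the tracing hunks in smart-card-debugging-information.md (`@@ -50,37 +50,37 @@` through `@@ -143,7 +143,7 @@`) unescape `.\\scardsvr.etl` to `.\scardsvr.etl` but leave the GUID prefix escaped in every command, for example `-guid \#13038e47-ffec-425d-bc69-5707708075fe` and `-guid \#eed7f3c9-62ba-400e-a001-658869df9a91`. Inside a fenced ```cmd block markdown escapes are shown literally, so a reader who copies the command passes `\#...` to tracelog.exe instead of `#...`. Apply the same unescaping to the `\#` so the lines read `-guid #13038e47-ffec-425d-bc69-5707708075fe`, and likewise for the scfilter, ntlm, kerb and kdc examples.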
@@ -152,30 +152,34 @@ To stop tracing for the KDC, run the following command on the command line: tracelog.exe -stop kdc ``` -To stop tracing from a remote computer, run this command: logman.exe -s **. +To stop tracing from a remote computer, run this command: + +```cmd +logman.exe -s +``` > [!NOTE] -> The default location for logman.exe is %systemroot%system32\\. Use the **-s** option to supply a computer name. +> The default location for logman.exe is %systemroot%system32\. Use the **-s** option to supply a computer name. ### Configure tracing with the registry You can also configure tracing by editing the Kerberos registry values shown in the following table. -| Element | Registry Key Setting | -|-------------|----------------------------------------------------| -| NTLM | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1\_0
Value name: NtLmInfoLevel
Value type: DWORD
Value data: c0015003 | -| Kerberos | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos
Value name: LogToFile
Value type: DWORD
Value data: 00000001

HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters
Value name: KerbDebugLevel
Value type: DWORD
Value data: c0000043

HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters
Value name: LogToFile
Value type: DWORD
Value data: 00000001 | -| KDC | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc
Value name: KdcDebugLevel
Value type: DWORD
Value data: c0000803 | +| Element | Registry Key Setting | +|--|--| +| NTLM | HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Value name: NtLmInfoLevel
Value type: DWORD
Value data: c0015003 | +| Kerberos | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
Value name: LogToFile
Value type: DWORD
Value data: 00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value name: KerbDebugLevel
Value type: DWORD
Value data: c0000043

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value name: LogToFile
Value type: DWORD
Value data: 00000001 | +| KDC | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
Value name: KdcDebugLevel
Value type: DWORD
Value data: c0000803 | If you used `Tracelog`, look for the following log file in your current directory: `kerb.etl/kdc.etl/ntlm.etl`. If you used the registry key settings shown in the previous table, look for the trace log files in the following locations: -- NTLM: %systemroot%\\tracing\\msv1\_0 -- Kerberos: %systemroot%\\tracing\\kerberos -- KDC: %systemroot%\\tracing\\kdcsvc +- NTLM: `%systemroot%\tracing\msv1_0` +- Kerberos: `%systemroot%\tracing\kerberos` +- KDC: `%systemroot%\tracing\kdcsvc` -To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](/windows-hardware/drivers/devtest/tracefmt). +To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \tools\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](/windows-hardware/drivers/devtest/tracefmt). ## Smart Card service diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index 099af97427..9cd57a98c5 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md 
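Review bot: the `@@ -152,30 +152,34 @@` hunk in smart-card-debugging-information.md drops the separator between the hive and the SYSTEM key in the NTLM row: `| NTLM | HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` should read `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`, matching the Kerberos and KDC rows in the same table. The same hunk also carries over the pre-existing `%systemroot%system32\` in the NOTE, which is missing the backslash after the variable; since the line is being touched anyway, make it `%systemroot%\system32\`.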
@@ -64,7 +64,7 @@ You can use this policy setting to allow certificates without an extended key us > [!NOTE] > extended key usage certificate attribute is also known as extended key usage. -> +> > In versions of Windows before Windows Vista, smart card certificates that are used to sign in require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. When this policy setting is turned on, certificates with the following attributes can also be used to sign in with a smart card: From 5804b3ba1b5d1b59fcfc6933f65d82d3f393c3fc Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 6 Nov 2023 13:00:31 -0500 Subject: [PATCH 03/21] VSC updates --- ...l-smart-card-deploy-virtual-smart-cards.md | 42 +++++++---------- .../virtual-smart-card-evaluate-security.md | 6 +-- .../virtual-smart-card-get-started.md | 46 ++++++++----------- .../virtual-smart-card-overview.md | 2 +- .../virtual-smart-card-tpmvscmgr.md | 2 +- ...smart-card-understanding-and-evaluating.md | 2 +- ...tual-smart-card-use-virtual-smart-cards.md | 16 +++---- 7 files changed, 48 insertions(+), 68 deletions(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index b20f03522b..c0e66c8f7e 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md @@ -2,7 +2,7 @@ title: Deploy Virtual Smart Cards description: Learn about what to consider when deploying a virtual smart card authentication solution ms.topic: conceptual -ms.date: 02/22/2023 +ms.date: 11/06/2023 --- # Deploy Virtual Smart Cards 
@@ -19,11 +19,9 @@ A device manufacturer creates physical devices, and then an organization purchas This topic contains information about the following phases in a virtual smart card lifecycle: -- [Create and personalize virtual smart cards](#create-and-personalize-virtual-smart-cards) - -- [Provision virtual smart cards](#provision-virtual-smart-cards) - -- [Maintain virtual smart cards](#maintain-virtual-smart-cards) +- [Create and personalize virtual smart cards](#create-and-personalize-virtual-smart-cards) +- [Provision virtual smart cards](#provision-virtual-smart-cards) +- [Maintain virtual smart cards](#maintain-virtual-smart-cards) ## Create and personalize virtual smart cards 
@@ -54,9 +52,7 @@ A virtual smart card appears within the operating system as a physical smart car - **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer. For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). - - **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, which is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. - - **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for some time instead of blocking the card. This is also known as lockout. For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). 
@@ -70,12 +66,9 @@ During virtual smart card personalization, the values for the administrator key, Because the administrator key is critical to the security of the card, it's important to consider the deployment environment and decide on the proper administrator key setting strategy. Options for these strategies include: -- **Uniform**: Administrator keys for all the virtual smart cards deployed in the organization are the same. Although using the same key makes the maintenance infrastructure easy (only one key needs to be stored), it's highly insecure. This strategy might be sufficient for small organizations, but if the administrator key is compromised, all virtual smart cards that use the key must be reissued. - -- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they aren't recorded. This is a valid option if the deployment administrators don't require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This is a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary. - -- **Random, stored**: you assign the administrator keys randomly, storing them in a central location. Each card's security is independent of the others. This is a secure strategy on a large scale, unless the administrator key database is compromised. - +- **Uniform**: Administrator keys for all the virtual smart cards deployed in the organization are the same. Although using the same key makes the maintenance infrastructure easy (only one key needs to be stored), it's highly insecure. This strategy might be sufficient for small organizations, but if the administrator key is compromised, all virtual smart cards that use the key must be reissued +- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they aren't recorded. 
This is a valid option if the deployment administrators don't require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This is a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary +- **Random, stored**: you assign the administrator keys randomly, storing them in a central location. Each card's security is independent of the others. This is a secure strategy on a large scale, unless the administrator key database is compromised - **Deterministic**: Administrator keys are the result of some function or known information. For example, the user ID could be used to randomly generate data that can be further processed through a symmetric encryption algorithm by using a secret. This administrator key can be similarly regenerated when needed, and it doesn't need to be stored. The security of this method relies on the security of the secret used. Although the PUK and the administrator key methodologies provide unlocking and resetting functionality, they do so in different ways. The PUK is a PIN that is entered on the computer to enable a user PIN reset. 
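Review bot: the `@@ -70,12 +66,9 @@` hunk in virtual-smart-card-deploy-virtual-smart-cards.md removes the trailing period from the **Uniform**, **Random, not stored** and **Random, stored** bullets but leaves the unchanged **Deterministic** bullet ending in `... relies on the security of the secret used.`; either drop that period too or keep the periods on all four items so the list reads consistently.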
@@ -112,9 +105,8 @@ You can use APIs to build Microsoft Store apps that you can use to manage the fu When a device or computer isn't joined to a domain, the TPM ownerAuth is stored in the registry under HKEY\_LOCAL\_MACHINE. This exposes some threats. Most of the threat vectors are protected by BitLocker, but threats that aren't protected include: -- A malicious user possesses a device that has an active local sign-in session before the device locks. The malicious user could attempt a brute-force attack on the virtual smart card PIN, and then access the corporate secrets. - -- A malicious user possesses a device that has an active virtual private network (VPN) session. The device is then compromised. +- A malicious user possesses a device that has an active local sign-in session before the device locks. The malicious user could attempt a brute-force attack on the virtual smart card PIN, and then access the corporate secrets +- A malicious user possesses a device that has an active virtual private network (VPN) session. The device is then compromised The proposed mitigation for the previous scenarios is to use Exchange ActiveSync (EAS) policies to reduce the automatic lockout time from five minutes to 30 seconds of inactivity. You can set policies for automatic lockout while provisioning virtual smart cards. If an organization wants more security, they can also configure a setting to remove the ownerAuth from the local device. 
@@ -189,11 +181,11 @@ This command creates a card with a randomized administrator key. The key is auto `tpmvscmgr.exe destroy /instance ` -where <instance ID> is the value that is printed on the screen when the user creates the card. Specifically, for the first card created, the instance ID is ROOT\\SMARTCARDREADER\\0000). +where `` is the value that is printed on the screen when the user creates the card. Specifically, for the first card created, the instance ID is `ROOT\SMARTCARDREADER\0000`. ### Certificate management for unmanaged cards -Depending on the security requirements that are unique to an organization, users can initially enroll for certificates from the certificate management console (certmgr.msc) or from within custom certificate enrollment applications. The latter method can create a request and submit it to a server that has access to the Certification Authority. This requires specific organizational configurations and deployments for certificate enrollment policies and certificate enrollment services. Windows has built-in tools, specifically Certreq.exe and Certutil.exe, which can be used by scripts to perform the enrollment from the command line. +Depending on the security requirements that are unique to an organization, users can initially enroll for certificates from the certificate management console (certmgr.msc) or from within custom certificate enrollment applications. The latter method can create a request and submit it to a server that has access to the Certification Authority. This requires specific organizational configurations and deployments for certificate enrollment policies and certificate enrollment services. Windows has built-in tools, specifically Certreq.exe and Certutil.exe, which can be used by scripts to perform the enrollment from the command line. #### Requesting the certificate by providing domain credentials only 
@@ -211,11 +203,9 @@ The user can import the certificate into the **MY** store (which is the user's c For deployments that require users to use a physical smart card to sign the certificate request, you can use the procedure: -1. Users initiate a request on a domain-joined computer. - -2. Users complete the request by using a physical smart card to sign the request. - -3. Users download the request to the virtual smart card on their client computer. +1. Users initiate a request on a domain-joined computer +1. Users complete the request by using a physical smart card to sign the request +1. Users download the request to the virtual smart card on their client computer #### Using one-time password for enrollment 
@@ -235,11 +225,11 @@ Maintenance is a significant portion of the virtual smart card lifecycle and one When renewing with a previously used key, no extra steps are required because a strong certificate with this key was issued during the initial provisioning. However, when the user requests a new key pair, you must take the same steps that were used during provisioning to assure the strength of the credentials. Renewal with new keys should occur periodically to counter sophisticated long-term attempts by malicious users to infiltrate the system. When new keys are assigned, you must ensure that the new keys are being used by the expected individuals on the same virtual smart cards. -**Resetting PINs**: Resetting virtual smart card PINs is also a frequent necessity, because employees forget their PINs. There are two ways to accomplish this, depending on choices made earlier in the deployment: Use a PUK (if the PUK is set), or use a challenge-response approach with the administration key. Before resetting the PIN, the user's identity must be verified by using some means other than the card—most likely the verification method that you used during initial provisioning (for example, in-person proofing). This is necessary in user-error scenarios when users forget their PINs. However, you should never reset a PIN if it has been compromised because the level of vulnerability after the PIN is exposed is difficult to identify. The entire card should be reissued. +**Reset PINs**: Resetting virtual smart card PINs is also a frequent necessity, because employees forget their PINs. There are two ways to accomplish this, depending on choices made earlier in the deployment: Use a PUK (if the PUK is set), or use a challenge-response approach with the administration key. Before resetting the PIN, the user's identity must be verified by using some means other than the card—most likely the verification method that you used during initial provisioning (for example, in-person proofing). 
This is necessary in user-error scenarios when users forget their PINs. However, you should never reset a PIN if it has been compromised because the level of vulnerability after the PIN is exposed is difficult to identify. The entire card should be reissued. **Lockout reset**: A frequent precursor to resetting a PIN is the necessity of resetting the TPM lockout time because the TPM anti-hammering logic will be engaged with multiple PIN entry failures for a virtual smart card. This is currently device specific. -**Retiring cards**: The final aspect of virtual smart card management is retiring cards when they're no longer needed. When an employee leaves the company, it's desirable to revoke domain access. Revoking sign-in credentials from the certification authority (CA) accomplishes this goal. +**Retire cards**: The final aspect of virtual smart card management is retiring cards when they're no longer needed. When an employee leaves the company, it's desirable to revoke domain access. Revoking sign-in credentials from the certification authority (CA) accomplishes this goal. The card should be reissued if the same computer is used by other employees without reinstalling the operating system. Reusing the former card can allow the former employee to change the PIN after leaving the organization, and then hijack certificates that belong to the new user to obtain unauthorized domain access. However, if the employee takes the virtual smart card-enabled computer, it's only necessary to revoke the certificates that are stored on the virtual smart card. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md index d86c288331..55070ad4d8 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md 
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md @@ -2,7 +2,7 @@ title: Evaluate Virtual Smart Card Security description: Learn about the security characteristics and considerations when deploying TPM virtual smart cards. ms.topic: conceptual -ms.date: 02/22/2023 +ms.date: 11/06/2023 --- # Evaluate Virtual Smart Card Security @@ -39,7 +39,7 @@ The Trusted Computing Group specifies that if the response to attacks involves s 1. Allow only a limited number of wrong PIN attempts before enabling a lockout that enforces a time delay before any further commands are accepted by the TPM. > [!NOTE] - > + > > If the user enters the wrong PIN five consecutive times for a virtual smart card (which works in conjunction with the TPM), the card is blocked. When the card is blocked, it must be unblocked by using the administrative key or the PUK. 1. Increase the time delay exponentially as the user enters the wrong PIN so that an excessive number of wrong PIN attempts quickly trigger long delays in accepting commands. @@ -49,4 +49,4 @@ For example, it will take 14 years to guess an eight character PIN for a TPM tha 1. Number of wrong PINs allowed before entering lockout (threshold): 9 1. Time the TPM is in lockout after the threshold is reached: 10 seconds -1. Timed delay doubles for each wrong PIN after the threshold is reached \ No newline at end of file +1. Timed delay doubles for each wrong PIN after the threshold is reached diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index e3348db8ba..86f7640799 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md 
@@ -2,7 +2,7 @@ title: Get Started with Virtual Smart Cards - Walkthrough Guide description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards. ms.topic: conceptual -ms.date: 02/22/2023 +ms.date: 11/06/2023 --- # Get Started with Virtual Smart Cards: Walkthrough Guide 
@@ -15,31 +15,27 @@ Virtual smart cards are a technology from Microsoft that offer comparable securi This step-by-step walkthrough shows you how to set up a basic test environment for using TPM virtual smart cards. After you complete this walkthrough, you will have a functional virtual smart card installed on the Windows computer. -**Time requirements** +### Time requirements You should be able to complete this walkthrough in less than one hour, excluding installing software and setting up the test domain. -**Walkthrough steps** +### Walkthrough steps -- [Prerequisites](#prerequisites) +- [Prerequisites](#prerequisites) +- [Step 1: Create the certificate template](#step-1-create-the-certificate-template) +- [Step 2: Create the TPM virtual smart card](#step-2-create-the-tpm-virtual-smart-card) +- [Step 3: Enroll for the certificate on the TPM Virtual Smart Card](#step-3-enroll-for-the-certificate-on-the-tpm-virtual-smart-card) -- [Step 1: Create the certificate template](#step-1-create-the-certificate-template) - -- [Step 2: Create the TPM virtual smart card](#step-2-create-the-tpm-virtual-smart-card) - -- [Step 3: Enroll for the certificate on the TPM Virtual Smart Card](#step-3-enroll-for-the-certificate-on-the-tpm-virtual-smart-card) - -> **Important**  This basic configuration is for test purposes only. It is not intended for use in a production environment. +> [!IMPORTANT] +> This basic configuration is for test purposes only. It is not intended for use in a production environment. ## Prerequisites You will need: -- A computer running Windows 10 with an installed and fully functional TPM (version 1.2 or version 2.0). - -- A test domain to which the computer listed above can be joined. - -- Access to a server in that domain with a fully installed and running certification authority (CA). 
+- A computer running Windows 10 with an installed and fully functional TPM (version 1.2 or version 2.0) +- A test domain to which the computer listed above can be joined +- Access to a server in that domain with a fully installed and running certification authority (CA) ## Step 1: Create the certificate template @@ -47,13 +43,12 @@ On your domain server, you need to create a template for the certificate that yo ### To create the certificate template -1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type **mmc.exe** from the **Start** menu, right-click **mmc.exe**, and click **Run as administrator**. - -2. Click **File**, and then click **Add/Remove Snap-in**. +1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type **mmc.exe** from the **Start** menu, right-click **mmc.exe**, and click **Run as administrator** +2. Select **File** > **Add/Remove Snap-in** ![Add or remove snap-in.](images/vsc-02-mmc-add-snap-in.png) -3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**. +3. In the available snap-ins list, click **Certificate Templates**, and then click **Add** ![Add Certificate Templates snap-in.](images/vsc-03-add-certificate-templates-snap-in.png) 
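Review bot: the new `### Time requirements` and `### Walkthrough steps` headings in the `-15,31` hunk sit directly under the page's H1 intro, before the first H2 (`## Prerequisites`), so the outline jumps from H1 to H3; either make them `##` headings or keep them as the bold run-in labels they replaced. The `[!IMPORTANT]` callout conversion and the tightened bullet lists look fine.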
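Review bot: verb usage in the `-47,13` hunk is now mixed: step 2 becomes `Select **File** > **Add/Remove Snap-in**`, but step 1 still ends with `click **Run as administrator**` and step 3 still reads `click **Certificate Templates**, and then click **Add**`. Since the hunk already rewrites these lines, switch them all to *select*, the same change this patch makes for **Cancel** in smart-card-architecture.md.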
@@ -70,19 +65,16 @@ On your domain server, you need to create a template for the certificate that yo 7. On the **General** tab: 1. Specify a name, such as **TPM Virtual Smart Card Logon**. - 2. Set the validity period to the desired value. 8. On the **Request Handling** tab: 1. Set the **Purpose** to **Signature and smartcard logon**. - 2. Click **Prompt the user during enrollment**. 9. On the **Cryptography** tab: 1. Set the minimum key size to 2048. - 2. Click **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**. 10. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them. @@ -155,8 +147,6 @@ The virtual smart card can now be used as an alternative credential to sign in t ## See also -- [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md) - -- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) - -- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md) +- [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md) +- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) +- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md index 1445f06ad2..2790601237 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md 
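Review bot: the `-70,19` hunk only removes the blank lines between sub-steps, leaving `2. Click **Prompt the user during enrollment**.` and `2. Click **Requests must use one of the following providers**, and then select ...` with the *click* verb and trailing periods that the parent steps in the previous hunk dropped; bring the sub-steps in line (select, no trailing period) while the lines are being touched.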
@@ -2,7 +2,7 @@ title: Virtual Smart Card Overview description: Learn about virtual smart card technology for Windows. ms.topic: conceptual -ms.date: 02/22/2023 +ms.date: 11/06/2023 --- # Virtual Smart Card Overview diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md index 5eca1fae1e..a6719fc684 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md @@ -2,7 +2,7 @@ title: Tpmvscmgr description: Learn about the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer. ms.topic: conceptual -ms.date: 02/22/2023 +ms.date: 11/06/2023 --- # Tpmvscmgr diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md index 77e78baaf2..89cc719e7d 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md @@ -3,7 +3,7 @@ title: Understanding and Evaluating Virtual Smart Cards description: Learn how smart card technology can fit into your authentication design. ms.prod: windows-client ms.topic: conceptual -ms.date: 02/22/2023 +ms.date: 11/06/2023 --- # Understand and Evaluate Virtual Smart Cards diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index ddb91270e5..3143cf5fb7 100644 
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -2,7 +2,7 @@ title: Use Virtual Smart Cards description: Learn about the requirements for virtual smart cards, how to use and manage them. ms.topic: conceptual -ms.date: 02/22/2023 +ms.date: 11/06/2023 --- # Use Virtual Smart Cards @@ -13,13 +13,13 @@ Learn about the requirements for virtual smart cards, how to use and manage them ## Requirements, restrictions, and limitations -| Area | Requirements and details | -|-------------|---------------------------| -| Supported operating systems | Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows 10
Windows 8.1
Windows 8 | -| Supported Trusted Platform Module (TPM) | Any TPM that adheres to the TPM main specifications for version 1.2 or version 2.0 (as set by the Trusted Computing Group) is supported for use as a virtual smart card. For more information, see the [TPM Main Specification](http://www.trustedcomputinggroup.org/resources/tpm_main_specification). | -| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.

**Note**
You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they're always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.
| -| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key isn't generated. | -| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters.
The Administrative key must be entered as 48 hexadecimal characters. It's a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. | +| Area | Requirements and details | +|--|--| +| Supported operating systems | Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows 10
Windows 8.1
Windows 8 | +| Supported Trusted Platform Module (TPM) | Any TPM that adheres to the TPM main specifications for version 1.2 or version 2.0 (as set by the Trusted Computing Group) is supported for use as a virtual smart card. For more information, see the [TPM Main Specification](http://www.trustedcomputinggroup.org/resources/tpm_main_specification). | +| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.

**Note**
You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they're always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.
| +| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key isn't generated. | +| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters.
The Administrative key must be entered as 48 hexadecimal characters. It's a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. | ## Using Tpmvscmgr.exe From e514ba7c44e05c476e93832617890b02cd2fe42e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 6 Nov 2023 16:11:25 -0500 Subject: [PATCH 04/21] updates --- .../smart-card-and-remote-desktop-services.md | 10 +- .../smart-cards/smart-card-architecture.md | 94 ++++++++++--------- ...rt-card-certificate-propagation-service.md | 52 +++++----- ...ertificate-requirements-and-enumeration.md | 55 +++++------ ...-windows-smart-card-technical-reference.md | 2 +- .../virtual-smart-card-get-started.md | 3 +- 6 files changed, 103 insertions(+), 113 deletions(-) diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index 2f0dcd3354..c71e953a49 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md 
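Review bot: the `-13,13` table rewrite in virtual-smart-card-use-virtual-smart-cards.md changes only the column-separator row, so for a freshness pass the *Supported operating systems* cell still stops at Windows Server 2016 and Windows 10 and still lists Windows 8.1 and Windows 8; confirm that list is current before merging. In the same table the TPM Main Specification link is still `http://` rather than `https://`, and the bold `**Note**` inside the *Supported virtual smart cards per computer* cell is the only note in this patch not converted to the `[!NOTE]` callout style used elsewhere.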
@@ -9,12 +9,12 @@ ms.reviewer: ardenw This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. -Smart card redirection logic and **WinSCard** API are combined to support multiple redirected sessions into a single process. +Smart card redirection logic and *WinSCard API* are combined to support multiple redirected sessions into a single process. Smart card support is required to enable many Remote Desktop Services scenarios. These include: - Using Fast User Switching or Remote Desktop Services. A user is not able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt is not successful in Fast User Switching or from a Remote Desktop Services session -- Enabling Encrypting File System (EFS) to locate the user's smart card reader from the Local Security Authority (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files +- Enabling *Encrypting File System* (EFS) to locate the user's smart card reader from the *Local Security Authority* (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files ## Remote Desktop Services redirection 
@@ -86,10 +86,6 @@ For information about this option for the command-line tool, see [-addstore](/pr > [!NOTE] > To sign in with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certification of the domain controller. -Sign-in to Remote Desktop Services across a domain works only if the UPN in the certificate uses the following form: <*ClientName*>@<*DomainDNSName*> +Sign-in to Remote Desktop Services across a domain works only if the UPN in the certificate uses the following form: `@`. The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol cannot determine which domain to contact. You can resolve this issue by enabling GPO X509 domain hints. For more information about this setting, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). - -## See also - -[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md) \ No newline at end of file diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 786822878b..3318a8ee19 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md 
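Review bot: the `+` line in the `-86,10` hunk documents the UPN form as `` `@` ``, so the `<ClientName>` and `<DomainDNSName>` placeholders from the removed line have been lost (the angle-bracket text was most likely swallowed as HTML). Restore them inside the code span, e.g. `` `<ClientName>@<DomainDNSName>` ``, otherwise the sentence "works only if the UPN in the certificate uses the following form" says nothing. The hunk also deletes the *See also* link to smart-card-how-smart-card-sign-in-works-in-windows.md without replacement; if that is intended, say so in the commit message.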
@@ -135,14 +135,13 @@ In response to a CryptAcquireContext call in CryptoAPI, the Base CSP tries to ma Similarly, in response to a NCryptOpenKey call in CNG, the smart card KSP tries to match the container the same way, and it takes the same container format, as shown in the following table. -> **Note**   > [!NOTE] -> Before opening a key by using the smart card KSP, a call to NCryptOpenStorageProvider (`MS\_SMART\_CARD\_KEY\_STORAGE\_PROVIDER`) must be made. +> Before opening a key by using the smart card KSP, a call to NCryptOpenStorageProvider (`MS_SMART_CARD_KEY_STORAGE_PROVIDER`) must be made. | **Type** | **Name** | **Format** | |----------|----------|------------| -| I | Reader Name and Container Name | `\\\\.\\\\` | -| II | Reader Name and Container Name (NULL) | `\\\\.\\` | +| I | Reader Name and Container Name | `\.\\` | +| II | Reader Name and Container Name (NULL) | `\.\` | | III | Container Name Only | `` | | IV | Default Container (NULL) Only | NULL | 
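Review bot: the container formats in the `-135,14` table still have no placeholders after this hunk: type I now reads `` `\.\\` ``, type II `` `\.\` `` and type III an empty code span, so a reader cannot tell where the reader name and container name go. The old `\\\\.\\\\` spelling also implies a `\\.\` prefix (each `\\` being an escaped backslash), which the new text shortens to `\.\`. Spell the rows out using the names from the *Name* column, e.g. `\\.\<Reader Name>\<Container Name>`, `\\.\<Reader Name>\` and `<Container Name>`, keeping the angle brackets inside a code span so they are not dropped as HTML.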
@@ -152,62 +151,63 @@ The Base CSP and smart card KSP cache smart card handle information about the ca The following three container operations can be requested by using CryptAcquireContext: -1. Create a new container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT\_NEWKEYSET is NCryptCreatePersistedKey.) +1. Create a new container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT_NEWKEYSET is NCryptCreatePersistedKey.) 1. Open an existing container. (The CNG equivalent of CryptAcquireContext to open the container is NCryptOpenKey.) -1. Delete a container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT\_DELETEKEYSET is NCryptDeleteKey.) +1. Delete a container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT_DELETEKEYSET is NCryptDeleteKey.) The heuristics that are used to associate a cryptographic handle with a particular smart card and reader are based on the container operation requested and the level of container specification used. The following table shows the restrictions for the container creation operation. -| **Specification** | **Restriction** | -|------------------------------------|-----------| -| No silent context | Key container creation must always be able to show UI, such as the PIN prompt. | +| Specification | Restriction | +|--|--| +| No silent context | Key container creation must always be able to show UI, such as the PIN prompt. | | No overwriting existing containers | If the specified container already exists on the chosen smart card, choose another smart card or cancel the operation. | #### Context flags The following table shows the context flags used as restrictions for the container creation operation. -| **Flag** | **Description** | -|------------------------|------------------------------------------------------| -| CRYPT\_SILENT | No UI can be displayed during this operation. 
| -| CRYPT\_MACHINE\_KEYSET | No cached data should be used during this operation. | -| CRYPT\_VERIFYCONTEXT | Only public data can be accessed on the smart card. | +| Flag | Description | +|--|--| +| `CRYPT_SILENT` | No UI can be displayed during this operation. | +| `CRYPT_MACHINE_KEYSET` | No cached data should be used during this operation. | +| `CRYPT_VERIFYCONTEXT` | Only public data can be accessed on the smart card. | In addition to container operations and container specifications, you must consider other user options, such as the CryptAcquireContext flags, during smart card selection. -> **Important**  The CRYPT\_SILENT flag cannot be used to create a new container. +> [!IMPORTANT] +> The CRYPT_SILENT flag cannot be used to create a new container. #### Create a new container in silent context -Applications can call the Base CSP with CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL, set the PIN in silent context, and then create a new container in silent context. This operation occurs as follows: +Applications can call the Base CSP with `CRYPT_DEFAULT_CONTAINER_OPTIONAL`, set the PIN in silent context, and then create a new container in silent context. This operation occurs as follows: -1. Call CryptAcquireContext by passing the smart card reader name in as a type II container specification level, and specifying the CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL flag. -1. Call CryptSetProvParam by specifying PP\_KEYEXCHANGE\_PIN or PP\_SIGNATURE\_PIN and a null-terminated ASCII PIN. -1. Release the context acquired in Step 1. -1. Call CryptAcquireContext with CRYPT\_NEWKEYSET, and specify the type I container specification level. -1. Call CryptGenKey to create the key. +1. Call CryptAcquireContext by passing the smart card reader name in as a type II container specification level, and specifying the `CRYPT_DEFAULT_CONTAINER_OPTIONAL` flag +1. Call CryptSetProvParam by specifying `PP_KEYEXCHANGE_PIN` or `PP_SIGNATURE_PIN` and a null-terminated ASCII PIN. +1. 
Release the context acquired in Step 1 +1. Call CryptAcquireContext with `CRYPT_NEWKEYSET`, and specify the type I container specification level +1. Call CryptGenKey to create the key #### Smart card selection behavior -In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or click **Cancel**. If the user cancels the operation, the operation fails. The flow chart shows the selection steps performed by the Windows operating system. +In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or select **Cancel**. If the user cancels the operation, the operation fails. The flow chart shows the selection steps performed by the Windows operating system. ![Smart card selection process.](images/sc-image205.png) In general, smart card selection behavior is handled by the SCardUIDlgSelectCard API. The Base CSP interacts with this API by calling it directly. The Base CSP also sends callback functions that have the purpose of filtering and matching candidate smart cards. Callers of CryptAcquireContext provide smart card matching information. Internally, the Base CSP uses a combination of smart card serial numbers, reader names, and container names to find specific smart cards. -Each call to SCardUI \* may result in additional information read from a candidate smart card. The Base CSP smart card selection callbacks cache this information. +Each call to `SCardUI *` may result in additional information read from a candidate smart card. The Base CSP smart card selection callbacks cache this information. 
#### Make a smart card reader match For type I and type II container specification levels, the smart card selection process is less complex because only the smart card in the named reader can be considered a match. The process for matching a smart card with a smart card reader is: -1. Find the requested smart card reader. If it cannot be found, the process fails. (This requires a cache search by reader name.) -1. If no smart card is in the reader, the user is prompted to insert a smart card. (This is only in non-silent mode; if the call is made in silent mode, it will fail.) -1. For container specification level II only, the name of the default container on the chosen smart card is determined. -1. To open an existing container or delete an existing container, find the specified container. If the specified container cannot be found on this smart card, the user is prompted to insert a smart card. -1. If the system attempts to create a new container, if the specified container already exists on this smart card, the process fails. +1. Find the requested smart card reader. If it cannot be found, the process fails (this requires a cache search by reader name) +1. If no smart card is in the reader, the user is prompted to insert a smart card. (this is only in non-silent mode; if the call is made in silent mode, it will fail) +1. For container specification level II only, the name of the default container on the chosen smart card is determined +1. To open an existing container or delete an existing container, find the specified container. If the specified container cannot be found on this smart card, the user is prompted to insert a smart card +1. If the system attempts to create a new container, if the specified container already exists on this smart card, the process fails #### Make a smart card match 
@@ -215,26 +215,28 @@ For container specification levels III and IV, a broader method is used to match #### Open an existing default container (no reader specified) -> **Note**  This operation requires that you use the smart card with the Base CSP. +> [!NOTE] +> This operation requires that you use the smart card with the Base CSP. -1. For each smart card that has been accessed by the Base CSP and the handle and container information are cached, the Base CSP looks for a valid default container. An operation is attempted on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the Base CSP continues to search for a new smart card. -1. If a matching smart card is not found in the Base CSP cache, the Base CSP calls to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with a valid default container. +1. For each smart card that has been accessed by the Base CSP and the handle and container information are cached, the Base CSP looks for a valid default container. An operation is attempted on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the Base CSP continues to search for a new smart card +1. If a matching smart card is not found in the Base CSP cache, the Base CSP calls to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with a valid default container #### Open an existing GUID-named container (no reader specified) -> **Note**  This operation requires that you use the smart card with the Base CSP. +> [!NOTE] +> This operation requires that you use the smart card with the Base CSP. -1. For each smart card that is already registered with the Base CSP, search for the requested container. Attempt an operation on the cached SCARDHANDLE to verify its validity. 
If the smart card handle is not valid, the smart card's serial number is passed to the SCardUI \* API to continue searching for this specific smart card (rather than only a general match for the container name). - -1. If a matching smart card is not found in the Base CSP cache, a call is made to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with the requested container. Or, if a smart card serial number resulted from the search in Step 1, the callback filter attempts to match the serial number, not the container name. +1. For each smart card that is already registered with the Base CSP, search for the requested container. Attempt an operation on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the smart card's serial number is passed to the `SCardUI *` API to continue searching for this specific smart card (rather than only a general match for the container name) +1. If a matching smart card is not found in the Base CSP cache, a call is made to the smart card subsystem. `SCardUIDlgSelectCard()` is used with an appropriate callback filter to find a matching smart card with the requested container. Or, if a smart card serial number resulted from the search in Step 1, the callback filter attempts to match the serial number, not the container name #### Create a new container (no reader specified) -> **Note**  This operation requires that you use the smart card with the Base CSP. +> [!NOTE] +> This operation requires that you use the smart card with the Base CSP. -If the PIN is not cached, no CRYPT\_SILENT is allowed for the container creation because the user must be prompted for a PIN, at a minimum. +If the PIN is not cached, no CRYPT_SILENT is allowed for the container creation because the user must be prompted for a PIN, at a minimum. 
-For other operations, the caller may be able to acquire a "verify" context against the default container (CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL) and then make a call with CryptSetProvParam to cache the user PIN for subsequent operations. +For other operations, the caller may be able to acquire a *verify* context against the default container `CRYPT_DEFAULT_CONTAINER_OPTIONAL` and then make a call with CryptSetProvParam to cache the user PIN for subsequent operations. 1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks: 1. If the smart card has been removed, continue the search 
@@ -249,7 +251,7 @@ For other operations, the caller may be able to acquire a "verify" context again 1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks: 1. If the smart card does not have the named container, continue the search 1. If the smart card has the named container, but the smart card handle is no longer valid, store the serial number of the matching smart card and pass it to SCardUI -1. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards should verify that a candidate smart card has the named container. If a serial number was povided as a result of the previous cache search, the callback should filter enumerated smart cards on serial number rather than on container matches. If the context is non-silent and no suitable smart card is found, display UI that prompts the user to insert a smart card. +1. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards should verify that a candidate smart card has the named container. If a serial number was povided as a result of the previous cache search, the callback should filter enumerated smart cards on serial number rather than on container matches. If the context is non-silent and no suitable smart card is found, display UI that prompts the user to insert a smart card ### Base CSP and KSP-based architecture in Windows @@ -262,13 +264,13 @@ The following diagram shows the Cryptography architecture that is used by the Wi > [!NOTE] > The API definitions are located in WinCrypt.h and WinSCard.h. -| **Property** | **Description** | -|-----------------------|------------------| -| PP\_USER\_CERTSTORE | - Used to return an HCERTSTORE that contains all user certificates on the smart card
- Read-only (used only by CryptGetProvParam)
- Caller responsible for closing the certificate store
- Certificate encoded using PKCS\_7\_ASN\_ENCODING or X509\_ASN\_ENCODING
- CSP should set KEY\_PROV\_INFO on certificates
- Certificate store should be assumed to be an in-memory store
- Certificates should have a valid CRYPT\_KEY\_PROV\_INFO as a property | -| PP\_ROOT\_CERTSTORE | - Read and Write (used by CryptGetProvParam and CryptSetProvParam)
- Used to write a collection of root certificates to the smart card or return HCERTSTORE, which contains root certificates from the smart card
- Used primarily for joining a domain by using a smart card
- Caller responsible for closing the certificate store | -| PP\_SMARTCARD\_READER | - Read-only (used only by CryptGetProvParam)
- Returns the smart card reader name as an ANSI string that is used to construct a fully qualified container name (that is, a smart card reader plus a container) | -| PP\_SMARTCARD\_GUID | - Return smart card GUID (also known as a serial number), which should be unique for each smart card
- Used by the certificate propagation service to track the source of a root certificate| -| PP\_UI\_PROMPT | - Used to set the search string for the SCardUIDlgSelectCard card insertion dialog box
- Persistent for the entire process when it is set
- Write-only (used only by CryptSetProvParam) | +| Property | Description | +|--|--| +| `PP_USER_CERTSTORE` | - Used to return an `HCERTSTORE` that contains all user certificates on the smart card
- Read-only (used only by `CryptGetProvParam`)
- Caller responsible for closing the certificate store
- Certificate encoded using `PKCS_7_ASN_ENCODING` or `X509_ASN_ENCODING`
- CSP should set `KEY_PROV_INFO` on certificates
- Certificate store should be assumed to be an in-memory store
- Certificates should have a valid `CRYPT_KEY_PROV_INFO` as a property | +| `PP_ROOT_CERTSTORE` | - Read and Write (used by `CryptGetProvParam` and `CryptSetProvParam`)
- Used to write a collection of root certificates to the smart card or return `HCERTSTORE`, which contains root certificates from the smart card
- Used primarily for joining a domain by using a smart card
- Caller responsible for closing the certificate store | +| `PP_SMARTCARD_READER` | - Read-only (used only by `CryptGetProvParam`)
- Returns the smart card reader name as an ANSI string that is used to construct a fully qualified container name (that is, a smart card reader plus a container) | +| `PP_SMARTCARD_GUID `| - Return smart card GUID (also known as a serial number), which should be unique for each smart card
- Used by the certificate propagation service to track the source of a root certificate | +| `PP_UI_PROMPT` | - Used to set the search string for the `SCardUIDlgSelectCard` card insertion dialog box
- Persistent for the entire process when it is set
- Write-only (used only by `CryptSetProvParam`) | ### Implications for CSPs in Windows diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index 62737034ae..9aa4972ebf 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md 
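Review bot: the trailing-period cleanup in the `-152,62` hunk is incomplete: in the *Create a new container in silent context* list, step 2 (`...and a null-terminated ASCII PIN.`) keeps its period while the other four steps lose theirs, and in *Make a smart card reader match* step 2 the parenthetical now opens in lower case after a full stop (`...insert a smart card. (this is only in non-silent mode; ...)`), so either drop the period before the parenthesis or capitalise it. Also `SCardUI \*` became `` `SCardUI *` `` with an inner space; `SCardUI*` reads as the wildcard it is meant to be and matches the `` `SCardUIDlgSelectCard()` `` spelling used in the same hunk.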
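Review bot: the `-249,7` hunk rewrites its one list item only to drop the trailing period but carries the typo `povided` (`If a serial number was povided as a result of the previous cache search`) over to the new line; fix it to *provided* while the line is being changed.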
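Review bot: in the `-262,13` property table the `PP_SMARTCARD_GUID` row puts the space inside the code span (`` `PP_SMARTCARD_GUID `| ``), so the rendered identifier carries a trailing space and the cell separator is not spaced like the other rows; move the space outside the closing backtick (`` `PP_SMARTCARD_GUID` | ``).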
@@ -12,53 +12,43 @@ This topic for the IT professional describes the certificate propagation service The certificate propagation service activates when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. Certificate propagation service actions are controlled by using Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). -> **Note**  The certificate propagation service must be running for smart card Plug and Play to work. +> [!NOTE] +> The certificate propagation service must be running for smart card Plug and Play to work. The following figure shows the flow of the certificate propagation service. The action begins when a signed-in user inserts a smart card. -1. The arrow labeled **1** indicates that the Service Control Manager (SCM) notifies the certificate propagation service (CertPropSvc) when a user signs in, and CertPropSvc begins to monitor the smart cards in the user session. +1. The arrow labeled **1** indicates that the Service Control Manager (SCM) notifies the certificate propagation service (CertPropSvc) when a user signs in, and CertPropSvc begins to monitor the smart cards in the user session +1. The arrow labeled **R** represents the possibility of a remote session and the use of smart card redirection +1. The arrow labeled **2** indicates the certification to the reader +1. The arrow labeled **3** indicates the access to the certificate store during the client session -2. The arrow labeled **R** represents the possibility of a remote session and the use of smart card redirection. - -3. The arrow labeled **2** indicates the certification to the reader. - -4. The arrow labeled **3** indicates the access to the certificate store during the client session. 
- -**Certificate propagation service** +### Certificate propagation service ![Certificate propagation service.](images/sc-image302.gif) -1. A signed-in user inserts a smart card. +1. A signed-in user inserts a smart card +1. CertPropSvc is notified that a smart card was inserted +1. CertPropSvc reads all certificates from all inserted smart cards. The certificates are written to the user's personal certificate store -2. CertPropSvc is notified that a smart card was inserted. - -3. CertPropSvc reads all certificates from all inserted smart cards. The certificates are written to the user's personal certificate store. - -> **Note**  The certificate propagation service is started as a Remote Desktop Services dependency. +> [!NOTE] +> The certificate propagation service is started as a Remote Desktop Services dependency. Properties of the certificate propagation service include: -- CERT\_STORE\_ADD\_REPLACE\_EXISTING\_INHERIT\_PROPERTIES adds certificates to a user's Personal store. - -- If the certificate has the CERT\_ENROLLMENT\_PROP\_ID property (as defined by wincrypt.h), it filters empty requests and places them in the current user's request store, but it does not propagate them to the user's Personal store. - -- The service does not propagate any computer certificates to a user's Personal store or propagate user certificates to a computer store. - -- The service propagates certificates according to Group Policy options that are set, which may include: - - - **Turn on certificate propagation from the smart card** specifies whether a user's certificate should be propagated. - - - **Turn on root certificate propagation from smart card** specifies whether root certificates should be propagated. - - - **Configure root certificate cleanup** specifies how root certificates are removed. 
+- `CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES` adds certificates to a user's Personal store +- If the certificate has the `CERT_ENROLLMENT_PROP_ID` property (as defined by `wincrypt.h`), it filters empty requests and places them in the current user's request store, but it does not propagate them to the user's Personal store +- The service does not propagate any computer certificates to a user's Personal store or propagate user certificates to a computer store +- The service propagates certificates according to Group Policy options that are set, which may include: + - **Turn on certificate propagation from the smart card** specifies whether a user's certificate should be propagated + - **Turn on root certificate propagation from smart card** specifies whether root certificates should be propagated + - **Configure root certificate cleanup** specifies how root certificates are removed ## Root certificate propagation service Root certificate propagation is responsible for the following smart card deployment scenarios when public key infrastructure (PKI) trust has not yet been established: -- Joining the domain - -- Accessing a network remotely +- Joining the domain +- Accessing a network remotely In both cases, the computer is not joined to a domain, and therefore, trust is not being managed by Group Policy. However, the objective is to authenticate to a remote server, such as the domain controller. Root certificate propagation provides the ability to use the smart card to include the missing trust chain. diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index 0311f04e6f..be6c3a00a1 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md 
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md 
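Review bot: in the certificate propagation hunk, "The arrow labeled **2** indicates the certification to the reader" is unclear; the paragraph above says insertion "causes the certificate to be read from the smart card", so "indicates the certificate being read from the card in the reader" matches the figure. Also, the root-propagation paragraph says trust "is not being managed by Group Policy" and then that the service "provides the ability to use the smart card to include the missing trust chain", while the properties list names **Turn on root certificate propagation from smart card** as a control; state in that paragraph that root propagation installs trust anchors taken from a removable token and that the listed policy is the switch governing it, otherwise the sentence reads as unconditional.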
@@ -13,19 +13,19 @@ This topic for the IT professional and smart card developers describes how certi When a smart card is inserted, the following steps are performed. > [!NOTE] -> Unless otherwise mentioned, all operations are performed silently (CRYPT\_SILENT is passed to CryptAcquireContext). +> Unless otherwise mentioned, all operations are performed silently (CRYPT_SILENT is passed to CryptAcquireContext). 1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP). -1. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is *\\\\.\\<Reader name>\\ +1. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is *\\.\\ 1. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card will be unusable for smart card sign-in. -1. The name of the container is retrieved by using the PP\_CONTAINER parameter with CryptGetProvParam. -1. Using the context acquired in Step 3, the CSP is queried for the PP\_USER\_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8. -1. If the operation in Step 5 fails, the default container context from Step 3 is queried for the AT\_KEYEXCHANGE key. -1. The certificate is then queried from the key context by using KP\_CERTIFICATE. The certificate is added to an in-memory certificate store. +1. The name of the container is retrieved by using the PP_CONTAINER parameter with CryptGetProvParam. +1. Using the context acquired in Step 3, the CSP is queried for the PP_USER_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). 
If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8. +1. If the operation in Step 5 fails, the default container context from Step 3 is queried for the AT_KEYEXCHANGE key. +1. The certificate is then queried from the key context by using KP_CERTIFICATE. The certificate is added to an in-memory certificate store. 1. For each certificate in the certificate store from Step 5 or Step 7, the following checks are performed: 1. The certificate must be valid, based on the computer system clock (not expired or valid with a future date). - 1. The certificate must not be in the AT\_SIGNATURE part of a container. + 1. The certificate must not be in the AT_SIGNATURE part of a container. 1. The certificate must have a valid user principal name (UPN). 1. The certificate must have the digital signature key usage. 1. The certificate must have the smart card logon EKU. 
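Review bot: the `+` line `The format is *\\.\\` loses the `<Reader name>` placeholder that the `-` line carried as `\\<Reader name>\\`, and the opening `*` is never closed, so the qualified container name format is now unreadable; once the backslash escape before `<` is gone, markdown treats `<Reader name>` as an HTML tag and drops it. Put the whole format in a code span, where no escaping is needed, for example `` `\\.\<Reader name>\` ``, and end the sentence after it.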
@@ -59,9 +59,9 @@ Following are the steps that are performed during a smart card sign-in: 1. Winlogon requests the sign-in UI credential information. 1. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following: - 1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected). - 1. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them. - 1. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal. + 1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected). + 1. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them. + 1. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal. > [!NOTE] > Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior after Windows Vista, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. 
If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created. 
@@ -70,27 +70,28 @@ Following are the steps that are performed during a smart card sign-in: 1. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box. 1. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN. -1. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB\_CERTIFICATE\_LOGON structure. The main contents of the KERB\_CERTIFICATE\_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain is not in the same forest because it enables a certificate to be mapped to multiple user accounts. +1. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB_CERTIFICATE_LOGON structure. The main contents of the KERB_CERTIFICATE_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain is not in the same forest because it enables a certificate to be mapped to multiple user accounts. 1. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI. 1. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser. -1. 
LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB\_AS\_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)). +1. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB_AS_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)). - If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.
If the authentication is performed by using a certificate that uses key encipherment, the preauthentication data consists of the user's public certificate and the certificate that is encrypted with the corresponding private key. + If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.\ + If the authentication is performed by using a certificate that uses key encipherment, the preauthentication data consists of the user's public certificate and the certificate that is encrypted with the corresponding private key. 1. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card subsystem is called, and the necessary operation is completed. The result is sent back to the Kerberos security support provider (SSP). 1. The Kerberos SSP sends an authentication request for a ticket-granting-ticket (TGT) (per RFC 4556) to the Key Distribution Center (KDC) service that runs on a domain controller. 1. The KDC finds the user's account object in Active Directory Domain Services (AD DS), as detailed in [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings), and uses the user's certificate to verify the signature. 1. The KDC validates the user's certificate (time, path, and revocation status) to ensure that the certificate is from a trusted source. The KDC uses CryptoAPI to build a certification path from the user's certificate to a root certification authority (CA) certificate that resides in the root store on the domain controller. The KDC then uses CryptoAPI to verify the digital signature on the signed authenticator that was included in the preauthentication data fields. 
The domain controller verifies the signature and uses the public key from the user's certificate to prove that the request originated from the owner of the private key that corresponds to the public key. The KDC also verifies that the issuer is trusted and appears in the NTAUTH certificate store. 1. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT's authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member. -1. The domain controller returns the TGT to the client as part of the KRB\_AS\_REP response. +1. The domain controller returns the TGT to the client as part of the KRB_AS_REP response. - > [!NOTE] - > The KRB\_AS\_REP packet consists of: - >- Privilege attribute certificate (PAC) - >- User's SID - >- SIDs of any groups of which the user is a member - >- A request for ticket-granting service (TGS) - >- Preauthentication data + > [!NOTE] + > The KRB_AS_REP packet consists of: + >- Privilege attribute certificate (PAC) + >- User's SID + >- SIDs of any groups of which the user is a member + >- A request for ticket-granting service (TGS) + >- Preauthentication data TGT is encrypted with the master key of the KDC, and the session key is encrypted with a temporary key. This temporary key is derived based on RFC 4556. Using CryptoAPI, the temporary key is decrypted. As part of the decryption process, if the private key is on a smart card, a call is made to the smart card subsystem by using the specified CSP to extract the certificate corresponding to the user's public key. (Programmatic calls for the certificate include CryptAcquireContext, CryptSetProvParam with the PIN, CryptgetUserKey, and CryptGetKeyParam.) 
After the temporary key is obtained, the Kerberos SSP decrypts the session key. @@ -107,7 +108,7 @@ Following are the steps that are performed during a smart card sign-in: For more information about the Kerberos protocol, see [Microsoft Kerberos](/windows/win32/secauthn/microsoft-kerberos). -By default, the KDC verifies that the client's certificate contains the smart card client authentication EKU szOID\_KP\_SMARTCARD\_LOGON. However, if enabled, the **Allow certificates with no extended key usage certificate attribute** Group Policy setting allows the KDC to not require the SC-LOGON EKU. SC-LOGON EKU is not required for account mappings that are based on the public key. +By default, the KDC verifies that the client's certificate contains the smart card client authentication EKU szOID_KP_SMARTCARD_LOGON. However, if enabled, the **Allow certificates with no extended key usage certificate attribute** Group Policy setting allows the KDC to not require the SC-LOGON EKU. SC-LOGON EKU is not required for account mappings that are based on the public key. ## KDC certificate @@ -117,7 +118,7 @@ Active Directory Certificate Services provides three kinds of certificate templa - Domain controller authentication - Kerberos authentication -Depending on the configuration of the domain controller, one of these types of certificates is sent as a part of the AS\_REP packet. +Depending on the configuration of the domain controller, one of these types of certificates is sent as a part of the AS_REP packet. ## Client certificate requirements and mappings @@ -135,7 +136,7 @@ The smart card certificate has specific format requirements when it is used with | extended key usage (EKU) | The smart card sign-in object identifier is not required.

**Note** If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. | | Subject alternative name | E-mail ID is not required for smart card sign-in. | | Subject | Not required | -| Key exchange (AT\_KEYEXCHANGE field) | Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.) | +| Key exchange (AT_KEYEXCHANGE field) | Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.) | | CRL | Not required | | UPN | Not required | | Notes | You can enable any certificate to be visible for the smart card credential provider. | @@ -144,7 +145,7 @@ The smart card certificate has specific format requirements when it is used with Certificate mapping is based on the UPN that is contained in the subjectAltName (SAN) field of the certificate. Client certificates that do not contain information in the SAN field are also supported. -SSL/TLS can map certificates that do not have SAN, and the mapping is done by using the AltSecID attributes on client accounts. The X509 AltSecID, which is used by SSL/TLS client authentication is of the form "X509: `` `` and `` are taken from the client certificate, with '\\r' and '\\n' replaced with ','. +SSL/TLS can map certificates that do not have SAN, and the mapping is done by using the AltSecID attributes on client accounts. The X509 AltSecID, which is used by SSL/TLS client authentication is of the form "X509: `` `` and `` are taken from the client certificate, with '\r' and '\n' replaced with ','. #### Certificate revocation list distribution points 
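Review bot: `which containing a preauthenticator` in the KRB_AS_REQ step survives the underscore fix on the `+` line; it should read "which contains a preauthenticator". In the same step, "the certificate that is encrypted with the corresponding private key" for the key-encipherment case misdescribes RFC 4556, which the sentence cites: the client signs the PKINIT authenticator, and in the public-key-encryption mode it is the KDC that encrypts the reply key to the client's public key, so the client never encrypts its certificate with its private key. Either drop that sentence or rephrase it as the KDC-side reply-key encryption.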
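Review bot: the AltSecID sentence on the `+` line, `of the form "X509: `` `` and `` are taken from the client certificate`, has three empty code spans and an unclosed quote, so the mapping format a reader needs is missing; the issuer and subject markers were almost certainly swallowed as HTML tags. Restore them in one code span with the angle brackets inside it, for example the AD `altSecurityIdentities` form `X509:<I>issuer<S>subject`, name the issuer and subject tokens in the clause that follows, and close the quote; as written nobody can build a mapping value from this paragraph.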
@@ -178,7 +179,7 @@ The following figure illustrates the process of mapping user accounts for sign-i ![Certificate processing logic.](images/sc-image407.png) -NT\_AUTH policy is best described in the CERT\_CHAIN\_POLICY\_NT\_AUTH parameter section of the CertVerifyCertificateChainPolicy function. For more information, see [CertVerifyCertificateChainPolicy](/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy). +NT_AUTH policy is best described in the CERT_CHAIN_POLICY_NT_AUTH parameter section of the CertVerifyCertificateChainPolicy function. For more information, see [CertVerifyCertificateChainPolicy](/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy). ## Smart card sign-in for a single user with one certificate into multiple accounts @@ -206,7 +207,7 @@ For example, if Certificate1 has CN=CNName1, Certificate2 has CN=User1, and Cert ## Smart card sign-in across forests -For account mapping to work across forests, particularly in cases where there is not enough information available on the certificate, the user might enter a hint in the form of a user name, such as *domain\\user*, or a fully qualified UPN such as `user@contoso.com`. +For account mapping to work across forests, particularly in cases where there is not enough information available on the certificate, the user might enter a hint in the form of a user name, such as *domain\user*, or a fully qualified UPN such as `user@contoso.com`. > [!NOTE] > For the hint field to appear during smart card sign-in, the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) must be enabled on the client. diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md index 230cd5d598..677009a880 100644 
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md @@ -2,7 +2,7 @@ title: Smart Card Technical Reference description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows. ms.reviewer: ardenw -ms.topic: reference +ms.topic: overview ms.date: 11/06/2023 --- diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index 86f7640799..afd2081f1b 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md @@ -93,7 +93,8 @@ On your domain server, you need to create a template for the certificate that yo 15. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**. - > **Note**  It can take some time for your template to replicate to all servers and become available in this list. + > [!NOTE] +> It can take some time for your template to replicate to all servers and become available in this list. ![Selecting a certificate template.](images/vsc-08-enable-certificate-template.png) From f074e91d7fe079ab9594cff178be1be8b43b3622 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 6 Nov 2023 16:35:41 -0500 Subject: [PATCH 05/21] updates --- .../smart-cards/smart-card-architecture.md | 4 ++-- ...-card-certificate-requirements-and-enumeration.md | 12 ++++++------ .../smart-cards/smart-card-debugging-information.md | 10 +++++----- 3 files changed, 13 insertions(+), 13 deletions(-) 
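Review bot: in the virtual-smart-card hunk the second admonition line, `+> It can take some time for your template to replicate`, is at column 0 while the `+    > [!NOTE]` line above it keeps the four-space indent of step 15; the continuation therefore falls out of the list item, the NOTE renders empty and the sentence becomes a top-level blockquote. Indent it to match: `    > It can take some time for your template to replicate to all servers and become available in this list.`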
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 3318a8ee19..97b5d943d7 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -140,8 +140,8 @@ Similarly, in response to a NCryptOpenKey call in CNG, the smart card KSP tries | **Type** | **Name** | **Format** | |----------|----------|------------| -| I | Reader Name and Container Name | `\.\\` | -| II | Reader Name and Container Name (NULL) | `\.\` | +| I | Reader Name and Container Name | `\.` | +| II | Reader Name and Container Name (NULL) | `\.` | | III | Container Name Only | `` | | IV | Default Container (NULL) Only | NULL | diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index be6c3a00a1..6d032bebd3 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md 
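Review bot: the container-name table now has identical Format cells for Type I and Type II, `| I | Reader Name and Container Name | `\.` |` and `| II | Reader Name and Container Name (NULL) | `\.` |`, and the Type III cell is an empty code span, so the table no longer shows the formats it exists to document; the `-` lines at least kept a trailing `\\` marking where the container name follows the reader. The placeholders were most likely lost as angle-bracket tags, so spell them out inside the code spans, for example `\\.\<Reader name>\<Container name>` for Type I, `\\.\<Reader name>` for Type II and `<Container name>` for Type III.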
@@ -16,7 +16,7 @@ When a smart card is inserted, the following steps are performed. > Unless otherwise mentioned, all operations are performed silently (CRYPT_SILENT is passed to CryptAcquireContext). 1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP). -1. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is *\\.\\ +1. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is *\\.\ 1. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card will be unusable for smart card sign-in. 1. The name of the container is retrieved by using the PP_CONTAINER parameter with CryptGetProvParam. 1. Using the context acquired in Step 3, the CSP is queried for the PP_USER_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8. 
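Review bot: this second touch of the qualified container name, `*\\.\\` to `*\\.\`, only trims a backslash; the line still has no `<Reader name>` placeholder and the `*` is still unclosed, so the sentence ends mid-format. Fix it here once, in a code span rather than italics, so the angle-bracketed placeholder survives rendering.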
@@ -87,11 +87,11 @@ Following are the steps that are performed during a smart card sign-in: > [!NOTE] > The KRB_AS_REP packet consists of: - >- Privilege attribute certificate (PAC) - >- User's SID - >- SIDs of any groups of which the user is a member - >- A request for ticket-granting service (TGS) - >- Preauthentication data + > - Privilege attribute certificate (PAC) + > - User's SID + > - SIDs of any groups of which the user is a member + > - A request for ticket-granting service (TGS) + > - Preauthentication data TGT is encrypted with the master key of the KDC, and the session key is encrypted with a temporary key. This temporary key is derived based on RFC 4556. Using CryptoAPI, the temporary key is decrypted. As part of the decryption process, if the private key is on a smart card, a call is made to the smart card subsystem by using the specified CSP to extract the certificate corresponding to the user's public key. (Programmatic calls for the certificate include CryptAcquireContext, CryptSetProvParam with the PIN, CryptgetUserKey, and CryptGetKeyParam.) After the temporary key is obtained, the Kerberos SSP decrypts the session key. diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index 810ef34cf7..86aa2d80de 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md 
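Review bot: the marker change to `> - ` is right (`>-` does not render as a list inside the admonition), but the unchanged context line in this hunk still reads `CryptgetUserKey`; while touching the paragraph, correct it to `CryptGetUserKey` so all four API names in the parenthesis are real identifiers, and put them in code spans as the rest of the file now does.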
@@ -50,8 +50,8 @@ WPP simplifies tracing the operation of the trace provider. It provides a mechan Using WPP, use one of the following commands to enable tracing: ```cmd -tracelog.exe -kd -rt -start -guid \ -f .\.etl -flags -ft 1 -logman start -ets -p {} - -ft 1 -rt -o .\.etl -mode 0x00080000 +tracelog.exe -kd -rt -start -guid -f ..etl -flags -ft 1 +logman.exe start -ets -p {} - -ft 1 -rt -o ..etl -mode 0x00080000 ``` You can use the parameters in the following table. @@ -74,7 +74,7 @@ To enable tracing for the SCardSvr service: ```cmd tracelog.exe -kd -rt -start scardsvr -guid \#13038e47-ffec-425d-bc69-5707708075fe -f .\scardsvr.etl -flags 0xffff -ft 1 -logman start scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .\scardsvr.etl -mode 0x00080000 +logman.exe start scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .\scardsvr.etl -mode 0x00080000 ``` To enable tracing for `scfilter.sys`: @@ -89,7 +89,7 @@ Using WPP, use one of the following commands to stop the tracing: ```cmd tracelog.exe -stop <*FriendlyName*> -logman -stop <*FriendlyName*> -ets +logman.exe -stop <*FriendlyName*> -ets ``` #### Examples @@ -98,7 +98,7 @@ To stop a trace: ```cmd tracelog.exe -stop scardsvr -logman -stop scardsvr -ets +logman.exe -stop scardsvr -ets ``` ## Kerberos protocol, KDC, and NTLM debugging and tracing From 5beab6114fb803eb3208accda2fcc0ea5d2d31e1 Mon Sep 17 00:00:00 2001 
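Review bot: the template commands in the first debugging hunk lose their placeholders: `tracelog.exe -kd -rt -start -guid -f ..etl -flags -ft 1` and `logman.exe start -ets -p {} - -ft 1 -rt -o ..etl` now leave `-guid`, `-flags`, `-p {}` and `-o` with nothing to fill in, and the `.\` prefix of the trace file has collapsed to `..etl`, which no reader can adapt. Inside a fenced block no markdown escaping is needed, so restore the friendly-name, GUID and flags tokens as literal angle-bracket placeholders together with the `.\` prefix; the stop commands two hunks down show the intended style, though `<*FriendlyName*>` there should also drop the asterisks, which render literally in a fence.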
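Review bot: the scardsvr example keeps `-guid \#13038e47-ffec-425d-bc69-5707708075fe` inside the `cmd` fence; the backslash was a markdown escape for `#` that is not needed in a fenced block and is now passed verbatim to tracelog, which expects the GUID prefixed only with `#`. Drop the backslash so the copy-pasted command works; the `logman.exe` line beside it is correct as changed.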
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 7 Nov 2023 08:07:39 -0500 Subject: [PATCH 06/21] metadata updates --- windows/security/docfx.json | 4 +++- .../smart-card-and-remote-desktop-services.md | 13 ++++++------- .../smart-cards/smart-card-architecture.md | 1 - .../smart-card-certificate-propagation-service.md | 1 - ...card-certificate-requirements-and-enumeration.md | 1 - .../smart-cards/smart-card-debugging-information.md | 4 ---- ...smart-card-group-policy-and-registry-settings.md | 1 - ...-card-how-smart-card-sign-in-works-in-windows.md | 1 - .../smart-card-removal-policy-service.md | 1 - .../smart-card-smart-cards-for-windows-service.md | 1 - .../smart-cards/smart-card-tools-and-settings.md | 1 - ...t-card-windows-smart-card-technical-reference.md | 1 - ...rtual-smart-card-understanding-and-evaluating.md | 1 - 13 files changed, 9 insertions(+), 22 deletions(-) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 040348819b..aa4f877c04 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -218,6 +218,8 @@ "identity-protection/hello-for-business/*.md": "erikdau", "identity-protection/credential-guard/*.md": "zwhittington", "identity-protection/access-control/*.md": "sulahiri", + "identity-protection/smart-cards/*.md": "ardenw", + "identity-protection/virtual-smart-cards/*.md": "ardenw", "operating-system-security/network-security/windows-firewall/*.md": "paoloma", "operating-system-security/network-security/vpn/*.md": "pesmith", "operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda", 
@@ -231,7 +233,7 @@ "threat-protection/auditing/*.md": "tier3", "operating-system-security/data-protection/bitlocker/*.md": "tier1", "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1", - "operating-system-security/network-security/windows-firewall/*.md": [ "tier3", "must-keep" ] + "operating-system-security/network-security/windows-firewall/*.md": [ "tier2", "must-keep" ] } }, "template": [], diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index c71e953a49..d4578ba511 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -3,7 +3,6 @@ ms.date: 11/06/2023 title: Smart Card and Remote Desktop Services description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. ms.topic: conceptual -ms.reviewer: ardenw --- # Smart Card and Remote Desktop Services 
@@ -13,8 +12,8 @@ Smart card redirection logic and *WinSCard API* are combined to support multiple Smart card support is required to enable many Remote Desktop Services scenarios. These include: -- Using Fast User Switching or Remote Desktop Services. A user is not able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt is not successful in Fast User Switching or from a Remote Desktop Services session -- Enabling *Encrypting File System* (EFS) to locate the user's smart card reader from the *Local Security Authority* (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files +- Using Fast User Switching or Remote Desktop Services. A user isn't able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt isn't successful in Fast User Switching or from a Remote Desktop Services session +- Enabling *Encrypting File System* (EFS) to locate the user's smart card reader from the *Local Security Authority* (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS isn't able to locate the smart card reader or certificate, EFS can't decrypt user files ## Remote Desktop Services redirection 
@@ -37,9 +36,9 @@ Notes about the redirection model: As a part of the Common Criteria compliance, the RDC client must be configurable to use Credential Manager to acquire and save the user's password or smart card PIN. Common Criteria compliance requires that applications not have direct access to the user's password or PIN. -Common Criteria compliance requires specifically that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, and it cannot be unencrypted during transit. +Common Criteria compliance requires specifically that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, and it can't be unencrypted during transit. -When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user is not prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user does not receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures. +When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user isn't prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. 
This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user doesn't receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures. ### Remote Desktop Services and smart card sign-in @@ -47,7 +46,7 @@ Remote Desktop Services enables users to sign in with a smart card by entering a In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in. -To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer is not in the same domain or workgroup, the following command can be used to deploy the certificate: +To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer isn't in the same domain or workgroup, the following command can be used to deploy the certificate: ```cmd certutil.exe -dspublish NTAuthCA "DSCDPContainer" 
@@ -88,4 +87,4 @@ For information about this option for the command-line tool, see [-addstore](/pr Sign-in to Remote Desktop Services across a domain works only if the UPN in the certificate uses the following form: `@`. -The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol cannot determine which domain to contact. You can resolve this issue by enabling GPO X509 domain hints. For more information about this setting, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). +The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol can't determine which domain to contact. You can resolve this issue by enabling GPO X509 domain hints. For more information about this setting, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 97b5d943d7..1146a19d8a 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -1,7 +1,6 @@ --- title: Smart Card Architecture description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system. -ms.reviewer: ardenw ms.topic: reference-architecture ms.date: 11/06/2023 --- diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index 9aa4972ebf..9c38e2a06c 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md 
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -1,7 +1,6 @@ --- title: Certificate Propagation Service description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. -ms.reviewer: ardenw ms.topic: concept-article ms.date: 08/24/2021 --- diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index 6d032bebd3..bbde74b92e 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -1,7 +1,6 @@ --- title: Certificate Requirements and Enumeration description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. -ms.reviewer: ardenw ms.topic: concept-article ms.date: 11/06/2023 --- diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index 86aa2d80de..df3203f5f6 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -1,10 +1,6 @@ --- title: Smart Card Troubleshooting description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. -ms.reviewer: ardenw -ms.collection: - - highpri - - tier2 ms.topic: troubleshooting ms.date: 11/06/2023 --- 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index 9cd57a98c5..f502e16622 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -1,7 +1,6 @@ --- title: Smart Card Group Policy and Registry Settings description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards. -ms.reviewer: ardenw ms.topic: reference ms.date: 11/06/2023 --- diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index d3cd7bcdca..15ffe7ff5d 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -1,7 +1,6 @@ --- title: How Smart Card Sign-in Works in Windows description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. -ms.reviewer: ardenw ms.topic: overview ms.date: 1/06/2023 --- diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index 4b9fd9a3fd..73879b5833 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md 
@@ -1,7 +1,6 @@ --- title: Smart Card Removal Policy Service description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. -ms.reviewer: ardenw ms.topic: concept-article ms.date: 09/24/2021 --- diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index c982c67613..6d468b9bda 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md @@ -1,7 +1,6 @@ --- title: Smart Cards for Windows Service description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions. -ms.reviewer: ardenw ms.topic: concept-article ms.date: 11/06/2023 --- diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md index 00d223bfe5..737d2d83fc 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md @@ -1,7 +1,6 @@ --- title: Smart Card Tools and Settings description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events. -ms.reviewer: ardenw ms.topic: conceptual ms.date: 11/06/2023 --- diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md index 677009a880..23a8ac72f8 100644 
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md @@ -1,7 +1,6 @@ --- title: Smart Card Technical Reference description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows. -ms.reviewer: ardenw ms.topic: overview ms.date: 11/06/2023 --- diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md index 89cc719e7d..8fafa7059b 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md @@ -1,7 +1,6 @@ --- title: Understanding and Evaluating Virtual Smart Cards description: Learn how smart card technology can fit into your authentication design. -ms.prod: windows-client ms.topic: conceptual ms.date: 11/06/2023 --- From 062433f00ae40c92b8bb52096f4c30badc3cf5c4 Mon Sep 17 00:00:00 2001 
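Review bot: the second docfx.json hunk (@@ -231,7 +233,7 @@) reclassifies the windows-firewall pages from `tier3` to `tier2`, which has nothing to do with the smart-card reviewer mapping this patch adds and is not covered by the commit subject "metadata updates"; either split it into its own commit or say in the message why the firewall pages move tiers. The two new `ardenw` entries in the first hunk do line up with the per-file `ms.reviewer: ardenw` lines removed elsewhere in this patch.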
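Review bot: the context command in the @@ -47,7 +46,7 @@ hunk of smart-card-and-remote-desktop-services.md, `certutil.exe -dspublish NTAuthCA "DSCDPContainer"`, appears to be missing its certificate file argument: `-dspublish` takes the file first and the target (for example `NTAuthCA`) after it, and `DSCDPContainer` belongs to the CRL form of the command. The line is unchanged context, but the surrounding paragraph is being rewritten here, so it's a good moment to correct it.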
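Review bot: the smart-card-debugging-information.md hunk drops `ms.collection` (`highpri`, `tier2`) together with `ms.reviewer`, but unlike the reviewer, which is now mapped in docfx.json, nothing in this patch supplies a replacement for the collection, so the troubleshooting page silently leaves the highpri/tier2 set. Confirm that's intended, or keep the two collection lines and mention the change in the commit message.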
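Review bot: the context line `ms.date: 1/06/2023` in the smart-card-how-smart-card-sign-in-works-in-windows.md hunk looks like a typo for `11/06/2023` (every sibling file in this patch carries 11/06/2023); since the front matter of that file is being edited in this hunk anyway, fix the date here as well.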
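Review bot: the virtual-smart-card-understanding-and-evaluating.md hunk removes `ms.prod: windows-client` with no visible replacement in the docfx.json hunks of this patch; if the value isn't supplied by a global or folder-level default, the page loses its product metadata. State where the default comes from, or keep the line.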
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 7 Nov 2023 09:06:46 -0500 Subject: [PATCH 07/21] updates --- .../smart-card-and-remote-desktop-services.md | 4 +- .../smart-cards/smart-card-architecture.md | 14 +-- ...rt-card-certificate-propagation-service.md | 8 +- ...ertificate-requirements-and-enumeration.md | 18 +-- .../smart-card-debugging-information.md | 6 +- ...card-group-policy-and-registry-settings.md | 22 ++-- ...how-smart-card-sign-in-works-in-windows.md | 2 +- .../smart-card-removal-policy-service.md | 13 +- ...-windows-smart-card-technical-reference.md | 2 +- ...l-smart-card-deploy-virtual-smart-cards.md | 6 +- .../virtual-smart-card-get-started.md | 114 ++++++------------ .../virtual-smart-card-overview.md | 12 +- .../virtual-smart-card-tpmvscmgr.md | 2 +- ...smart-card-understanding-and-evaluating.md | 26 ++-- ...tual-smart-card-use-virtual-smart-cards.md | 50 ++++---- 15 files changed, 125 insertions(+), 174 deletions(-) diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index d4578ba511..61e9d781c0 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -1,6 +1,6 @@ --- -ms.date: 11/06/2023 -title: Smart Card and Remote Desktop Services +ms.date: 11/07/2023 +title: Smart Card and Remote Desktop Services description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. ms.topic: conceptual --- diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 1146a19d8a..bd8330d478 100644 
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -248,8 +248,8 @@ For other operations, the caller may be able to acquire a *verify* context again 1. If the specified container name is NULL, the default container is deleted. Deleting the default container causes a new default container to be selected arbitrarily. For this reason, this operation is not recommended 1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks: - 1. If the smart card does not have the named container, continue the search - 1. If the smart card has the named container, but the smart card handle is no longer valid, store the serial number of the matching smart card and pass it to SCardUI + 1. If the smart card does not have the named container, continue the search + 1. If the smart card has the named container, but the smart card handle is no longer valid, store the serial number of the matching smart card and pass it to SCardUI 1. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards should verify that a candidate smart card has the named container. If a serial number was povided as a result of the previous cache search, the callback should filter enumerated smart cards on serial number rather than on container matches. If the context is non-silent and no suitable smart card is found, display UI that prompts the user to insert a smart card ### Base CSP and KSP-based architecture in Windows @@ -265,11 +265,11 @@ The following diagram shows the Cryptography architecture that is used by the Wi | Property | Description | |--|--| -| `PP_USER_CERTSTORE` | - Used to return an `HCERTSTORE` that contains all user certificates on the smart card
- Read-only (used only by `CryptGetProvParam`)
- Caller responsible for closing the certificate store
- Certificate encoded using `PKCS_7_ASN_ENCODING` or `X509_ASN_ENCODING`
- CSP should set `KEY_PROV_INFO` on certificates
- Certificate store should be assumed to be an in-memory store
- Certificates should have a valid `CRYPT_KEY_PROV_INFO` as a property | -| `PP_ROOT_CERTSTORE` | - Read and Write (used by `CryptGetProvParam` and `CryptSetProvParam`)
- Used to write a collection of root certificates to the smart card or return `HCERTSTORE`, which contains root certificates from the smart card
- Used primarily for joining a domain by using a smart card
- Caller responsible for closing the certificate store | -| `PP_SMARTCARD_READER` | - Read-only (used only by `CryptGetProvParam`)
- Returns the smart card reader name as an ANSI string that is used to construct a fully qualified container name (that is, a smart card reader plus a container) | -| `PP_SMARTCARD_GUID `| - Return smart card GUID (also known as a serial number), which should be unique for each smart card
- Used by the certificate propagation service to track the source of a root certificate | -| `PP_UI_PROMPT` | - Used to set the search string for the `SCardUIDlgSelectCard` card insertion dialog box
- Persistent for the entire process when it is set
- Write-only (used only by `CryptSetProvParam`) | +| `PP_USER_CERTSTORE` | - Used to return an `HCERTSTORE` that contains all user certificates on the smart card
- Read-only (used only by `CryptGetProvParam`)
- Caller responsible for closing the certificate store
- Certificate encoded using `PKCS_7_ASN_ENCODING` or `X509_ASN_ENCODING`
- CSP should set `KEY_PROV_INFO` on certificates
- Certificate store should be assumed to be an in-memory store
- Certificates should have a valid `CRYPT_KEY_PROV_INFO` as a property | +| `PP_ROOT_CERTSTORE` | - Read and Write (used by `CryptGetProvParam` and `CryptSetProvParam`)
- Used to write a collection of root certificates to the smart card or return `HCERTSTORE`, which contains root certificates from the smart card
- Used primarily for joining a domain by using a smart card
- Caller responsible for closing the certificate store | +| `PP_SMARTCARD_READER` | - Read-only (used only by `CryptGetProvParam`)
- Returns the smart card reader name as an ANSI string that is used to construct a fully qualified container name (that is, a smart card reader plus a container) | +| `PP_SMARTCARD_GUID` | - Return smart card GUID (also known as a serial number), which should be unique for each smart card
- Used by the certificate propagation service to track the source of a root certificate | +| `PP_UI_PROMPT` | - Used to set the search string for the `SCardUIDlgSelectCard` card insertion dialog box
- Persistent for the entire process when it is set
- Write-only (used only by `CryptSetProvParam`) | ### Implications for CSPs in Windows diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index 9c38e2a06c..8cfae399fd 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -21,8 +21,6 @@ The following figure shows the flow of the certificate propagation service. The 1. The arrow labeled **2** indicates the certification to the reader 1. The arrow labeled **3** indicates the access to the certificate store during the client session -### Certificate propagation service - ![Certificate propagation service.](images/sc-image302.gif) 1. A signed-in user inserts a smart card 
@@ -38,9 +36,9 @@ Properties of the certificate propagation service include: - If the certificate has the `CERT_ENROLLMENT_PROP_ID` property (as defined by `wincrypt.h`), it filters empty requests and places them in the current user's request store, but it does not propagate them to the user's Personal store - The service does not propagate any computer certificates to a user's Personal store or propagate user certificates to a computer store - The service propagates certificates according to Group Policy options that are set, which may include: - - **Turn on certificate propagation from the smart card** specifies whether a user's certificate should be propagated - - **Turn on root certificate propagation from smart card** specifies whether root certificates should be propagated - - **Configure root certificate cleanup** specifies how root certificates are removed + - **Turn on certificate propagation from the smart card** specifies whether a user's certificate should be propagated + - **Turn on root certificate propagation from smart card** specifies whether root certificates should be propagated + - **Configure root certificate cleanup** specifies how root certificates are removed ## Root certificate propagation service diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index bbde74b92e..1ac825dde6 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md 
@@ -15,7 +15,7 @@ When a smart card is inserted, the following steps are performed. > Unless otherwise mentioned, all operations are performed silently (CRYPT_SILENT is passed to CryptAcquireContext). 1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP). -1. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is *\\.\ +1. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is `\\.\` 1. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card will be unusable for smart card sign-in. 1. The name of the container is retrieved by using the PP_CONTAINER parameter with CryptGetProvParam. 1. Using the context acquired in Step 3, the CSP is queried for the PP_USER_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8. 
@@ -84,13 +84,13 @@ Following are the steps that are performed during a smart card sign-in: 1. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT's authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member. 1. The domain controller returns the TGT to the client as part of the KRB_AS_REP response. - > [!NOTE] - > The KRB_AS_REP packet consists of: - > - Privilege attribute certificate (PAC) - > - User's SID - > - SIDs of any groups of which the user is a member - > - A request for ticket-granting service (TGS) - > - Preauthentication data + > [!NOTE] + > The KRB_AS_REP packet consists of: + > - Privilege attribute certificate (PAC) + > - User's SID + > - SIDs of any groups of which the user is a member + > - A request for ticket-granting service (TGS) + > - Preauthentication data TGT is encrypted with the master key of the KDC, and the session key is encrypted with a temporary key. This temporary key is derived based on RFC 4556. Using CryptoAPI, the temporary key is decrypted. As part of the decryption process, if the private key is on a smart card, a call is made to the smart card subsystem by using the specified CSP to extract the certificate corresponding to the user's public key. (Programmatic calls for the certificate include CryptAcquireContext, CryptSetProvParam with the PIN, CryptgetUserKey, and CryptGetKeyParam.) After the temporary key is obtained, the Kerberos SSP decrypts the session key. 
@@ -150,7 +150,7 @@ SSL/TLS can map certificates that do not have SAN, and the mapping is done by us ![Certificate revocation list distribution points.](images/sc-image403.png) -#### UPN in Subject Alternative Name field +#### UPN in Subject Alternative Name field ![UPN in Subject Alternative Name field.](images/sc-image404.png) diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index df3203f5f6..0ba2519568 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -88,9 +88,7 @@ tracelog.exe -stop <*FriendlyName*> logman.exe -stop <*FriendlyName*> -ets ``` -#### Examples - -To stop a trace: +For example, to stop a trace: ```cmd tracelog.exe -stop scardsvr @@ -102,7 +100,7 @@ logman.exe -stop scardsvr -ets You can use these resources to troubleshoot these protocols and the KDC: - [Kerberos and LDAP Troubleshooting Tips](/previous-versions/tn-archive/bb463167(v=technet.10)) -- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit). You can use the trace log tool in this SDK to debug Kerberos authentication failures. +- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/windows/hardware/windows-driver-kit). You can use the trace log tool in this SDK to debug Kerberos authentication failures. To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](/windows-hardware/drivers/devtest/tracelog) 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index f502e16622..6f8e44fde7 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -82,9 +82,9 @@ When this policy setting isn't turned on, only certificates that contain the sma ### Allow ECC certificates to be used for logon and authentication -You can use this policy setting to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain. +You can use this policy setting to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain. -When this setting is turned on, ECC certificates on a smart card can be used to sign in to a domain. +When this setting is turned on, ECC certificates on a smart card can be used to sign in to a domain. When this setting isn't turned on, ECC certificates on a smart card can't be used to sign in to a domain. @@ -99,7 +99,7 @@ When this setting isn't turned on, ECC certificates on a smart card can't be use You can use this policy setting to determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista. -When this setting is turned on, the integrated unblock feature is available. +When this setting is turned on, the integrated unblock feature is available. When this setting isn't turned on, the feature is not available. 
@@ -145,7 +145,7 @@ When this policy setting isn't turned on, certificates that are expired or not y You can use this policy setting to determine whether an optional field appears during sign-in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user. -When this policy setting is turned on, users see an optional field where they can enter their username or username and domain. +When this policy setting is turned on, users see an optional field where they can enter their username or username and domain. When this policy setting isn't turned on, users don't see this optional field. @@ -177,7 +177,7 @@ When this policy setting isn't turned on, root certificates are automatically re You can use this policy setting to change the default message that a user sees if their smart card is blocked. -When this policy setting is turned on, you can create and manage the displayed message that the user sees when a smart card is blocked. +When this policy setting is turned on, you can create and manage the displayed message that the user sees when a smart card is blocked. When this policy setting isn't turned on (and the integrated unblock feature is also enabled), the user sees the system's default message when the smart card is blocked. 
@@ -189,14 +189,14 @@ When this policy setting isn't turned on (and the integrated unblock feature is ### Filter duplicate logon certificates -You can use this policy setting to configure which valid sign-in certificates are displayed. +You can use this policy setting to configure which valid sign-in certificates are displayed. > [!NOTE] > During the certificate renewal period, a user's smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet. -> +> > If two certificates are issued from the same template with the same major version and they are for the same user (this is determined by their UPN), they are determined to be the same. -When this policy setting is turned on, filtering occurs so that the user can select from only the most current valid certificates. +When this policy setting is turned on, filtering occurs so that the user can select from only the most current valid certificates. If this policy setting isn't turned on, all the certificates are displayed to the user. @@ -292,7 +292,7 @@ When this policy setting is turned off, certificate propagation doesn't occur, a ### Turn on root certificate propagation from smart card -You can use this policy setting to manage the root certificate propagation that occurs when a smart card is inserted. +You can use this policy setting to manage the root certificate propagation that occurs when a smart card is inserted. > [!NOTE] > The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. 
@@ -344,7 +344,7 @@ The registry keys for the smart card KSP are in `HKEY_LOCAL_MACHINE\SYSTEM\Contr | **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required.
Default value: 00000000 | | **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.
Default value: 000005dc
The default timeout for holding transactions to the smart card is 1.5 seconds. | -**Additional registry keys for the smart card KSP** +Additional registry keys for the smart card KSP: | Registry Key | Description | |--|--| @@ -355,8 +355,6 @@ The registry keys for the smart card KSP are in `HKEY_LOCAL_MACHINE\SYSTEM\Contr The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you must configure settings for both the KDC and the client. -### CRL checking registry keys - | Registry Key | Details | |--|--| | `HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Kdc\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors` | Type = DWORD
Value = 1 | diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index 15ffe7ff5d..2641967e6d 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -16,4 +16,4 @@ This topic for IT professional provides links to resources about the implementat - [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer - [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card -[!INCLUDE [smart-cards-for-windows-service](../../../../includes/licensing/smart-cards-for-windows-service.md)] \ No newline at end of file +[!INCLUDE [smart-cards-for-windows-service](../../../../includes/licensing/smart-cards-for-windows-service.md)] diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index 73879b5833..970bee548f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md 
@@ -11,19 +11,14 @@ This topic for the IT professional describes the role of the removal policy serv The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). -**Smart card removal policy service** - ![Smart card removal policy service.](images/sc-image501.gif) The numbers in the previous figure represent the following actions: -1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated. - -2. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred. - -3. ScPolicySvc retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, ScPolicySvc is notified. - -4. ScPolicySvc calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, ScPolicySvc sends a message to Winlogon to lock the computer. +1. Winlogon is not directly involved in monitoring for smart card removal events. 
The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated. +1. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred. +1. ScPolicySvc retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, ScPolicySvc is notified. +1. ScPolicySvc calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, ScPolicySvc sends a message to Winlogon to lock the computer. ## See also diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md index 23a8ac72f8..b832cf3024 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md 
@@ -28,7 +28,7 @@ Smart cards provide: Smart cards can be used to sign in to domain accounts only, not local accounts. When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. -**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware. +Virtual smart cards were introduced to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware. [!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index c0e66c8f7e..9b7ee29239 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md 
@@ -157,7 +157,7 @@ Similar to physical smart cards, virtual smart cards require certificate enrollm #### Certificate issuance -Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card doesn't need to be installed on the client computer if it's installed on the remote computer. This is made possible by smart card redirection functionality that was introduced in Windows Server 2003, which ensures that smart cards that are connected to the client computer are available for use during a remote session. +Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card doesn't need to be installed on the client computer if it's installed on the remote computer. This is made possible by smart card redirection functionality, which ensures that smart cards that are connected to the client computer are available for use during a remote session. Alternatively, without establishing a remote desktop connection, users can enroll for certificates from the Certificate Management console (certmgr.msc) on a client computer. Users can also create a request and submit it to a server from within a custom certificate enrollment application (for example, a registration authority) that has controlled access to the certification authority (CA). 
This requires specific enterprise configuration and deployments for Certificate Enrollment Policies (CEP) and Certificate Enrollment Services (CES). @@ -211,9 +211,7 @@ For deployments that require users to use a physical smart card to sign the cert Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued, is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools. -#### Certificate lifecycle management - -Certificate renewal can be done from the same tools that are used for the initial certificate enrollment. Certificate enrollment policies and certificate enrollment services can also be used to perform automatic renewal. +**Certificate lifecycle management**: certificate renewal can be done from the same tools that are used for the initial certificate enrollment. Certificate enrollment policies and certificate enrollment services can also be used to perform automatic renewal. Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked isn't easy to determine, all certificates issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, if an employee reports a lost or compromised device, and information that associates the device with a certificate isn't available. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index afd2081f1b..fd30cb8172 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md 
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md @@ -15,11 +15,9 @@ Virtual smart cards are a technology from Microsoft that offer comparable securi This step-by-step walkthrough shows you how to set up a basic test environment for using TPM virtual smart cards. After you complete this walkthrough, you will have a functional virtual smart card installed on the Windows computer. -### Time requirements - You should be able to complete this walkthrough in less than one hour, excluding installing software and setting up the test domain. -### Walkthrough steps +## Walkthrough steps - [Prerequisites](#prerequisites) - [Step 1: Create the certificate template](#step-1-create-the-certificate-template) 
@@ -44,63 +42,41 @@ On your domain server, you need to create a template for the certificate that yo ### To create the certificate template 1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type **mmc.exe** from the **Start** menu, right-click **mmc.exe**, and click **Run as administrator** -2. Select **File** > **Add/Remove Snap-in** - +1. Select **File** > **Add/Remove Snap-in** ![Add or remove snap-in.](images/vsc-02-mmc-add-snap-in.png) - -3. In the available snap-ins list, click **Certificate Templates**, and then click **Add** - +1. In the available snap-ins list, click **Certificate Templates**, and then click **Add** ![Add Certificate Templates snap-in.](images/vsc-03-add-certificate-templates-snap-in.png) - -4. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates. - -5. Right-click the **Smartcard Logon** template, and click **Duplicate Template**. - +1. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates. +1. Right-click the **Smartcard Logon** template, and click **Duplicate Template**. ![Duplicating the Smartcard Logon template.](images/vsc-04-right-click-smartcard-logon-template.png) - -6. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed. - +1. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed. ![Compatibility tab, certification authority setting.](images/vsc-05-certificate-template-compatibility.png) - -7. On the **General** tab: - - 1. Specify a name, such as **TPM Virtual Smart Card Logon**. - 2. Set the validity period to the desired value. - -8. On the **Request Handling** tab: - - 1. Set the **Purpose** to **Signature and smartcard logon**. - 2. Click **Prompt the user during enrollment**. - -9. 
On the **Cryptography** tab: - - 1. Set the minimum key size to 2048. - 2. Click **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**. - -10. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them. - -11. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates. - -12. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**. - +1. On the **General** tab: + 1. Specify a name, such as **TPM Virtual Smart Card Logon**. + 1. Set the validity period to the desired value. +1. On the **Request Handling** tab: + 1. Set the **Purpose** to **Signature and smartcard logon**. + 1. Click **Prompt the user during enrollment**. +1. On the **Cryptography** tab: + 1. Set the minimum key size to 2048. + 1. Click **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**. +1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them. +1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates. +1. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**. 
![Add Certification Authority snap-in.](images/vsc-06-add-certification-authority-snap-in.png) - -13. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list. - -14. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**. - +1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list. +1. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**. ![Right-click menu for Certificate Templates.](images/vsc-07-right-click-certificate-templates.png) +1. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**. -15. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**. + > [!NOTE] + > It can take some time for your template to replicate to all servers and become available in this list. - > [!NOTE] -> It can take some time for your template to replicate to all servers and become available in this list. + ![Selecting a certificate template.](images/vsc-08-enable-certificate-template.png) - ![Selecting a certificate template.](images/vsc-08-enable-certificate-template.png) +1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**. -16. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**. 
- - ![Stopping and starting the service.](images/vsc-09-stop-service-start-service.png) + ![Stopping and starting the service.](images/vsc-09-stop-service-start-service.png) ## Step 2: Create the TPM virtual smart card 
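Review bot: in the `virtual-smart-card-get-started.md` hunk at `@@ -44,63 +42,41 @@`, the blank line between a list item and its screenshot is removed throughout (for example `+1. Select **File** > **Add/Remove Snap-in**` is now directly followed by `   ![Add or remove snap-in.](images/vsc-02-mmc-add-snap-in.png)`). Without that blank line the indented image line is a lazy paragraph continuation, so the image renders inline at the end of the item's sentence rather than as a block below it. Either keep a blank line inside the item before each image or end the item text with a hard break (`\`), as the `@@ -108` hunk in the same file already does for `**/pin prompt**.\`.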
@@ -108,19 +84,16 @@ In this step, you will create the virtual smart card on the client computer by u ### To create the TPM virtual smart card -1. On a domain-joined computer, open a Command Prompt window with Administrative credentials. - +1. On a domain-joined computer, open a Command Prompt window with Administrative credentials. ![Cmd prompt, Run as administrator.](images/vsc-10-cmd-run-as-administrator.png) +1. At the command prompt, type the following, and then press ENTER: -2. At the command prompt, type the following, and then press ENTER: + `tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate` - `tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate` + This will create a virtual smart card with the name **TestVSC**, omit the unlock key, and generate the file system on the card. The PIN will be set to the default, 12345678. To be prompted for a PIN, instead of **/pin default** you can type **/pin prompt**.\ + For more information about the Tpmvscmgr command-line tool, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) and [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md). - This will create a virtual smart card with the name **TestVSC**, omit the unlock key, and generate the file system on the card. The PIN will be set to the default, 12345678. To be prompted for a PIN, instead of **/pin default** you can type **/pin prompt**. - - For more information about the Tpmvscmgr command-line tool, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) and [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md). - -4. Wait several seconds for the process to finish. Upon completion, Tpmvscmgr.exe will provide you with the device instance ID for the TPM Virtual Smart Card. Store this ID for later reference because you will need it to manage or remove the virtual smart card. +1. Wait several seconds for the process to finish. 
Upon completion, Tpmvscmgr.exe will provide you with the device instance ID for the TPM Virtual Smart Card. Store this ID for later reference because you will need it to manage or remove the virtual smart card. ## Step 3: Enroll for the certificate on the TPM Virtual Smart Card 
@@ -128,21 +101,14 @@ The virtual smart card must be provisioned with a sign-in certificate for it to ### To enroll the certificate -1. Open the Certificates console by typing **certmgr.msc** on the **Start** menu. - -2. Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate**. - - ![Request New Certificate.](images/vsc-11-certificates-request-new-certificate.png) - -3. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1). - - ![Certificate enrollment, select certificate.](images/vsc-12-certificate-enrollment-select-certificate.png) - -4. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)**. - -5. Enter the PIN that was established when you created the TPM virtual smart card, and then click **OK**. - -6. Wait for the enrollment to finish, and then click **Finish**. +1. Open the Certificates console by typing **certmgr.msc** on the **Start** menu +1. Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate** + ![Request New Certificate.](images/vsc-11-certificates-request-new-certificate.png) +1. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1) + ![Certificate enrollment, select certificate.](images/vsc-12-certificate-enrollment-select-certificate.png) +1. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)** +1. Enter the PIN that was established when you created the TPM virtual smart card, and then click **OK** +1. 
Wait for the enrollment to finish, and then click **Finish** The virtual smart card can now be used as an alternative credential to sign in to your domain. To verify that your virtual smart card configuration and certificate enrollment were successful, sign out of your current session, and then sign in. When you sign in, you will see the icon for the new TPM virtual smart card on the Secure Desktop (sign in) screen or you will be automatically directed to the TPM smart card sign-in dialog box. Click the icon, enter your PIN (if necessary), and then click **OK**. You should be signed in to your domain account. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md index 2790601237..ed3cbe24d1 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md 
@@ -23,27 +23,27 @@ Virtual smart cards are functionally similar to physical smart cards, appearing ### Authentication use cases -**Two-factor authentication‒based remote access** +#### Two-factor authentication‒based remote access After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is used to gain authenticated access to corporate resources. When the proper certificate is provisioned to the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card, to sign in to the domain. In practice, this is as easy as entering a password to access the system. Technically, it's far more secure. Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request couldn't have possibly originated from a system other than the system certified by the domain for this user's access, and the user couldn't have initiated the request without knowing the PIN, a strong two-factor authentication is established. -**Client authentication** +#### Client authentication Virtual smart cards can also be used for client authentication by using TLS/SSL or a similar technology. Similar to domain access with a virtual smart card, an authentication certificate can be provisioned for the virtual smart card, provided to a remote service, as requested in the client authentication process. This adheres to the principles of two-factor authentication because the certificate is only accessible from the computer that hosts the virtual smart card, and the user is required to enter the PIN for initial access to the card. 
-**Virtual smart card redirection for remote desktop connections** +#### Virtual smart card redirection for remote desktop connections The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the devices that they use to access domain. When you connect to a device that is hosting virtual smart cards, you can't use the virtual smart cards located on the remote device during the remote session. However, you can access the virtual smart cards on the connecting device (which is under your physical control), which are loaded onto the remote device. You can use the virtual smart cards as if they were installed by using the remote devices' TPM, extending your privileges to the remote device, while maintaining the principles of two-factor authentication. ### Confidentiality use cases -**S/MIME email encryption** +#### S/MIME email encryption Physical smart cards are designed to hold private keys. You can use the private keys for email encryption and decryption. The same functionality exists in virtual smart cards. By using S/MIME with a user's public key to encrypt email, the sender of an email is assured that only the person with the corresponding private key can decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption. -**BitLocker for data volumes** +#### BitLocker for data volumes BitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user's hard drive. BitLocker ensures that if the physical ownership of a hard drive is compromised, an adversary won't be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive, and possession of the device that is hosting the TPM virtual smart card. 
If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be difficult. @@ -51,7 +51,7 @@ You can use BitLocker to encrypt portable drives, storing keys in virtual smart ### Data integrity use case -**Signing data** +#### Signing data To verify authorship of data, a user can sign it by using a private key stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md index a6719fc684..89752f473d 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md @@ -84,4 +84,4 @@ The following command will create a TPM virtual smart card with the default valu ```console tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /PIN PROMPT /pinpolicy minlen 4 maxlen 8 /AdminKey DEFAULT /attestation AIK_AND_CERT /generate -``` \ No newline at end of file +``` diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md index 8fafa7059b..2ab0167682 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md 
@@ -17,10 +17,10 @@ Virtual smart cards are functionally similar to physical smart cards. They appea This topic contains the following sections: -- [Comparing virtual smart cards with physical smart cards](#comparing-virtual-smart-cards-with-physical-smart-cards): +- [Comparing virtual smart cards with physical smart cards](#comparing-virtual-smart-cards-with-physical-smart-cards): Compares properties, functional aspects, security, and cost. -- [Authentication design options](#authentication-design-options): +- [Authentication design options](#authentication-design-options): Describes how passwords, smart cards, and virtual smart cards can be used to reach authentication goals in your organization. ## Comparing virtual smart cards with physical smart cards 
@@ -33,17 +33,17 @@ All cryptographic operations occur in the secure, isolated environment of the TP Virtual smart cards maintain the three key properties of physical smart cards: -- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer. +- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer. For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). -- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that are offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. +- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that are offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. 
-- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout. +- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout. For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). The following subsections compare the functionality, security, and cost of virtual smart cards and physical smart cards. -**Functionality** +### Functionality The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There's no method to export the user's virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users. 
@@ -51,7 +51,7 @@ The basic user experience for a virtual smart card is as simple as using a passw Additionally, although the anti-hammering functionality of the virtual smart card is equally secure to that of a physical smart card, virtual smart card users are never required to contact an administrator to unblock the card. Instead, they simply wait a period of time (depending on the TPM specifications) before they reattempt to enter the PIN. Alternatively, the administrator can reset the lockout by providing owner authentication data to the TPM on the host computer. -**Security** +### Security Physical smart cards and virtual smart cards offer comparable levels of security. They both implement two-factor authentication for using network resources. However, they differ in certain aspects, including physical security and the practicality of an attack. Due to their compact and portable design, conventional smart cards are most frequently kept close to their intended user. They offer little opportunity for acquisition by a potential adversary, so any sort of interaction with the card is difficult without committing some variety of theft. 
@@ -59,13 +59,13 @@ TPM virtual smart cards, however, reside on a user's computer that may frequentl However, there are several advantages provided by virtual smart cards to mitigate these slight security deficits. Most importantly, a virtual smart card is much less likely to be lost. Virtual smart cards are integrated into computers and devices that the user already owns for other purposes and has incentive to keep safe. If the computer or device that hosts the virtual smart card is lost or stolen, a user will more immediately notice its loss than the loss of a physical smart card. When a computer or device is identified as lost, the user can notify the administrator of the system, who can revoke the certificate that is associated with the virtual smart card on that device. This precludes any future unauthorized access on that computer or device if the PIN for the virtual smart card is compromised. -**Cost** +### Cost If a company wants to deploy physical smart cards, they need to purchase smart cards and smart card readers for all employees. Although relatively inexpensive options can be found, options that ensure the three key properties of smart card security (most notably, non-exportability) are more expensive. If employees have computers with a built-in TPM, virtual smart cards can be deployed with no additional material costs. These computers and devices are relatively common in the market. The maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently. -**Comparison summary** +### Comparison summary | Physical Smart Cards | TPM virtual smart cards | |---------------------|-------------------| 
@@ -87,17 +87,17 @@ The maintenance cost of virtual smart cards is less than that for physical smart The following section presents several commonly used options and their respective strengths and weaknesses, which organizations can consider for authentication. -**Passwords** +### Passwords A password is a secret string of characters that is tied to the identification credentials for a user's account. This establishes the user's identity. Although passwords are the most commonly used form of authentication, they're also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users. Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they can't be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user's password and impersonate that person's identity. A user often won't realize that the password is compromised, which makes it's easy for a malicious user to maintain access to a system if a valid password has been obtained. -**One-time passwords** +### One-time passwords A one-time password (OTP) is similar to a traditional password, but it's more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. Assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor can't use it for any future transactions. 
Similarly, if a malicious user obtains a valid user's OTP, the interceptor will have limited access to the system (only one session). -**Smart cards** +### Smart cards Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN that provides access to the smart card. Smart cards have three key properties that help maintain their security: @@ -111,7 +111,7 @@ Additional security is achieved by the singular nature of the card because only The additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and users can misplace or lose them. -**Virtual smart cards** +### Virtual smart cards Virtual smart cards emulate the functionality of traditional smart cards. Instead of requiring the purchase of additional hardware, virtual smart cards utilize technology that users already own and are more likely to always have with them. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. The virtual smart card platform is limited to the use of the Trusted Platform Module (TPM) chip, which is on most modern devices. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index 3143cf5fb7..dd75945f31 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md 
@@ -29,35 +29,31 @@ To create and delete TPM virtual smart cards for end users, the Tpmvscmgr comman Virtual smart cards can also be created and deleted by using APIs. For more information, see the following classes and interfaces: -- [TpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707171(v=vs.85)) - -- [RemoteTpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707166(v=vs.85)) - -- [ITpmVirtualSmartCardManager](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanager) - -- [ITPMVirtualSmartCardManagerStatusCallBack](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanagerstatuscallback) +- [TpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707171(v=vs.85)) +- [RemoteTpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707166(v=vs.85)) +- [ITpmVirtualSmartCardManager](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanager) +- [ITPMVirtualSmartCardManagerStatusCallBack](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanagerstatuscallback) You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](https://channel9.msdn.com/events/build/2013/2-041). 
The following table describes the features that can be developed in a Microsoft Store app: -| Feature | Physical Smart Card | Virtual Smart Card | -|----------------------------------------------|---------------------|--------------------| -| Query and monitor smart card readers | Yes | Yes | -| List available smart cards in a reader, and retrieve the card name and card ID | Yes | Yes | -| Verify if the administrative key of a card is correct | Yes | Yes | -| Provision (or reformat) a card with a given card ID | Yes | Yes | -| Change the PIN by entering the old PIN and specifying a new PIN | Yes | Yes | -| Change the administrative key, reset the PIN, or unblock the smart card by using a challenge/response method | Yes | Yes | -| Create a virtual smart card | Not applicable | Yes | -| Delete a virtual smart card | Not applicable | Yes | -| Set PIN policies | No | Yes | +| Feature | Physical Smart Card | Virtual Smart Card | +|--|--|--| +| Query and monitor smart card readers | Yes | Yes | +| List available smart cards in a reader, and retrieve the card name and card ID | Yes | Yes | +| Verify if the administrative key of a card is correct | Yes | Yes | +| Provision (or reformat) a card with a given card ID | Yes | Yes | +| Change the PIN by entering the old PIN and specifying a new PIN | Yes | Yes | +| Change the administrative key, reset the PIN, or unblock the smart card by using a challenge/response method | Yes | Yes | +| Create a virtual smart card | Not applicable | Yes | +| Delete a virtual smart card | Not applicable | Yes | +| Set PIN policies | No | Yes | For more information about these Windows APIs, see: -- [Windows.Devices.SmartCards namespace (Windows)](/uwp/api/Windows.Devices.SmartCards) - -- [Windows.Security.Cryptography.Certificates namespace (Windows)](/uwp/api/Windows.Security.Cryptography.Certificates) +- [Windows.Devices.SmartCards namespace (Windows)](/uwp/api/Windows.Devices.SmartCards) +- [Windows.Security.Cryptography.Certificates 
namespace (Windows)](/uwp/api/Windows.Security.Cryptography.Certificates) ## Distinguishing TPM-based virtual smart cards from physical smart cards @@ -70,11 +66,13 @@ A TPM-based virtual smart card is labeled **Security Device** in the user interf ## Changing the PIN The PIN for a virtual smart card can be changed by following these steps: -- Sign in with the old PIN or password. -- Press Ctrl+Alt+Del and choose **Change a password**. -- Select **Sign-in Options**. -- Select the virtual smart card icon. -- Enter and confirm the new PIN. + +- Sign in with the old PIN or password +- Press Ctrl+Alt+Del and choose **Change a password** +- Select **Sign-in Options** +- Select the virtual smart card icon +- Enter and confirm the new PIN + ## Resolving issues ### TPM not provisioned From c4c2b75ce9eda783ff6a631e92376daadcb147f5 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 7 Nov 2023 09:24:13 -0500 Subject: [PATCH 08/21] acrolinx --- .../smart-cards/smart-card-architecture.md | 46 +++++++------- ...rt-card-certificate-propagation-service.md | 12 ++-- ...ertificate-requirements-and-enumeration.md | 56 ++++++++--------- .../smart-card-removal-policy-service.md | 2 +- .../virtual-smart-card-get-started.md | 42 ++++++------- ...smart-card-understanding-and-evaluating.md | 61 +++++++++---------- 6 files changed, 107 insertions(+), 112 deletions(-) diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index bd8330d478..5e28ca6340 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md 
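Review bot: in the hunk at `@@ -33,17 +33,17 @@` of virtual-smart-card-understanding-and-evaluating.md, the new sentence "For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)" is appended to both the **Non-exportability** and **Anti-hammering** bullets but not to **Isolated cryptography**, whose `-`/`+` pair shows no visible text change (whitespace only). Adding the link once, after the three-bullet list, avoids the duplicate and covers all three properties.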
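Review bot: the `@@ -87,17 +87,17 @@` hunk only swaps the bold **Passwords** label for a `### Passwords` heading, but its unchanged context line still reads "which makes it's easy for a malicious user to maintain access" ("it's" should be "it"). Since this commit is a freshness pass over the same paragraph, fix that typo in the same change.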
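Review bot: the `@@ -29,35 +29,31 @@` hunk of virtual-smart-card-use-virtual-smart-cards.md leaves the context line that links to `https://channel9.msdn.com/events/build/2013/2-041` untouched; for a freshness review, confirm that this Channel 9 URL still resolves and update it if the content has moved, otherwise the tightened list and table are fine.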
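Review bot: the `@@ -70,11 +66,13 @@` hunk ("Changing the PIN") keeps the steps as a bulleted list even though they are ordered (sign in, press Ctrl+Alt+Del, select **Sign-in Options**, select the icon, enter the new PIN). A numbered `1.` list would convey the sequence, and it matches the convention the series already uses for procedures in smart-card-architecture.md (for example the data-caching and smart-card-selection steps).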
@@ -9,7 +9,7 @@ ms.date: 11/06/2023 This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture. -Authentication is a process for verifying the identity of an object or person. When you authenticate an object, such as a smart card, the goal is to verify that the object is genuine. When you authenticate a person, the goal is to verify that you are not dealing with an imposter. +Authentication is a process for verifying the identity of an object or person. When you authenticate an object, such as a smart card, the goal is to verify that the object is genuine. When you authenticate a person, the goal is to verify that you aren't dealing with an imposter. In a networking context, authentication is the act of proving identity to a network application or resource. Typically, identity is proven by a cryptographic operation that uses a key only the user knows (such as with public key cryptography), or a shared key. The server side of the authentication exchange compares the signed data with a known cryptographic key to validate the authentication attempt. Storing the cryptographic keys in a secure central location makes the authentication process scalable and maintainable. @@ -51,7 +51,7 @@ Credential providers can be designed to support single sign-in (SSO). In this pr Multiple credential providers can coexist on a computer. -Credential providers must be registered on a computer running Windows, and they are responsible for: +Credential providers must be registered on a computer running Windows, and they're responsible for: - Describing the credential information that is required for authentication - Handling communication and logic with external authentication authorities 
@@ -74,7 +74,7 @@ The following graphic shows the relationship between the CryptoAPI, CSPs, the Sm ### Caching with Base CSP and smart card KSP -Smart card architecture uses caching mechanisms to assist in streamlining operations and to improve a user's access to a PIN. +Smart card architecture uses caching mechanisms to help streamlining operations and to improve a user's access to a PIN. - [Data caching](#data-caching): The data cache provides for a single process to minimize smart card I/O operations - [PIN caching](#pin-caching): The PIN cache helps the user from having to reenter a PIN each time the smart card is unauthenticated @@ -87,8 +87,8 @@ The existing global cache works as follows: 1. The application requests a cryptographic operation. For example, a user certificate is to be read from the smart card 1. The CSP checks its cache for the item -1. If the item is not found in the cache, or if the item is cached but is not up-to-date, the item is read from the smart card -1. After any item has been read from the smart card, it is added to the cache. Any existing out-of-date copy of that item is replaced +1. If the item isn't found in the cache, or if the item is cached but isn't up-to-date, the item is read from the smart card +1. After any item has been read from the smart card, it's added to the cache. Any existing out-of-date copy of that item is replaced Three types of objects or data are cached by the CSP: pins (for more information, see [PIN caching](#pin-caching)), certificates, and files. If any of the cached data changes, the corresponding object is read from the smart card in successive operations. For example, if a file is written to the smart card, the CSP cache becomes out-of-date for the files, and other processes read the smart card at least once to refresh their CSP cache. 
@@ -98,7 +98,7 @@ The global data cache is hosted in the Smart Cards for Windows service. Windows The PIN cache protects the user from entering a PIN every time the smart card is unauthenticated. After a smart card is authenticated, it will not differentiate among host-side applications—any application can access private data on the smart card. -To mitigate this, the smart card enters an exclusive state when an application authenticates to the smart card. However, this means that other applications cannot communicate with the smart card and will be blocked. Therefore, such exclusive connections are minimized. The issue is that a protocol (such as the Kerberos protocol) requires multiple signing operations. Therefore, the protocol requires exclusive access to the smart card over an extended period, or it requires multiple authentication operations. This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times. +To mitigate this, the smart card enters an exclusive state when an application authenticates to the smart card. However, this means that other applications can't communicate with the smart card and will be blocked. Therefore, such exclusive connections are minimized. The issue is that a protocol (such as the Kerberos protocol) requires multiple signing operations. Therefore, the protocol requires exclusive access to the smart card over an extended period, or it requires multiple authentication operations. This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times. The following example illustrates how this works. In this scenario, there are two applications: Outlook and Internet Explorer. The applications use smart cards for different purposes. 
@@ -108,13 +108,13 @@ The following example illustrates how this works. In this scenario, there are tw 1. The user opens Internet Explorer and tries to access a protected site that requires Transport Layer Security (TLS) authentication for the client 1. Internet Explorer prompts the user for the smart card PIN. The user enters the correct PIN 1. The TLS-related private key operation occurs on the smart card, and the user is authenticated and signed in -1. The user returns to Outlook to send another signed e-mail. This time, the user is not prompted for a PIN because the PIN is cached from the previous operation. Similarly, if the user uses Internet Explorer again for another operation, Internet Explorer will not prompt the user for a PIN +1. The user returns to Outlook to send another signed e-mail. This time, the user isn't prompted for a PIN because the PIN is cached from the previous operation. Similarly, if the user uses Internet Explorer again for another operation, Internet Explorer won't prompt the user for a PIN The Base CSP internally maintains a per-process cache of the PIN. The PIN is encrypted and stored in memory. The functions that are used to secure the PIN are RtlEncryptMemory, RtlDecryptMemory, and RtlSecureZeroMemory, which will empty buffers that contained the PIN. ### Smart card selection -The following sections in this topic describe how Windows leverages the smart card architecture to select the correct smart card reader software, provider, and credentials for a successful smart card sign-in: +The following sections in this article describe how Windows uses the smart card architecture to select the correct smart card reader software, provider, and credentials for a successful smart card sign-in: - [Container specification levels](#container-specification-levels) - [Container operations](#container-operations) 
@@ -202,10 +202,10 @@ Each call to `SCardUI *` may result in additional information read from a candid For type I and type II container specification levels, the smart card selection process is less complex because only the smart card in the named reader can be considered a match. The process for matching a smart card with a smart card reader is: -1. Find the requested smart card reader. If it cannot be found, the process fails (this requires a cache search by reader name) -1. If no smart card is in the reader, the user is prompted to insert a smart card. (this is only in non-silent mode; if the call is made in silent mode, it will fail) +1. Find the requested smart card reader. If it can't be found, the process fails (this requires a cache search by reader name) +1. If no smart card is in the reader, the user is prompted to insert a smart card. (this is only in nonsilent mode; if the call is made in silent mode, it fails) 1. For container specification level II only, the name of the default container on the chosen smart card is determined -1. To open an existing container or delete an existing container, find the specified container. If the specified container cannot be found on this smart card, the user is prompted to insert a smart card +1. To open an existing container or delete an existing container, find the specified container. If the specified container can't be found on this smart card, the user is prompted to insert a smart card 1. If the system attempts to create a new container, if the specified container already exists on this smart card, the process fails #### Make a smart card match 
@@ -217,23 +217,23 @@ For container specification levels III and IV, a broader method is used to match > [!NOTE] > This operation requires that you use the smart card with the Base CSP. -1. For each smart card that has been accessed by the Base CSP and the handle and container information are cached, the Base CSP looks for a valid default container. An operation is attempted on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the Base CSP continues to search for a new smart card -1. If a matching smart card is not found in the Base CSP cache, the Base CSP calls to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with a valid default container +1. For each smart card that has been accessed by the Base CSP and the handle and container information are cached, the Base CSP looks for a valid default container. An operation is attempted on the cached SCARDHANDLE to verify its validity. If the smart card handle isn't valid, the Base CSP continues to search for a new smart card +1. If a matching smart card isn't found in the Base CSP cache, the Base CSP calls to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with a valid default container #### Open an existing GUID-named container (no reader specified) > [!NOTE] > This operation requires that you use the smart card with the Base CSP. -1. For each smart card that is already registered with the Base CSP, search for the requested container. Attempt an operation on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the smart card's serial number is passed to the `SCardUI *` API to continue searching for this specific smart card (rather than only a general match for the container name) -1. If a matching smart card is not found in the Base CSP cache, a call is made to the smart card subsystem. 
`SCardUIDlgSelectCard()` is used with an appropriate callback filter to find a matching smart card with the requested container. Or, if a smart card serial number resulted from the search in Step 1, the callback filter attempts to match the serial number, not the container name +1. For each smart card that is already registered with the Base CSP, search for the requested container. Attempt an operation on the cached SCARDHANDLE to verify its validity. If the smart card handle isn't valid, the smart card's serial number is passed to the `SCardUI *` API to continue searching for this specific smart card (rather than only a general match for the container name) +1. If a matching smart card isn't found in the Base CSP cache, a call is made to the smart card subsystem. `SCardUIDlgSelectCard()` is used with an appropriate callback filter to find a matching smart card with the requested container. Or, if a smart card serial number resulted from the search in Step 1, the callback filter attempts to match the serial number, not the container name #### Create a new container (no reader specified) > [!NOTE] > This operation requires that you use the smart card with the Base CSP. -If the PIN is not cached, no CRYPT_SILENT is allowed for the container creation because the user must be prompted for a PIN, at a minimum. +If the PIN isn't cached, no CRYPT_SILENT is allowed for the container creation because the user must be prompted for a PIN, at a minimum. For other operations, the caller may be able to acquire a *verify* context against the default container `CRYPT_DEFAULT_CONTAINER_OPTIONAL` and then make a call with CryptSetProvParam to cache the user PIN for subsequent operations. 
@@ -242,15 +242,15 @@ For other operations, the caller may be able to acquire a *verify* context again 1. If the smart card is present, but it already has the named container, continue the search 1. If the smart card is available, but a call to CardQueryFreeSpace indicates that the smart card has insufficient storage for an additional key container, continue the search 1. Otherwise, use the first available smart card that meets the above criteria for the container creation -1. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards verifies that a candidate smart card does not already have the named container, and that CardQueryFreeSpace indicates the smart card has sufficient space for an additional container. If no suitable smart card is found, the user is prompted to insert a smart card +1. If a matching smart card isn't found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards verifies that a candidate smart card doesn't already have the named container, and that CardQueryFreeSpace indicates the smart card has sufficient space for an additional container. If no suitable smart card is found, the user is prompted to insert a smart card #### Delete a container -1. If the specified container name is NULL, the default container is deleted. Deleting the default container causes a new default container to be selected arbitrarily. For this reason, this operation is not recommended +1. If the specified container name is NULL, the default container is deleted. Deleting the default container causes a new default container to be selected arbitrarily. For this reason, this operation isn't recommended 1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks: - 1. If the smart card does not have the named container, continue the search + 1. 
If the smart card doesn't have the named container, continue the search 1. If the smart card has the named container, but the smart card handle is no longer valid, store the serial number of the matching smart card and pass it to SCardUI -1. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards should verify that a candidate smart card has the named container. If a serial number was povided as a result of the previous cache search, the callback should filter enumerated smart cards on serial number rather than on container matches. If the context is non-silent and no suitable smart card is found, display UI that prompts the user to insert a smart card +1. If a matching smart card isn't found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards should verify that a candidate smart card has the named container. If a serial number was povided as a result of the previous cache search, the callback should filter enumerated smart cards on serial number rather than on container matches. If the context is non-silent and no suitable smart card is found, display UI that prompts the user to insert a smart card ### Base CSP and KSP-based architecture in Windows @@ -269,16 +269,16 @@ The following diagram shows the Cryptography architecture that is used by the Wi | `PP_ROOT_CERTSTORE` | - Read and Write (used by `CryptGetProvParam` and `CryptSetProvParam`)
- Used to write a collection of root certificates to the smart card or return `HCERTSTORE`, which contains root certificates from the smart card
- Used primarily for joining a domain by using a smart card
- Caller responsible for closing the certificate store | | `PP_SMARTCARD_READER` | - Read-only (used only by `CryptGetProvParam`)
- Returns the smart card reader name as an ANSI string that is used to construct a fully qualified container name (that is, a smart card reader plus a container) | | `PP_SMARTCARD_GUID` | - Return smart card GUID (also known as a serial number), which should be unique for each smart card
- Used by the certificate propagation service to track the source of a root certificate | -| `PP_UI_PROMPT` | - Used to set the search string for the `SCardUIDlgSelectCard` card insertion dialog box
- Persistent for the entire process when it is set
- Write-only (used only by `CryptSetProvParam`) | +| `PP_UI_PROMPT` | - Used to set the search string for the `SCardUIDlgSelectCard` card insertion dialog box
- Persistent for the entire process when it's set
- Write-only (used only by `CryptSetProvParam`) | ### Implications for CSPs in Windows -Cryptographic Service Providers (CSPs), including custom smart card CSPs, continue to be supported but this approach is not recommended. Using the existing Base CSP and smart card KSP with the smart card minidriver model for smart cards provides significant benefits in terms of performance, and PIN and data caching. One minidriver can be configured to work under CryptoAPI and CNG layers. This provides benefits from enhanced cryptographic support, including elliptic curve cryptography and AES. +Cryptographic Service Providers (CSPs), including custom smart card CSPs, continue to be supported but this approach isn't recommended. Using the existing Base CSP and smart card KSP with the smart card minidriver model for smart cards provides significant benefits in terms of performance, and PIN and data caching. One minidriver can be configured to work under CryptoAPI and CNG layers. This provides benefits from enhanced cryptographic support, including elliptic curve cryptography and AES. If a smart card is registered by a CSP and a smart card minidriver, the one that was installed most recently will be used to communicate with the smart card. ### Write a smart card minidriver, CSP, or KSP -CSPs and KSPs are meant to be written only if specific functionality is not available in the current smart card minidriver architecture. For example, the smart card minidriver architecture supports hardware security modules, so a minidriver could be written for a hardware security module, and a CSP or KSP may not be required unless it is needed to support algorithms that are not implemented in the Base CSP or smart card KSP. +CSPs and KSPs are meant to be written only if specific functionality isn't available in the current smart card minidriver architecture. 
For example, the smart card minidriver architecture supports hardware security modules, so a minidriver could be written for a hardware security module, and a CSP or KSP may not be required unless it's needed to support algorithms that aren't implemented in the Base CSP or smart card KSP. For more information about how to write a smart card minidriver, CSP, or KSP, see [Smart Card Minidrivers](/windows-hardware/drivers/smartcard/smart-card-minidrivers). diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index 8cfae399fd..851e89b13a 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md 
@@ -33,23 +33,23 @@ The following figure shows the flow of the certificate propagation service. The Properties of the certificate propagation service include: - `CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES` adds certificates to a user's Personal store -- If the certificate has the `CERT_ENROLLMENT_PROP_ID` property (as defined by `wincrypt.h`), it filters empty requests and places them in the current user's request store, but it does not propagate them to the user's Personal store -- The service does not propagate any computer certificates to a user's Personal store or propagate user certificates to a computer store -- The service propagates certificates according to Group Policy options that are set, which may include: +- If the certificate has the `CERT_ENROLLMENT_PROP_ID` property (as defined by `wincrypt.h`), it filters empty requests and places them in the current user's request store, but it doesn't propagate them to the user's Personal store +- The service doesn't propagate any computer certificates to a user's Personal store or propagate user certificates to a computer store +- The service propagates certificates according to Group Policy options that are set, which might include: - **Turn on certificate propagation from the smart card** specifies whether a user's certificate should be propagated - **Turn on root certificate propagation from smart card** specifies whether root certificates should be propagated - **Configure root certificate cleanup** specifies how root certificates are removed ## Root certificate propagation service -Root certificate propagation is responsible for the following smart card deployment scenarios when public key infrastructure (PKI) trust has not yet been established: +Root certificate propagation is responsible for the following smart card deployment scenarios when public key infrastructure (PKI) trust hasn't yet been established: - Joining the domain - Accessing a network remotely -In both cases, the computer is not 
joined to a domain, and therefore, trust is not being managed by Group Policy. However, the objective is to authenticate to a remote server, such as the domain controller. Root certificate propagation provides the ability to use the smart card to include the missing trust chain. +In both cases, the computer isn't joined to a domain, and therefore, trust isn't being managed by Group Policy. However, the objective is to authenticate to a remote server, such as the domain controller. Root certificate propagation provides the ability to use the smart card to include the missing trust chain. -When the smart card is inserted, the certificate propagation service propagates any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the enterprise resources. You may also use a subsequent cleanup action when the user's smart card is removed from the reader, or when the user signs out. This is configurable with Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). +When the smart card is inserted, the certificate propagation service propagates any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the enterprise resources. You might also use a subsequent cleanup action when the user's smart card is removed from the reader, or when the user signs out. This is configurable with Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). For more information about root certificate requirements, see [Smart card root certificate requirements for use with domain sign-in](smart-card-certificate-requirements-and-enumeration.md#smart-card-root-certificate-requirements-for-use-with-domain-sign-in). 
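Review bot: in the root certificate propagation paragraph, "This is configurable with Group Policy" leaves "This" dangling after two sentences about propagation and cleanup. The policy names are already listed earlier in the same file, so say which one: "The cleanup action is configurable through the **Configure root certificate cleanup** Group Policy setting." It matters here because propagation adds every root found on an inserted card to the computer's trusted smart card root stores, so the reader should see where the cleanup is controlled.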
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index 1ac825dde6..79cf20942a 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -15,8 +15,8 @@ When a smart card is inserted, the following steps are performed. > Unless otherwise mentioned, all operations are performed silently (CRYPT_SILENT is passed to CryptAcquireContext). 1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP). -1. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is `\\.\` -1. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card will be unusable for smart card sign-in. +1. A qualified container name is constructed by using the smart card reader name, and it's passed to the CSP. The format is `\\.\` +1. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card is unusable for smart card sign-in. 1. The name of the container is retrieved by using the PP_CONTAINER parameter with CryptGetProvParam. 1. Using the context acquired in Step 3, the CSP is queried for the PP_USER_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8. 1. If the operation in Step 5 fails, the default container context from Step 3 is queried for the AT_KEYEXCHANGE key. 
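Review bot: the rewritten step 2 still reads "The format is `\\.\`" with nothing after the final backslash, so the reader-name part of the qualified container name is missing. The step says the name is built from the smart card reader name, so the placeholder needs to be restored (written so markdown doesn't swallow it as an HTML tag); without it the step is useless to anyone debugging a CryptAcquireContext failure in step 3.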
@@ -40,13 +40,13 @@ When a smart card is inserted, the following steps are performed. ## Smart card sign-in flow in Windows -Most issues during authentication occur because of session behavior changes. When changes occur, the Local Security Authority (LSA) does not reacquire the session context; it relies instead on the Cryptographic Service Provider to handle the session change. +Most issues during authentication occur because of session behavior changes. When changes occur, the Local Security Authority (LSA) doesn't reacquire the session context; it relies instead on the Cryptographic Service Provider to handle the session change. -Client certificates that do not contain a UPN in the `subjectAltName`` (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card. +Client certificates that don't contain a UPN in the `subjectAltName`` (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card. Support for multiple certificates on the same card is enabled by default. New certificate types must be enabled through Group Policy. -If you enable the **Allow signature keys valid for Logon** credential provider policy, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen. This allows users to select their sign-in experience. If the policy is disabled or not configured, smart card signature-key-based certificates are not listed on the sign-in screen. +If you enable the **Allow signature keys valid for Logon** credential provider policy, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen. This allows users to select their sign-in experience. 
If the policy is disabled or not configured, smart card signature-key-based certificates aren't listed on the sign-in screen. The following diagram illustrates how smart card sign-in works in the supported versions of Windows. 
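Review bot: the doubled backtick in "`subjectAltName`` (SAN)" survives on the + line; the stray backtick opens an unterminated code span and garbles the rendered paragraph. Change it to "`subjectAltName` (SAN)" while the line is being touched.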
@@ -69,7 +69,7 @@ Following are the steps that are performed during a smart card sign-in: 1. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box. 1. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN. -1. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB_CERTIFICATE_LOGON structure. The main contents of the KERB_CERTIFICATE_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain is not in the same forest because it enables a certificate to be mapped to multiple user accounts. +1. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB_CERTIFICATE_LOGON structure. The main contents of the KERB_CERTIFICATE_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain isn't in the same forest because it enables a certificate to be mapped to multiple user accounts. 1. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI. 1. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser. 1. 
LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB_AS_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)). @@ -107,7 +107,7 @@ Following are the steps that are performed during a smart card sign-in: For more information about the Kerberos protocol, see [Microsoft Kerberos](/windows/win32/secauthn/microsoft-kerberos). -By default, the KDC verifies that the client's certificate contains the smart card client authentication EKU szOID_KP_SMARTCARD_LOGON. However, if enabled, the **Allow certificates with no extended key usage certificate attribute** Group Policy setting allows the KDC to not require the SC-LOGON EKU. SC-LOGON EKU is not required for account mappings that are based on the public key. +By default, the KDC verifies that the client's certificate contains the smart card client authentication EKU szOID_KP_SMARTCARD_LOGON. However, if enabled, the **Allow certificates with no extended key usage certificate attribute** Group Policy setting allows the KDC to not require the SC-LOGON EKU. SC-LOGON EKU isn't required for account mappings that are based on the public key. ## KDC certificate 
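Review bot: the unchanged step directly after the edited one still has the grammar error "which containing a preauthenticator" (should be "which contains a preauthenticator"); since this commit is a light review of exactly this list, fix it in the same pass. The RFC 4556 link on that line is plain http://; use https://www.rfc-editor.org/rfc/rfc4556 so the reference to the PKINIT specification isn't fetched over cleartext.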
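Review bot: in the KDC paragraph the same EKU is named three ways within two sentences ("smart card client authentication EKU szOID_KP_SMARTCARD_LOGON", "the SC-LOGON EKU", "SC-LOGON EKU"); pick one, format the identifier as code (`szOID_KP_SMARTCARD_LOGON`), and replace "allows the KDC to not require the SC-LOGON EKU" with "lets the KDC accept certificates without that EKU". "Allows ... to not require" reads as a double negative and hides that the setting relaxes a validation check.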
@@ -125,26 +125,26 @@ Certificate requirements are listed by versions of the Windows operating system. ### Certificate requirements -The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider. +The smart card certificate has specific format requirements when it's used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider. | Component | Requirements | |--|--| | CRL distribution point location | Not required | | Key usage | Digital signature | | Basic constraints | Not required | -| extended key usage (EKU) | The smart card sign-in object identifier is not required.

**Note** If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. | -| Subject alternative name | E-mail ID is not required for smart card sign-in. | +| extended key usage (EKU) | The smart card sign-in object identifier isn't required.

**Note** If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. | +| Subject alternative name | E-mail ID isn't required for smart card sign-in. | | Subject | Not required | -| Key exchange (AT_KEYEXCHANGE field) | Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.) | +| Key exchange (AT_KEYEXCHANGE field) | Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings aren't enabled.) | | CRL | Not required | | UPN | Not required | | Notes | You can enable any certificate to be visible for the smart card credential provider. | ### Client certificate mappings -Certificate mapping is based on the UPN that is contained in the subjectAltName (SAN) field of the certificate. Client certificates that do not contain information in the SAN field are also supported. +Certificate mapping is based on the UPN that is contained in the subjectAltName (SAN) field of the certificate. Client certificates that don't contain information in the SAN field are also supported. -SSL/TLS can map certificates that do not have SAN, and the mapping is done by using the AltSecID attributes on client accounts. The X509 AltSecID, which is used by SSL/TLS client authentication is of the form "X509: `` `` and `` are taken from the client certificate, with '\r' and '\n' replaced with ','. +SSL/TLS can map certificates that don't have SAN, and the mapping is done by using the AltSecID attributes on client accounts. The X509 AltSecID, which is used by SSL/TLS client authentication is of the form "X509: `` `` and `` are taken from the client certificate, with '\r' and '\n' replaced with ','. #### Certificate revocation list distribution points 
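Review bot: in the Certificate requirements table, the EKU row's cell is split across lines with a blank line and a "**Note**" line in the middle (in both the - and + versions); a markdown table row can't span lines, so the table ends at that row and the remaining rows render as raw text. Put the note in the cell with `<br>` or move it below the table. Two smaller things in the same hunk: the Key exchange row says "if a Group Policy setting is enabled" without naming it, and the file already names **Allow signature keys valid for Logon** in the sign-in flow section, so reference it; and the AltSecID sentence under Client certificate mappings has an opening quote that is never closed and empty code spans (`` ``) where the format placeholders should be, so the format can't be read as written.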
@@ -167,10 +167,10 @@ This account mapping is supported by the KDC in addition to six other mapping me The certificate object is parsed to look for content to perform user account mapping. - When a user name is provided with the certificate, the user name is used to locate the account object. This operation is the fastest, because string matching occurs -- When only the certificate object is provided, a series of operations are performed to locate the user name to map the user name to an account object +- When only the certificate object is provided, multiple operations are performed to locate the user name to map the user name to an account object - When no domain information is available for authentication, the local domain is used by default. If any other domain is to be used for lookup, a domain name hint should be provided to perform the mapping and binding -Mapping based on generic attributes is not possible because there is no generic API to retrieve attributes from a certificate. Currently, the first method that locates an account successfully stops the search. But a configuration error occurs if two methods map the same certificate to different user accounts when the client does not supply the client name through the mapping hints. +Mapping based on generic attributes isn't possible because there's no generic API to retrieve attributes from a certificate. Currently, the first method that locates an account successfully stops the search. But a configuration error occurs if two methods map the same certificate to different user accounts when the client doesn't supply the client name through the mapping hints. The following figure illustrates the process of mapping user accounts for sign-in in the directory by viewing various entries in the certificate. 
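Review bot: replacing "a series of operations" with "multiple operations" in the second bullet drops the ordering, but the paragraph two lines later depends on it ("the first method that locates an account successfully stops the search"). Keep "a series of" (or "a sequence of"), since the order of the mapping methods determines which account wins.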
@@ -190,23 +190,23 @@ A single user certificate can be mapped to multiple accounts. For example, a use Based on the information that is available in the certificate, the sign-in conditions are: 1. If no UPN is present in the certificate: - 1. Sign-in can occur in the local forest or in another forest if a single user with one certificate needs to sign in to different accounts - 1. A hint must be supplied if mapping is not unique (for example, if multiple users are mapped to the same certificate) + 1. Sign-in can occur in the local forest or in another forest if a single user with one certificate needs to sign in to different accounts + 1. A hint must be supplied if mapping isn't unique (for example, if multiple users are mapped to the same certificate) 1. If a UPN is present in the certificate: - 1. The certificate cannot be mapped to multiple users in the same forest - 1. The certificate can be mapped to multiple users in different forests. For a user to sign in to other forests, an X509 hint must be supplied to the user + 1. The certificate can't be mapped to multiple users in the same forest + 1. The certificate can be mapped to multiple users in different forests. For a user to sign in to other forests, an X509 hint must be supplied to the user ## Smart card sign-in for multiple users into a single account -A group of users might sign in to a single account (for example, an administrator account). For that account, user certificates are mapped so that they are enabled for sign-in. +A group of users might sign in to a single account (for example, an administrator account). For that account, user certificates are mapped so that they're enabled for sign-in. -Several distinct certificates can be mapped to a single account. For this to work properly, the certificate cannot have UPNs. +Several distinct certificates can be mapped to a single account. For this to work properly, the certificate can't have UPNs. 
For example, if Certificate1 has CN=CNName1, Certificate2 has CN=User1, and Certificate3 has CN=User2, the AltSecID of these certificates can be mapped to a single account by using the Active Directory Users and Computers name mapping. ## Smart card sign-in across forests -For account mapping to work across forests, particularly in cases where there is not enough information available on the certificate, the user might enter a hint in the form of a user name, such as *domain\user*, or a fully qualified UPN such as `user@contoso.com`. +For account mapping to work across forests, particularly in cases where there isn't enough information available on the certificate, the user might enter a hint in the form of a user name, such as *domain\user*, or a fully qualified UPN such as `user@contoso.com`. > [!NOTE] > For the hint field to appear during smart card sign-in, the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) must be enabled on the client. 
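Review bot: "For this to work properly, the certificate can't have UPNs" now has a number mismatch: the sentence is about several distinct certificates, so "the certificates can't contain a UPN". Also, "the user might enter a hint in the form of a user name" changes the meaning of the original "may enter": "might" states likelihood, while the text is granting an option. "The user can enter a hint" keeps the sense.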
@@ -215,9 +215,9 @@ For account mapping to work across forests, particularly in cases where there is Online Certificate Status Protocol (OCSP), which is defined in RFC 2560, enables applications to obtain timely information about the revocation status of a certificate. Because OCSP responses are small and well bound, constrained clients might want to use OCSP to check the validity of the certificates for Kerberos on the KDC, to avoid transmission of large CRLs, and to save bandwidth on constrained networks. For information about CRL registry keys, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). -The KDCs in Windows attempt to get OCSP responses and use them when available. This behavior cannot be disabled. CryptoAPI for OCSP caches OCSP responses and the status of the responses. The KDC supports only OCSP responses for the signer certificate. +The KDCs in Windows attempt to get OCSP responses and use them when available. This behavior can't be disabled. CryptoAPI for OCSP caches OCSP responses and the status of the responses. The KDC supports only OCSP responses for the signer certificate. -Windows client computers attempt to request the OCSP responses and use them in the reply when they are available. This behavior cannot be disabled. +Windows client computers attempt to request the OCSP responses and use them in the reply when they're available. This behavior can't be disabled. ## Smart card root certificate requirements for use with domain sign-in 
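Review bot: the OCSP paragraph still cites RFC 2560, which was obsoleted by RFC 6960 in 2013; for a freshness pass, update the reference to RFC 6960 (https://www.rfc-editor.org/rfc/rfc6960) in the unchanged first sentence of this hunk.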
@@ -227,10 +227,10 @@ For sign-in to work in a smart card-based domain, the smart card certificate mus - The smart card sign-in certificate must have the HTTP CRL distribution point listed in its certificate - The CRL distribution point must have a valid CRL published and a delta CRL, if applicable, even if the CRL distribution point is empty - The smart card certificate must contain one of the following: - - A subject field that contains the DNS domain name in the distinguished name. If it does not, resolution to an appropriate domain fails, so Remote Desktop Services and the domain sign-in with the smart card fail - - A UPN where the domain name resolves to the actual domain. For example, if the domain name is `Engineering.Corp.Contoso`, the UPN is `username@engineering.corp.contoso.com`. If any part of the domain name is omitted, the Kerberos client cannot find the appropriate domain + - A subject field that contains the DNS domain name in the distinguished name. If it doesn't, resolution to an appropriate domain fails, so Remote Desktop Services and the domain sign-in with the smart card fail + - A UPN where the domain name resolves to the actual domain. For example, if the domain name is `Engineering.Corp.Contoso`, the UPN is `username@engineering.corp.contoso.com`. If any part of the domain name is omitted, the Kerberos client can't find the appropriate domain -Although the HTTP CRL distribution points are on by default in Windows Server 2008, subsequent versions of the Windows Server operating system do not include HTTP CRL distribution points. To allow smart card sign-in to a domain in these versions, do the following: +Although the HTTP CRL distribution points are on by default in Windows Server 2008, subsequent versions of the Windows Server operating system don't include HTTP CRL distribution points. To allow smart card sign-in to a domain in these versions, do the following: 1. Enable HTTP CRL distribution points on the CA 1. Restart the CA 
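Review bot: the UPN example in the rewritten bullet doesn't match its own domain: the domain name is given as `Engineering.Corp.Contoso` but the UPN is `username@engineering.corp.contoso.com`, so the example shows exactly the partial-name mismatch the next sentence warns about. Use the same name on both sides (for example, make the domain `engineering.corp.contoso.com`).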
@@ -240,7 +240,7 @@ Although the HTTP CRL distribution points are on by default in Windows Server 20 The workaround is to enable the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key), which allows the user to supply a hint in the credentials user interface for domain sign-in. -If the client computer is not joined to the domain or if it is joined to a different domain, the client computer can resolve the server domain only by looking at the distinguished name on the certificate, not the UPN. For this scenario to work, the certificate requires a full subject, including `DC=`, for domain name resolution. +If the client computer isn't joined to the domain or if it's joined to a different domain, the client computer can resolve the server domain only by looking at the distinguished name on the certificate, not the UPN. For this scenario to work, the certificate requires a full subject, including `DC=`, for domain name resolution. To deploy root certificates on a smart card for the currently joined domain, you can use the following command: diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index 970bee548f..616ea96b49 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md 
@@ -15,7 +15,7 @@ The smart card removal policy service is applicable when a user has signed in wi The numbers in the previous figure represent the following actions: -1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated. +1. Winlogon isn't directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated. 1. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred. 1. ScPolicySvc retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, ScPolicySvc is notified. 1. ScPolicySvc calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, ScPolicySvc sends a message to Winlogon to lock the computer. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index fd30cb8172..9993a82970 100644 
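Review bot: "ScPolicySvc" appears in step 3 without being introduced; the hunk's first line calls it "the smart card removal policy service". Add the service name on first mention ("the smart card removal policy service (ScPolicySvc)") so the numbered steps can be matched to the service in Services or in event logs.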
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md @@ -11,9 +11,9 @@ ms.date: 11/06/2023 This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards. -Virtual smart cards are a technology from Microsoft that offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering. +Virtual smart cards are a technology from Microsoft that offers comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: nonexportability, isolated cryptography, and anti-hammering. -This step-by-step walkthrough shows you how to set up a basic test environment for using TPM virtual smart cards. After you complete this walkthrough, you will have a functional virtual smart card installed on the Windows computer. +This step-by-step walkthrough shows you how to set up a basic test environment for using TPM virtual smart cards. After you complete this walkthrough, you'll have a functional virtual smart card installed on the Windows computer. You should be able to complete this walkthrough in less than one hour, excluding installing software and setting up the test domain. 
@@ -29,7 +29,7 @@ You should be able to complete this walkthrough in less than one hour, excluding ## Prerequisites -You will need: +You'll need: - A computer running Windows 10 with an installed and fully functional TPM (version 1.2 or version 2.0) - A test domain to which the computer listed above can be joined 
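Review bot: the prerequisites still list only "A computer running Windows 10" with a TPM 1.2 or 2.0 while ms.date is moved to 11/06/2023 in this same diff; confirm whether Windows 11 is in scope and state the supported versions, since this is the line a reader uses to decide whether the walkthrough applies.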
@@ -37,17 +37,17 @@ You will need: ## Step 1: Create the certificate template -On your domain server, you need to create a template for the certificate that you will request for the virtual smart card. +On your domain server, you need to create a template for the certificate that you request for the virtual smart card. ### To create the certificate template -1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type **mmc.exe** from the **Start** menu, right-click **mmc.exe**, and click **Run as administrator** +1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type **mmc.exe** from the **Start** menu, right-click **mmc.exe**, and select **Run as administrator** 1. Select **File** > **Add/Remove Snap-in** ![Add or remove snap-in.](images/vsc-02-mmc-add-snap-in.png) -1. In the available snap-ins list, click **Certificate Templates**, and then click **Add** +1. In the available snap-ins list, select **Certificate Templates**, and then select **Add** ![Add Certificate Templates snap-in.](images/vsc-03-add-certificate-templates-snap-in.png) 1. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates. -1. Right-click the **Smartcard Logon** template, and click **Duplicate Template**. +1. Right-click the **Smartcard Logon** template, and select **Duplicate Template**. ![Duplicating the Smartcard Logon template.](images/vsc-04-right-click-smartcard-logon-template.png) 1. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed. ![Compatibility tab, certification authority setting.](images/vsc-05-certificate-template-compatibility.png) 
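Review bot: "a template for the certificate that you request for the virtual smart card" lost its forward reference when "will" was removed; the request happens later, in Step 3, so "the certificate that you'll request in Step 3" keeps the sequence clear.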
@@ -56,31 +56,31 @@ On your domain server, you need to create a template for the certificate that yo 1. Set the validity period to the desired value. 1. On the **Request Handling** tab: 1. Set the **Purpose** to **Signature and smartcard logon**. - 1. Click **Prompt the user during enrollment**. + 1. Select **Prompt the user during enrollment**. 1. On the **Cryptography** tab: 1. Set the minimum key size to 2048. - 1. Click **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**. + 1. Select **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**. 1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them. -1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates. -1. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**. +1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates. +1. Select **File**, then select **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**. ![Add Certification Authority snap-in.](images/vsc-06-add-certification-authority-snap-in.png) 1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list. -1. 
Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**. +1. Right-click **Certificate Templates**, select **New**, and then select **Certificate Template to Issue**. ![Right-click menu for Certificate Templates.](images/vsc-07-right-click-certificate-templates.png) -1. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**. +1. From the list, select the new template that you created (**TPM Virtual Smart Card Logon**), and then select **OK**. > [!NOTE] > It can take some time for your template to replicate to all servers and become available in this list. ![Selecting a certificate template.](images/vsc-08-enable-certificate-template.png) -1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**. +1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks**, and then select **Stop Service**. Then, right-click the name of the CA again, select **All Tasks**, and then select **Start Service**. ![Stopping and starting the service.](images/vsc-09-stop-service-start-service.png) ## Step 2: Create the TPM virtual smart card -In this step, you will create the virtual smart card on the client computer by using the command-line tool, [Tpmvscmgr.exe](virtual-smart-card-tpmvscmgr.md). +In this step, you create the virtual smart card on the client computer by using the command-line tool, [Tpmvscmgr.exe](virtual-smart-card-tpmvscmgr.md). ### To create the TPM virtual smart card 
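Review bot: in the last step of Step 1, "right-click in the Certification Authority list, select **All Tasks**, and then select **Stop Service**" is followed by "right-click the name of the CA again", so the first right-click target should also be the CA name: "right-click the name of the CA, select **All Tasks**, and then select **Stop Service**".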
@@ -90,10 +90,10 @@ In this step, you will create the virtual smart card on the client computer by u `tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate` - This will create a virtual smart card with the name **TestVSC**, omit the unlock key, and generate the file system on the card. The PIN will be set to the default, 12345678. To be prompted for a PIN, instead of **/pin default** you can type **/pin prompt**.\ + This creates a virtual smart card with the name **TestVSC**, omit the unlock key, and generate the file system on the card. The PIN is set to the default, 12345678. To be prompted for a PIN, instead of **/pin default** you can type **/pin prompt**.\ For more information about the Tpmvscmgr command-line tool, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) and [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md). -1. Wait several seconds for the process to finish. Upon completion, Tpmvscmgr.exe will provide you with the device instance ID for the TPM Virtual Smart Card. Store this ID for later reference because you will need it to manage or remove the virtual smart card. +1. Wait several seconds for the process to finish. Upon completion, Tpmvscmgr.exe provides you with the device instance ID for the TPM Virtual Smart Card. Store this ID for later reference because you need it to manage or remove the virtual smart card. ## Step 3: Enroll for the certificate on the TPM Virtual Smart Card 
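Review bot: The tense conversion in `This creates a virtual smart card with the name **TestVSC**, omit the unlock key, and generate the file system on the card` only reached the first verb; it should read `creates ..., omits the unlock key, and generates the file system on the card`. While this sentence is being edited, it would help to say that the default PIN of 12345678 is suitable only for a test card like the **TestVSC** example and that `/pin prompt` is the option to use for a card that will be relied on, since the two are currently presented as interchangeable.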
@@ -102,15 +102,15 @@ The virtual smart card must be provisioned with a sign-in certificate for it to ### To enroll the certificate 1. Open the Certificates console by typing **certmgr.msc** on the **Start** menu -1. Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate** +1. Right-click **Personal**, select **All Tasks**, and then select **Request New Certificate** ![Request New Certificate.](images/vsc-11-certificates-request-new-certificate.png) 1. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1) ![Certificate enrollment, select certificate.](images/vsc-12-certificate-enrollment-select-certificate.png) 1. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)** -1. Enter the PIN that was established when you created the TPM virtual smart card, and then click **OK** -1. Wait for the enrollment to finish, and then click **Finish** +1. Enter the PIN that was established when you created the TPM virtual smart card, and then select **OK** +1. Wait for the enrollment to finish, and then select **Finish** -The virtual smart card can now be used as an alternative credential to sign in to your domain. To verify that your virtual smart card configuration and certificate enrollment were successful, sign out of your current session, and then sign in. When you sign in, you will see the icon for the new TPM virtual smart card on the Secure Desktop (sign in) screen or you will be automatically directed to the TPM smart card sign-in dialog box. Click the icon, enter your PIN (if necessary), and then click **OK**. You should be signed in to your domain account. +The virtual smart card can now be used as an alternative credential to sign in to your domain. 
To verify that your virtual smart card configuration and certificate enrollment were successful, sign out of your current session, and then sign in. When you sign in, you'll see the icon for the new TPM virtual smart card on the Secure Desktop (sign in) screen or you are automatically directed to the TPM smart card sign-in dialog box. Select the icon, enter your PIN (if necessary), and then select **OK**. You should be signed in to your domain account. ## See also diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md index 2ab0167682..c5ac24e838 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md 
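Review bot: The split sentence now mixes forms: `you'll see the icon for the new TPM virtual smart card on the Secure Desktop (sign in) screen or you are automatically directed to the TPM smart card sign-in dialog box`. Use one construction for both clauses, for example `you see the icon ... or you're automatically directed`, which also matches the present tense adopted elsewhere in this patch.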
@@ -11,17 +11,14 @@ ms.date: 11/06/2023 This article describes the virtual smart card technology and how it can fit into your authentication design. -Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering. +Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: nonexportability, isolated cryptography, and anti-hammering. -Virtual smart cards are functionally similar to physical smart cards. They appear as always-inserted smart cards, and they can be used for authentication to external resources, protection of data by secure encryption, and integrity through reliable signing. Because TPM-enabled hardware is readily available and virtual smart cards can be easily deployed by using existing certificate enrollment methods, virtual smart cards can become a full replacement for other methods of strong authentication in a corporate setting of any scale. +Virtual smart cards are functionally similar to physical smart cards. 
They appear as always-inserted smart cards, and they can be used for authentication to external resources, protection of data by secure encryption, and integrity through reliable signing. Since TPM-enabled hardware is readily available and virtual smart cards can be deployed using existing certificate enrollment methods, virtual smart cards can become a replacement for other methods of strong authentication in a corporate setting of any scale. This topic contains the following sections: -- [Comparing virtual smart cards with physical smart cards](#comparing-virtual-smart-cards-with-physical-smart-cards): - Compares properties, functional aspects, security, and cost. - -- [Authentication design options](#authentication-design-options): - Describes how passwords, smart cards, and virtual smart cards can be used to reach authentication goals in your organization. +- [Comparing virtual smart cards with physical smart cards](#comparing-virtual-smart-cards-with-physical-smart-cards): compares properties, functional aspects, security, and cost. +- [Authentication design options](#authentication-design-options): describes how passwords, smart cards, and virtual smart cards can be used to reach authentication goals in your organization. ## Comparing virtual smart cards with physical smart cards 
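Review bot: The intro paragraph opens with `This article describes the virtual smart card technology` but the unchanged line a few sentences later still says `This topic contains the following sections:`; change it to `This article` since this hunk already rewrites the surrounding text. Also, the rewrite introduced `Since TPM-enabled hardware is readily available` where the original had `Because`; `Since` is ambiguous between time and cause, so `Because` was the better word here.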
@@ -33,13 +30,11 @@ All cryptographic operations occur in the secure, isolated environment of the TP Virtual smart cards maintain the three key properties of physical smart cards: -- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer. - For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). +- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and nonexportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer. For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). - **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that are offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. -- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout. - For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). 
+- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout. For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). The following subsections compare the functionality, security, and cost of virtual smart cards and physical smart cards. 
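Review bot: Spelling is now inconsistent inside the same bullet: the bolded label `**Non-exportability**:` keeps the hyphen while the body of that bullet changes `non-exportable` to `nonexportable`, and the previous hunk changed the key-properties list to `nonexportability`. Pick one form and apply it to the label too; otherwise readers see both spellings on adjacent lines.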
@@ -47,41 +42,41 @@ The following subsections compare the functionality, security, and cost of virtu The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There's no method to export the user's virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users. -The basic user experience for a virtual smart card is as simple as using a password to access a network. Because the smart card is loaded by default, the user must simply enter the PIN that is tied to the card to gain access. Users are no longer required to carry cards and readers or to take physical action to use the card. +The basic user experience for a virtual smart card is as simple as using a password to access a network. Because the smart card is loaded by default, the user must enter the PIN that is tied to the card to gain access. Users are no longer required to carry cards and readers or to take physical action to use the card. -Additionally, although the anti-hammering functionality of the virtual smart card is equally secure to that of a physical smart card, virtual smart card users are never required to contact an administrator to unblock the card. Instead, they simply wait a period of time (depending on the TPM specifications) before they reattempt to enter the PIN. Alternatively, the administrator can reset the lockout by providing owner authentication data to the TPM on the host computer. 
+Additionally, although the anti-hammering functionality of the virtual smart card is equally secure to that of a physical smart card, virtual smart card users are never required to contact an administrator to unblock the card. Instead, they wait a period of time (depending on the TPM specifications) before they reattempt to enter the PIN. Alternatively, the administrator can reset the lockout by providing owner authentication data to the TPM on the host computer. ### Security Physical smart cards and virtual smart cards offer comparable levels of security. They both implement two-factor authentication for using network resources. However, they differ in certain aspects, including physical security and the practicality of an attack. Due to their compact and portable design, conventional smart cards are most frequently kept close to their intended user. They offer little opportunity for acquisition by a potential adversary, so any sort of interaction with the card is difficult without committing some variety of theft. -TPM virtual smart cards, however, reside on a user's computer that may frequently be left unattended, which provides an opportunity for a malicious user to hammer the TPM. Although virtual smart cards are fully protected from hammering (as are physical smart cards), this accessibility makes the logistics of an attack somewhat simpler. Additionally, the anti-hammering behavior of a TPM smart card differs in that it only presents a time delay in response to repeated PIN failures, as opposed to fully blocking the user. +TPM virtual smart cards, however, reside on a user's computer that may frequently be left unattended, which provides an opportunity for a malicious user to hammer the TPM. Although virtual smart cards are fully protected from hammering (as are physical smart cards), this accessibility makes the logistics of an attack simpler. 
Additionally, the anti-hammering behavior of a TPM smart card differs in that it only presents a time delay in response to repeated PIN failures, as opposed to fully blocking the user. -However, there are several advantages provided by virtual smart cards to mitigate these slight security deficits. Most importantly, a virtual smart card is much less likely to be lost. Virtual smart cards are integrated into computers and devices that the user already owns for other purposes and has incentive to keep safe. If the computer or device that hosts the virtual smart card is lost or stolen, a user will more immediately notice its loss than the loss of a physical smart card. When a computer or device is identified as lost, the user can notify the administrator of the system, who can revoke the certificate that is associated with the virtual smart card on that device. This precludes any future unauthorized access on that computer or device if the PIN for the virtual smart card is compromised. +However, there are several advantages provided by virtual smart cards to mitigate these slight security deficits. Most importantly, a virtual smart card is much less likely to be lost. Virtual smart cards are integrated into computers and devices that the user already owns for other purposes and has incentive to keep safe. If the computer or device that hosts the virtual smart card is lost or stolen, a user notices its loss quicker than the loss of a physical smart card. When a computer or device is identified as lost, the user can notify the administrator of the system, who can revoke the certificate that is associated with the virtual smart card on that device. This precludes any future unauthorized access on that computer or device if the PIN for the virtual smart card is compromised. ### Cost -If a company wants to deploy physical smart cards, they need to purchase smart cards and smart card readers for all employees. 
Although relatively inexpensive options can be found, options that ensure the three key properties of smart card security (most notably, non-exportability) are more expensive. If employees have computers with a built-in TPM, virtual smart cards can be deployed with no additional material costs. These computers and devices are relatively common in the market. +If a company wants to deploy physical smart cards, they need to purchase smart cards and smart card readers for all employees. Although relatively inexpensive options can be found, options that ensure the three key properties of smart card security (most notably, nonexportability) are more expensive. If employees have computers with a built-in TPM, virtual smart cards can be deployed with no additional material costs. These computers and devices are relatively common in the market. The maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently. ### Comparison summary -| Physical Smart Cards | TPM virtual smart cards | -|---------------------|-------------------| -| Protects private keys by using the built-in cryptographic functionality of the card. | Protects private keys by using the cryptographic functionality of the TPM. | -| Stores private keys in isolated non-volatile memory on the card, which means that access to private keys is only from the card, and access is never allowed to the operating system. | Stores encrypted private keys on the hard drive. The encryption ensures that these keys can only be decrypted and used in the TPM, not in the accessible memory of the operating system. | -| Guarantees non-exportability through the card manufacturer, which includes isolating private information from operating system access. 
| Guarantees non-exportability through the TPM manufacturer, which includes the inability of an adversary to replicate or remove the TPM. | -| Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user's computer or device. | -| Provides anti-hammering through the card. After a certain number of failed PIN entry attempts, the card blocks further access until administrative action is taken. | Provides anti-hammering through the TPM. Successive failed attempts increase the device lockout time (the time the user has to wait before trying again). This can be reset by an administrator. | -| Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without other equipment. | -| Enables credential portability by inserting the smart card into smart card readers that are attached to other computers. | Prevents exporting credentials from a given computer or device. However, virtual smart cards can be issued for the same user on multiple computers or devices by using additional certificates. | -| Enables multiple users to access network resources through the same computer by inserting their personal smart cards. | Enables multiple users to access network resources through the same computer or device by issuing a virtual smart card for each user on that computer or device. | -| Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user's computer, which may be left unattended and allow a greater risk window for hammering attempts. | -| Provides a generally single-purpose device that is carried explicitly for the purpose of authentication. The smart card can be easily misplaced or forgotten. 
| Installs the virtual smart card on a device that has other purposes for the user, so the user has greater incentive to be responsible for the computer or device. | -| Alerts users that their card is lost or stolen only when they need to sign in and notice it's missing. | Installs the virtual smart card on a device that the user likely needs for other purposes, so users will notice its loss much more quickly. This reduces the associated risk window. | -| Requires companies to invest in smart cards and smart card readers for all employees. | Requires that companies ensure all employees have TPM-enabled computers, which are relatively common. | -| Enables using a smart card removal policy to affect system behavior when the smart card is removed. For example, the policy can dictate if the user's sign-in session is locked or terminated when the user removes the card. | Eliminates the necessity for a smart card removal policy because a TPM virtual smart card is always present and can't be removed from the computer. | +| Physical Smart Cards | TPM virtual smart cards | +|--|--| +| Protects private keys by using the built-in cryptographic functionality of the card. | Protects private keys by using the cryptographic functionality of the TPM. | +| Stores private keys in isolated non-volatile memory on the card, which means that access to private keys is only from the card, and access is never allowed to the operating system. | Stores encrypted private keys on the hard drive. The encryption ensures that these keys can only be decrypted and used in the TPM, not in the accessible memory of the operating system. | +| Guarantees nonexportability through the card manufacturer, which includes isolating private information from operating system access. | Guarantees nonexportability through the TPM manufacturer, which includes the inability of an adversary to replicate or remove the TPM. 
| +| Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user's computer or device. | +| Provides anti-hammering through the card. After some failed PIN entry attempts, the card blocks further access until administrative action is taken. | Provides anti-hammering through the TPM. Successive failed attempts increase the device lockout time (the time the user has to wait before trying again). This can be reset by an administrator. | +| Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without other equipment. | +| Enables credential portability by inserting the smart card into smart card readers that are attached to other computers. | Prevents exporting credentials from a given computer or device. However, virtual smart cards can be issued for the same user on multiple computers or devices by using additional certificates. | +| Enables multiple users to access network resources through the same computer by inserting their personal smart cards. | Enables multiple users to access network resources through the same computer or device by issuing a virtual smart card for each user on that computer or device. | +| Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user's computer, which might be left unattended and allow a greater risk window for hammering attempts. | +| Provides a generally single-purpose device that is carried explicitly for the purpose of authentication. The smart card can be easily misplaced or forgotten. | Installs the virtual smart card on a device that has other purposes for the user, so the user has greater incentive to be responsible for the computer or device. 
| +| Alerts users that their card is lost or stolen only when they need to sign in and notice it's missing. | Installs the virtual smart card on a device that the user likely needs for other purposes, so users will notice its loss much more quickly. This reduces the associated risk window. | +| Requires companies to invest in smart cards and smart card readers for all employees. | Requires that companies ensure all employees have TPM-enabled computers, which are relatively common. | +| Enables using a smart card removal policy to affect system behavior when the smart card is removed. For example, the policy can dictate if the user's sign-in session is locked or terminated when the user removes the card. | Eliminates the necessity for a smart card removal policy because a TPM virtual smart card is always present and can't be removed from the computer. | ## Authentication design options 
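Review bot: One future-tense phrase survived the conversion in the comparison table: the row `Installs the virtual smart card on a device that the user likely needs for other purposes, so users will notice its loss much more quickly` should become `so users notice its loss much more quickly`, matching the edit made to the equivalent sentence in the Security section. Two smaller points in this hunk: `a user notices its loss quicker than the loss of a physical smart card` needs the adverb `more quickly`, and replacing `After a certain number of failed PIN entry attempts` with `After some failed PIN entry attempts` makes the anti-hammering row vaguer rather than simpler, since the point of that row is that the card blocks at a fixed threshold.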
@@ -113,6 +108,6 @@ The additional security comes with added material and support costs. Traditional ### Virtual smart cards -Virtual smart cards emulate the functionality of traditional smart cards. Instead of requiring the purchase of additional hardware, virtual smart cards utilize technology that users already own and are more likely to always have with them. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. The virtual smart card platform is limited to the use of the Trusted Platform Module (TPM) chip, which is on most modern devices. +Virtual smart cards emulate the functionality of traditional smart cards. Instead of requiring the purchase of additional hardware, virtual smart cards utilize technology that users already own and are more likely to always have with them. Theoretically, any device that can provide the three key properties of smart cards (nonexportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. The virtual smart card platform is limited to the use of the Trusted Platform Module (TPM) chip, which is on most modern devices. -Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards: non-exportability, isolated cryptography, and anti-hammering. Virtual smart cards are less expensive to implement and more convenient for users. Since many corporate computers already have a built-in TPM, there's no cost associated with purchasing new hardware. The user's possession of a computer or device is equivalent to the possession of a smart card, and a user's identity can't be assumed from any other computer or device without administrative provisioning of further credentials. 
Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card. +Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards: nonexportability, isolated cryptography, and anti-hammering. Virtual smart cards are less expensive to implement and more convenient for users. Since many corporate computers already have a built-in TPM, there's no cost associated with purchasing new hardware. The user's possession of a computer or device is equivalent to the possession of a smart card, and a user's identity can't be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card. From f1418cc69c9b780fe21642af00ad810bae79fa15 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 7 Nov 2023 09:26:38 -0500 Subject: [PATCH 09/21] TOC updates --- .../identity-protection/smart-cards/toc.yml | 47 +++++++++---------- .../virtual-smart-cards/toc.yml | 26 +++++----- 2 files changed, 35 insertions(+), 38 deletions(-) diff --git a/windows/security/identity-protection/smart-cards/toc.yml b/windows/security/identity-protection/smart-cards/toc.yml index 0d82f8c3a7..2b7e51db7b 100644 --- a/windows/security/identity-protection/smart-cards/toc.yml +++ b/windows/security/identity-protection/smart-cards/toc.yml 
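Review bot: The Virtual smart cards paragraph still reads as self-contradictory: `Theoretically, any device that can provide the three key properties of smart cards ... can be commissioned as a virtual smart card` is immediately followed by `The virtual smart card platform is limited to the use of the Trusted Platform Module (TPM) chip`. Since the hunk touches both sentences, make the contrast explicit, for example `In practice, the Windows virtual smart card platform supports only the TPM`.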
@@ -1,28 +1,27 @@ items: - name: Smart Card Technical Reference href: smart-card-windows-smart-card-technical-reference.md +- name: How Smart Card Sign-in Works in Windows + href: smart-card-how-smart-card-sign-in-works-in-windows.md items: - - name: How Smart Card Sign-in Works in Windows - href: smart-card-how-smart-card-sign-in-works-in-windows.md - items: - - name: Smart Card Architecture - href: smart-card-architecture.md - - name: Certificate Requirements and Enumeration - href: smart-card-certificate-requirements-and-enumeration.md - - name: Smart Card and Remote Desktop Services - href: smart-card-and-remote-desktop-services.md - - name: Smart Cards for Windows Service - href: smart-card-smart-cards-for-windows-service.md - - name: Certificate Propagation Service - href: smart-card-certificate-propagation-service.md - - name: Smart Card Removal Policy Service - href: smart-card-removal-policy-service.md - - name: Smart Card Tools and Settings - href: smart-card-tools-and-settings.md - items: - - name: Smart Cards Debugging Information - href: smart-card-debugging-information.md - - name: Smart Card Group Policy and Registry Settings - href: smart-card-group-policy-and-registry-settings.md - - name: Smart Card Events - href: smart-card-events.md \ No newline at end of file + - name: Smart Card Architecture + href: smart-card-architecture.md + - name: Certificate Requirements and Enumeration + href: smart-card-certificate-requirements-and-enumeration.md + - name: Smart Card and Remote Desktop Services + href: smart-card-and-remote-desktop-services.md + - name: Smart Cards for Windows Service + href: smart-card-smart-cards-for-windows-service.md + - name: Certificate Propagation Service + href: smart-card-certificate-propagation-service.md + - name: Smart Card Removal Policy Service + href: smart-card-removal-policy-service.md +- name: Smart Card Tools and Settings + href: smart-card-tools-and-settings.md + items: + - name: Smart Cards Debugging Information + 
href: smart-card-debugging-information.md + - name: Smart Card Group Policy and Registry Settings + href: smart-card-group-policy-and-registry-settings.md + - name: Smart Card Events + href: smart-card-events.md \ No newline at end of file diff --git a/windows/security/identity-protection/virtual-smart-cards/toc.yml b/windows/security/identity-protection/virtual-smart-cards/toc.yml index 68842b6001..0eec1122c0 100644 --- a/windows/security/identity-protection/virtual-smart-cards/toc.yml +++ b/windows/security/identity-protection/virtual-smart-cards/toc.yml @@ -1,17 +1,15 @@ items: - name: Virtual Smart Card overview href: virtual-smart-card-overview.md - items: - - name: Understand and evaluate virtual smart cards - href: virtual-smart-card-understanding-and-evaluating.md - items: - - name: Get started with virtual smart cards - href: virtual-smart-card-get-started.md - - name: Use virtual smart cards - href: virtual-smart-card-use-virtual-smart-cards.md - - name: Deploy virtual smart cards - href: virtual-smart-card-deploy-virtual-smart-cards.md - - name: Evaluate virtual smart card security - href: virtual-smart-card-evaluate-security.md - - name: Tpmvscmgr - href: virtual-smart-card-tpmvscmgr.md \ No newline at end of file +- name: Understand and evaluate virtual smart cards + href: virtual-smart-card-understanding-and-evaluating.md +- name: Get started with virtual smart cards + href: virtual-smart-card-get-started.md +- name: Use virtual smart cards + href: virtual-smart-card-use-virtual-smart-cards.md +- name: Deploy virtual smart cards + href: virtual-smart-card-deploy-virtual-smart-cards.md +- name: Evaluate virtual smart card security + href: virtual-smart-card-evaluate-security.md +- name: Tpmvscmgr + href: virtual-smart-card-tpmvscmgr.md \ No newline at end of file From 93425b5eaf88c586a3a294a20cddd96f17c35c0c Mon Sep 17 00:00:00 2001 
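Review bot: In the smart-cards toc.yml hunk the entry `- name: Smart Cards Debugging Information` doesn't match its file `smart-card-debugging-information.md` or the sibling entries, which all use singular `Smart Card`; rename it `Smart Card Debugging Information` while the line is being re-indented. Both toc.yml files also still end with `\ No newline at end of file` after the rewrite; since every entry in each file is being touched anyway, add the trailing newline. In the virtual-smart-cards toc.yml the unchanged `- name: Virtual Smart Card overview` is now the only title-case entry next to sentence-case siblings such as `Understand and evaluate virtual smart cards`.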
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 7 Nov 2023 09:45:20 -0500 Subject: [PATCH 10/21] updates --- .../smart-cards/smart-card-architecture.md | 2 +- ...ertificate-requirements-and-enumeration.md | 11 ++--- ...card-group-policy-and-registry-settings.md | 4 +- .../images/vsc-02-mmc-add-snap-in.png | Bin 31991 -> 0 bytes ...c-03-add-certificate-templates-snap-in.png | Bin 69792 -> 0 bytes ...4-right-click-smartcard-logon-template.png | Bin 20834 -> 0 bytes ...-05-certificate-template-compatibility.png | Bin 45705 -> 0 bytes ...06-add-certification-authority-snap-in.png | Bin 77728 -> 0 bytes ...c-07-right-click-certificate-templates.png | Bin 43125 -> 0 bytes .../vsc-08-enable-certificate-template.png | Bin 90194 -> 0 bytes .../vsc-09-stop-service-start-service.png | Bin 60622 -> 0 bytes .../vsc-10-cmd-run-as-administrator.png | Bin 29695 -> 0 bytes ...1-certificates-request-new-certificate.png | Bin 87263 -> 0 bytes ...tificate-enrollment-select-certificate.png | Bin 82088 -> 0 bytes .../virtual-smart-card-get-started.md | 38 +++++++----------- ...smart-card-understanding-and-evaluating.md | 8 ++-- ...tual-smart-card-use-virtual-smart-cards.md | 14 +++---- 17 files changed, 30 insertions(+), 47 deletions(-) delete mode 100644 windows/security/identity-protection/virtual-smart-cards/images/vsc-02-mmc-add-snap-in.png delete mode 100644 windows/security/identity-protection/virtual-smart-cards/images/vsc-03-add-certificate-templates-snap-in.png delete mode 100644 windows/security/identity-protection/virtual-smart-cards/images/vsc-04-right-click-smartcard-logon-template.png delete mode 100644 windows/security/identity-protection/virtual-smart-cards/images/vsc-05-certificate-template-compatibility.png delete mode 100644 windows/security/identity-protection/virtual-smart-cards/images/vsc-06-add-certification-authority-snap-in.png delete mode 100644 
windows/security/identity-protection/virtual-smart-cards/images/vsc-07-right-click-certificate-templates.png delete mode 100644 windows/security/identity-protection/virtual-smart-cards/images/vsc-08-enable-certificate-template.png delete mode 100644 windows/security/identity-protection/virtual-smart-cards/images/vsc-09-stop-service-start-service.png delete mode 100644 windows/security/identity-protection/virtual-smart-cards/images/vsc-10-cmd-run-as-administrator.png delete mode 100644 windows/security/identity-protection/virtual-smart-cards/images/vsc-11-certificates-request-new-certificate.png delete mode 100644 windows/security/identity-protection/virtual-smart-cards/images/vsc-12-certificate-enrollment-select-certificate.png diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 5e28ca6340..9aed975124 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -20,7 +20,7 @@ For smart cards, Windows supports a provider architecture that meets the secure ## Credential provider architecture -The following table lists the components that are included in the interactive sign-in architecture of the Windows Server and Windows operating systems. +The following table lists the components that are included in the interactive sign-in architecture: | Component | Description | |--|--| diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index 79cf20942a..4e345d6a7b 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md 
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -18,7 +18,7 @@ When a smart card is inserted, the following steps are performed. 1. A qualified container name is constructed by using the smart card reader name, and it's passed to the CSP. The format is `\\.\` 1. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card is unusable for smart card sign-in. 1. The name of the container is retrieved by using the PP_CONTAINER parameter with CryptGetProvParam. -1. Using the context acquired in Step 3, the CSP is queried for the PP_USER_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8. +1. Using the context acquired in Step 3, the CSP is queried for the PP_USER_CERTSTORE parameter. For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8. 1. If the operation in Step 5 fails, the default container context from Step 3 is queried for the AT_KEYEXCHANGE key. 1. The certificate is then queried from the key context by using KP_CERTIFICATE. The certificate is added to an in-memory certificate store. 1. For each certificate in the certificate store from Step 5 or Step 7, the following checks are performed: 
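Review bot: the unchanged context line "The format is `\\.\`" in this hunk reads as truncated (the reader-name placeholder that should follow `\\.\` is missing), so step 2 never actually documents the qualified container name format; since this list is being edited anyway, restore the placeholder. Dropping "(added in Windows Vista)" from the PP_USER_CERTSTORE step is consistent with the rest of this freshness pass.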
@@ -31,9 +31,6 @@ When a smart card is inserted, the following steps are performed. Any certificate that meets these requirements is displayed to the user with the certificate's UPN (or e-mail address or subject, depending on the presence of the certificate extensions). - > [!NOTE] - > These requirements are the same as those in Windows Server 2003, but they are performed before the user enters the PIN. You can override many of them by using Group Policy settings. - 1. The process then chooses a certificate, and the PIN is entered. 1. LogonUI.exe packages the information and sends it to Lsass.exe to process the sign-in attempt. 1. If successful, LogonUI.exe closes. This causes the context acquired in Step 3 to be released. 
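Review bot: deleting the whole NOTE drops two facts that are not tied to Windows Server 2003: that these certificate checks are performed before the user enters the PIN, and that many of them can be overridden by using Group Policy settings. Keep a trimmed note in place of the removed one, for example "> These checks are performed before the user enters the PIN. You can override many of them by using Group Policy settings."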
@@ -63,7 +60,7 @@ Following are the steps that are performed during a smart card sign-in: 1. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal. > [!NOTE] - > Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior after Windows Vista, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created. + > Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created. 1. Notifies the sign-in UI that it has new credentials. 
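Review bot: the rewritten NOTE keeps the comma splice and awkward phrasing of the old sentence ("A change in this behavior, allows for the condition when...") and the doubled article in "the same the subject key identifier". Now that the version reference is gone, the sentence can be made direct: "If the certificate doesn't have a subject name, the cache entry is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same subject key identifier and certificate issuer, the cache entry is replaced."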
@@ -125,8 +122,6 @@ Certificate requirements are listed by versions of the Windows operating system. ### Certificate requirements -The smart card certificate has specific format requirements when it's used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider. - | Component | Requirements | |--|--| | CRL distribution point location | Not required | @@ -230,7 +225,7 @@ For sign-in to work in a smart card-based domain, the smart card certificate mus - A subject field that contains the DNS domain name in the distinguished name. If it doesn't, resolution to an appropriate domain fails, so Remote Desktop Services and the domain sign-in with the smart card fail - A UPN where the domain name resolves to the actual domain. For example, if the domain name is `Engineering.Corp.Contoso`, the UPN is `username@engineering.corp.contoso.com`. If any part of the domain name is omitted, the Kerberos client can't find the appropriate domain -Although the HTTP CRL distribution points are on by default in Windows Server 2008, subsequent versions of the Windows Server operating system don't include HTTP CRL distribution points. To allow smart card sign-in to a domain in these versions, do the following: +To allow smart card sign-in to a domain in these versions, do the following: 1. Enable HTTP CRL distribution points on the CA 1. Restart the CA diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index 6f8e44fde7..270eda4a77 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md 
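Review bot: in the `@@ -230,7 +225,7 @@` hunk, removing the sentence about HTTP CRL distribution points leaves "To allow smart card sign-in to a domain in these versions, do the following:" with no antecedent for "these versions", and the reader no longer learns why step 1 ("Enable HTTP CRL distribution points on the CA") is needed. Reword along the lines of "If the CA doesn't publish HTTP CRL distribution points, do the following to allow smart card sign-in to a domain:". In the `@@ -125,8 +122,6 @@` hunk, the deleted paragraph also carried "You can enable any certificate to be visible for the smart card credential provider"; that statement isn't Windows XP-specific, so consider keeping it as a one-line introduction to the requirements table.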
@@ -207,7 +207,7 @@ This policy setting is applied to the computer after the [Allow time invalid cer | Registry key | `FilterDuplicateCerts` | | Default values | No changes per operating system versions
Disabled and not configured are equivalent | | Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None | -| Notes and resources | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate that is used to sign in to computers running Windows 2000, Windows XP, or Windows Server 2003 will be displayed. Otherwise, the certificate with the most distant expiration time will be displayed. | +| Notes and resources | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate with the most distant expiration time is displayed. | ### Force the reading of all certificates from the smart card @@ -374,7 +374,7 @@ The following smart card-related Group Policy settings are in **Computer Configu | Group Policy setting and registry key | Default | Description | |--|--|--| | Interactive logon: Require smart card

**scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.

**Enabled** Users can sign in to the computer only by using a smart card.
**Disabled** Users can sign in to the computer by using any method.

NOTE: the Windows LAPS-managed local account is exempted from this policy when Enabled. For more information see [Windows LAPS integration with smart card policy](/windows-server/identity/laps/laps-concepts#windows-laps-integration-with-smart-card-policy).
| -| Interactive logon: Smart card removal behavior

**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:
**No Action**
**Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.
**Force Logoff**: The user is automatically signed out when the smart card is removed.
**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.

**Note**: In earlier versions of Windows Server, Remote Desktop Services was called Terminal Services. | +| Interactive logon: Smart card removal behavior

**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:
**No Action**
**Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.
**Force Logoff**: The user is automatically signed out when the smart card is removed.
**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option. | From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers. 
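Review bot: in the `@@ -207,7 +207,7 @@` hunk, the new "Notes and resources" text folds the old "Otherwise" branch into the Enabled case: the old sentence said that with the policy enabled the certificate used for Windows 2000/XP/Server 2003 sign-in is displayed, and only "otherwise" the certificate with the most distant expiration time. Confirm that "the certificate with the most distant expiration time is displayed" is the actual behavior of FilterDuplicateCerts when enabled, and state what happens when the policy is Disabled, since the Default values row only says that Disabled and not configured are equivalent and this note is now the only description of the filter. The `@@ -374,7 +374,7 @@` removal of the Terminal Services naming note is fine as-is.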
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-02-mmc-add-snap-in.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-02-mmc-add-snap-in.png deleted file mode 100644 index 2d626ecf9494aa2a5b58183cc5dc517bc63b7027..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 31991
z0e9e~wVWa>EH9HQZZPF@>n)$NG5o4edRc}Tau^D1YJcs2Pm%ok1HcK7O>A00eEz&y z$+3RTjX{LxmA{l6c`d~ig&h-hlZ?>y( zp|iP~)w?`aTo=sylS3wv17K4<0uD|`@*SQCstRqto^qt8ibCLlZxX-xX%mYb(iJEb@sdkwVq^^^MC)D+61giyo0cV z7(=`hTc(n9FULl|L%5Tz2s;10S<3CInnCiD%|nMEtt%iL_D_QemFNbQZ95JkE_4Wl zr0_Dwik{UFSzfF9rJ8kwUR>wY4>eiN+>iIE3HIV65z{#6da9`51Ul;`Rm9&!xP^pJ z&1SB{WEl05lq{RzQiRK99GoC$wc{3b)cGVKSeMAn=*T@ zPZPRH3))?4iSrKB2D8Dw0L?&JG?O9{vzv${GyIMg_&n!BR%~8XT$s&xsa?UlaIM(@ z?Prjv>O~96_04RhJanj%X%oqDJLD9Eu>J2}yuYCf1^a z*&g~^cB_QhRTl!Y&TE{c1^uq4i`}DUXA6?JY)0z@1@$bEOnR<0d?%{8P4yv9Dg`Iw!Of~AwhQ@p#;Yw>(ElIdV#<*!r$T8ee@){*}Y D1S8+n 
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-03-add-certificate-templates-snap-in.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-03-add-certificate-templates-snap-in.png deleted file mode 100644 index e5c40ce136ec0772734b32ddc455fdc0f7d326fb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 69792 zcmYhi1yCGM&_0}m2!!ASmtcpxdx9Js?k>UI-GjRyZo!?y;n3g?!QCx5hadXq_rC8} z^=;Mc)^6?2^!D`h^fU8xxPqJn%4dSlZ{EB?0ZED}y?OIC{k2ddetdlrrxZN+dU@-l zBq8#qYMkic_2#|V57{4Y-qge*KN@^^y+^W_)O33D2DRtE@^-+k#Q4pdmqL)(4;6R4 zUTnb~zzn^^c-;dY;;$Vma33spix#3oC|K6gDtVo<5DZcZ50Ous1(H&skAf*&Z-Et15W)R}@Wf z4YRE(Ki1_o1!K~p*C~M>+wXB!9b?pj(kbDm9(D3G;_kIbMMXth!0xWe|L+U^`Aur1 ze=b|RfXw-!J(WD(6V*kKBQJ<$fT0*uFfDCchQ!R*!UEK@wY4?h-Q6AVzXGna%1t-v z2OF*WB!tNw-cL*JyCCm>m?Y9>OH53pq^3?xO9OcV0r>d%|MNedkE3x+3If0HzQekY zb}so~-d{J{L^y^MKyq^AlpLAW^_DvMmoV>4H#z~5{q5)G?`Z$Y7<-1m8oW-glaGuf z4I$IG`$kI}4u$ffTwY#6G=KvIm#RUR>I2E6u%lWTgPOP*x`>aiLq|HkAK=t+^H34F z{q+Bn_EXDTCu?m(Cm}fM`yvlE3b7JTwfrI;`16HlDIi3OI%MW=V`H2l*l@7J)`Xb){Q{6|72|pv_dL~$fYo@eYCH$)Ptz2yO z7NLIcB4NL`=g_b7Oq^P9mGG|K2XU?lG;HRm*jRQ}*4%brMtb^G*goX}5mrpCyI5D-hF++P0xr9;Vyzn`!Xp(ioDedIJ1HG@i4@(U|C?Jb0-(@rD5`PNB zrd`mL!*kp4x9!_4Q=F2pwC(N3MH}P-DT3k<9}0~))D|Fcn}b#a^&lZIPmZNZBEVutvBd5|O^4)n17DmI7#CtaSojRGW zL9X2A347!cK)#i@q*-u62j>d85=;0IImGF}L?_Q$wRi~gLefg*mN{;*k&@U{T)F$e zrrcO%#^JP1_+RC9WH;T57J~rjN z7>TojV(LYz$7inB)~#4omaPoL%u(4o-0(>9vc8##l9JI0g3jNVoWINM6A?% zKIwr}W6w~E(Yxk@)2%$fS|cy_b}z&)+b`$qMn{CAuyd!%mrR^zJnHbG;^NS?HNE@$ zd%d`Eiy)_|7G6MxdKeIzd+3PJM zYxLNO5~9v;iQJg6j1nM+o|mKroSKA-f=iViE7{)*j8jzDr;Cu~7nC_9&;gNrwB&Uf z2y$)W5|X;pw7C%>IRm}tsAp-yl!adUQ<>doAYP<~@}0&pbbbEr?Ev6A#}FEl1xf~} z21T%r;@zSlk|4eH)(>k=3*zMhmDr1BZ=e@S{2C8XMZ6Pz4ZzAfD=>;j4)M~Z$c?%o z&MuO;Y)U!9)Tj|NG(ccAL7<$CfmM`Ytp@?73Rg5mVk{b-+%Dpjk>J|9xjEZs)_Y~$#g^hZjx#9??w=Y!YtqTkCpO!&F(#ozB5@@#hew7rx5#k(WGS`JfILgG_a zR+h7iOZ&I1=V#w&`xyQ5Qgut}$_%4gczNPn)P=|Yj3?gScY_whTUEKpO}fXtW*Fjf 
z>p~X0vO3(X`#su?kN4}oK{e`(_zlr3%_e`$+(z&8*LWuy&gFRia+ny|On_yW$$E(En4=1oBtAO&77 zj=ibvC*vcJo3JLqyyFOrwUyKps{3;fLeVr_HLkb2VBk*E*Kdn4>qjgURhZ%Js=R#Z z?R*&x6ZSD2-y0Tw~c@CS>VWTF3_H6$J5CY}%EAMaOCg!r5?*pr_r8*P!&P8B(- zg*34OZT+!qGufa;JD{QhH-G9xGBsG_lG#fh5AVnIiA~ zP=_yM%QALSI=$4rOl~%zM>8o10vRXNViBt-sT#J&onnr;mVP5eZ<`i0z&zz_?|eP4zpy8{hA zuuhoB;ZBo0*rxIB$QT>BThSAyxD`V!W# zZj=oL4kx~OKDfmN5%czr{z+`j=GAF22$Vj2@3K9j!(PABqAieuViR7H+Be*VZ?x_% z#LlwyW0P)zE$7?~=ugQ3i6_fahDL^n_g;ps>+Z0J)0f*sjNtl??1tG66C4FqGofqL zjZRPfcqH$E>pzcCYe>vH?s1d;Oknwb@`r{Lf35e?0;@_7t=V$V-%Jj-pJ{w0!nXVB z_(PQ^SZRuXv;pnd;R2`jsgSB>b=f$a^YUq2;sDmZ$%%QVrQnogXd!{?e9>Hzv2$-R z77$K*N=DZiXx4yr;RU<$`ta(Sa&!Ir`+?~h8Jyh~R#wv$MB+TdExf*2t^|wbVoq&s zQ5SCiGfWuwXpeQfx~~Xc);qmoV<9WM`Y)}1J+r^xjaH5uBniqry%TVZ>3{acS@NFslbpmSSP==ZFQO~j33qZmgCYf+GbJPqz zcCJdz*i6wKd+=lHZM8<|eAvHJ?|h7#u+ut+ZYq;smfiii|C~MhP*BwO)A!}AX8wdj zgJkcVP=fv%jI7Nf_OR54WI^0vtmY%BFf$YHd;6}zoWUrL=S|WVPQPZ$9_o~=nwUe% zb|1xy-+T7SGz1}2YqaCu_pC)^i>cZ=eU(3xw}3-U^TYz#Y7V=3_#c^KJ@)0fG~TB; z?pIL99yOJcYWDo0zz!_o3)rF*ewIi2s>J5%fRR_)cTq-oyZw>oUrz5{6h9eUIcOjl z_JFKj6Ja%_7n=FZaCN7+jZJ>nq5zq|W?M?;7|7UOUpI~^YH3MdTGBc^I?^Z0G(z5Y zf8OJ$_4vUtaFp`j#BhdrP-#_w^Y!vb*e60_=p9@zqgNn&DKpW6pXW_(Y+ z^O>`0mCk*`qC2!G7BNbCOa0|s$P7W77Bf%D2@ubA@3$Yt$|O(6;#RZmH2>b4M9luw zkP`oCK&K?WzfUG0RXI@KOge%57iiDWUQiN@fai;3rl7j9C)io86lFf@qHeyud- zY5dS#QGEm_MOL#(_)I!UTORwl3`5uXuy{q_G}P9Wfv@W0DtnO6-&7`Jo(wP*m|>q9SLA_ z3W^HRi$Xc!aU1w3dQ16uLCtY%oHcSzq(|bP$yvSYRL+u@t|mEHfmNu-JQw7Mr*IIS z2QlxX00iC@ab9SJI3P+=Rhg1NHWWZ3F(Y%&z2NKZ>^K>*lh378E&?(PEs1(Og;>foN5o}5O+Z93=YGgtrV=|3X4X-g-$(>< zg2XKt)lpsppjqkkUVt8akN1tHHm>?nv398#2?_Fzyga!apk(Ieb3Q>3AAh(N`EYfI zw24jbKFtH-5EmB*gTV@FYB!%ZiL|+?hk(3DCA@^ZHo?eM5h4IgRF@5wo~xZL90*jTOq+i|s(BBE>4kRhI0 zYdHI?rcgC~P&tB4vM+j3wI%gNmrEBh3r zGg=(94dM*iraVgC!;{O||z6c!e$sHiBYs$RcF zC0bkqPF%xJn(ZRfVZe4S<+-T)0A+a&&wnr<) zQ&N(+oE$0~4#&p9u{6%tD{hzLvK-%A__1;KHT~6e|87_QY142Xxrcrg>>zrLM>G0C zc_3-&X`K1d@$tEe*LX)UIodN?OKH3poVa@#T>r##CtM%(=loq~I39?m$r>FTo 
z4vTmI{=>7c;vk6lFgyzWh>y~$ByV*hZZdz3c6=<9l$Bo?7CAUMEg*lvs!qpv=K&1W|5c}V@MNUu{W}Z*001cnO%_Xt zxxX%!RAwgy{<;7vS55qd~3}hZ&FV-mk`mYOLmjtf< zo~w#sk&wu#sDOc7Fc^#y07ytk$kXJ6LZOh+S(@^_0_8vSV)@BV|4qpMwJ?FDFV2yh zn=2+JhE7Z@tD}?2rJrAses$$+Qw8+V&)3T##u^)%H}lM!{GSFyd(<&x?d@3%3=Ej{ za%s!=7FahH$`m0JGZO#F0y<-lHV0ePN$q4{j+JF<>npEWmh;tmp4_{|nk1{wEv&8@ z=uYVgaYot39-fgimzP^HAMQ!#Hqz;???7i}*KUe#9%k&dItsG68W&c1QEyjwuknU+ zjeMLUiH9Qje0N*!89fBSZKr3}KH_?vh^n}sm-+dvZ7V=4#i0*O)h&%xh4}!0iwSy# z&7jkIa!UeNb=!UW&bI6i!Anm3g)G;TBatL8C$G?xvFm(3KEV}wh0OvIw1OHT;f2}5 ziy3=AoR-G6#u{21ct!)o2gWn)WotVhk2UqqiWthaLpy!yRpw~XY6g>q#guIOW@ZDh z9^5b$g3L%Pi#|$w5=Iq;}g>+e(zW~8R=FXbsu#P+gWg2B1cwa zhV6^oUwjsHOs*YQsx6RW~}ZM?a9AoF6@@RWIEL%P&>1ccy2!8Kp!9 zm4b!ixmC@yd}n;9V`H~?Jml1?^1Uqv=(1gg&ORfv8-XM6_2zl|8_|o%_xr+`*lI^K zifJWP5zXyiG$$x0*|@tr z7?95oTWta_C&2~*XBnG#se@M$7d*2KHZBw86WcVx)Z4QcRGo#4%pmRTV>|Nl-!Tou z2MAhPkVXk&y|GBoe*Wd7desyKrTKw52SPy%wdig;o6d$%K0sKO{UcbPS-{?TFYqs~Lc(7honT?_q>NUjJu!g_4Qy#3FvWCmpiNjr>$`OKK`n~RaE&Qz z`lcT1SL$f;cU^Q5(z262FI)?7XVhJikBm5=kRpYOPi=j9X6p z7^xG;38oqfeN^o&;d^QGk zY=b~vpea?C@&*W86EMRYuD)yLqB_qy|B6RIYt%)ii;Fs#RN&aGLPl1P6HK{7dxOBj zXTzwm_Jb^494Bl4P`Ma^auQQB(L!P7gUH$>jH=qbx#az{G(US&U7pme{jmV^34G|BH$oLb#)wt;Hsa-}=LRj#jz=30=IcO)bzYj!KCwv4Nh zrMSUGwfInIHoKUbS`*A>OHAAQ)na+VZ7=NNdI$95lh-G0t<(>tv5feeM@u6COlZ;< zqlJDYu3oi%6(w9WCq8aQAvDa?-rMDcD7MnRjT*_%EJCb>vt4cVlfhJ9&v446r{)W? zNF^gn5HC0ORHXy9l<+eXT{{Jeb*HiaIV{ey#|tozj!Qmhr0}I0NF6GdZ*wXR*PRI1 z`-lN8In>4#WkBoNiCnFWK1OO6Jk&m-4a$WY+b&dHF-{vh>}#7r8Ew@0^>#T!myEdhD{(U6S;!vFF0b@r zgAicCM0EJ(f;X&6M|W!JI^wDnrL>qaye_{gGh)wR=%sAONb6AUzB@#~k2W$w)axeT zdQ5lED-!CuN8~y_-t5uGR@2cFF>{tV6MIvUoRXUL+D|SMx6u&t^k2Vz;i`>UKqkPq zi$|9n1MAa|ePa1C=k2qKd4kbU@3~(EWh4a32zSTR$QmBO38~=kY9_)ImGJk#{W>T! 
z;LscQ8K((q@Kegyg6dhWU#HCgWatV&4f(jz;f;Yc;f~XYwvbJ_8Go&7yTY{vGDQu4 zi`MLP%jb^~>u`w*;1)z_UFL?m&c~-`+inStHe1@qE-ZZWy_|pX_j;zaCOT$QN$9SW zR%dmwADEuT?;%X#af1WIZH#t=T(`%QM&47KVf-^68r@te(DivNm=hKgqcp=8-0 zYup21o__8}Bd2jE=-G{IVsSz?k^&z+YmvJ7!QI*}(=fW;-a;>iJVpgYh9tvx4$bBz zX{-(1>~g~U%^s)qUl8_fS9a>;nT+h8Fk{|g^a6~}ui{Blm{z-|C=x8lB37e$l@Ly# z&LeUEdf$69MDg6hZMH6)kgA*hY#gfEYIrH8W;4NCVsfR?3q4|?PeYovse<3g4p`Ad z69y4)llWRAq$L57m}k#7cxq=a>H3`y`1|8IJ-u@hqbpx3AUa!hBXh=J({1~w&+{Kl zffoW5g7_K>JMc?J!%U{j+s=C|bte7&bb(@Ib-Q@gI9jRXu1; zmWz}f^l{tTZY=r;2kaVC=T|+UpiFlwBpe%Dkb@16LoTa)5R>xFZ@wN1UE$)|UOPEb zdUhw#NOO2N5il=QhQ{QlouhfR_&+pEj_v8ge&6D;oGl$khDwwkd z22bCXI^^m+NX8J8O6|uE{9EFz(z}a_tH5l7`1A^QTq4a^w9_)n^(igA6gs6;x1EU^ zJATceM-clU*ge@#B+9NXH6jh;VBb0XDymfWQ4A(*R>hyP{yesR3BM-vX0m~wUXN&e z5Xx_$#JxP?hB{0Hw{%gVqBfSwBJMo~Yim3Jm9n2?vSEy)#6Io?!2TNi-Ul8d`-jh6 z2QKx=LVNd%M*@h6T?@OncLVZgarcyO%QLuHyeNpE;JJE^-WyAHqd2>#xKG;f$RE><3%U;LTp9MlhN0OQs3x@ zX(iX&dD_^E-OG`W&F&uC$3LSt8|Zb|T=T8$!+xr>GwE`X=>d=B+)$cbt}&ae1Msw$ zH=$o}2qLFou&b__b5!mfd;#}N(P2?_rgfG-)PRhJcH-6FrcSX3H`Yu!?BCQXenmZ6 zLb+oyNV9g+4-jgR6QJ}HTZ$q=^sUQFf{=eJXK!E8#q;xXx+)eX=0$|^uL~jm>|#aR z@xH#kb+XAp8fU9BUR~a|I!*4B3_=03x>g_e_S~&qV%@}H0M%%=wM@DQvUt&K<%?dz zlnrafHTW8xK*bpE3#>J>-36Du*gn~mkA>4E*T^;WB+YbmLZ^pYAPZdm@OX+#`qR`Q zw0tUz$h)o3C}%f{BkBkjV!xk_bQ`F=km!E9pYCA)_BG8Yx~gb}vSJ zODd+Qh#pz$gDtIWqk%_gczhh3m`e))=o#;U*;?yH%(G~Wm*31#D@R+rU2r$65l{*D z2g5US1p~1XgFM#+wegczTe|n z(99QlKvHA-eHSXMw`t)hK+-iyDgH^?n-feGWZ-y9(D`uuc`oJ_N^$ayRZt#yatn2M z_7UnZ2s(M9QR6CxH9N*jKUcb#6Bepj$L&?Vl--`$SEiF9v3%K z2bck&b|w-rbdgagwlPNzXs{E3eiby7g0FW!9|c#DoivSq*U zF=aw;dv2BAeL$s#Ln%1W>x-2L2L-=?(!v0lTt0bJV+yv&hPtzsH^ZoVRJ z&731LYJU7r_=5WJiu0ArbH=J1f0xxl$`i5rKXTik=-YvKa8f5O12P(tzhy+Lb zlv*vsjn(R$8*QS^8;i87J1qSD;&5+#p~n@@Kh3=5u@fj*4Qs?7c+Q7DxgF>V|IBSd zM8=}0Tk@p!JPZtn3V#?)%2*N==9sZQ#csZ^sVseG;xt?t0 zR#D?r-8J|pXh#HJwf?rYK+?f4m>R7;OiHF_dN%YX?dxaqtU{8UFx6e!;c;}gnxLs1 zDGI64KQCPf7wObHL&ORhcmdJZKAC5&iR*knL~o3uzC_nxmX~NC?u--T=cZs^45|S) 
z*$z7$wyUDzq)Tk9&1_vVR^h0py3Hc>Q9HJ}%`#Hkc;aZ$yjB=eenz=bduMUkWY<0i z8sI;tH^~|zkzy^{8(3-5er~*tZl^GrrIywMK_&v8xXi@J95-~h zxTeM`d;j15jF34xfl3u0Jj`>Rl!3M6h0ubyf7>xlQA;OhD}R{zVv}QVy1hxz(~Fiy zVl<|YD1}%C2FU^>NeK@~=W9>~f4VuLb9?d2?7;hrus3XdwSha=7v8RtILLRtf7m^} z2%GH;#jd7x9t#EaT1WsVpkzJ)%)(OXLe2RD6z_S zqNLo$*xEJxGp-rU87Ge62I+|>=__u7$Ez~xWAN^IMubjCzEUctd zfM0vCC@7_gS8vh!R=2op(Go3e4+_3tSR4_Fs%3t{9ebxKEMVN$nGH6pS$Vqq!fmTN zs|QJz_QK1_AX}Zsm$q1zUJe~a1ON1%PUsH6K3#*#|1hYH15!$haI{+0sU+=VY@Pmr z3qOZPs{I&+Ou#5N{J$tc419$H2A)ybs@tRcp3s*vE~%K1rTB_8^wY=~S3;3fPPd*4 zLZZ{O7{-V}^rHg<|LB^=d}!q+Fpt`jvI0f>38q<`qUJvK4Jxp8PriQ%a~9FH?t919 zMc*P>b<*y>dgHTQ9@alUukPi8gN=P%tc;DMoP3XH#V2}P(rf`~>f#Dj zk|i4a19((8XKf9~_v)wwYhnTO1JYa$A#^Nu3>zX1_(3q6I6 zG!<@(@7I3wP<0|nd}0*vx{u=E+=Oz8S||#ESjkeg7txb6OULYvtr-Pd_2@(TyYbm84v=+J9EA2<$J+zVGP?J#zgMzY}nB|rc1EaM&SZ5UM%wyKmy5J$4 z3(fbBI5aJr>SpC?_`}H%yx1V?+NfTd@?c4zO*2YgU}qXV2G@I65J;#cSWwdnA^@St zUVl}YZBkHDkPMBAYARq#mf-jJ=ZNc-!{a%C`!A7?0b-NO)1`l5`a@Bj+e6V;V{su) zd0tlDgRQ@RPs3A;g{P^g-47y()GhLnOm1!RN`{eLC5Zwd5mv?#tN|1L*j%ijTxc6h-qbSWfG+! 
zPgd5-cK*+rjJr6%M3M4C8dOVjMqqXG9*+qSLdh-fRLv(Amk-rYSi2fyRKVUH62!uK z*Nr79HInb-o{X})Q48(q{?3WYmRfs>QryUZtL!lso4u#3uP>W5W8q+cf1;bUBNVw& zC;Swy4eS>)o?+*nii+$LtdUwNunobt8}8rr|J3J^wt$~zu=^ZW5T#?O71{tN;hbk# z)9mt*E)_Pj+bZxgPU5KR;QJ9H@G`z6Vl5NBlP+!X zGZa{hHC!P13O8gk{cMxn>A!P7PL1?s#uyRhz6Mx~;Fizf#g=>tS+aCU=~D6i zA!J(w&{%*^t*wd|gffP(p@$Du7+JZc9CS!!Mll-yMITxC_e;R*ldc!dk!go|)#9?G z9?s(8;%_cS8Oi>*y9+s-Vm{DFm7(TR&*=?Yu!FybB&m0L62*x;!`AMHGHEGVdfGqB zT_RUtVTX8s@4Io*LiwRzwI#u0tHcN8gwC@mupJO)a6@~=I9gmrifB|ExZx@|Vb1q( zT1k@8e0nd{G*nA+jKNHC3}$W1zOEmg{{^$bcUe!OBOOc4NeXhXbcXzjxrBs-Uc;RE zeT$h}4oj2$#B8(SK264Ik4MI_CUOGKnzBKltW@~}cca^G%s$bvjTKg2sNquCJiZsd zL{%eO*&2VG6C37YlGJ<^DM@u_6a8l|(F`$u0R?L&194V5#anu+_ByxU#AhQu{373m z1(hn?QFnbgJ>0x?Wq0h(h^0teV*sIUJ8i?$*?TyZfFRCW{ct1wU2&>fPPxa#FGaoS z==@q<++`Q#!$o=-=2c*NzLX_hc;(iz-=<}29<3p#2V`n0Nk2>qYL{&CwYH{eqBP;HzoqfIm9@C6x@J{=TxOO# z>y=$~m z<;t;=M#$9MRw56V3)6yfTy7^~U8y$A_TWVa88ISmESIp^)}EFH(6a>L2!rX6c=)3!g-Tw96B; zx3sF<%r8^j#HX}gRa^N<{`wOY9iuAg0MnEf>D+w;SmG$Ltg}Q2;6i<1^(1O+QXjrh zpfpCn%i{ncz@rh&U1?B#n9k&^cMPwjJy9YwE*J6xuj>vy)F?*`Z%6vl+rW5MaGg(X zgPIb}JFr_&Aq4C5X@8ZXzjL;f){uqtn-&;B>Ntc!b}uZ_2~B4atEzm%89*oD-UoXeUXuNd@lxTCXO812Qs9wIysamxz^|DKk69K zO-;9@Vot|f6>5kI$krr&()mJ5k8)vqeG>BI{OPkb%)>yEkS|@g>LH*B1``KqphWkn z)QqIFgy#Fh(DW;Cy^Gr!`+{0vN+j~6hu~7$ZnigTN?@8W!8qyZ8Bz3bN`qoT0s{WQ z$;lCrc4D`Mz~gXBIp1kjQs#jwUn*&REZRiNs$9%q!eT$E1Y<8bsy^wsoh@DAvuO0= zY?#h4t>3JqV)*^S$&Mtf4^jM3l)F2{y|ALC%!6suxPXd6<77VE@gKvtp&WvC(&)ze z$ri3D!DJN2$5p87NZ6ldLoSyO*oyhgCZJM`rrNfdFn#WORVjUBGPut4l+wEHV3-mx zyp`?UddmK!Zt|}{{UV&06W(DdI=n1>;d{ZL{7PIOdOF+*&UuF<{oU*;FITUnL3jNv z^?VoAbzPT2FjvgrHNq;pI}?Q!Qho(GRheyU&hpI`OJCu2#qqyGu_XQ3eMN;ay4A(` zCms^xrK|Lg=EIZx95p?n*aKCxP6%*To#6V{X_F<7iy@|LlUw7aE{%ZDKi%|(U3DUif=WIcn?;!SyR9ccZ*TvuFUMAKer|mF zyB&#m@$}^CP$IhUv9fAJsv2_v^ok&0S#I9l% zw7s(-VsQEEM#|ElIa)#Z+B#=yZd&w_!p|__693qy_e|_T0a9)HkbwxkkSNBUTAPzG z{)1qBY+ZVso>wOzj;ybsDH_y-++>Tl38#q(SP>Hln8GusPi#CC2fC1!E9(X|FWH|4 zqQO9AxKlH)#13JbN8UWeY%^-z%-PTXEx}sir`w5hNGYOnxn6Xwzr@Q6!#PP;Z}K=! 
zSW|@IL|*H7eA?119Mu3avV;jg*r##tn@?*mI|Td8dH`~!;D;L=4T6lzuCpril!UO1 z3_)%P!OwkIDs_jPPP288)gMuY@vQy)385X~$JJ2dhKb={uBZdI>)Qb}!uUwO-uH{D zN=k`PpMj9tJ<~QB2rTyHPTN*%!O(sry!(--DwCC}vn-+Hr`@OwBh&$o*~IW98GW-C z6V1-;cPj*7ilwQjFwza_(6UN!P^0X8Jrd6?GKin7LHp zahbXhQU`G1R7nX)f+9e_qC}y%VQrZY^1ocg>NM7G_7}Dq7YKeG=}l;14fis6gJxxv zH(gdj8?n14ORtn*RKvoxJsgbe9*X3@lnSF^MKL35`t`={RCD2{jir>1W5`ZloD=sb zsEo+?H&+t>d=+fbL$qv3+rHD$A591z*ZHt4oS?u?F8c75T-PTI#d$v_oVH8kZ&gTB zv+qRk$_|a~DrfiTBq6SuRU4^bekm7LAhJ3~if&!2TQ~$iWvUY0+Br+O{o(D)d5)jF zz0}*>xmzB;C#JMQ*@B=J!+k8NxLv`ur|E~s8+E^pi-sc|R!6D_3q&`YtmcQ)fu-9| zAXZ-up4EZ=-lzej341o~?YV}LRA>+e;YL(VQ2X7;t;0oRQC?w|OAQZqF(2hb%I@N` zTy_?fI#asR{9@44;>6v#@xxD4NI9jW|iZF#0)L zKf5zJsr~~b&P<@5b?=dpe#OU|^=`vxJku+7-N#-Oaq3IXpZ6jwCouU6)m8s7&I5Yt zdw&woNAUR^#@Nj%m+bDfw|jp;W&&Fo!Na2Fzs;V`XEUAK@_=Zj%wv&KCa-S%gL-_b zBo1(q)oJy%AxdHJ{T7uJKQrfBZVHMo;^BJS)ntXfA$@ya#@pRK5OPZ}W%9}^c*jHy zj^Jl&nmV~8m*oj`uL#z(xga3S^W0=JV{Gn5z;xLK9*vNk+XeoZO=o9BeFqh;7!j9!iTT;FHD0($1u3Ex|c z3FDbl%YCtdV?Ga|o5zD#b)=y~!$$Tj{>HA7fvHrCs7e}ks%!ZtmL_B}z@Hd-CcS}i z;iUc0X@P2&e8=yHc4Z{WMiPLVpY7a)qL=75w?z&De*W@j%~OK;$%BYwe5`@L{~$`y zN!zn>ZLH{`sb!xfU>)@IA@@_NM^9=$2hq>lZr@4zQj>0fO_Brsz(+`QDrpjL z7k}1)9(`B&$r5v;_FfFQ{Z;GDG6GLVhO}N^ItL3yr?l+n*lqKpv7LT8hYph7uh)S) zt2Y;B3!elE>r2G4H&Ia(iypaO_K5FsvX${kWmGKjyKcByz0gHfO*q3hI|STy#-1I^ zX>7P_KSv-sISf3;U;r+NzQ~YNH@E+&@6%o5H5t74NyESMb23Q1#WoxsQniizoZf6t2=xmxB$Y*c?tUUcPhRc0 zu;*0+;Ao__o^w$7XQWIx4D}|3)W|L+lE7f0O*O97JI7}8?&->MqN-#!rZ+RFRSKB< zf%A!mz}^Ic?9BN+8@Zbg|15-oZIpLPe2G{i!#g zIW&!?wB%SI`{R9FdTMBAB|X(@kC@i_A1z=w+DV1U%$bfduPWv z?_>43Vs}gu(687}{XkPZd~HK3vw_ev-@$h6d57q6Q`HPqo&p9ct--#epl+tU&@ve8 zdSF?+B1bwUY^a=Ua{i;&3xn(Jt%mlxflqw|y_wzL+GYu>GUk2Zwm&FVq?UA_Svx)B zrQaz}m{}7MRkN-aYN~v^m8qX+2ZV&+NyA5vbzsq>hCV*vZ#h2+LUDK&mcI#i$Fqxs zy`5BiAIa(P{3tGvZ-|Hzo@e47k^tsWsznYD_Y~3ec-v(lFNy3I7M@1i`S6d8><7k5 zt3#6Xyf~D<86?1KO>C=3Lhs_b`bFaQ+tL6I2U^`hqs*u*Dcj%Kpz=^=Xy4*{AZ|^~ zjOZT(H=TD|w8K$5dyB{#i>W_1iN&K96#wX~qn6Ss$-A!WPaLFV$-XR7I#>&?*iQ$?)is3MZR+P 
zSQn|`@&1Abkba#0BZT1c{08mM>RjegN)?9w-|^i0pByl<~8z~<^)N6N@I>F^K3Edhu6%?N0nDk z7=5v%rGA9ZIR1Bie&qb_HNaxGwmz$_Wf`cr(9lvkQXi{n5t#TDgin+;gM+1VOOKYa z+vgGT@PMD8`BRqx@!HGS{8uha6O3G?g(Y1n&%w4JfA$CQ($c@JffJ{wA0H3T*uX@0 zYfg5p+1uv;O@zUx_wdm&w5go<7g-xwa)89fVH<0!>r6hH3|IY5wJC;BStmDck zted|XQ`xGnO=^n^yuXXTy-V3Bt~jQV2zBWX`ILq|Vrgd=c>p8(xFf{5ShY1b=;j;J zv8HDu*f69>JF);)n=9P*F00>#q;D(Pridc=M9Gx6EGEC^{~3FzR$>$b8dUXM5|>A$ zTRJl`_&N6IO#DJ7WZUrdR!!wDSOkPB1!JjbGcJBFE5V5p_>M>od5v{`n6(OBW8hv~Kc>)mRh=n2?#S9qh}Cs3iWq(NTtS zLMs{hsM_i_z%{R!-Ps#uCuFV1;Tn-bVQ$|3KO1p3uo6eoRqRL$bNla05n9S8B{B8& z$!Q7RC1!btDuwMejTIi@(K6$Q!)3d=m8Gt=J|(qf7j`U6Cz45iK*s8_i{D#G&MEtV ze<_dju`Nl#nx%fT&o~Y4$y7oOuFF6Dn4fyEDn_8Jv}dW7J!RQAxDBpF^og%_aP>;u z-QL|T^r?qGVU9WU2Ypi^vizX7`&?&lXbXL%kYzVrD zFS~fuUB${RSXBA3vX6{s9MV#Sv#kQ>gVXJrtWh#ES9R)CD@Z@kRP5<_Vy`<8m)dJ- z)*mq+egDCz!ZWuHl(orw<{2;k?3bCWrpA~vusfgh#3R4du>Bwh2JOOv zBQL|<<=66KRNIzBlIWs_rxo#%#*eNmPN$O&N=BJ|kERrmZAk`T<4UbPhi zHhabkiMu@GFN!33R*->#mMi@|P{ZuDyGr^}1Fpltf1GGL#>uwISDdMgQ>^pg_z%1( zy<6eE?_vz^s}}wO=C8T`CQ}*nblCL$e^QaxQU5>g@^-Yye?{W|HA)|3eNrc zHC^m~DeFKO);EGI^{J6?S6VRFr0=m{LF+SH+w1GPcOyhHF|fWH$ZM`P;hI#Q;%$jI zE9bnd8%A{4Sn;=ENHrP9`QfPi$E3w=sknrj8<+eE^015E33cZkqu__x z?n+CzC+GJEriTa;PnxzQvATvo!T%Xa#dK-(X-Y5-&k!yV!^_ds5e?Dt${U`{_ND;9BcbF5V4VbxS?s;^mbA z3^?&j^|tcqf(-@{gU^$C7#W20&Rnz8LM-`N>UlS33kyP8v>sNX%iOztdH_h0d~6OW zR}&Y$HN&5-@#Kdt`82Jm%IZqv0wEM?NU=51)0*&-^uBqng=r{%i6xQoi~WoF?y0Da zdRGyx3yMLtR~Gx=91 zgp{{IP-5hobV^fO3h2ujjPE$Mo>S!SVN=|>A%R9~aayQdrOttBuHV&)JJt#!>rKzuZzZQ5{Ygr&5Sv1gWsq_G$+qdG8)hP@YLHJ6Es;Vv^7i0)6JfViO~zu$WCLVt4v z#m32G?>I0R9gFuCSy^Wkv}AERoGKj+SpNUN+$AFdel&H#yui$YClydhVd zb4NcrU;C?@_O?fT3Fs>La;D~W`hfK$mr-|2+nc*X{K}j@C$gaV__Yr~j;+oBGy%Vy zw|{pz@yoQSL)R31Vl7I+M2k)YpXaB$`?YGnpxSyWR7y%dB;@TY285PhP@`YtHqU;Sq9 zmP>UtXU{Lq?ihOVjp7T6)JorqUH9N%E+;$RleZXAj^`|_B zB~_j{>unDvS_RK8sST4MNX#5lx$u@`tI5OaRE+-~``AmM1m$yY&VukaQ6To_rh0G?>aC`^+E87*T-uQ zwL<|)KG@o%!@4acj;=^5ppmXAWzIoGUa!pKLAKyVTtHcjet0NQnEZ+yYUQ05l9u0jQYot8o-O-)U50n~m7Bw9g`PeDT%zxjw}NlPPsnbKCH 
zppiVgYl+o~%=Y0qmLOwUlRVhda6gk)JTw({e)|3BbX&wpj5A-(a+TxC#K;Uc4wkJi1r||| zr5|%Lz)G>bq6nAo>YO@lfev+TVKLE7DChXbR%R2+$nH(HHd4Q3zrCXMdJ=Aq@h3gq zhxAQzwvU_*uqy=dv;1rd&FvI?SXSIc@j`2a40PxtO; z_5NqoE-U`0@k|3fdwp!%fn$R4?B2W8`EC`@Cy&hoYB>0E!RmJFeuF(eNhr-y-Ymc= zfkQ}CS?m0TjEVz4N_*fQ?o-lNk`Q-;Pv}N4caJw_vc@l6p=9tjD9D`o%U&U_E>D<3 zJk!rcxl6>)e+%je^)bm%P^zvjRlU8i-Ig=YyEgh$c@LP3Oe`X`Jy=%g*6y30HZ5!e zQ`(cVI0rQ7a}_36`*!zr`EpW6zDf_{*S7%}x$5Q!uQwQ$onVaJ~cGCA%io72V9E_g3&4uHvclNSGbZ;;9DcwY@60OETl$Cuko0pyLd=xog={u+ zap@7l+AarDng7Yg-#HY0WumQVphSQCP%30g0(_lDbjoiJo(e3rKQ}dXj&ilkFQ=24 zxuwD*$T6@plzQx{_y<6Q6q2Yky42IYm>PM6mvXm@()kbU&FNpm^{pA;Ey0`b^ty?3-IpE~9{FeGu0Yo-0-lz}O-mA!K?O-}}RkqeH z0}?mZCfVxs7elHdmD|14?n-V;to^O%94u!g4ABZ-CKck?xQl=0C4s%>aK3>H$Ip;d z-hQtGp&k4Tf@PB>9Zlud=Mr1~BfohhzM#qrh}^W#EF_R65bMV*KJBfTPY>~9CMCJJ z-Av7|J$=j%%U*vEV~jNH%=R8$uH}WDW$TsRbyNo<%`OW5J@vdc{!WlGSX=98xwxi< z*U8vYDBmFi6WN|#QU2Zem*4A89w?x*)z>pYQhxxYre#h~PhDJG4ll6|&(0QHUWff2 zU=3Rf69ZXT;tY}%6#w6SMlQH2p$y7%`rwZ>LRTgwD?OW>jV}bW5wRzL315=Z!+-0_ z)aZ6tpiqE|g+*>@bJBjQyp|TPrHxhEqeVfH8g$RLZ@T`m^apS8pY0i^@iOJf-|ZAq zva;m#^s+01dNjZIJHnHbzs0cQ6A*wnMFxF0E6MOVoQCMA&Fs(bKgza0ubLPc35&nw z%PJ`NBNnCOk}Q4`_Lf+TgM};i3L!UXqXIJ5A7$mgF!NFFHuK~H*VfijIxZL-u3qg4 z7SZR*J91j+85xyzl&aciR3?AZjPLH6$TgS#EP<2|>j%%=M1Hffw)Q6!&F`4lSYA#U zJF5YKuD50OMQ%DgWXAJL?jZieP`#TfZ~t?^+MRI-ZN8GcmS^MMd3Ww@hhF=eAVZs- zyj5JU2$uZWThGloPHXGaznh!-&bRrGG0V%E<8?=eC$H0AQJ1h;KP$aBu|uSIXWbe-24&iD|jYlNZnemYIj)il)I5Z&57l z6<-Qq;v8An4*)Fs2!%o$czEqZ?D?lHMy?)+clcv=%?@Tbz(d_z&buTq=~M!<;zH+j zCB?W5|_|iEO0SNq&`TF|)RJC7ycx()% z&@@HRDzDULq_~JXD0G5eI+IOGGUhuCS>jw4E{5`t^c;YpOm^>n4=(qSWx+uj8%rnU zO#{W0Ek#uuTZ(Zcn62ztZBQFv6?MpQdT-z#RosyKI`Mj3b(8ASF*{+U_M}%i=smid~TtStooP2VOi;HU{yq%$H%_Qwj zM5224WqM;)$XA4p%-A?OI?@i~g`JDJ>yHi~D}x_NaC~W~rq7XZ@q7LbW^`PPh4Vml z@eNOCsD$5F)~9KV@ebH9?k z7PgkgUY^PoIliQ+A0IQ1OKb_uE#0yfz^JJU{m*Gl3d$~mZq&WipoY}0!G3xL(Dv4A zx)^EJ*)3`jw&^E2!vT06%VS~#g%9@C4AXkq;Q_gvv)bM$ZeTXPW_q$i{vz>ET;iPB zq34E%^-q5CqRMMZQohPO<6jWjL4{LOnNq$ose}jdsaX9D8n&&-BA+yH4K_CeVlpuM 
zPetfuZ)c~L`Xm3&ZW+097FX{6k{RO$QKiJwa$+ zT7wM9+7#c4-^f*Egm^`2>7~H74`Gwr4rQbL1|@A}BHT1T=Ba1;TK$fu9iA%|9C@Mo zP?tmK@D{4D4tW3g^Z4=PIk1nTI$>#dtgTOw=~Kz))5)a8 z#qPLN3zf#K3foO673a{|x5CDSxR;yqbXyH2jY&_{o1 zGC3T)nBhUbp8ZBnv1xQXRB7GF(&362^_LGUHcVUSomuz9Vtnw69=s)O!G0r_<(#NJgjNb1uWL)7cLyUko3kA?I;!mwPBz)Aemh{1h z+uIYoin_B`R#NQFf10=tp@^KR{Ju1br>v~3R9LNM-fv)QD)!5QOJNqdl*wzP-FraP z{F|a`Vo+KVcM+ITh2t)f_%xz0gI_a+A+ylMio1i`2r*koOzS!O>N^RQ>9&b!9s`#1WEbIvhm?QeN9)$# zskb@x?vZ&Swq1Z;J(2G&MiezQrT_W!uClhYUq%(6bfx?~GZG?9 zYrS1s8kunLtvI(#iD=MDw7#z8m!}%pZT5qN`!Bx&x@<&SzMQJPM83sxw*Z^7s;}F7 zkx}&scDHE5UfA8XA~KJQ*~(ZhIcO8<2FA7{PySq^AFH3zSK!%TD{;szy}-j7ug?|0 z-N8#~(8ZmS67@211OxS8;_}s$E_5L$>D-y*eDf1AoWyiz(;#esC+KPpl&VFEl%@lP zNY4|dSj9zJBnJ`@`^|sgn#cc|mjO8GI)mb^zda*`noR`rIrVR5!YL{SthRX(ky+~# zBeXi7MRKGN8I{Iz7~LOv`*>aQxR0$;(~tM>Ur|ixvVAAbj}MbCN^kLSej6}dPdKGPw6T^_<@s&@X5DZ-oP}3%|yN3n<2)C50 zE#}=}Z%20;t#FCDYU6XOC}bi*kmEMRS~u7#jz>Z=uXp5|Yoi}fO`e&-gdqpfHl8Lt zV`Ju$vM|Aio9uCHGmj}X{#M>PO8)8I;SNeB1;~b z97FRXTG11En`9>SGmWh+gP`K#x!OVwv!7L>xBsPR`Dtfr{PYU+feq z+{vjDN_rUbVw&Vw&?fr8vPel9_jhc_*A-vD#*YuCeAxvFUvGjBze>nP>wb1{?OvKe zLQa!Z`$=`_?$o7Sh49qu^qPdMp_#e4j~^VA!A%LS;%enGWEi0ks1F}0Vq7T94zo(C z{dR0t)k$0qz~;k7UYhBOj{jv(O6cwbtaNC8`#j5AWTLikJ#~nUwtc0kw=yH}`b;yr zyPGV|-a3-UEyO-zdsiTqFS$P&Zf2$ek7yRV%Moi8w6{u)X4CGJ4rSW9O&MJUT~g67 zezGq1*k4djKVcZu$+nf-Kq;3&rmtp9+P%knn|#}7b&(rO+PwZ#Q@qTz@rttZlxtFC z{&n*#T-yWDSl832nJYd%E4(=4i+lCPK-VGT;#m_bi(upv=(_E?l=Mi|SEVq_&}v8Q zs-CNYX@i1U0PvXU#q;=RSyfg5ZjQEnW$nBU?7s}$vR0s z7G{2c6T{!4hOu0Pt0xt%$(Izw8_-=);-;q|gO9iHzCd4;TerloxA7PEvUN)JO^?GQ zmxw62V0-zeI{jwj*t@&mG(?5g4zZ{6miPd#x0h=Vx&xdQ7tT>z_C97e@K#E0Ah#Jf0Ni%zp3Y0RA`DLQMk@5%>Obw&si9wqaXuA zLU7Yj=W#z|p0H1&%fSJGg79}{z+yE!J#+-B@S-OAq`BzdGxa|tM^UJ_8G?(Y;=*Mv z$jE1sj_^wTYgY$XWG=DG*Vvd-w=%eCO}_6PVac7}GvD0U=EY-M*xMH6ea9r}e8+0- zr2#l2>+4M#w8TP*`8PAqE3B=Vi9+5MF3Di(=^XXosK^5%vN=DWRZkHSkDvx*67uo2 zm7e98dgsO&M3DU`RawC)>!eMYS~4lZ=Jac+o|vPS+hxyF49YGlDq^C@gz-DlzD60? 
z)e*S&%J^I?i`lJpl+*l9qQiOkccNLf&eA*0mRL4JSmk$*@XU6snQb))oiX?EdPQ2a z&&0qz2?6wy8Ts2-}>3p7sX4{CjZ_i6LEZ%Xe-^~oaAbpW&OjbzlP zXKG)5{~qb!jwx_|p&YHl2P2J86_$iVj^PrLSAe$UCbF8z7nI}h#ELTW*N5kYYD#8+_H-N6`v-0H z4vIROsMX%~6?ORpryfUR!B5Mi1XgTym2yYMEkyeBFVeU3c3IX0ka|^u7h8+7@naj} zoBZB(+f)icx^kzt+oDuX&{MHenN_a<#mdN<=Zz_hB?MVIZ~m9NS15+}$EQ}|m3+4Z zxlNvZ(3yQCPqBJJo_0~00YBhJ)_T=Xt1`OMlCQ_D=6}v6D9fw~j!p^wR#(Rvl2$U- z5@$kMKpx&aS|!-!!j*=LOLMaB8(%SvdmBLREPOnYGRhy@KZ-Ogs4MF!ig>HXG5QL< z{p#F*r=+SZu@S$k*b{?#C-XS3#U~Q<0{L$DtLNtKZdym1;^U-RgnM#FHgU6m{Hxwt zB*8}~-O4T&u7CYbzF2-H*mAJ8Hr^>$h0JQL#4D<*NEULOcxWM+pU(oE7(jtQm2eMf z7kQ3zuk^7MtMy~gXLklef`UXU-&}$c>+mds=~z{d zHCH%O?o#H+8gZ3O==pRz^xTmT+7c(AYaBk;T>6ZDin`uF!keN{h zp=9&8D|Y34iTS^JVP3w9YHHFES`SUfgUk~7-ma-h>dzzPZ0&9BPA4dT!^MxNZ(b6V zyvpQg(~O7^sq3b8$mhxsBQ30~to*V>otqj59z_XPMvdAlIO{-J!w^~OmqP!7&J(C2 zb$go>-l=V#t;7D|A^>wfqqU_)FB+;hcz@s2Q0NsYGxAR~KaKMTRfM>0{$DlF#L&>@ zbiPF2z<^bFM8rcq7wVI<5De9`PgI6Y@}h__{yKrrALEB|S1??yDa4ELV$Zew|JlohH`?AQwLdc6(e@~qxJx$n zTZtapMS*G!#!W;Lp2Xjgf90hKvKOwsU7Kyh5@RpRh3X;tO!KLmz(NPbRQT;}ES_ua z5BE0*W7A&VumbeMjk@3HWy9@V)Ktimr_gv#$2x-FH_`mtP)ob>t|v#7pJxJdDNoD` zM*Y8m??3LHfUA~*8rjGe#jY+QYBR(e{~&xnZo_P697FX#CYZ3#{^Aw^eS#J2Iw z%NNJ_n(Z68C^|rg)}>(gPjLsM$6$&g46zJqNAnabOjhSeptR9lVViK#uT&BJW{W9o z5q918bpJIwS*oPh_SIn_vZ~uJk@x{4MQ8kK;De{a&M;Hu-_kPnCTq9cZ7cwooR}9ONqwS5i(^hu*s>CzrZ2fk7c{?dKYXav2 z>5jlWBN|$IDhigQWh`zSsKRd;WJn8X$McY6{Qim-#&%NjS4dx5A%9%JTjxI*s;74M zdpMq?v6*Ig)OcFLaZY27!Hq;7$p9Rasa)lxZ~U0_%N$D|{I+;!W!PB-(>R#~8`>Hy zTtxG;cOVd2g1nr$D?WW3>6{nBOD_@+7;V>cuFnL^;Grum_#fYlSOy%`fU(spshGk9 z^O}!%_9ps4dSDdTH;G@TF3?Our5obGL_ZH{hel{Ie>be3<=MSzCbiG99~i}fg-aK>YdsD_q@~F zwo!f;w)4#L{oCaxruz+ASXm4`?8?D$xhaTMxD9B`wkRqxAHs;*)^vN%_?j4S?}K!e zRD$v>sQk3~_RG5OEvS}~F8h4K=<$J9r^7X96Av%#=UB$P zR#F&s1qaC*Kir`?EF_J3BhScdFl9vWJIyXS91-+p1!?Q{c8SZwz-n94ZIl)Pv)Siy zUCt>=rlf+pYkDFjfb4v>C3&zQ4SY#H1&GC>F&6(!;^zUZ$wEDSG?E|=HD4d(-9E&c z)xxo}n=V;VZ$)-sX73$hl+`8eTT0w*K{un^r;rGvmzAxrb?+MJ;d7QD&`M`Yf_~ 
ztTYz8k>PXvbD)aSXfaoM#Q@#k-(o-NgbGry6e1};P-wR=W%AU04+9wz`#9_~PL8;y zE{}{w+r>2Bm=>9HH75dj*TjnO_G626%w{FLQI8iW_s%zRm`Yu42RWB})W;C{M^U5}hc**!6b0|}XxKw`g_CUSKY*W2UPeoU1e(;w|TImDmW+wWy z%`@>nd6!RDfR(S^Q;lOpR2Bd1HRQzpX3K`K%d!d%X3ZEyV`xz~$AS=!XCBs!-?+*} zl%a*B6xQV#imkY9c^t#>iz-K~pP!uN+8g{LJJ`8~O=Y8F6}E9wgAD_*4$fbR2?pIA zqi7Cdqq9gLFM)!Qi71V4I42}sXO||ATLMq5VJ8(#(;JI}GyAz3d@@=(0IPYa1mJj@ z@li+w>Ek23h5%1vCurotK=31(GvxfhTjHs$M0D;Ps0vTMjy~L(SepADe$bq~+}qF$ zhFcPWbr%^~%Bh3SZf-917l2;Vru*QUd!v~*Zfj&^En;)^xa<1Ssm*tE+O*(k(=_yjTSXszN~rOuZml1?XVpra_$hb3iJ8ftfL!#2f(i+H#PqbQI5|2< zLLJIKHm*V&jIEtL8u+lHhMkX~t$7$bOa@bysiUFHP2Id9Zjv(1rD&~bZt$dzC$%At zc%%vz$w5EL?W+e-czXJMk8zSQUv8)T-&3XnzE?|2D>Buhw5k1<*4eNoo(!o)U3 zYz0cx^nQC=z7#q>|Nd>a*)Axar^w32Us#Em5}!P>lT1ihcdp!8pM!6*vNZsp4RMmUD$Sdnd8)e1r^E-vDpr|rT}8~l|K91 zJTf#BL`abSyHdu08G`o0Qj^Zcq4UcFh*9DR0WBJ17G4nktN zRvSCJ93J~iIT%>6`)pb`PZ|}i|C9Qq-|QGLxmOhrIdODoJ?o? z|F0OxGf!b``BSsfaPi9i`#_V}Sbg=D4P0S%@0BPO>@?=@EsizKkt3-B172dJRQzN# z9DvA3)|qUI#Kcr-GcSCY?cRl5b*R~ev{(rOo7Gz!8X1~}*F|b&mPtz{y!TQPM^qj) zdT28o-ItJKwoT>9w z-FuzH1_kr>kVY3nK{ww{FiCya;Vsz7UtTd8;h+l7&|!yfx_SIxVJZKT5BX@Qv)>?RXa(9nf%z-Shlo&n3rVvT}%Xe_gm?aOp-V6{An7OVt&irt^oVwd>6Fo5%S!e5s<%FI2a ztc`u!$k;PcWeEBTzh@ayu>Vbw@wENBVB8~^7~h)K^87Tvj4Q05;RALf+F=!aUS3B= zODGT23Tk<7L(ah%&~xR4bTxvjt1*u`9)$uFW@lhv;FAldQc8c2^5Vgq-Qkj7-_pN* z=6u$j@E6nS$7ER5(1pLV)9In04GU^lop~l|GBpu3x-wpWihIi_-@l89kj3CLmZ<<# zEPb;Yp}PdL?`Ibx5Y3L9-p88@1?++=!aZ3+8$p=e2@!q4Ax4G<@@}Tc6o`iD+W41T zjX@c?tYecKU6+Pje%R`;=uA~&N=Eej9vv zZ{@6aoI`%}Nm+suqi%F~qV#VwHF|y&XOqWpdKu|jk^Y8gW+o-q^_FQO67;jPz~lpg zU7{b&%UU6qPG>-26ec5hV%7hvytNGCPxWetwZ1ex#mxkHC7ipgQmfJ*OWnaTIAb(8 z^?d)JVb8OzjTeqA`}VK5jpWI6J?mus{i*RbYwp4T`3oF?tSq1RAcq_nZS|^13|-D~*;16vKhWZ5oP#WTUY~v#&zozmCOdL6 zPO3$A4*xvGxA}QxWyN1YQv5-^`3;;Z%Ck$bo`eI)zowF$qNI{8BPGSroT2$|qJm{v z>6eWc9`a~?@}9|W%?+WqDO@_M)^K}izm2cBh*azK5-i^FtDq?t$ZP5z&y}`;_xbz5q#c@8^&0&0h0rtSPYyzY@WVkJsaVKBAZN z$p>E#-;$e}zAM#@NJ>QvtgJ>WFs*LSWGHy1L#hhX@bP8cfLaP)BHQ?yEe)cMDtSMV 
z|Ev{Inm~9vic3#l-@a0Hw#iy6A((47DwmGg)70ar?XXL3m{cTsioZ5zGCW8t&}28g z+~T`J>Y9BcogH~{_y0CKDY!SV=e&9?Z))j_BIxaH7X>#%_Jxw{gmf6IrBJUUVvbWD z6a6)sp!0>d;sfUA>)U~c4xFFZsL5`~jzrN$o-2WRr0t?iRIFA5mePngFa_qY4R5$P zrB9%4kQ1B@<6>5v_6$#ACr+N4de*?e+jtT*44bA<>6Pbc1-Fa(x?)qCjFWfn6TtRp zZ;cM{1B4S@jGc&x2twPesHoV~+`M&kG#rG0)?jT#sozo z(}0sMCH4j)iUyQ-mJxNt;uv;d&xyX`W9A!=Rom3ncl=V9pklkO7iQ*AS@?-)7;Tl^ zG^?DH>B=F%GJdtq{w2>x+gp4IvSMoLmYADB1HQY}$RsWT*9Ag~7_rq|J^A=g&*5Qd zEiz$t>2nepYv)-2X{M;+*-MYb8s>lJny|4HQ&#JpCKsd2xk?bA_csSeJ*1~AkA|yw zo%2h;>#SNjU6@%}ro=1@pa{IZGglN(6BLY!Y0WVa$a;^5Ud?c~QzVe>gCC(TiC7+# zf~(UZB=p3t8Srz-n_^~eb)qLUukd5`BmZ}DP(;9jun&;`;_~0Y1OqQA2+xgDy2*7t zy$2%xC=UPGe^b&(5kc8mMukdrlL$ir7EeReydf9#>6%|j4W{6**jv)J=-zzUz)1J_ z$Firzd7HXEr;4>{aUv!q!mZ~fkBiT(G|%xXt5c9W#rB)PsIi@YTxx|5epqVyaTyg| zryR~8jgsC^NfT-Qaf(70*Pok~wo$-(rn}Qq$sv1lr#w^y(l|L9>&#BFt%#HY1W&_b z5-POXPlHj5O}=-i#Bp_&V^RI<%46sMG>Fab>N%7GN)tF|t;@Pkk`4|6Q@q>6kxu2{ znlv(!l-Ea$-4RYxbba*VQj7Ob2%(QS8c_QmY@JEHYnC(F-@d!;;OwSb%t6N$as()t znSWdV5fTz&A2s-|&G4LMB^6cHQ0fL-X-kOC{t#tj60Of)1?)BQ6#vXoCUK^ntf`Et zWZHBUdv^V6>sQ?FwPK_`By2lVqUTOh(yZQG)Ha%YkTH|c(rM)^0Rq%OcIB_~Iv!S* z7h+S&8}N6DPtN_As%BsxMv}C|ZS@pKv(UyWszN<1u%_Wd-VSTTFrty4OQIc{G1Tt~*(<3R7m#ge<`WwTHDq{JQeX%X z1MT)B7+6_KX`b`NSjN@VxKqk#W0+>|4w+CEOrDQ}cT7z~D^Go`;9W@!z&L%*lXD;F zycHhJQje_5NLfge%oLOPHgfq$KRXj>e@HCTBrG31t3qTXl^Tmi-G1r{2&`k}lRMwq z1W2mu^I~yGY&_T~7?>MLg;n>alUaJ;^%=OivJ zD2R))&ax_%N=fD^jj*oihzEWhP8;6rBE*uDxK`n<-z_$cSDYG}Gx&HX7vt#QPC?m> zs@ltotjovD(KEsjo6xLBtfjH@^&)+EnI`cW$jsWNaB%f=$JTYOVe-PqKj{#`tdF=7 z<-*5Yik^#?zA(FeCn|%WVqjpCSTA8&_yfZn_)yKO%I`6{ZbEaPw>(_Ia@)W>Yw3IK zc0+mfh*T6MJNq{T1Oy!&9S0{TjKI=Gz5mYSVX{}!`x;Yc5vvCTHMrK*G?n-!mk0zd ztVY3Qw$_5N9?o$7>O}d=doULKWM+4vogQPPPnzM95MD#EJT2#v*iU3^y8vRwNT{HC z63G;B$|kI{UxOkj`PtH*?nFdkKH9zE>e8~R{N}pknP4t_2)?N10a1ugtEq2EVADUH zQ`dF%VGG~7uQ^zZ0hZyhZ_C55OXc852@n5#ilt>@Qn1i8*B0~NUPdW)2dxlxwpVL? 
zmYN3LFmS@ZDtr$3z<@%xDu*A6Jk@n%7I|=D40?>al$r1?p9{jf0UB7cO^x;pnZx5+TBEuM7 z8z3#hL1dl^6B?OQu`wnW#QAbAV7tT9^s9%OhKqOR(&`l1U-;IBMOvl<_z8Jm|Ck4F zFdPW_FERg*V4#k^e(Y)+1clT)Iqf`l^8p?CZDPK|2XtYRO2O(>A14c2PvzU z{;$2G!XI%`jQG*0*SqlCU}~f1ylaUkR*2}PrW;)@M7rU&L7f8=5}7sv_3xFTEU^`* zS*kFNW^(oKZPdK8T;IL6gX$Ae?bn1wa~@zU5eKpvta3-%j*}TQbdxEl$;SsFH8pc0 z=v4&pXORBC!3Ros3d|;_12#DMV2^(qk_;axU~GSSq-X2Lv-9C6q~^dfGFD&5LhGP- zLua^{8=c}2ZuoBOuE-8PvhGjKu)0JeEi)3uim<1eL{F32>UU%8zdsJDZ-Q=2&nS02 z@=BY*br&s+CnwpZsi_GZy%{Ax?O2ZNHh-khQ|&i$e+BK{bL3sCMT}Eu5p1)7yBt*w zjcc4c3HKmgVp_EY*yFojsSl2+Sl1yifb9DH7(VxXaCifl6?G*^`cG+6W3qx@>9vfP z?#gl4J@3)?gPtH}yQ#YqvJay$qmMv-m)5p|_AxJOctab)(baNG^`^&~wyGSe(sx=(VJCWbi339Cm-;B-p(&j$PER0Q`9LeuN_V3;bp5pRT?|W-eER zLqqvKsMEx2Y)1Yn_?e3(CbPOOM!M^PJB>ChpSri+v7XYv2SioszcRFjzkcyhL)sJ^zm z=F@`PtO(oi|Bd3PJ-7!7U3T9rFE7uZI89Ga*Fxn9%xrHH|2ry3LrV$$M+Z53owKgN zWx%!?hr*nD771?W_!!>K?(&*fc^HO=4HBGl3iZqn9Iw!Qz!0yC8e5V*O=N{f6%U4Y zU5*%E(wel27Wvuzs&7rO)X3He&!$HsR81f8ub19`Uv?~TbCnZ zdmkV)^)KJhM&}Ps7x%rWVFgRYT%^r#)UoNN(I=5J$E1e8C>PtF7+5`o`&DV9Iz|(D zv5smik=1UAvzhfc+-O4)IKO!W?I@r0;YIw!fCB{fyJM+;(tG#8&}8?Vj4n7BHu9le z)=GC0I>W=nlTYsNDz6Jhv@cnwY!{SvfrV;Ev77Xq;Nm8-g>Jz?iO_3Rd+r?J9|GS>7_3y zT5I1|6^iE=v-^ozkg;R#m#+H!$W>;g*dIwtH`@e58Yt8kHj~<4638uj`mz?O-7y6g z`3hOL@GCf8SQnBT5;|(xdSf0ZnDv~AoK~2a)*YI~{RnLXp-`Z=I8xCZ63rILX!mZZ z?U(3iyDylzeS73Z1{4PeS3!F<+Eb^dX>0{-N6Z=gkN?E_)IQjO$x?gAVGcylkJLb# z0IPdgybaKIE2}>$5$_(3GvjDn5AR3{ojxmYIXO8zUUvsS0d_W`1tCP{$Vbob2qS5g z(hzL)T|RByt6 zjd=gSCk~&UUQY;1v#kxuUS@e9=7RJgI>_s8M_KmKGI{~6ZI?x|Ak<1&RUvZ45&p=h zo2YYrvfj8+5*MkVcD1+;l?p!O(}@cC(+|`Q@>@0H6Zy z5uuQO#hb?6&aX?Hhaj?eT`0#8uoBrc+a;{bhaG`gTx9Vc_>)|6`ZC5HOjb>Ph~F-5mk?h69-F2&x6!b93|ZamgS(yeW{4aqttG^wyUdfAqS-XCCAXO5Q18U7rv`YfEf`k z4o=_dDh{{(MgqY5`AUC0)voCJXLPh&E8y_Cm-64KV?jZE?`+h}(SP~Ce}Jt^F)*Ww zO#5?PUE5+FkxU!<>o!x^c=h*{0l^EpWEC*%Ly1_vV{y(k{i-7VvI7d{w_2C!@7s!h zsEQkK2>CtmY1%Uzz^Q>BDAbz?87}&UQyl%TXvVPq!5c@lo52wz2hZPPJ0yw7UX?B2c)Kv_v~+r!2VWx*~xw}K`A=7-1VESP~W~&`fkHHC-n)lt*b9RkROH*l}(zZEb 
zlvm@A0O9%}n0}FyMG8c?L$r`z-hS_r?&G;uW*He7ouEyI^XJcB(8W)uJt!NfRdR~F zX=sSy7+zX(PE5_r%(N^3?gEevLDkUq1BIi5iIZnh%Vmz+wzQ=PzPy{x7MET(a~c#N z!ZtexCGA_5umag*0#mfG_AZJT`4O4W1_@{Qc*ypywc-A~jr9H2mOw}5`QN|0Tq;r+ zlVHofPGp~Uq_>RxgYiC{d%JVN{NKdY2EHu(EDAVIDUJ8;9^Jkq|LFX{$&nodXnzoH zhV&8QP_{!AbmMPplxc~aOkpI*_UhgJW)bmbW$u(CYew8*>F!;b zD+9@fk6EO5K`UpxYAlb8L4(L3@K6w+?##?g2}q^0*2dWDZ~c`$kEOR-!*63YU!Bl- zo9?%s({_XSr5;7d$L-Wue51btXoKDjw*YMZQDIZ3OO7K3fb1& z&Jwj)trLCFKEl#)r{sLs<~5ZIVTc!TES>q2s;fia=mVWNC4W9EY*@m=Q2>+GE~Ixl z>IAF407;N*=2=JpE{hW8&zq0f^yGcJV`Ady>WZCde!M*25mNW|Z6?F&>MA=N4*xDk zJUa}CpV< zB=kNt`QnNem+NBs3~g5U4v!F5|LfC^{PFss@YYtuPl8EL3T7AS9QiAcldi2^SN9ll zw6Jx!$eWENt&4nl=vGwN%JxivvxgV*co=;rsvK|+^e%159r_J}j_{_&1s&X5g}k=QtL;J3#%efezHxxO#X z;~=FbzPM)wF?JwlA?6|`$-%&;oE%22l+5kSSZECSCE=-@$Oaw z5lF941THB5*C_Y15lP%;HexTR&tOmDOZS}yGd59*=4Cy z>tbxq)$cviN+4|TNOo?8v?IU5{D61J#&16uR(?9*L5Xb&i31w=2in;H)$N`bB|wfB zC+Y`!d&LwLxhpFxM`Nx7z(`9=>lz!sPi1sh4)gsW^Qt5&vjHUzTn}PjfAKlc21D!h z-kBsDdZ9Res$j&1`-=XE8z!||xpYwv7pjEv6g~7qX6*hGe2) z)4k^pG2pTCN?r7-N=06PE;MI+Fy3x+X5lv{$I3?4 ztje6{^d7|;wk=NzO;0?{!8Mq3kaLn~=&a>|o50R5rzPza6f@ud30nC|*+&Nfd=S@l zadC+dirfw=ltA;o6Zg@=t%*-B@c9ycB}i$`YFz<7I#710E>b}{<|~Gpk2WVwAt8Z3 zi1K$hZe;F+Do$iebkC8PD{tjZMi{9~lo8XLGL1Jh$y;jPvuwq+i)N4jW3ooM@j&Y% z_47GrZqZaD>fH_Wa95tzOkPQMKwTHgr3qhFy|$*x@N>X$^A^T|Hziw(FMI8&rU z9boQM7_5v|e2l6G8UO9HG@!8$9R!>^ytPN@y0^{_Z*Tim5<1GtsPUl2x(X{Hb4^4q zcb}@R)lKcucg7D(rIx2Fe^k7#!q(Jmq%TKZ(0N&1qZ_s%w65tV5Z~-UNiw@6^n{{o zJR9&j2m{(kp8a8X!y#Yw)3G88W>h9^-6J_9kQ=VC=X*_D_M;C?uTe$mQ^QNadNrx~ z@I}k@@iLcduVb!1aiieGu5F$?t%xm%;$9C`@{sY8PTA`9Qs(?(DX33|55#?}dIy#N z9Sr^ys(ElU@StuHeS}*1#tU3gSA9bS^GL27nDy}mQ9qC6$3#f#27`wv%um45@Z8*g z0-DXlZ#%yykh+>(7<1)#@o7Y{R+6sT3U9+tw$RP zGw@jQ@;thAE-()|pPJYT*7jWM;>oH+HnKQEy{mEYs{dAR>hwXA-^Pv~S!j6v`+68% zCV-b18q>afk-y)J@M|pm?++GF#RcSEB+iX}wz#`RXL5JZ6PaxfO}qQE6#~j!MjHT( z>Pd$zJluUhmwn?v9$SxkeZu2_10EYw{5Ae5(1>j&hfvqe>DIaAZkYjDB8H}Y!9zT< zXhpO8!X^EC-IPz49zJw+q5<8JDgB@3BN=)=@3}q~%H`?zm3i8Ju3B(nyp|Q{C@mPZJTA<^sOGfc` 
z?B>pb$Mj50-9fnYC`6>U`(#h_c=;J}Q8WOR(bQNpyml39j21|`rcT@vz3>;8PdGmx zsbjXMVWZDy*a5p+5|B-Ry%Is=Ycy0s&r?Z|n`6gG$fLuq<=u!q4y;I6K~G`23@T3A2vj3WhCh7yJ!M zevpJme0oKe$aIp#$N{X)V}N5XWUm+mjCiu;2#f?4 z&>bq4K}uMenq)K+M}K&%5TCJz$gw4cA>>YLRxzi0Dj*L8Ix=%>lmnQ7rp!0h=#UR; z*{9Q8YD$5U^DL(N8&qABNpUOs{)@bM72-y5S9leynW`eI01u(?sS7%eYOIcLaKa=` zDl5|Cs=d@iF#A_11!{@0*oDqY(O;GSDH8aK*|@|9jr&ZxIW@Uo{X2&k(1(LN46|1X zLZ}TLVJ|qWO;(t1OdDhFAYLS#~Asoxohu1vU5C zX>zX9yaI+vC&!Rf>V`K<>r|%YTc1oZn>Q8d=&4){u;m1FM9QW3W&}oSr4wZz-<_)O zo1A5|g0CYc0{YWgX$a0}joBnlnRn?TaVhTgW0|B**M*gAh$U2h z)54R}_g|hhqw-)JE`%X-T!>+T*`3Jhl?5_3`M`#qnN1~+*swdu(X z9u~XrLs8ygwk8XiYse5LcMPC?1H`yi_qmI6$;vnI#aV~<6o2#T!B!1 z=#@Hk+3GqQFu;&SVN#CSzkIj&tSR;UzZzI6x{+YMcz~^Euv;hF?v%q?oAb$#eB?Ig zib|&x|Ddp~=?b39ULcL^KL@rQ_LIpr`Yu=!st{@}-tm*>E?2{_iPP}+(E*23E zjW}V3;CN*T=c%mp8-g!9DL5qQGL_pualh9!HMn%rr&s4aWxarpJ65O|PS$vbu`i+^me_#`pciK?KHgIw3jF)SvdMuL^PZmg2+T{?HH0EW9Y zGoY`1jDwYLC+!r0Ptp2}H{(U+bI6W90ih7m2n~aZ?Yw9S(@3uWH$^Rp`LgR7dW@zx zPQ37ay9JXJJptbv>TC+_Ne`B6l}pSz&HPIL6&rtl`Yuq&^bL~Ronf_SEdbQ=q}648 zFHb%5i^|!XwT{$-jfQ}%K-M+?I&KkUz&1cy-o!FNnBX{3a26ORe#gyS3G-jf+DxhG z-)eeip9txM_!TTLN}o_TlRR|BY&0|Z&7`3ER-Y36=t%xsEf(_9{5U5d-^?calvr)_ zmP2$O3!GslulEm1$gYg8lW5Lp{%D9k(SzMR>4~X<5BmhPRVIMN%z_4`RIVco4#=}# zqQY7k2A7z5F2gMM^TlARHw@O=eO}s|%hx&o1-1a50sp|^}36+O|X+aZe*^;`*# zy8_0M_(6Blsv25mN{iQcs(+ZpNVzQxZlLNn8aN7%u8;gL;z?Y9sMh=Ll8sE-D1dyV zNs#0<{udnZ^RYChP)AvW(V}JB#e%bc&f?Fa!aNd=?>(Iq-6q@F++oqE#zy5@oE@;I z?_$U(!TdphMCtML5O5*5c&>C?b`h`)yFkMM-eEU+MWHbn9B{`$XUyOd@?c&ao?g>rhWdX$<9C?$SUR5rA!uVy10i@thvu zoh6U+DY3sRufl&{0|l}M*??>fx`9*swvE|^b}nbEf*I3;yCh))ccs(}!uwfEY`H=b zNgD(Vg`v9I+1c$f@K(0JxyZ|fzLlJDU$CS&+^WSAgu0B728Np0C<)U4bF^4tJRRA> zS=nk>$*k^4Rt|!>;%K)NXsanY2=OuO7Q+f;h|$8}IqbTXV98*Ol|`toEJ6b`xlzLE zaEg}_fY)6hz0oq!%A`wK?qbf0DsjsXcQW1};W}*$2eJvU7%PB-dOV^~ek<-Wa0RjG zO)m&Wv_9ouzTuxxBAT788QT3m*Yb>;SxtjfP$0)}xt>)d5Xk-~K8L-6y$;s%Cno$U zlWm4W*>fe0|4E`)Vaq86N;%OA2G!(Hg$S_{LdWEH|B&YN0)oaR^;s5UK%Zf;D2kpz_HCRVc 
z=2g`s#o@~Y1thI5{pwY10ww~8`Z7m%Rx$#=dWGHhzwvs=sm$`#t2!!WIqA<{W+zV| zXDa2ilBk95r%vnkMf+6`hm(y)%36tf34XD4G1K|R`C@tfBQ?GhF>+kbZ>v!$BL>CBqB zezH_j0TsiAiV1|?cmKA9pgkdIn~6C&IZnejH#b7i=ch+*1``vL-(>}(cBvr`%hDHq zdF$}8soQJ+WmvF({1Pk{)@o_aFvU`Ii3oF|&kDhZT!@dHkZk?zRb5_N`z%kS7x2ne z3+bny%UtM0pPx>f2WQ9$8Qzyyw(kByPEHbyieom-Sxe^ynHhe0wL1-ti9*N^5}nl-_^$b z80vy>J%m`gxM;s@ z;EgU)M*Z}08D98!!NKZJjxM1oxoLebt|^Xjcw!>l{e11j`&Vdd*p^dLs*?5jcR@58 zJox0sld~9!+!yM8#FX*L4SgoN_aiy?lNY@x%1=U%(frvEm~|0E=~(viwiN!d{__Tf zUkm#!6@_yL`94k3lj)7`GBPf1A|o%)z!C`DCQnOY_z9}aBVo(~MZuUKL+LeDO4yGB zKW*fA|L=^7Os$n*8EeQU>ggDvdsT9vr?yB}fbT8BGwKAXIAz1n&);`)!T|<@qs28p zJuXa1zV3W~jzB$BS`cI5|DOVJ45Cqc7$BY(kGGOg^T2Bpfh*4Q=&`*iYU*u}6cRN( z_LSw&j2V8`8*~egIYB17F)=e|{`jF|>EmNeoA3XhPp)6CXKOBVZZ}Pie{T|Vu~TXC zWQ=l`O$VYK&HS-8lA}*(>d8IKk7&8Fw0iF+&u-nJZJHJ+_2;d!5tf6ESQd|!%WEv+3T_xL zxXE_V5sEH|{(F7c&p&bmr$Pz-cdx>;w;U`KJTlPy+> zGaSPj`^rVlc~k4+XT|J+@Zv_34b(8gojM&a1`FphHv)eEv;*6{R}$bq zeZ0qt+~dh_saPBrxC5R{p8L8VrG%?N`M4U|L(#5Je;#v_{AUi2j|;oI^L%g5SfQ63 zuaz&nH!hO&r<#q#rxM`*=RYc5uFN5h}_k(42TYRS`W8A&M;Z z3~G?+Z!E`3X$cp;0BzDGolzu7L;9gO+H>{N%8&mUUGEZlD686Od-s~Qf0WUmJ>jRc z*Kk{~VtlesN-y`+XFbLXb$z5NF{b`W8IWSf$%iN?$Pg4o1|hctpA`KZIb6V7cp|8_ zh?8KF+PEFbq)kK`dR-QXm8i(QQ}4%R@^`t?Gecq*rC?l?pYN^Dk_WESl&j`%oqG%; z5&%xlPdBkOHTtc_QZiLF#4%#frx-%aW0l;oGc3*e61}a*#TJdVe&> z%JIDf9Y1FVy{Hevnm@}Z{iwcBMQUXOD5k=W6)`xNQ1(rmD@nmNA=W9i!vp9Lg(iCj zKD`%Ic3J!(BOLgAh50(4(|{H&&m43xi7E-f#QIXiRo@%1IT zApP*+ZuDWajwr#`7k<$>M;xkku*a$65(D+GiDqVH(Gbw6> z0(t2oDG?2$E#j`6 zQ37W_TVf+drRX@gv~B^{_A~-Opg_zZ;RnccR_N#m9Rn->!a0o_5Yw77oKy*6Zoeid~wW1P=N%10n z&%Th^pg-DguDht4tzJ2#JM~^Yj~K%)<}S|c9XccjAZ`_>IL*N*l}T#m=SV%)hz%qfdBFE(foBi?oet;cUAG)mjEUdspWhxr5f%Ok zOH3$-yq0>}6X9Ed{Y6~D@1+6{#~=%|0+YGDtzTY=)mtE_k@ht2zUAN=uuCFmvijHD zG_nj6*VpX_ja%;5AoU_{OG`q4g zy58dVh)E?OmER^a>&@IdvYvUX$%SGg zx6=c+Qc~Ig4b?y0zF-&b5-*j;Yxy=S8xoc}|6VGp3ydIFZ$wNoysw6S4siNFFWTp? 
zJ(PgrVw+F>VZ8hKJn1#V7W{n6>9f^m~nTKyz>y78ps{7fQ zjJ6J0cS9iO?E=*9`)fstS#G*gj$Ct-RdBHd=9^uqe^W5i+JEm9WM_5fTqIEaotO`Y z&&fnQ7$2)C7Fi*V4K$gq`LaTAiJ}Hi-Ih*n$&%TnB_&;50!~g&jQh1#FpNBHDh7Y* z(lHH67UstA=2y|>S31s|?^=}4TUqk+i3jgG$=41j6_J?iCp$i6XJ@-*3*H=6YSRKZ zdys*SQljWUYtinu6X|eg6Efze+UB-cQ-q!*Vt%N1Ua6mxF5>4-z(v-I@MZ2tpb)5K z*^?S=YS$0nH|FN>tdHSgR{J%t~VFkctTwwOE>7hCN3r50*q%|&77W)n|1A+JFQgG&3a z)#kg@$YapKTkCCnu6XvhtgT|f_r>&x=Qqq>G0CRycEr2?eq?9}Q0;Gp^`0cf2Zdmf z?1=uW6Wjw)lkVcC#MsG*EIy>Ud~{V@ZOiyQjb;BtchC1va6ZJOwv}3sTe-fu+$qgte0>SkTAt>; zFYe#`@Tp@S6Uart&~c+lG}F==J1S89E?VLw3C7{)n+kAYAf<1i=ABS?GrdWRBzBv% zU)5f0Q!yG@Kx?o28e!Em?{i;-2Q&uT(H)U@cZkP)@s=t&zSF?mJSm=tnZAv+ifeD_ zTs6D?0u~&ElN)B*V(f)E!>Xe+G$<6z{pLn#$RKg@S}=QU^72*+83|U<@Vm<7eVgA2 z7>n6$2$PsLsJMx58e%{mw-1qs`9(M{MWBv+QX&!`O>s`{yWRfUJU0-F`&R$MU7wZ1i1LIwS?X2 zOI4X1_4y^X-%&aXSmFy%u1XsE%j@4e~|DsYK(IF-V#zSftvUqWjLzPabWe zh4<5bC8?D)hu|-*)**?`%7rVh9f%4*-VC7o4Q0Ag zcTG^y+A4yN;QD&*N}P25lwncx%=nE1JD~thlGeh+b^OPR0jKT*JCz>+VVzLV3g^lj zDpI01qiVX=R$@^?1D&Uv4Ghrtratc6BaOWeN2@gK&De`dN$E>`_{X3Y9f?oI^BJz@ z)~7$q(pjwpx!S8zj+=*g-J7>HOGfS(_qTIa0iu*Op34PnhHkDG`PbF)Ij*&w6W!0v&-+_li#wew8K_R$ zkFZ|*3msP*y(F6bcuSfQxtCfZa-3DSb|%^D#xEbh!2*gU?DkH=-_{+oJ>Ua=B*eI7 z=9kLZBppgxe^P2ucU|w_sY>8fRtYE2S>Ytv;nbRAT&z9mQl%fVhBo3)_jIYqYVc!H zn?`k;beYo+7yI6}e6HHQA1n~T%R4AD-;*C?pCoas2yjR`Q3gJe$rtpo&yMn)-VjOu zY(EyeSWOROZ%x;<&}bQjWS5oNuq(QTfI4M_r}xD$Ofj& zo`$KI4i7kt`EGmcwl9B-`BhE;Ds1~jaAwg;V{0Y7Ws0ZK&pM`$uwPE~BK9~oLuX&q z^XKnu_8vvJ4@({r5)ogR5LhvallICx%bxW`jh7A|k{u@|9LrX1aHGu3&7IKOD--5bG=J&PPmh*;IpHQ|+Cd{oZ?1{p+HV&VW2HuR62rLj6TmdaOjs8P_>%PsPQ`5FL&6@UO~m6lp0(KA|PY^Q`W%Df|z5I3-%1%45zs zIkB$-v=-oM1_X4;h))@dzo>J_^QJNYbLICQ>D!o}w=%^DU0;ciDwt^vUMp52ls{zKOe=ZKUrnEdg;r_7Z zS^GbLXb4<%Uszo_RezAV^3}yV4((QGX+!6KdolfQFQ=E&hXn=EDl02vyu=p8HscrB zVROOTjfjYdq8sVaAbU&k*(1r^QIcXmIY=RaV3Z)kiNk#NURAyDVd~yuvC=b(r{SRuAyjPHV zW-lV3q*Mn0D59dG0_RtjJ!_#Rhcg2{v@%5zgY!6p1=IV@bGYTMNVoe;lN6gh1g=Xxq)?Eu6r$% zBaLD)Y4wY^SXI4L1_!7ncO3*PRszX}LUNcnWiyPztO(04WOP2erlel6hsrbQXnpQt 
zM+<$dRRNx3(OD!bt4->R`e=R7dv2n8EI(jCdIs7#NCdt&ENeO?6g?lMfw7!u70tePgm9 zjVLHXH6_s9V@=NP-5g&= z=#*BQSO!9#^lvsvXme_6YF^GA0;qU0;t;92Jo$3*>_d6KfB*b`;c|ALTU~UQAZ0Yg zSTNPH+8}MfN`EmeGfl0fX85Js9t>tQ@Zi5RG5@H08wq#`^Ukeh?pBrG2)msl6KcJ%J>U*9z2W=0&e zd=7K7G{V8SEU0T?=`Lfr=KT>{$JIo=0djCj7UT3J{gI)2K@0J-)gG)b6PP(V zB8#cF=xt~p%AWZZ=3Xlzo7^d>PrD}`(54`*BfuKwxxBKBAJ_JqrRlS?5%$2S&hr`D zR8@+YZaxifL|mKJ(Z1c&GOqs0DZ*J2x%CdlZS!yMJcVK7#Gpcmaih~KS6$JY zhRqw-r$bzJ_0)77K=342%kh$R_FaUe+OIp!bLI81hcAD$fWCTt-w5JO>;EXtiZd0=2APf}A=_3;}36v$&#wU|U6FydKz1FC^G+)Ew~+g^eekA~fl zOhxq#9V7OEyv9Ql2Y_Yknx^2373}>R(V>MSVHe4&yM97mVab8P3*qAX;;YyxetyAE ziXfc&7a1*!rwhKf|_0w=blMEwk8$J+}GK@ZG#PTi6U?JTkyiR{lKjcV#Q zn1W}PZmtR}Gj#N~DC`OG{DJ~B&l+`2U4zh?ceBeAu{70INqHfo|M)Ielt3|4`VKn3fM6xdQUCCFnk}jlP-q<|Hy`Vf7XFEIAdacTlT3bk z|12oEE7xqW6lN|V<$KYl1hR4n**LO%&$*kioKf1`9)UjXQD<@M=E=`ik%*e#Q4hZC z#m5Z{D;DCN;U?@1$qfP$_xF9(F#O(`bNW6uvT1GYE6_C++r{6_Lm793t?-S6o5wXj zcP|(E%<>ALgl7`1d6-QehQ^k{^Dz>5GfnoCLwSWW<|UYshkyRAvsFmEDps4t8~3_N zKupd^8r}0P(+BFVp?^y#g|hy=6N$DQ{6b;_pUiPAbamg~T=VfVM}D&k3aZj*LsKxq zfBNR=6WvvX&17A|s_v|~NgD@2%ZkOm`76foP6>Kl(|=i4L_k4N(PF5rt^NNwRHNNu z7nxcB<4ls{*cpM-d0f)uPO=yNI1cVnMM!=oGpc(|!#tpezbNB02l(~rP0h!7XyL8Y z-W`k#B}QgYu^3&q3I&H=oy%M}Lh~D?gu3lPpm#Pu8H{H^c;KZ(?q+T($eO5Br>cnY zLLh1ydFVMlW>wtT(CLni#Mkv|!Ni%kg8IYmz&GHeK@qH2uAKeQr1Y{D6R#|Q!sU(; zz(OU%+=OJ*+gZfyvl+?ZxGJWj`ww=!1)F11yj;_<{XWzx1us{9RRS=1;7oFItMd+F zX?#aQm=gvjee+))kHVc%z43;|)(V%Xxf6kLH!fGeY+BnS>mItVmJc^ub&A`|C9Kvx zhEd{=vLU4+&y7+s4^tw+P}irSIaKayTnw_I4^Cr4>u|QlV(kxP2hRI-uhD-Ue#j9E zSt!QLp7AVft7iXHn?f z?9Ry4o;-T;N`TAOReMu!P8;VJ6;rl^XY?jzYh+HT)JT|Vg}Tu8@s9Er8$wBqCK&_n zt^K3u;#y*oDO&wn7L?*D2%X}+1 zAC(CtwM}AfsH2ygaF{uDx0S(luWn(FfqDB=)K}ZvXa*evLkCa+8*}I=nk`cY!VQs9t|Bl992uQe5e5~W$zlj$PPrZPi^GL_Xf3UIJ&T>hg&(Au@ z=?u-R7m8nj-OoEo5!}yh%^9gTTywJ8s|K1`-E5+Mu=E&Yb+^3tw>aW%J|(?NM4+^#M}?hppcnL=JM3^iN2b0x0axr2|^r(6RiTteXu+-n$L``SYWOJ?{P5 zsKVtKy`iY0mak_9#2w;>EibCde*C^!FUikIBOFDV>EPQD9^$ST)PCFK~pZSXgQ0<#H+HBuCbjS;=EcHE?bekI!e6{_6 
z``qMFw5Y)|OEx5hgqeTcK8W9w$1!dz=b4}0PR^GgMHPy=x!rw;!;tChsF`k!?Q$hc?QNmzX8M@nSg=Zh8X6W7%|Wt3F#aODYoGLg+%+xKAOn>lxD7@#c* z9ojLkU6g;WHusyHm;~Z;a(y9ijnm&AEeZ81w7{cT@l4XQs@UDSdWjb0zIrL~QJKwJ zXYZ5y-zdWoR=vryBT7+&h#40yvnJZkmKdt-x3(+7+s>0(2T3;Un&guQA1qEG6Hi0B za;@!Of!6VbH8&*-#5SGUk;i-W8IL8iKIPf{E&nMPEG*%j=><7guUUK}%7L@Q_5A&- zZ>UCAq}QzD&!~71Mz278-YWy|S>JeT@x~;0=Qxv+MOt&}6{el<)wP2Xan%_Sj{p1h zr#dou*xO;C;PkrF$wP8Zg7w;MplBg@|B0Q;t)#0 z@YgmI6=e<>9b5mmSU~LKm4UyEk@SE6iG!x76#K?QSTw~X@9#bg35>IR`$cQmBFi|@D7Spz zdNybKpUyGq5o<4^pI0MSSQT)iccNj3pKUZXdXwfXJE%lJr2m&^e7BNUTs# zL^7Q#cfbB}@GhDe3^D>3u zj@$)tB{B(cF0giuPFtgy%$xtT*_+T1`}ylkc__Zr*Pr4FhVSC9DkZG~YA7NwLBe1_ zUT7>uQu=2frZB$e?@EfKN?oRE88nX#GxfUI;&#;jZPOBN=|PUVJHEnG~Dtg$Q};8K2T0H8u8U4QT{qnTioL zGinJ@O)XzI*UIgK3tf$te=u@?j4F$Kb)~uN%E?V>x^0#t=vLI`4`}(rEm`Q1h$vGA z+571jz4AbItszv;d>=6Ac2<|#rf&AhFngm7H*u}cCjAGTAa8QXv$E)()wQQp?Hx~f zK9demYnuG!_0Jm;Bd5C@vv+_8Pv?{Kzu{@~k zF_ESL*I)INE&OGR@&W1Xb51Nd^3UsS-4kh%iu!;3GfO*Lo(tY{)8bH{X_@-QB>wYa zl*n9=-tN+s>l|rY!PArw@ulMoq148y&DH9xE&RJt2>y@Q+3} zlr8~Q+J-)PoLt69FjccyiQQR#nlj&{z|1qv_n+rYVV$r3-0_bK+(hs78y1^o(=}vU2-KU#N$xrs^cO*zYG-*#~<@qJe zN+*fZJ)Xu?%_bGmzuY%-1k>45aOiSC28_r?16s38H)!%vY{hZIT9>LW_&C3)b*~Cv z6FipFEu2Od*t}s|SRkC&u;%*XrV1Xu9Akm>g5L%J+RvlBa-S-P%_ts+CfWnDx*i_w zCA%h%flx;iv`i82ySH*DC9Ua`>@h8Y%~Ur#%VGgt6wM~9gv;IV<2D~GZ!ZN)GU@!< zUdmzZ|GQJBcXmh^l)wT5-8)DekzPXMj=pf@)5FGklSAh$*99W>SrWXtc->3_=f53c z_O_D8YQ$-I6q<8?7 zo@jhkNX@NaScnGiE}|cg4L~4u{)l1BJ7xC+1!eJ#1m>3?v`s>PEYb~^vV6k zfN{)#77F^-sO;|We5 zh6C}s#m&+r;U#>6G}YA(jxh-F{li&ialF92rCChaapoPA=Jf1-z1zIf+W!sRkig7L zb#kV^DJi=!%XmyoMY`3QlvmMQL`4?bYF!s}>!uu{Zj@hM!4uHq! 
z;U5U9zOk}(&&kXs%f5D>Uig?_W(6p6Z_$3}#?`Khn-@7!!DK0iTj{Y4@Gp|2>t|AT zs_N^r7G4HtF9_L=V#;b7K$TTZ=Ax+bz2kNeD?+0XPsVqE^GT%MpAQ@4e+ZU*Sk1joM9BZw2-B9r$=CwCgAKix2(ULid z^Z{mlY(gCWM|vS%DVFhV`J2V`%uXMRqQcwvhvGyt613x*(|A@N7*pu#FHoxrcKBST zj)KB`fkptJ9XOGO-r_$3RTd3wW`U~YYi2QysOa>1yyH=|-V&`;bzt!@DWmlFonM{p z=NZEZ;@r6ht~WqkV?OfoQM*^|L*%2r?Ci%T1w8CU53O4%elZd6VpP_;X?F=6hxS95 zE3ngmKVj;(<8>FrcS`2uLeaazx8>k|;*FpFUt}^T5)VhibuJiZQZ&^w(-?}LI_yX8 z&L9ParwXtWvQ@hAg-MHrp|G!QgVR#X=9{=cD=I;c;{bo|szylhVu@Qd#4SxuWFP(| zKsm3hT*&qtA;yBppQFJh7Nl$w%=p|jro`@>HtV9}a_Cpg&ShlPk8IRbIJt7n<#wOC zsMGq-qPDEc2(i)F_>L|%DjAiW(MS2m;eT19Cw~X?7gbKj>=-F+pVq1Ad)El_%KjVW zFL)QtVtqa>d&YiUQ`OPl*w$svEECu-Qk+AQmg=#*w6fjvP~^q3kH1CG-}u9~_p8rO z!}SYE5xd(0%jZQXnyM)Gky$6Ps-nQs!UIZ@#)EKp(X^Pr*aejGs|7gIG^ey}iwzxJ zxy6Va{Cq;{SLak)E2tJ6@v(#{4Z0|pL~xw2ZAAdc2K=3GjRb#YO?iXml|jZ@Z6JWn zJ!480x8GWixG|TaX*dwXTI}Qf$WP1DslehYMJxD_{dDmrz<&iodp>83H`>|3Bs!}@ zZboLdX6pSXrP!CjYdO-5v&C$F_`09xJy&k;+{hc>K2&PE*fJgKg1YY zg!`Q@6_`Bsi9ak0;}Svp1CbHP^s;EKHZ~o(XEm3&mce1?ZXGnT0*bH+3mIPXgyP#a zW!SSHId*s&1M%G7>G{5iY?f@E^!^d%@+1Wl{J-^1nJ%pOn_}-L?02iQZNE6FvZiG!|aVBF8as@@=6&v4qUIS zsBl<3rhMm@;HF|x2=-9dTtBlYAwjv8wGeCs<6H(F%#^M!b70RsptXrl&CI{?xQ-Sa z8h>#}0uu4mNnb*^c4$!V4Wl~r(u4nflpM*E5}8cTLqyHC2`(8LX)icu@fe8NudfL| z4Q;yITo^t7+d!{4t#H23ggNSog04CaveK)y-hmC=>cW080jAn!Xc5=pUWx&i$5MqZ z&#IClKH*@{`$)CezO4#CN#6IIFd}0RH$fUW<~ZpLuprbo$eCNU@wP+V{eEZnR=AQi z@-N@_{e>)>r}K1*cCXyq03_=T*9PEjOQL~Oe5Cxq+UhuK72NT=!*OQW=xA_%9Is2b zG%6^FmzR{WAI*G!F;JN49RoUnEY1=9v&Gf6ld#XTI5lFMUO-^d#ds{FD%XeNMB<%? 
z$JUY}H4sJ>ln}$-gk80?ET+Aw6BANNv>*P$g`to!@FiWqmPA?2aDmp-8;T6LfNT^D zt0DrecCXtEWFibg-P;9}vddpHC)nU7gDJBt;OB>#mwtBbqLfl_Tx&dd>R_#A<4CPZLe3*_Q3CSVBb~ABzi+@aJsyLK*n*+S?0fTjMPc{AFWZU^xz8aw} zYu5%7Rz;SYV^o#AMJYC@a|^uu%l@b+EFy;u^9uB`=Y&`V66SXbKw;K)PXX;-sV;Yp9=9D#+ z6!DNYq-)AX+@Ul>haPo)LDbjs#pRf?MSM1^)FVE@Cap@l7ps;L9EHCd@h;EC?WqBF?LsLkMo zj}_Z4?CA>(S|7@%$+*kwacGBM@MS_ek=w>N5+ z(-$R6=s76cFNcH!q)7+}2x8sB*jWKfJ9gWnaEm~3RT~9XZ{^7kKUTf~j}*TAlycm* z5?`Xi&6!GIkHEmG>ESp5q4!u7Jab^W?vi*z0|{VH z=1&J3MISZ32hil#GH@C}Z*h}HYTIY|$ZDJ>1yR7?XiHlVp#u;LE%oZc`LSkUsS07E ztcZQ5J~hsE`J|JyceTMDGyLc1fp{$C>9gJ%ZkjB2mYCRhoV&JneXy8B$ebyr{OWMT z@BP)-sj7>uZGQzZld`f3tFOSM!*iE?xd_8tyaf$+qIC;Q@in8;V|^lsyQksG3eev% zyX`lIwO%YQ~ZLGoM)!E zqe85yj=48X`9FKxaW|H{%>FF&jO-GnTJ}P=A$P({p(PcEZs0neSl#w%znnf^{f}q{$`b z{7}-GBa)`UN`-6?s`-b^WHs*iP!<;x(b*TX+{IPzu)Ltn=Nm-;L|Q*XH4#MLMVHE8 zPK)CL;l8Aj^o%v?xWIZ2*~A@syw`y;c?ScsP`6pdj;6+0`BimgM403mH6jO7AR>~y z6KhvI^Svs^WIu@YqiM>|*X;;Wc7C)dZU}MiWaQ=$1TuTV@nF`V68S>4$V<9dn^bh^ zfw&f8os% zC1LJCSBjTH-&^;;x%$b&&1^9`*UfR6eL;f{ySd~XWvzy%yLcEkG~48nYNNSYA;+)A z%|txizkRdLop05yVvtWXTBaT4yxzUPGE=uiEMBUliat*##=ih9w?f~Je=Kcm;9399 zUO_y|dDDU)X%naJ+danT z?3Bm{JRH4ES`llLqr9g4aORMFmMd9Tz0bbM@;IHOahwz1SHBJ( z{}y6YYcQmnEABly%bd{C{ZTQ_Ic_kW`owHS%)mfn)zelDHS{9o;^Y;>H>vvV3^vPnH)7k(V~&rK%jM;i%S_yf>D9+uJao;ixIWJ2Tps?{7h}AV zA`BOWWV7BxGe)f@u}QzMtkl&BOCJbwKA-FLb&?H6Vsww*^$K9=wJsSwPK$Pu?A{18 zLcCj6+EcPkWJem`<5#V1blyZK7J=&v6f)68Z4|y3K#k+v7fO7TqR{CDII@#VB)6%k ztd)D{#>OzOJU5CfL7{sjhIw>E%J@YLl=nY^?59F{Pe%*1w!BxqVMN8hXBH5MZ9rtH zaXZy@2nT+;OUKiu9&;_xO*MC{W;izcD=NtkvS5blNUDuc!d{00brpTu;?BT`XG9$Wd~f z1_*D}@F%%iT{t_THLt>1%_IMZ4@92qO0_MQ8_?#=oRHyTD=m^LquzEJI|MJ@F)B-ub}7e+`cfF0w~Lv&FNy{D-GD7YEsgBkBUqQ_0HduT}6?xq(j|xQ853 zZJDRcO>c}Pne04&oc=pg=Y_aK&nj0PT__w?4aRAPoa({h z;#)nkw0yC>h2)l~ty_2o6Z;|XT!lc^86&{n_8=~m4;g^Rg^_6#X9Cm5^7H$1C2?Y? zYL2U{KK8hh|{aso|N#;@j60*d1yoZ3z? 
z?bTXKWFlHCy!7Lt+I|%d%B>xR zY8;i9|E3)~&%z0YG^sE#y>7#RBAPZ-$>*{iL|z?+-2a z-BR>KIy_Ml_J24xI2SY)QgUmOWZT=jTq`rIjA3_23KYoxS0gCUGjmM#L>Xp7cE{f) zEEk(XO2#a?pPdWQ>T)JCVLx|w>r+GWxrCjjGTd2M?nbA#lSl@<78ddPVr?0(XipmF z4ZM>pNzNjc{bGEnYGlkUBYJVkP`L*&6z#90IrDz7iMY>Xl~w=?5Et(pACJYYuDdk} zrjYH0q|{>)<;+%Sc;M4lp$-CI8+W*(}*4nz_R5=-Y|B6oi7hMOCjmNwqx-QpTIN?ayRvR~Zsemr+H1lhX{8 zHG)~nTe|P`*(5)e!I##+9~tBodDPx z7krXd#;r`lC6dCU$sCM7R@Qbj7>HcfW`nEG>O!Il3keK<`=GRP=wuVd7M9H(RLJ}; zkB<6>#Yo3SC?#c%pij1eQ~zY)$HQ^a^l`y-FCO`DWW0O2EA3-OYH(T2>JL6~WF7d( zIVu*4w)bS@4N@xQgo{?;g|(w4q_;u{f-_g$_jve+DJ?K@s`Q$413pIW_)I7M!ZXYe zPVv+A*c8b=1)zg3>4dLD_jb%AbWPS|z?s?Km_M=nXf$OY2$oNS1LV!8-kKv{`E@)w zyPWsEfH2#w{&cyl*%J*d_J>1%7RInHI^MmY3RPN$bMdP7^lQ{ie{bj%H8K)2A>S83 z)GlW`E-n>u&tU}FLRU0`!`NWY{GU~#em+pbJpVh^HiZ%jq?)YT2{}OdLIysAE-79T zRY?<86Kk@Gc__X{(Wi+->3%#AhH3iuvQl#Ya7_Psd7dZYdyWDR1S)-&E2E(>myRd) zb9=yVV+zK7i;`)U(7(b;$X!U_=W<2??+&EE>Bi-HKD^E5tr;{nNSXS0(!wt}b+qzU zjJA!fR}?!D(R(CXHvWHfv^JX5 z@WIy{PmXoZpITIVQTxNzX0tfex;-dxC=#J_)q!=w&}YbEwHde2rW7IK_w)nI$-1vHz4Q_r&GS&>NTRX!O^m z=+0}X9I(6w@Zj{-$|kf)$xcC>UNo9OetmhHgF}u41X5Ew8F9!2?U{wuM9T{kI6-U7 z6kYzK+P13b{LcPRm!_eq%TBzIq^1f#A0bGSUm+gcxSFg;rnVcCe`7*7QxJ9*&U5p@ z$CVx>>39d?71H#BVH^Mr@rZZ_V&?(~&=hDHBQ5S$m%n`3(U|Du{cZ7|i_1ly2JV!+ zgzkxdm9hif&_uW{==z_^H(W*fmgNW?w~u7H1pea^GA;bA=Q4RpJ|HE^rYBiJWTm6%<5FN9# zSNGg?s)(ra{SXDbK|GTvp2x-a>*Ctzc>MPAL9+k?6H=O zTpPzA5fj^~pG8MkqhVZn!^tTYyfz_Xv8^20$l2s5Z5V|XS)wakD@lyfkD1=fo|?L3 zNMV1kw9e?<<~Dd#4&h^y{EHCc1^8yFXmdu646 z1_K$Y<<=!oxMj_yp^$$5&sBDe^?NTuSbB+APX3|5+lX4if@D-oG>X`Nij@J+pf4tS zPDu8);&l(6+^r^!}NC zT-jL@U&V+a08IUb0q>%o8Kz6z@YI_bi0aTmbCG^B)dWxO^d5)quNdBgO$1; zeHXI0U&tjDT3b4-@7p7W+ZvPd|98yx!2#M!rdA>FJf0Vs-R9pSmCH}Oy zmE!L1?pEAMDGmXOx465s#l5&gad&qQ?(R+q?kd9Ks34X|jfANXq7*aNy0piA1M`99klUMX zF-_Z;sWR_vDFtO47?EDeRc&;%##TskLU{Q;obOBNhEdkcaBjv89{B+t9SMWtwo#+- zx;U^ZdeDyC<)poid)>&3>0TkLs4~_L&tVD2woZ=}8 z)ty!14MVT6y1B*f3%YA%Ww`gqV>25tsPgbC#?i)bmyoFWCsR~EhrI{S3&AVh zd;1_02e(#kXOq*9h12ID0Zv{p_Rrl@S7X?8N1CCs#GvQ0$8~afwfWYifU2k4&jBKT 
z;25isuI@R&Rm!LAWUgB<+(x5s?F z=hpAgW$Y7jE%3;rK_ZuDG#`WVMIVofw#!P*dZ!*=-XL1vt{}<7XmYuGG{*3Xm?0jrR;}x;MoDa9#|h zNWCNo57tqd%*ZD`D0j+8NR;riO~1+T>uh|_>6nrB5%aU*J6-G}j#V@DdfvOS!%Asj zcJlISl*p;sc%zpq%&kp}CZvbqKmW;BkhAfLvsbfa>dYs` zR!L}Y!8~C)vV6OLV7E&fg8+EH)a_1`aN; zsu#KIO|lB(K&l5{pL5Ac1PW$oN4anq)t~tto>YRTqy5zLu2|8iOFv&Uh|`cj|Inri zC5|Kl!}yRBoYjjyU&v&~Mj_)cuG6bet7c2|69p;=GD1(yb+?iS4;|8nzPnvqISXy2 zOOdu=tN%Ga^3|a(F4g>@;rb|WwO{$v{LW|lA~(2f4E3|l%+Pw8GO}x8aDQ`D<+$>O zRqpHf;`&sniBC&(iJnj8_4{Md{UD*DR*@RFYfN``Sr;>u5%dq8n~qkmq#E@Z*0y4s zcGbRDLp#CNXYG1-COvwJf&e#7h;?y4K#|BK4YtG7Yq@uh_5@{W_MSt944hH19r-rX zwrBi1v8Q(02R_E{kWABaO=Q6wTZx)Oe3BFLAA^W5SNt8tuY`kg3)$AaEJ1eAl^Me$W5p@6EoD}8%Bn*0Dp7S z<|c{4)d{0nDJ)D(g`X~(GS8A!9uMc5Mv#9KAO9XLk(b?fG2LUj`3Vd>I-$#>(=UeU zk?qAO0v;X#9s*mtBopV46&cNwYJ>e)VD{M=s+_8DS@Z(AbGOf@W6eCH!|j@@m-y?skAx1 z#^EbCOr~Bfspx)>mHY$w+h#{0^?{=Bt{oA!qQ-4o$Wb}Ms#>BJDYWLq^Yu44&@hf=#C@r${TLzPIPW=w9PaqJb z=7e4mW7N5j@ib-KWCU6jQg^-doz6Fd@SpiSr`UZAK9aUpQ@*9x zT24O1{yib~wOuS7QnPW;7_?PRmvLBSk6G*G;n@jyG9x%!cY{H;siu*Tq>z#%iM!&7I>ZPUn~DLALuTE)yN{bN*!WawIlskS?NTM?zX1iB!K>sy}9 zZJJ>)q$f1j(D*Dy20U8u#nzQJ#HIdY#uE&ypm`|wG2-xda=yOU&C7Q(u+8{~-!ESa z!BtM^Jxkqic2h`+=CBxq5Qpm>s3^DDsK`!S--KwL7kAMemdTENCG#nst7WrKtBhNN^v z9?WuK_qXJ_U7$pz!vEg?K5?;QaURaRY1u?Y=64O3N@(b)G=t&C<~1Fb%7D8yM#&g| z&ns)?03FZKbi!h_t!P>%%rzm9w6lZ5P0Ws1$E&;EB)tWVtMh7^6y^`jJ*rfIU_-`< zBO%r3&3_8}$^5(mj&Yj}xmL$6wi)aeyByzN7m7~;;M40}?DI|ez776ZI*6Y0k)6n7d)`0t_ z&Ex%uYe@?`vER+b8BDG3P8jgLF$h9b};7WBI`6 za}g8;P16G__X^aC6m!HEi${LD;b_&GJiPn3cYml{!DFQ$LxI1{eb zs|OI&$Tp%jb-8lC;*F|kT?y1QMVw}5-|gct8J0Fz%bk{@QMhu;xZlKIrUN1JyP+N( z0Bv!1e`7+TeLhj-!raJ8}4+AKOn#-cA2s~~t_ zH`Kd6t=WXxswcZI<8J(IU&8wJ4}WU!22ViFC1%B5-;TM_#8~$ls5JpQtk6O*U*O$0 zO(Z**>y|JPbZb(?n-$~;Do2rGpM z$9pU%fJ`6<-$Htz+9DcFRC9xsw%74I!1E6g$lR7XDKb2lLmb%%mEoy65^FPKbkY=| z!`5NAq2k0Wg+EQl{;@V3SXn}$7vJgd*}y|0yOfj;6{e_!o{EPjSR0Qm2kSB*VJj%} z3!8Mrhqa!OZnVzd>}7xqsRfbH;mh}&T*&k+Z3?>H{NgH_$sTsFgxu~#AjhfiF2|Lus8r{mP=GbNZ&0@cLdx?pGIspqgTT8)_~#+n#a>@;K&HJxfQKL&!NNZ-Tra4(<1EsAGhhy zpbovhCf%LAqoCFaje 
zv#qsylqPxE`-REFjw4`uxR#|+<6ym{V@WZ7R77zkxr_$RRps@qr4U4RR8b0-jb9Zf z5GQ#^bS)V=4r|fx`V0JWMmxW}+g3ChOYsQW+&T64^Zr0!z^cvfY2^LN{1{~md_1Su zyfsgLlyRV;ODKxR9Oi1XKffO67W}>6y~d(VXIW|Dyaek9z={HL;@ZmLD^n3&FG!hK zY*Pba=^RU_ReKKCn7l8q09EyPE-Z3Q*(LajHfl!w$(Pj)LQ5AvzaeR98~&En(P4cz z&+Cq&#mAZZ6J+e?%tq*Ncrc(XbLv`An1JvBFRanbYP~7N{4zBwHq=U#;MITe;?Wf7sN2A?ISv~63^9~-ZxpqVT(zMk3hWueejso*ibA)TF7 zpLe^a0cVY=G%uB;|8rAeX|798Pe(xJPbA-8RcyXS03SOnq)Z97=Qc#7h+a1GUt#;L z)It4IvkqyWqU{CEp)N0))+{3=>#pvM-g|+8JZ2zMAF~vetvFF&%AbaUpe<=5zcV8z z*Z8Q`UWKOYeL+jTM_3#Yb2EoX1feu$7CU-F&-5cEtkY1K<~bhJ@zAHNbqkN1cPm!8 z3h9w9hvrSjJ@aV5zwjrshy0i;f8KIt105uY2kr_(0a(u|5gTD4hm|9LTA=J7$ zE`E-YegDE=+!n>9rDnh=ZBgt8?F7r)&$CPL08*Q&CE!FxwtlH(_Y6ymuJr2>5kcy@ z&$3M@vfFfZ-oYN#tH}^IXfQb!SV}K$L+p=k0qecK0gf;Yu z)TX9};quKrl2#RTyX8Ssp)YJ))EaY`>iH;Bm;i`f)q>Z`nqK&U(gVWL-Q-xnP(oku|anBZXxXLtH-aF zWnGLc_cCE^3lC)judeMLBuR-}>AQm5Zb2`*;o;MYfFE1~UyTgn@rxoaiHm1V!c z{_YQEbbV$ir#oh;M^?pl-^?rxPNkZl-ivy}4S81*mDB|-x<$oS(i~+C=HH4cEv#QC z^wfHtouhp8Uo*@IrSv|Gu38+b;I_bv=CBf`Y^+eYeJ@fY4tFLKHkPa#YiPO{dePZZ z8FKw@;oy`}9mNVSCBlZHZvb4LI~tqAnF8$7M_vtlx>EGbHv(*28f*pny7F#pk8h%K zz3^4f*6rNRRxpW9EsU~cSEBcKX0M!#hL(6$aWh_i?%iGHT}dOdUf(cx(Yfx`EF!ly~sVOikC|Y++}5b_Y?<=4kM?f4H_28 z^`h$x^+IdTTYFx)p-6D{{iID&MkUN0-*jx8Xb7GrHkx*;zpH*cj_;j`Y|T9xC%6E+)kbY@*)J)Uw;anyhT!om4b#t{+9 z@(KXD!KLJbQBXTmWr%Dpu-P*_q5k{fNNsfkl96@vAZcZks@D~x%B=yApJk~&p~HzL@`ffkxlzLfMnQr^-;VLYndc8)g&nS18b$7;b}Wzx zH*{5X8U!pp`qnR_2dmtH4&wI@G+dOJw)8`^vvj{kkFnc?+v#nZl$BkCj)>Iq5crM2 z$@H0rBXz6vRKpYR3cK9*PsQ>}g$V$B0L!Pl=eNS>?<`9q3;Z=h{t(UgFE8?}MO18~ zA$||J6fj=qiiTD&e5I-M&9Pxgaa7e0%3i*&FvvY^a?Beq4Gn$%8Nt`;d5opSin_AN zq;_=U3z2{F)E%V+a-0+(XD8$geUbqexh4<>E6F+7$A=v}3|TW@?9SIDbomyCa6KM4 zemxx%Gox@VDI}+y2%dfccdsD(@;uamaI(uMlleZg{Ha>zd&`=@n#aVoHW7oaiP0ZS zjfDx`L*4%U9lFm_1Y9G8L)Y{B(F3R)ozEPysQyLmb8^ZyD1kaiO+tdPU#6IBmudN? 
zQ4kPhF-Kao@ol>oM*Qz{<~xTJ3~>DP+UoPT77QYyY{*|4M>t%sDY-@y*rGBwpD);& ztiOiN3rHH*)UZF!c%^gJPzv&6(rtW;rOI%)QYPmZL@7M~s07HOW-d*pH^h_JuBjHf zqyVF_$c$mCtwH>1Rfy=Gp4T=UEmFuyv+#wGCxJPzTdciQXhQvB?H;@mYs#_Fx+ zo!+Sn5-`J&PEPZj6l6dU<_o#KDBL|g?JDl`dBA}>kT_PDeubR=jP_?q87r{O8@naI;PcDn= zE5&`2=QiHQkhol?WkS4alyMAGE6K%rMg>d>L^-R^@N_i1g{k(lfzy`34G-*Rrc3%I}&Mv9EgDd}|%9d2> zkt5W4FI}XP{fhE5BdihGuG*_!+8~5Ww?#9aw=w2xPPfjM@vbTLN36r}Kt*JfXxF0g z2vz2|19C&*K0`$(I$Pz?6+XQx&g!0SE)2*=mxO{XvIIpVU1nd>ioX1{Ps?n8MvFnk zkiLzDtmLogQLnFv;wf5ks3=rj3&E32PaZyUI=bAv^HHz`tC~?%tM7{m;<*r`>2VT2 zsT(C>ej#lHqV%%nsR$@sJAf8@!iiXXu=8lYtj&+yG<_7;t=Mgl_cDD?bRk5;8T-{w zRn$=EnuQoiuFTZ71cyvW_IM2|fng=(P`!>#Z-)pwpp(8b*z2G1sE)ja@m>|8`TZWt z3&cVT8@p%lln?K1f&OVi{-46^ktDKAa!xR^LwEMQ=TnUS+(brLX*~ChniI9`29*F)nyoGDd~dN9 z0X|Z;%5U#8PO5q4K;wKU@_6VLg6G_P1M^B`78`QYxgv;R%5>9gLA&=~xub+8dFa3r zWNPX7K`F&(2Gy}ji5In31^er#&PTd_Jo}(WSmYYVdR}ryMtCwks@2uiDl{Z2PU`d{ zzO?;XRua+&8f>Jbeh^m>xtGZJlAwvhQc%;bRGYByl#nAP z6Pqe8f_SnP7m~eezkX9f)Obgez*2Vc)YjY z)u^=kAEN@>VFYzuomrTt4Q3duMR3lL*Da?#+5`Z0VD?rfwaiIP&&cZt%za)ye6kem z2KZ6*RZ6BOBU!A|bhrBBr2XJt)ogS4?3(-X*nQ2_G z%B%+cZF6aKpcmJ#t#?gTa-K=3D>B%pVdCggU|7MC3_>7 zQ0!gt2~tfxTz`DyW8xNlfsyqITQnf0q+?10b<Q$hfTuZr=N=xXI=?yX+id!z~@_uaK_jO!%--+<@O^0I-*ICj{KkfP7o z+mRCgzfkM{CZ-z!z%n&%4ExBs-Ndf>&2p3ZTo& z%MJ=SI5-7!MMXuA%iWZ-PsM-Ve)I2T-klR8ua%{D@bcgT0v5|4H~JIcpC%LWXMIy6 zkDGjX@abBssf7ho=*bAw1XHUM3lnp3b@io;F?ydtE{clvgwO% zO~ra9O`%z0PXipT;ZNt~m6ZfL4zcK}Dt1&eYh;VGcjLqhx?p-sKbL7}oh=Dskk>bw9^7xTM=B=Os=`-r-XSYr1bD| zox-o@7N$jLg`U;mPvKF`gm4{vR3O#rkoN8GAu zq(>%tucO$~?H^lX^=corsQdZfR*LDlhM! 
zo{nYfxR)3j6?@$gyS&PJ1IqJ@iDgAb>K}bIX(6D?z)GL3%5N(s-kAZ*w`hhG=As}m z47m#}#U^5ghgu-Y|1^-IHQThghr^xHLUg+Vn`cq`lTePiuscQ5t;)o)sbuWzg0qZH z@uI=aSn1PTw3OtiPEVhA?`}?UX^p<`MV0!~Sg`5D`qhT~!-sx7K{~)n9vJ@_uZ^-Y zcGF76)RL7I-ZNl-ge|eh+KVD;-xY|3lZpQ^pnlv;Nk6AKaW}NyP#_%3Ws&I6VRwej z;qqK!XBV#K62+mxiHd~>LrVyuV&CGA*`|t21Ug+b@y<3R7wC*iH~Kj^7d*am;1Spy z%y?4d{sN_r3UhP)K_D5k&HJ<0)3f`mH}G3Z=i5_fVWnN;&hSO%SUHRP<);V4j6OLH zLFj0V37(^}K*dDV!06!nth%)`H-zS3RV^PhI$6cGXaDoM29OX%oX#E-XKCM4@RTsO z!a@Jew`Q5&gk&nl<`{uXq0p)mlW03KMXl|!IUy#MNqfZ;bMq|N!u@B_Z`)t`z-m|2 zJS(Jm1V)FtDo_uLj*NxQ&l3+6A2*yoD)t{v%|wl;=S%zW)u|1>w$W{#d= zWRx|zcAU^)sRTL=&QhpK)E&f05S}1-}q7-#Kbw^z2 z85cfFP4yZRd^XSJOHk_>hg zCnq&f%?s#{O-KRcHKMToDq=oKN33$~XJSTnlGLwb243LUCKV^*ILHsVx3qk<+#5L= z3RbEEcK7o|rsE5F_r_MuOwp9=X2wp(l2dD8Vf9E;!3qi(8E=bkt>KU=sc&s!s5CXB z`8w#hrySaY`rwm(038-2r=?*)g?XE2#&oYB$Dzsawo;D!CivJ4e1L)@#!z?WVyj>- zOCGwP)XF<0b!M|aPgc#(H{2fhqLUjOvDP{;T0%^> zTp&pGvuT!6Q%dTpeU2LW3q;3#w0G&l_KvZ9o2&n82St#yuV9Jo7vJ2_pD`4kUI;pC zzCE|Y*#0|L5!`zw*={L@uUk%-b`xi`H0*Pl%ISkn`V)w1CRn2t!ka_4?_d0{%8*JK zXhfp|@|ad3B%AB!WlcNKDYG2m@Y;CLQ;yrI3Dn&2=X05X#rG(BL-^dDmDS8sate;n zr+?~9Q#dcgepeqy67c?iZ31L@yde z27y5E8%<2itA0&xuNoKF&3KDDvgk|6WV@g-&4ycEkmvKkyEGKZ)v|9!4o9NsWFilx zhT7T(6hzJMCl~^Pg5bZr z2R0c%ndH5>DjwhPgFH)IFnnbYCh^QJFH6mcm6XEI z3=wv}4#@~^rNn@EB`jxa>^1%>WCEhq$Xvy8^pn8UsRMh*&pB^jDPRThv66KpY=(G< zmFu9O8FXL+gQ|XLQGkDw7+=Qm2hH1axXEt3mJ<~l8kUW69ozREY=gc@Q}l=LNbXNE zjxW0K;Eg8%vhRyqI2hd`-AX(41i;d>FEtmtuOCVGgG@DCYU!tcH>rJOo35s7-h{VJ zCA;btpc?nRR^(3KDK09@+w^?bead@q_$}@W7pONuWfhHQYHFIgAuppM%z0GlI;3g6 zz+3pUuZ#z{ySMUCG9f7@SXfg`@H-Hc-CC}N8K^2=tXmOa*q z+R?CG=+?5-vB+PSoo-MsiL9hzPuz6%LM{1&CGUC#X|fg3$MiWRAC-ULGZ#{_th?k5 zvvSEu`ny&?&~+*iS~@w@)JOs*k`D_=dopa;oi4lQ`qTb=@&l&pbIdkUS0C^S_%`IN zwTU;CHWuwx@_q7SpZQgr$!c-EO5ceo3TCb zIcBE221U}mMED#Wk!WTIq85)Lx%d0O9$^J{?lX)Nq+u~Jb381iWssg$2PshLYo0Op0Q<)O<=>#>P96b#Zi%1zSuolA^@%tAp*P|P4^Y_WL*apS;+^w-_cF6dX)9p5ApSFJR!i4V z94LNa!HI_giLdb!;~DDjtW*h;vwyU5-d9)MQn$K_uX2QB#WCR~R;=n{;*Ob$tiM9k z_bp6=fA>ivX4x*1WPf}S0d&A;doqbk6l 
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-06-add-certification-authority-snap-in.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-06-add-certification-authority-snap-in.png deleted file mode 100644 index f770d2f259cb7b3f013c5eed728c6bb8f52dd0ed..0000000000000000000000000000000000000000 GIT binary patch
zZZ)VD3w9=JD~F6u4nobb&)`{04^4^TSa`>=V>tvPOP1CJ2D=K&G}q!$_<4m?8Nd8I zE{%|T;X?~U9QF#)M&axpL^NKd`OJ;3kAj#j@^71fkP1|2;>6@#3+rl`%lF)BfR>kx z=A|$-sTm2t{neSgWAi<+U7l&7ldPExg`=ygw*{Uk`q|u#azt+sg_8KAJ-u7Edh3DE z3=q;eiBUJm1Ww%7O*l9ta@Cek1LsNudrErCD1{WgNZ@5e0O?Eh2y1CwUXLqiJ1~&* zxA8}JHy#_pl_ks9sz8c2R_mW)7}-)iDi(*_1DV&J=LWE?95+9osrM9YY>8DvDZb3} zW)4`AGBQ}?KSRb*7fh`jzes7JusjB=w(rYH%9H%W4}TO1pURed@zjE14VbHGIZijP58m;)=g>Q9lgV;# zr2meI6Q%hK5`WCvW}(B^z{w+eH@Vtf9rea_`5tT*F=}*wyfJ$njPSwp@+UZ6VzrdmH82^bvsWX#r>b22`(hWNJF=lKgo9cr-V5fmb zzgQU}$<{OldKWWEwF;utq@=9iHi*rzIrEv3jLdL&YJ$LbW=A(g8IszAuUJ-Cfz;G9 zPxnj42Lp!6B-C77ez}?qv+2Y7U4({h;mxt=AHOQO-=Za8;e{5}k&X#z!^e4)3+v%w zLzX&-mK+=^L8CQHY*&%&Z4nmV=(m7FtF0~{(w1=5u=CVb{ajZkUXeoi&Qw753JiUh zbfd3YtN!J21sQcuoU`F_6;`T_13vp7r$=3uMErs?=*{&0Vmee{wSJsOqC4*2>n6Ak zBIZ2JiC}!Vy6@`$CD|Edr&2q2OfNqSosLS6wzcJ2ZF84IWRh{S?*ikw=ABP|J-@Tuz44lhychm1ff~$dNS) zoGy&*Tkl?_sr2|{KxS${|!up z-7{d{%Lzxt+t|fo56|yg5wEJ!UPpF;dYvFU<1p=9JgJ(Y#i8eqov$bNKj9<85J1ai zk8a8)UGC$4-ri+}zYzXA%@@WxtS~Uct5aZJs8KnD1D3M={Z2ENM#wIzFn`uwUP-{f z%G4#~FHRbyUtI}D#+O7P3VDLfsZ(V&C&prT8Pd$SRrKov`oAuuIbOl8ox>+LxU&G1 zZsXBolN<|gsn}>P>T2oT1nR*CjnI-kDQ3TIqr*RO_q-YShb-0QAUO;TB3>;5+_*no zF|^VLOj&*Cf}*fZl>!U&JB(ybipZ;q*+7wz)+3=|nJ_8`EbTVu@xF1~29&Xr3gn95 z(U=c>j$*jG<1I3R~f6?jMIh$+lNWfeV(pYctHjZ_V%&oq53)2Rfsvy;HE z=%HV4plPqA6_SnIK(H#I{VaQju(M%|qB}IppE6m&Zyf8%2x=EDyRaqyuV0lR51)Xh zTpOvYqfWi=n(+lzjlMg%$r8$MOmeB>1T6pWPdHI^+|GL}z|~wF9qSncN6@BK9qs+e zq_WR{cqD)Zjt|F#EryxjQgUvzC5NE+Q&p5Rn)!0q(!#VXF2-cqkAH1-jfPXb&V(dO zDId0O;lKy#j*vrEn4j2ZjtBUj&<5?~b6)u6gVR9k8=%neEi^}QqC24{Isd<*xt~uD z7<57t8Y*M$;8ax9kaQOtn|AOL@P}^3=coFjML_MBRWXvQTxR{UZ<4p?^4XDP#j_>( zhCf^1kd2tqS{D|kZ*!(+7C_GZPjD9HM=KeiK9giL@PTvsEqZ$L%SU3CL(oj2z%$<* z?HhH6J|l*V;saLS0(Zp}whh@EI-ouv?81#!sOiJ+$w}Vbl*AJalvfLYkCsg3CnxO( zOK{R`I*D+tlZlCQd_;xp&_DwHuMO~o+HJ5Q5UH#TCl;yift(B|n0vBJ(;4QbE4Lp8}Tax-~6)f?G|&pXlJ zahA5DE5;=?RB}l-<=I$n3hB@v+UvDV){Y`-?)1DH1o|2IZ?)m%#m-6|O>JFD%&pB) 
z=DNv#{Mx6NiQDOv^>p5Kg_`pjt;K<>tP?-lE6AvbuG+b%MQE%?%zx50KqJyHb=^Y`7xfzlk&tpZS7%kf0keyXJIc^OK zb)IrXt8D-0ZbO6wAGf{Ns>}gpAF}k9(+S8*g)1%fJC7YqM+5Vg5)aSL>WWOBcQy>8H9CwrMqNI)jhe6T`v-@r{ZfSt$8} zjP&$MWk=3#E5`H4;On2!_3XHiK5OE!Bwg5siY21KAdCpp_UfV zEARg@9MU~18%cFq=N?s1T^&?exj%sLQFUIV*Il{9YwwdZi#jag1G4h&?aJE|>pO3c zn>lkcr}Hl%;bH=F;`Sy;2r2V(3z|$}Nx-y}Ss~gkJb(*af6i1c)fZWtgd(@a1B+xQ z!pxb@uEQ=_6m2&mP`GHrbrFlmF~E<&a06GX)b?Sg=RFN$Lazh?yN`^7G5AtMEGxBwhl-yPqll(BQNFDbzw>0^FJRbj0 z_IDCyqiE+y&I-kKuZOa!Sw!7ZaE^a*UA?&u-A(tq&^uPb_4Xi;1L({p7;NYiC81@ZS?XxGd>{!&`PA-G&=w){caY2M@YZbK|6} zn+vfMKuphyHemvXh%mgrtHaNAJ+eCJeXfr#T-IyM;AO|K@q{y3t;;4}sNC!0?zU4w z{~F>lf7_Fp-C_81(#V^bZy;H=ZfdD_kbv3qFz9qC^RybeG=4MAJ$Iv^J%#J;>EWSi z<)NizMXROeZ2p5Qi6+fp9R5j++Wl^6`7tdjBco&^*G+8H@N5ffiyVubNX@VIWZH9U z)ouO5z5ki-`MV$ymf$pP1rKlT{dEClH4COktmbsx5bV9P@R-1V+Is>isHddF?>;RZ z9Aguuh5qbDkd8^wu|C31GKPyD5$Rcq%T4K~51sx*i)onp*2cI@ZWd+ICv3>>>AE@j z7$s%iQuh!!_Cyv%BLw|Y;t3$xA5&3Pr6iYQq-U(qNXpUc#(OjX<6u-Lo|uy{nJ+HC zzK7O`(6%`RpDbwWY9d)@8E(0pB2OvGn%OCPed{|;G^hFOkuZ!$7QB|ytW7BpF|T>a zBs5#ixDIQ+xLYt^$}wz~eqJ@w$GRM8+;M?E?qp5>y}sz8?ifsIbBzzvb?T~?zodG4tFlocY;udLTxY5A!R)^NB{x? 
zZ1NP6F|VYgx5j2+Y&5~1X<3R<|59mT=O!{HLhWp=v4p)N znXu)v@ae=fdz?yNvA#ZbhOUB_GcHb_wBuMLmGJe$?FH4lcGn@?d2>5XvDXF5ox6yM zLpjGzPa?^4^OEdc{(=3QjrDyKv!+caX#!?sb6WB4MiC;>PD2m~^k^KlCo(g`(n zx_Apfo61KVkHb%bO*KXwfm&V~01=^-{o4u5(31p)PmZ}mSKn=k5tqc4_GLS~_^Z#& z%#1NNyX%aFeC^Lq8X8zS#R|q2&d~KG@_u!Z-2pwJdMmgz4ZTU-W${00dpt@mIR9t$nk)?4s$I7*x=r>(?c9wE}HqLs?_?M_BtN;tmSY=>Q#d z++aFRx_|n8iTMTFXQ?|GFk;dK?9%HnfG8%1B!s~zWm*d@qUQgwOdJA@RKVBr^V;O@|T z2Xy9l+$(w!lKg0k73h^1hIGs7VF%UUS7FzH2pULOA*eJqTFt=>(N~?{zzwb}rsBL=SGG+(H0i!+JRyK;Wt9N*Pu=S}Yds7wq|f8f ze`^rwR@t2`OnjohY|#SQ$T(FKMoO+18ICo()W~ZlH}^`a3WZ7Q-9HsbkX+!o-ywC?9E?+;7}fjdZ@Lzu`<9 zNsGoB`HRYULFx&di?@$qzS2OqBr@U1E+x}cEP>I*k!bI$&|V*M zNpxxMiMuCjhqpUF(}goIuO*{vfrp}Y+a(QGoH-OZ@)r;j3e*S{x@p$Dl(KyNwkNZU z=U>&XIopOtKG??gy0@RI@pR(A?jrFP(nNOGqLogV7g#wan;^K#m6~`2)0J8ZWA>ipwn}MnQ_6WG`ZW_)J>nO z6)Zy??qDbBMVC|*jfz&+QIzX?{7mydrgbx!w=mit3=QFTRBb2k;Bj$wK_(|Znn~6q zCu>dXXnp%Chdv4oQK&wzo6}eFvn5K(B0=TFOUTfcbMU9`$Kistv!v4H#%CqSs>(7z zA8EOp=Mw0I+Y?`y!N|55Mr-)yG_p#Hzzrm57yZ??wYoY=oA=}Rq<{UE`WO_O2U@Y) zL2vvGsO)P7LIJCziKuv}s1jXU)w1`9LTenV8AUi+cv}#}nd@5XhtBRO^~a*dCqNBg zUTG&!0yCTjW+w-xYaJy;<@&ak!6yiJe;1iM@Q%H^^Y`)|BgsnEcwF3{^=Wvi^8WhQ zZE-2V^n%F9Lt)+4O5ed4cixe6GNQoTrnE5Hwa#Vs}nw`F~=JG(63SkXQkZbtpSh7s@0tVq+dJ`8u55bFv61?}lD1 z@8sWxpot@W_YHK&`4vMZE|_J1>QL9x)qho)J>{Bn>Hz(ve*1K7Vijh%^~v!BnaxF= z@Mf2%c>%%u>=TBgXWC<%%@D$2eGkAsokk0*CtPyRO0u*H)fdy-mnin?xgBn7PMxJh z1s!L@RUEo-Qbw*EHo4|S#+E)}RHH|1WMo!Jmpo6>$e2aOOQXS%)bSeec~Qj{l$koq zjHOjT5O%O5Gdn_%bTU3-_B1TY6*rb}l8C#hyyr4C&c_-?BRrmOqr($sEwB6WF~!6E zE@15j!$$sMySbUcCBuTMXX-xB9ulYSW9BnJPMVVTK^26V=6wg`y!l7Ah=n$uQgDLN=4F%6`{%@q z=G_xU*wSS4%(RnX_Qn!64MUpr%9@##x^Q)r*$TFdsi#!-3RU&MbwgG8=YD^@6XZlg zT%(<;gtg^ES|I^VxH7RY`-Rj%6LSC}yap_&sL-X?X2P{AYi`a>(X_F?mvvr*oxfgE z3C-6!uRrYDNaTToH_eP!%rh@*!?k9({P4o_Qz1xIHfAGf=j%*}V$>#5vtxcYcr zu!s@@c0T!+oG7)J78OJo>%D8c9L43kf#Mvf?g?d0qcv(V9DaBK>aEj>w(|^QBs0Gy!3Q=lP%CRn&GWP3jaQdnVuQi!a^P28p|1 zcp_)LNxPZlMnvS7xX8=P;~*mA zZKOsT$Kzk+KSFvnBf>Q9IRAFZLcB&CWZZ1nS!y 
zJZrxPhJ~LlUYTpKqAEIW4EZ?Ecg7-aa$#}9m=eCJe3^V`96lyNG75x(`=WiUpMPC0 zx8?y8|G>nzu(J^0=EQEJb7*EfczfydfV)-A#j{#>%8 zXDYJY^dE_-3fc#sXU-4tO=))8*2xhJyVS(yz42l}Nh>ft1kP;mn*5Z@>eLp$KVI(C z#&MBkaz?iKlR~Y}XX>h&8coZg_|W{OCPn)B&&gG#orR%CM<0<<H+tL< z*7Pad)_(u0`^VU|BNp|{hY7U)s1UcXMUpL}?tz>uK3yz^?L+H**^7Ap3H`30i(T7` z8HGRa20iWXm4;bwFgM+^>9&@0BO(skC7}Qw<4SMlJ-_ElaALPVI$fpnrN5MejiA8% zujI0S6Xxj*UI9=-p-K=&YD0zfa{PvH%}I| zFzh1rEr?_}T~&$SJ@~Qa7I~#`=eg>Nchwp>V&s@0Vy3dE z(9)ZBjlN1)D(@42>~<$v*}VdvW>|JDYQ{QBEj#TbE>t$*+##-{t1G9y{VQYDQF$du zn^;3tHG*^0rZ9{eKVYls6zlaBl%BO56`6_X>>#uCMRV{UeyB&j_rdDBE;Vtw{S=^DGk?KXXVhU$X9vxekw-uUM9A`3?r z`1MYDJp5w=d&gHpNABfJy4Htb%rnz)Nfl1$;p+jR44Bq&b4bBoX1J+XCZ~CtPXgeJw(GY8T z?MRY`>X?+DhgLQ5q~4vqDJM1^XLeNm^+a$$#$ zw5i(oDH~;5MnOrJ)j3P4!*KmLs0MRn#^AsLDtD5Y(1N4u)hVd1QhNG)oh4!r!6X5@t9yhbeBnXVaRq zeRHLi8O?ZQj3J4Mh7!{1VVs)tPbzGR4pZG#4hoG}G<^>U18~`ErtlhEV`H(*Fv|>5 z67%n-Sve`Pg3ne`H}X3uzbMjl`^UkR9ph5I({5YCmOYV9*H5lq&fk3RlfjT*$sw1N zdYLO;!i+~I%~>V|>gL~(n;fwO%Hdb(!I3Kknv z_4FvfZOn~Qb$tW7greq@l@JkJ(ajt{+3|DCLU+#G^JzzZ)KQlBgl7*QpGb4TItx2q zgan~9HXu(T*Y^`$H&PN~xU(5H&Mb1Wo6KS?+14S?HXuJcOM_jo;_0u#1CAH8ZTmQH zOP9Y*j1_77_{;h|8}@nzRYyey1Ds+ZJSM6rKR>*)^L>F1fX6I#H^QkKA(zwX%Wd`;i7+dE?-~P# z&TXaw%>m7oKQs`KCS`ik{kUi1iG2`70u!$H+|^Sp$Kpbs$oBbZKjetF3YJa^-~_;o zF&EFy^Flc6Y#%uVR^UUL5l4BrjVj&gCmLiLG*F(VM)sc8d{mKm`7?TyGDio|5Ca7d z8B$+7;SQkWPuJ7fPNR7XW1ex7sI_f7^QCPEqOaNNpbcR;;~_vj6KDm?^k0qP0RdX0 zd5jpy=PEd~hkF|4E9#l1 z)B&gE<5(+k3O2RqVQc=)Jp&IFyC);MaEx5-2q2ILnq%~+1{S(H$<))&NSzJ&#Hr%Z zts@B{YjHuXe}iD&T|Ed2R5WtlDFRushIbkNC9$KLNU_*m<;abbH0Y?O3W&SKTm(U4 z>5hY{7gX_qDVHM~Xf{iEiY}!liXJ)GQ=iHg2Gu=+RPlX8f}-!MHs{b7-zv@dmb2tl zj~pPJ?jwN@SWql6YLU&_Z}-oO=D}}~1;yO9j;rRfaUfBk@4D2>pgZ{o?^ z#)(pv9|yETu$(k0hm)_AeKV20xHlPi&OmcWN){-fVX9HY&aY%QndIbF&L$ z5f@H8$p!Ee^>ivJUDAd-s&AIJ6i3^+`73*=J)fMziAv*Fo+^I`!wX`aI4hdF=nLLF z>|9i8UvG%8BboSF70BPv&uPTbtso@jk`TDCY+4)lD@U%LOeV0`w-sTHijE;t&lfQ@ zRAb203>d!PIA0Aw>CZ72m7~5@Wo?il6AW8nl2w!~@%KsuILu45ybmSN1jO~16&I`M 
zZQRfONGky(==~YL=^UBu6RxTizn@^-ePL0be8w{YT?Bh?_xR;-d7(VEzI1{T{(*4LB~O;EeJNF?yIEEa|?@kP%TT?5jhBI$#*)ybVBeBZ0v?FCS{SyW1m=5EtL>Ss{R1X(km z6e(4Wp*WZ+t3xjCfyH!|RzngCPG?Cbt_YlBc;y7^=Q&y4xqP;}zCAe=-ZH7pZ5lKe zoB{pOISvC=@veQS^jI`M|E(Zq7;qDH%p7s*P9O<77T9+5Ml{^FKB{7JS*WMxp8L@A z@I6vu{GqIc`!F|w32<_u!m41qCF$o!+O}&*O6qvoTJ{OR7pCx7^>>`0Lo`rw5#h8aKnH^lj3$%UBjo*T3aGxJ+Zg2l; zGW^F3_BE3t$)!>d+o7fgP69Okw0@kjtxMZ6I7o{C`SStpd4i9A;A32xI#&CwNSF%` zqd8!IDA~O1D%mLPAU8GwCw`~G9t8%~A*SS}{~g6y1gFq9>c@Nz%KjSqHJK74 ztAS*^h7Ann7~F%=bp+AK4El2l2rzuJ%US!Yc{DcjZIU^kn=PlYQ%-9Efs%ESgPXG# z{4LPTG^EMl=c5DfzcwIdMYv}5X*j=_AXk}R!-@gUjI5^8WCSg@o}9Ibwo-;6oVVG320D*LA-cpSL++z&u$!<*;{cC6wO_>U`Yi!7M^m z!Q?ygOMbD{O)TdCPv9-WV!C8&?uvg2V4H(x!)tw92&3+3rcAo7+Ly3udcs#FF zo1soCGNc~=6P~OkFd#|$p~=NMw+FI2_9Vc_r5RK_<|GIn}S#eH=ch?wK2+>t-X60()iiPF8~TqgF02BM|Xk7q?_opZE#N(Alsue5U2eSdBKv zo^d_MFwi7l(%NOx5cjI=Jsy6r7d1xs&j~tww-FAl*+tz8{cEGp+2p0wgk50eCS@~yv^YoVyDg{5o$|y*yxW&Wv+!nmAL z4@SJ1U%X&vNQmT}#^*SAu>Q4j{dS zy-#}c9$;=~xS+-~s7U4?a`e4ot%yhmCCLpMiH8~m0d}F&I{ZLU+O%0KV z(_cI!tN1C*j%Mm3-95BgG%$saW)>(YT~xu!Lbs%e z0mx$po4x$u;2d1#2$il_g_!k;BqlFT&QH7GHcx>?SHI|}yv}}luLRMi6oOXS+XCN} z-B_L=kWw`HS(&6Q1YZ|f7Ho8Kjs>5TvXu26i$TSu;Y~{KN8rer6d}}G>MlN+2HZAy zq#yRb0#IUgC-IZu@#wgdiG6GAL6|qHJ9=VXuAG0*1@^UF z2%2FrsP#vCu52^VGbEO&uN#F;dC5IO@#p?cAliQ(43_0VXLJN|*E#eTUGkN)fZ|ZU zZ<2Sl$39B!Jf^R*GPc`timnzqZx|Ao^ULt(9|aS-Ga{#Tb>LDT zlh}-AQdP@#FWR|q?3Ds=KB{UX>G=J&X_buQ^K{kNFAud}_8gcNHux9eO(|G?_Gr@_ zsQFHo;ov?Wi&SDQ#0ZRW6X|$Ee>LP?!)yEKCQK5|%1pST#UuR6_sHC!E4u=kGvYAVcw9vi^sQM}Kf9#K;m6~=;vITR za>^%iu|o?DFXz!w-MM=-a6`+mvlCN{L($3EIj6`UDI*_Vfk91$@$lxBCb>X;o(vnJ z9gDOXF^+yv-RRmpj~t+yP+uv5OclJUg_p%b2&&jW|et zLI1q5ENU(tTeG5L;ie5z2P`L%`nHtmbtskgfa`1Gi?aXmQAa0FBO3q$p*X={stBor zcBZ~_lyiIafd;z1vq-?E2vHbPLmORo=o%VU94U7j{h`ET}X?ay;GsA3FIC4NWYkQyMzm0dC7inqdwTh=}UhfZeSXc#fcK&y67 z#uh1swi}fgL$-B=y)R1WGXyo9JB_(rzGQrBR{P>epcr{dE2}fr=ZB|(0@{nX!bCm!IgX+mX0kyU792cX@X9#ffJKF2UE|^(ni{_7OOc zu{CpqWK)N?G*{%7IajCe>bFEgyP 
zorhR0PAgh_F~@Pb$&QT(1R2Ehq_u_-4Ghv=+^sk6W!quo*zZwr6sf2oq7>~M!?b!l%RC=YiF{lN>uk98W7Jk$?(7(Zqy->U^+1^S3Z)0!Y2RB}8czRw+5PKd%xB_pr z1Lb99r>F631;(!SM$v7xFzVoXuV!Poa#|WR3qJn@Z1t{QRhNhtPj_>Uog%V6@PO3Y z{y|VqmBr@Mf6TmiFp5yod@um3PvyHF?OK>Gu0s_)41ay@(i-%txsGhDqk|}2?a45J`f6xY z$;&Mz&bQU)np3Q+TxN$5msiVmw-jIOZ`u8Hv^~v^DLch#>tNth7prMk2QoAzmd(V< zY06^kTVZ=@IsU}4W@l%TIl!tuem10H^vr%F3eGoaPcZN0KLQpSCBTL^agL4zk&qsm zRF0+?SYO|qw}*Q2OG;E9P1;)!uhet=Vls^L^>{j&A&DCS`D5eq%u)_taXD;g2M`_; z4eq2cH{hD_OyL(9NL2dd1=XD?JPAKuE*N)B0x<+u?z{U`R%kvxBxypG{5`0zudez< zfXeZ?G>cZ|z%Pl{A^`!DdWRNE+21ERwC!~TmduWAvKbR-Dic4HFg;DKHzaXRcKzMv zz8h?k*+~lpo1?4m`gs^5W^!~J->x;^X#3ok#ZOo1|Hz{ULGexy zB(uA$uExJ?E0Hy^L__#Q`7pd#@0tASXG~VA=Q+*CzL}eVxDBp04!<^W3QMbeMz|^+ z1*yerXt-iyteX8{ukYn9!J;;!MlB+7zQfo9ccbld8z9x%ZC5rki92K=o2HC^4)6?@ z3#1SKLzon-6^Sq$NVFwF-4Rh{UY3jWWIr-Cq7>tV5C4a4ZTsk%UvTgVrV2`K-?q!d z{-O*Gm!-IQc-XwW-oNGcJirI3-WD0j-QY=9(e*w=+;?ize?z#PZ&u!74TUf&5HHCC+k%*qP7g_R8 z8ax`N7UsdF^@urK+d6?SI01hzElyrIi4N!oj}|m1jhpkUTS72NxX7(nVU?f{f2+XP zeR8nBq|-C(Mc+3YjFRjAri(cL9-vKbPb6gZ zb0udAV=s^q`s?Ac+U1I&ZY4C1HeTnBTwGM8kdhWPq=Dkf@X2E{cF+GM3B_jQ(@qdQ zljMfR5P;F^T0x?K*DsJXxwyvM}V`Pj8vo)*2A|f^qO@)0pxY;Ew@@ zB#P6MmQvjd(+CM|M}?#<{yjSv|CDi$N7BaY?9@X}w-Dd$-*Aebe_EZ_+e)XtKI0E=?Oo*WgVZ8Si*f(P>iR2 z>V6!L;Wa7p&+~-Sti2#-j>JS2mzU-q{G*KOeiOk&YT3w&7jt~yT4dKh0An;&;vJYD zsgSypjX(m>F-I!D9%Iyh@(qtO=KSE_v~;w(|F=c-OaB}yb(G4&LRlS$XF+pA(r0m? 
zwpc*aSSfEhi2y@VgXPx;)5|Y;7_W!If`W^!Ua}~Pr-89_8lLgDL=EX3fxOW&n(Os44Vax>*D+bd$}8Ic;KF(NN5Q9*q7$uP}g6m=xw$AYqjmm7OIVHj|D-fp$*pIuZbpXZY#vn}V7I~jIOPO&XxPj{4c z4l$Ew4nZc-y26pKtP14Fv%I_o0hhwi3QLuQS`Nh65v9n?6Q#29(X)wdg#<&ZGBzS2 zu}!|7NBOTZfQ#GPq9V9F5(OstMxL6{>(s-ja=;fwe+-9+*q5VzeZoV-eT)`z6SF-D z*LnWGyI6!M$`!m!#BUc0FzTRDI~*HPhW?oWQZqBFA*-|qFz;UbMJ&~Is7cEQyDaNW zTlH3_o!>V@#Ov)C;iENxIVFs#WY?JwFW)BFC^>(lNQ#Sccz;0E0=Vsm(v_YuNId&v zcZqzf$X01C66qYNJjA8Rkn(jBA?F1i*c@E3_xz-{!U5S3e^RT&H`PXR^XT2o<#oiO z#ijLey^h7#8xkFNa7@G@3J&?n+a4;~=y}h}(DR&)wa(-sErKcF^i7*;b zqLEUZ&o(kNEuENyvKG~GGC5~rNkm)z_Xjryio`(wZxd^vBb5kFKs0xeuNx1X@TO5$r1V3^5b0&{=uqaffL0$Y*pC#WfV?vI6pRP2J?D+*&4xbgSBUR(C7HwZXwx%g*po9I{4zaq=A>0 zuR+lPzr|jU_|h}=FSaS(2r2SDXXosCc2aDf{{67-e~+l4!JUw#s(hZnmw<)+^}9Ri z6ER;~K|zSIo)8HRi;i_bp9q(jUKpP)UanqWkz8i7w%a1dy?kMNbNINLERdRpZXa{s zao}9EEB03)Z(H2^KMON^XCKr#iOVvoaiqM?h3Uv`gwL3V_a=E*4eE;U3MJtgAN@ONO{Xt2>%V z9PWarwrrHrcNMA5%i@nY`UKK{kyA0jUHrjS(=2Ce9but{{QYrE^=mT z?MD{hoAJwul^7<3m)!6&i1bY4RHq;@EejovOTFIx(Nz?S_w38|L;^4)2$Dp@tg6!3YhOx3*Llr1cGO9qK{8!LYsI zNidh7h|#d|U%*NNcTH zy1E(N_0&tH6OW-?$tQF6o{aFugA=(`>`AjHP}jhyu!J*ZIL8C^wkba6K+;K>Bteyf z85uzdj>?*hIF~a19ENx@X3+^PrDymjua#7*2PRX}|H~g3_c3qmC)5`p6VVf-fN?*= z!|vO7e>(Cr@xB(|>n7sm+p4}?a+H2m*y(E6S=h-6MMDAW<2a}`vq9;UVdg8(W}C(6 z^4NVH>Pc%*cz*Bl&K3Z#EG?N^=V$$lmHRkMa7dC_P{|*4l*la6N0n?>Vn2bg?Nl_i z=6m1jus1v&ks*_t)HFOG!fY1c68+R{`jv!>y~`@dQ%9H#vJ7NPdjvEMl#S|s6J?qu zdn8=%=zTs9_`OTw8BTvDAb4%7mUI#(Z+<$xo=|;LZn;0)ni^-)}yADRg3DVivkCB`;0qpRun?|4IvW0pacyZyi(Q(=gL6u3;U=`weEL zpPZVxo_&fCom_$nP~UHiwVpCPMj`?5&DC)mk97pTN;)n*eJ^@^_x2f5*DB)!Mcir6FePIQe`;m56ujVDl$M`Ldwp~P zQ@?k1LHllUd)o;w`a9CRfq<12&rfhS_5D9jqNXlFMMqajO_Qj6jvIA-U6eu)R54a( zKrPL>>XM9X@F1^ob1hDngZNc@AJ@1UJUobi)_i_XWZjS0<(b%2lS+QTATN>L+(}Xr zcl}KM^YUM>_N~pG;3^sVQ>vnCrYQ4|P}l7ui@eXvD4dTMhW-4Ea9AANsD5>|`t&DCB?f>=0)W|39I^*r3v9eT+O_CV2*z$?ESm$G zfEQxQtS0$LO4gmm{KD)yk1LF4JN=?n_)s5OM!l9H-$I(qo@1!V-xfRzRSyf3;aoFJ zSt3mTP7q&Yph;prhSFF{k& zGF+y^sj`7jL~Vh&BSaeZ{=_ycalMn2L04DI3TXB&uI|6*7ASTHPmS1ko2TU-!X~wf 
zd7SF*`Qth~$tv*3&m^rdm~T8sTKv&Rogr=W0bs7FlR zMnP6XmU-XJY15ei_eFVmn`x}*wzqOd3b{%38y>8UVUf-F-Ku!ppQacD%2GQUXY1}PUc6d@a1S)Cd117@a&{_w`P%E$))J7nTiNqIBBU73pV z%Z=;b1A`%9{%{i}b#k5MO>#CydRkPG57cLe&}lwj?)DcHsl=QHCj@z!X9wv~9eqKZ zR09d!LJFRXdmWNg^`ckmB3d;{IdS<;h<(Ntk!#T%*yp~tgHS1QT2`Ck#5b}duB4RZQHhOn-fipj-82Zdt$3&V`AI3 zZGOGqeZF({`#0Cs&q_bNs#dM48^+6P9?6d#>v-%O?8_TT5-wOCwA9WfnQU=`yNog_ zBD`42NQ*anjPKtR5=;9`o+!S>q#39s4K5T7T~1rAxdX=6PFMsU`&&7&4i}2bD)uo) z;FKnq!||r=8(k5=w9Z3=>z(s-bA~mp&*b@*ss3FNnJL4wry`1$CNCyv5c8NSJ`Z8U zue(NFMGxD`#OnnS^4xp46zk8KJRShZhvg>-T520f39A#jBsBHB47b%9GEJ30$W!@< zf8rrt&(#>oIq156ac@dJOHN0QJ?q{bweTh3dFqogQG25GZ`gIQ*x!%4PCUadlCn!D zZ}LRT=>yJ6xvc7(jz#hnQS(H0CNmdFyrRiQ-!b!Wja==z#FOa82>Uu8V*pZEoqY4_ zyuBDqT>X06aXpGVy&(HIi2eq_Tl`b)Pysz>v_!;ymJqfY;Wwd0Yzn{VL|BwclF&~@ z=ML%>h`Uo7BDgLNqp!ZaykNTXnLOX7TA9TIM{MIhSn0BiX<^lj0k81j@SXKhc-1ct zT3T5r`RxzO)_27c@YnWmMZb-;mq&du1+9M~jpI%J$Ec?Ium23kyxQapfO0zu;q+L|$m~9}6?mrCEE0GNryU+JEU6gvUIyhV zF~|*a6~!NM3{TU{$>n7Wz8aD(QrEC3rzK}&%ScXl^Lb2ow1*7Kt?vvlUzd4%=y-h! 
zA!Pw}{`sL6tSmWi(?Oi=*83;Vy}d@xGo3`>d0tGK8~nI>oP?J*zVq4J<)^2p;R{OA ze0QBs?j~K!)2o&FYf&x#;?Qf?TNvR3r{&7vk`_MU+H6Ek0qck~2&OV(;$ocEyYyH4 z+f3{`rJ3g_cesHvn`8BI zlO%{S!$tQ`k~>_ELZ~Oi<*Ln+F~0Iu2w3&~W1a*Pjh_D0k}*A7m44kf$Qd7bu$%PF z1&Xa>*jdC*IUZ$LDy+Ac3VeTbMj2(|Vp%qNZU-k(M5Lc&23osxB5L0+7{7&7eU8e8EuSU0xLcGWTkU65be@LB%9X1)Zt>ihFm4qEl~oj2fxug zU4q(>xq>cih?bn0HJGZ$0*{MHbU&K<@CSYlgt$q4NjvX$2#UF}d}pSjX;nJTrG9TW z&9(X32EPtY8Ix<9j?UTHFu2a*gqKsAnP(5#lmZuO{8ESd1-MTMb))T z7PJ(fgCtS4sl&?k`RlsmGdX%nV7rL`6H(b7RdGmAi5R3x*}FOjK~ZhbjKat0{X;@m zmsbr9OLH|4hK1I|26FXOW4e~HkL>ra^j^0-mC<20Ofe@})Q8~5Yh*y+3ukVjv6yHq zoW@-M7M}T5&;BXc0K|`c8*x!xT(R*6UJuN$h)N_4yJg1u54^iG&}fhgjfEi;M8E$P zyoPz_G8i z?5w%)Q1J1I@dJLti2;vM8+ouW!nG7%(YpzUQr@kK9*C^#X1@yQZDYKaCv5K!sXpKD z#qzUhU6rL|X$eJze?Zz5pZq1xz#AOxZ>k3mp(W7smQ%%q!qfPnadBovQOH3a>DuK} zu=MiNFG3?$u`FcS_;6ctpshSb9)c2L^l2^Q zBR;;)NLpO(vQiq>j`3rWu<0*qfh=6?!>y4|_5lNBx~&x1ba8h^dQR%$oVV%A{A-2| zUgCw57u4VQ9DJrlenNz#YOfjDd1w0#CP=jMGW=JP=Am-OvtRU#7@C2L%!`q0((Y9F zo0OV~{+~v98cADii!+jsUr{GkSzA$%S;NrD!EH6ns03jP&Wz`LYy?7msW?_9*T2uj zxUBYR$Mk__0`&ocvEF7wf)GdPZ>ydT>-A(&zYSAjGg0| zbw5_%-v4t|2h&U8Y0>C)6QbMK4eM?D^Tx014rSYWd$Ru$;m`Kr*H3wC-wo%RwNJ9% z&;Ds=2AEssH=W$kF0}2>lb~G(gOh8FokzO>0nZN*^Pme6@Rla|IvMR_fG#f_UnKXe z^raK9Z06;ZT3Bf}NcyixEE0MBHAX{L*$f@i{ln*o zxBHVw@+`}#1|>!30O~7Lpa9w)1!%do9GLj0CI=o!em6=;den^=6j9_aetNwD)*%Xc zTc047Yjs?~jV}yy{A&E#M;+lGkgSXZaeMp4WZ$(f$seelxIU^dnc#QFxCJJFlu>&u z*$(L2=w_w>Ms|IvoRJPUkUZWb3y$?5d>JM_tpFXQI;E$z8}WMu@&eJpO-5T9!XY^@ z>z`4aB;8Os;0DLd44!68^ykOxGB;TqVsn4M>mk z{<<^!#BvM2LGNELKji}kuXdGz=ttU24tdoDx$~Mv7#7q2u{x|sYaJ#=uPY1YEyQZt z@jHXAHw5YislY)8an95K_l6A8V#L#je(caIvDdLNl6>YXC;o?cU`HC&ki^@EV!?eU zq$ka{kMgS-RAgk6hr=DW<;)?G4nkrfNdc6;2Ldr&UxrYXc-_wC7mTbF$t6bpoVn!i!JJTdKy-eA!#ap^Nt%?~#Bl zUU=7R`-_~9FM1)ICp-f|#*M;iKKQ22bg(gzv&x%et&pFZh(?A|8Aj$!7~quj)W1C) zzC9dJQ4bYcIRyn|`CNSL^0*bK#cvsQv*9UZkCj1I^Uy@LJ<>_a$&f4w1Ye)4d7R2n z(w-}N7*0gOPpd9=_dcAaIsBc@>O=o&SzgG(Qm4dgPRHmA!siYzC*Iqk7&M40&%;6` zIjTkp3hFX{F65y+s!ySqTusJw`gTxAQsooiL-|94E|EKbfoVYJNuz+VLQl(W(ZmC- 
ze);oD9)G#Ty|Vg3AVi)5hGdx(e%J3@YidtVPzFv^hLzdhnezmPVfaUMjh;AK7~maC zxC#llm<-Y&?-)V|gr_GSpAvrxn4(kFy%iDi5B8577xj|zKQroUi8tKV3*Tf#3W=K{ zl6Ffs?47+s0t|B|h;c9YcUQm!P8bP@^cj;mIiUi)NF_B7WIB7jv6hFW^mKKN0ridj ztLxx;dMXu_>rmm7V6?{!+f4n?Gicg7H9Uom|0w}Ai zAULvbbylSEk7o43CuqBnpU zS$}<=SIth`RfzD@z-rr243a_G&3oc&KXEofkj9ZJY!^nhVLV|WrI6-lKmsSjgc=mE zouM7rg?>B;iWw^*USDEfu0eJ*B{WC}XQag!D1^&RcW7nwMN6odY5juFS4<%%;iga0 z=uPCkWSSiZG_VH&cc^$Y6HQvlOS)sOaN|b*vpeZP3971R6#%X39+!HbubNx_=fRQM z0SI{jk<pEU|*}`^aF?+m2m*Z6*{n! zBJPqW@Hno@QpF2wBxNp7ObvD0TiIO~gX%+vR8Weu&~2bA!R5!tcMuHhKx^6Q2}q;1 z?R160JA}-R8uE1h*I6CnWz<$m4B-)3Rur3t4XtU$(E8P0&yJwgQH$dZUoFnwJ4UFQe-y6Kf#UbTtDuOcrWj0MPZYoc1?|g$bgd@Y!#y;`~Gr3cV&C z_ho=Qv;!k5gsPs=MJ&w?<qp_s8p#n=8lMIwf{vI$Adj=G^;LOAM% zl;bxg;St9qob&j7P#4+V0c{EyERA&MRl$EP63ks4QsJ^1tmT78$SFs{MchS9wvv{a zsa4R%mi3V>67Ud4I5iKM6Y`vR7?N*{>X+GEPCWoGqT=hHX~XmwQ^3iS^Ov#Q#oBCt z?^I~bktjYdV{vO6jGc~aYcl-NIP7*~(fjmTDg;TkvM_$H*2BQ2!WjFq3u!FlS zhW7XaOCu)C4jLP2kqK^|XyV;9@Z}wRbBGgo1O4RP2klEdv;!ohcNG$s_YeHw)^yY9 zg^7P%(drFAF}V{F0tbo=OBij+#SWMX$qQf<+;v{vY#t9<-RPqh`6cS`Uh^HXV2M*dEpbUC52q^_-#t`Zib&SKpBA&cFHF**$#%`M^uI+ zi=vwWG5j;M+KDmE(0xj8>5F^b6>JbbcW+zb=F?tg^^U9x6*#C*rNDF+an__-Dio#Wq_0NkUvj zmm`$<_pZHPJs}6~dOR3Zr3yCQuaG8&EEXN>DE2MNUIAL2c((+$5+J6cp{EyQ`Zzt5eXc zbum<9c1p)L{{Pob02~ZW@YRN&(#K5QQSAj}>b&t(%U1k3Y{6%gEFol}B7pLLHqhHL zXzu-__4!PDO5(%(>}YWF>7k4q@p6^!ab6giWVygKEH zpr5NQ-+{~OzpKsd((kPyS6#~mOkiedph5K!w%vd{wUQyuy*wxwwRErh_iChV z;bj0>+Vm?(^Ss=5sPU|TJ6?P>by|(lM~S}~le5JCxh^=Ga4ix4od6b)m&!Nf zCm<;1|6YeBT;MACRGZ+HvI(T)pFcAWhCV5X#6Q1@yl3@tcF#qgBptYUv#+?a0i2xr zhI&J4*Yy@KK(LhfZ&`+BR&vv3W@ZWf-_@#n&hNI{z3i2y&51aMgJR5miEw*48Hw9zRE@BWE# z$P`nFx(Z|Nb*FID)~B>tq^;%kQ&#n0?CYvWKGsJoKMtOCIAD{|XUVm&qa+9lrJ1 zpavKIqW583Hd7=M?oWXuucytpgPX3aJpddX%J|$pD-Af&z)H%KcG8za`q_L5 zOr7fy3`E|G7hjgKe-|D~>V^t@0Q%2t#<%QFBh8LTv{%FJ5wA~(Y}GTFBB9KW7ghk0d20_)3ZRa&LvrA0qUk~-3zO9W9Qkw zs<*ycM&t)wY=j?TSQ*Oe`h1V;QHq2)IHwGy;8l@tBR2gCvfWHKi*X6!Esw|tvN;;R z(RkUa{a=H5EN=a7h|_t2{m#^+mb&8Y<|J9tBxX7d3ST`$Wp%zJkmkz%&`+))PuJ5M 
z%`dvuEigqX4Lv+L`pZH#RXv-@_C=1Ihy^qFO3~755exT9SVSq*N;<+-M3o!%#u}Fp zW;)-D$XgBT!r;(S$ijs_`A;7E`WvGkrZK@1hJl6Z@!O|?p1Nc>!d(GTP~kM%iHn&% zjnS#6$42Hmo;%tK+7xP?T4s49IU{Kj!4OclcfHdKUvo;l;zE>=*I=0(rGFPU#k4Gc zDJwe(15Ohq>XKO5tjkXSB9oclv*!WhsQT~5- z)aJxtC?E|r7t?!4Y{xnucaSRwH+%odNxGzY)bjIp@_}MZy!4-@T5Pp*+Y`98 zwgcv;M?bdGhI*|D_y-~3-?jvCvRTO6i6zyoj{6Nt8jHc=776sK|WA??6 zYt|_bY<_`qZN+tdII=>gd%lCXE=k5ReI^TZU?;!N|W7m2>r%vy*J8l?~a@ z2%;W9Pgn};x{BT3K5Ezk*PCwg;>YK&xij17VpDv}O7d+(>i+u}EE_45jUsq;dU??z zcH*qc^?iI^Sk{*OWBJJu&M^4{>DGQd#lkaKL zP`1|cCrd1EJu0zvO5-FC!+=B!1HV4%J}yVAG#$sWB}cIdOvnpDReV5kihcCOo)08d zQ--Ck9}8kDEepbgk6>ZrBb{5`x41m$1*V@(WdCQfqMEQi%F9F5wiBJBuW4v+9o!Qq zJxDx9JdnR&aKCNeyS_p-$S|-a9dY-qyDI)gbF? z&Y|_+{Ui|7>yJVS?POs~ZD`Spa2fSYzYjjz{xT}YPwFrb?jMA?_}4RoAu?(j#t*7L z%QAV2SXl4u6c<{g^mnnz$i#%h@@qk;_}PC~6vS;H&o_Jl{NI%=h{ko+K34&#ACCkv zD$`%(Vsi7|1u1og*4C5+9@o|S3FR3^o##8VanCO6x;{;d4q|PlQ=4K!BJeJ1J6^fh zB|7nzm)3TUpUwmDYP%*@22LXvJX3Qtw)OCX?qmG%*JMYjvKqUzL?4ejgL0 zq-?hozG))@ucO$w-!wvHHz_Cq37KoS$$j_bBVBMD>ON01IJV?+ z4A~@T@y}qBlhI{GojWt@i5<+OC!V?l7IQG^hTX59>UP@7yxVgi!6&aRw)zE>;{=0? 
zn`q4M*cuJJdves?L~Sem{355Iu7zVq#8w^;IqLZKq>&S=r!5khfEFA)(VK5gG&YRP zLSy%m)OqXZhGXTZx0)Rs%zan&0sid~8h^3)hvm;u6?1N9XVWDtzO9R>ayK*AI#%6~ zmNYC6^$%D&21RtE!6+WrmY+L=3Aux!+^IAcYK@JEC+0zo3vyy+dP2BpBn&!TuMuKP zK9Q_}A5}>8i=@}X5FqtbCjYe)+h84)=~fp677Yp9O57S}_`E{^AL#UK@fwdmNaM2H z;hUc7RQRFIl~ow0+v4yoA{Mu(nA-i2;gba;GK;b09$w&Od2r8Fns|j|egLuhPMz!> z<228T;CNod?phydj=TOtp;j0L z>{SB!&~(tw=fP_2j}c@fwP67pgq{$l!0Q&Ycu{a_iz%ak^00RuqTw%`+Lr2`)h=%W zJWq%UTK`n-^uEo0EEzbujZej-g?SwAqcnGcc`l|An2;rKGP`OL2XM5QEA2eGs+)|* zYDDC;Ukzz^(N*|Mt2`jq*vN}0R}+K9Y)6fBaLo5Fz_sw5DVAEH!>kC-VAN^dgkPOi za4`}^U_BY}+Uj9l83>iTGOESjw~@4lC$dSa0l3a*76SV9x z!q2jQ#n|%A*#HGqNeKl#U(Q~pu<}i~{mnfEDSh-#xNvaDiiL&6&eqm1QXGZM{5_Mw z8g{;4)lvAhWWvMAu(k%B0foNcdgJa-V29JXX~DVCSo#2G;ye0W@yDmDcZj`udZq=$ zm^2M+wzTO$QnffNqwri6f68C@18osCHArBk1;nPX8alq|+&E!ZVTHAYu%0L|u=tuP z3z{)m+2pQw6=4%N=!OvX4fXv;okZ6y4Wir`kT-LEQ*<(!tE3Z)IN!!~{4o=9icEJi z1qb6MoW-ue_$mwwIuy7d|e4>9<@ERZy^yTi-4+o z?|x{}6ZD$P9*o2iwzM3^hG=xKr(cF`(M2($SY}g+dAT{#)7vDSY9u7waUk=05iIkBf~U0M%H*mXn%56I~vmmS#+3GKeX zRjqeM=?Jrw|7kGaY!SEiV20Pm?k%6A;3i9(3bjtoet1YF=cWwaa8HubKB^|AWsblU zP;qj;%(pR*NHL&{p%(vP7dv$2q@1_bTwOVeXJZ_HdolzK=pT}d$nmxmv{8X-#CFXo zLc`J!-He;4Y;ZTxsEzpIAwe22y?PZy2z=YVWipE9*VUXejPtyO#$0&#oK*lJL5feqF7Dxp4 zks@PfL>id0T4+5>wA6T?mE(k%e7dC#SUmx5fRP7Q_6IA0{-3n zj9x84 zuCAiQRqs%tcDX79&}dWxK6=F}KrVGl$lN?_iT2U--&G$JuAAA>@k9*B4~mAuuKLIM z(mUe}rDtT~Zet?n7UOYqnT#@MM+mds0eRcwPnK+op>fFQUr_qr@AoO!%G`ZG_n+VZSkh+q5 zv1Lvp_MpAj`10I&xugINu$`SquvHz)(NxSdO#%yhej3Cq0fk;yrv`>Qm@;Ccj5H{4 zoaw2%*dXSB7jsV!AaXng`Oq?~)}3*;?G<*Rz{tuB(Pw3n0e$n<3UZlrsRj?^j}h_kBL?M1Uhp;LCTEqaS~QVkQg^55f$r z;aEDJ*SfsJa(ujCXmE^K@4QQ>B6o_kNLlLeG|krzG`f5UGGYnOoGYnH%e&XcusKv% z_O*(Kf%lCJFUWj%WRu7C^;#)ShH&WM{^w1Q;K zIZ+8?WQ@%&Sz9ZC79#bfX7V^>;t|C?tyd0$9|y0YCnI2E&Tx{GR6T3mk?pP2XZ@G? 
zCoVGq=S)tarj}ar^n5|1-+0nv2Joe+VCs5CxZ)BO?ILOETD*_3rI;_PkFT?AfI3P; zRrM9paxP|q`lLKurQVj7)E^%o;nPv!;mW&cgrm~P$+SFL!4#KiAd-oFU6_|DWtxt+ zvnN^j?7T8ejwZkJ4QYTocnQL!92t9TZ`ai>K}T6!Obll<9Ary0%N6;uq8rIJPGwQj zw?2SHVTCbsd&@N48d8)?R~wX1dj$rk<%q-I#B6co+}Q6zbooPAl>!-0pvgxEbmhn}Vm1@RYR

zfM55wskpu4w*zI4K{mdWqbWryJhRI3+-yxd2JCmwQDW0qf z;zl!={qn(l8)b^F&yljuf!|&LjEsUociLoXq9Wh6ex#pDLKfk}K|?&!9WoMbB%4YY zYRjrC^RHAcak7;yY+-27H8?_a@*+~&hnZ*=E0fn;NC`BhYD>iB?ezpbA#(TnoBa^3 z@`HIE3V!Xxf~)+Ykgy`)7A>eHybN$pW$~JV12>P{*kOR-iD99KEAf=--6fQc$qn!CkvKD` zeMQY;zGfGnUjCD&uo^EKWzssxjHK%Fw+n!2z)}~M$8lJmuCT4$ZH&q|$<;m7+lAJM zB|&YSJ1LjLUoTZmK+mTrGG^mFu}5nFho?vALO3XQl5aAP#k(IYO(3}>O}o&-c-;}z zl*mhjzP(JBCBiSfn%vQ$z*i>r4h;vkp2H(`RJKkLGolRx_EQnUwC1Oaul-UP>>gjx zIzctgg@t*1&?NM!S zU`uf1!0I4D2Izo^vUPA~74`uRHlVm#J&hF3|Iy|N?cG(Z>r~PbHKzc&3M%+I_G)w+ z4DXv@>jxUw#DW=Wv%Y-`*>Z=XiLh|pMxP7?3PUd5yC#G7vF%Rpy29=g0vYc&#;uCF>=TD z3zo=r)zFO*@txDwsG}9^`Z$MnSw&H4UKdP_Jf@<|AKI^4e;!NF9F%#7Bp*Q}--Tzr zmByal6VVJ#Dg;At2vVaCr{9&1T9!0)V5NkO8FfE8*-?uy<8j8^3y2j&6--*_`QwXk z4ZF7|t=k}P(*8dH%|J508M`ZY8)0SRSZXbRo)XE8+()=;?2goobYxXbQ5B9*7HEl^ za(D5bq6u=Ot`$c+BgN3XLFp+Uc_lMsR+b{b@Dc9ZR6}&rEY&V{v-|i6LniUMEP~>_Ko)0X8mX5TYYN{lw*NrE_d_=TqHoQ`_#s z+${{ng%wDOOG0F936_tSQRrcYJ5&cVaWYz4st}nV{qXfbbpeudix8lv3mf-BS^JMs z6Y7J6f`KPM+FO(gCw)trFi`s+-iMx39O{Z=p!1P2>02`5b9%UxE&1uluA9QfL@sox z4RQ}mP}b5x6Y_L)&ykCGG>W*`Y!s&kLi>g}!ZTBlUNMHfr3#plp32MJL`cab*1Jn+ zGDF9AZs4Y=H!8{#p!cB>LerCxSTKma*^*Dz$)piIFSAZyM>{@= z8Avflsimd)bpg&s7}~m{W_Sy^?b1qTQsuu4aIzPW8@oqP+0u`iwt;83y0ss*ougRW zKIS$yoI!e3NV3M{t#Fc#uSvr*&k4Q2 zFk6ZK1Y*F+K!`D+h=9y=ndFJ_L^8eui1V4?d z@iAgx$U>$vz+u4iNz4M?Fp%Pb^Gg6H3zx+${dO)Ry0i~5rTxT%h$(ABY5x>FQu2{f z7{Ga)e~1Ep;0yed5Act&!Td-1{lfs@yX>5de-H@#B1oF<`*iJJLx7*qe|GIhbp97~ z{4@Ih9m?y+?3e)g=k))(bj+^*oE;OhGz_dSk3Wf7y6^b`KfQX6>hK*|eZJ%WV)XvvU4fR@d)Pc}y?A|2bs; zy7sgBGo5ET^!zo(mw7Y&{@y2~`6Ry7?@PWe%~igd?z*~u+xdTyy^VUhS^Hze1LsQw z&ZFZKl=LhkFsBV}@f8G^1fFGsaE%Ef0F6Ot;V9CIn>gV7k8t2G=|Ds;5Z@!^#7;ml z1F&nBE+r(=z&?&ABNhqxw*m%qjVbb0 zxJ}2Gfb>(DVm&WFSD7i$FQWnT5(0KIRO}vRKz>T)ySGz)s7}rW1m5htEZ-MlmhaW{ zEYF`%9qm~=sofFvz}r;Ut3dxeb9vA`rlr7Jl=df-#}DY7S|RW#k=jY^ei4Jg^Jg&i zDFdqeMbhz(Zvk%6B=3jR-`A%91b$xLm|T8DvcvLBq%k)k*=J+;iDO3hvk8%04xmkP z{}Yn)AJg$4Xspd>%>SK!U!B~2mCS(a-$iyEGZ++V1G*2(?$s_)9AVv0Wv9F 
z*F4}!#_xNc!2d~LYeT@QmO#Ku0>cc_zmo9$fQ%7SRF((xc-g)GmPBI{8LYH^G9q;CA1EyYapu{wJikx*aGo&zW_f*&e*cL0zft*eWH3ckmmg4i zrmR1tvK_jqJp}&uXcFK-pd3m-|07u){x_v#_4+=|^#6(FMRoWmI{y!$Ko+%Af%=W* z{g0GaP#+-9lX{*^Ay^$Qz4sq8C80F`EUOdqY?(3pzO22hj?8$oHn4J7xnIP)`Zh81 z3g0Ff%pNA7Ah2*JP&TDD;JmJ$$)@)%j}pjll7}I!R}$Q!rH)HN6gXGDO0RK-?PG;PGNybK%>(lf(xowB_S%nb4^8q+EQ&Nm1Q z{%IV(# zA0f$^C&{TQwX>hv??q`?`&r&hUf&^o^di0SrE)b$hi=pHhg83RVRfQ9Cz6h|)5Or2 z`jTyGa-n|qq}{l{kEkD&s9%{!X+`y8 za;`+}e}nqQh3@D2n(p-`{bM@G(yEZ&{+uSIc67~;@?$Gk?^FE@na3RZ{Q%n37<;iCIZ&F=z>Dq7TH&aHY?pfrM!x$j#gx-`r9H}(kaRgfbat&~@XPxpi=_#Y} zbfG$x(Rq0SffTxz0Zt~>KbXeVgYr$L_QaD;v1QjJDx;KS%9doJlw{+tGFfNsXI`x$ zm6t;4e?n!lrBb%y@qpwaj_zUKEik6vY~>@2$}A^YW#HAjNO{vFB9!Dbi@fPZs<#8l zIrDZ|ds*EzN!G$ie~szBa7r6MePU1g^uOtPBIQ>}^(vtZ?LZlSBQVOYJnLeB-EHYyy%_dD+qR464&T8Y^2Gp8)Ek zYU&@h`?!qmH)Q=m<7H0i^C_Jdm61rc!<~M2la5q8M{O( zCzbf^OJhRJmV1P4BIEWqs$U{0wj3F)1TuheWH=f~>7pnf z2b!%uB(Mr1Bk+C7hk3DoA_JO93i@Yi8=Gx2F#RWLhau&aMd$O$fUp^V3YGINc{_fj z#JbcM|0ktMq`V)<`tA}qnSo-S#v7DxAzl9kdEI{@FioM~tei)b$N!-I38OrdC@;3O z`+t!4>`BKgwth18$^R0Qr$ELdiu(4_U|y$i-*&#-!17NtHov2ZkSq018gV9#u%&KZ%>7f|0NQ9ss@p^sy-Lvp|#L&Q+Ozeh5}y!Y?Wn6tiiAo*d-?`&!F zA4wMeK;sop`LVPu1T+x@2wnt)A5pqwlGp#+g~o(ro~@+(=n8OVkX-zl>i9n>A78rH zkvy*dFXb0VzuEKCXd1)+O84r}e-^DTo6`S`#`~{KCI~E2DUBNG#Q&o9WDw}wWUCA^ zualK=mw+mT+VM*&lhvOY+1oU!W3m!K^$Mjt#%LmuK>4N-kVR6x8EAdqozgLYrF03D zj;-2os~5!VKU@ASC;crV-6$nJN~Zfw$m3(c8Ax?vdAm|MAF(!4`AjBNsO`~|Un7-Q zLhXyEvLmRhLeeumno$2YsyCaIL{lB?=sxBN$58qlO7|h<``@Wwm}mYs>gyQR*Hli+ z3=l%&=0X1AgJbX}qD$uyRnh~u#2RFlHa-KK%-~y+&@}%;`9cl)!+}Ud{rUm!v=dIJ-hKY*L=L2~60R z$`}C2(QMJ56vmW<-;5L{gh2ZH1SGMfAmMbJM+*IWy5E!(H;X9|G4nWC-oGH@=|pv7 z0QN&NHVLHoEE4#gcLf5W~s@PkB|((W17JyQ8_=S zGMLf)DJf?NrS+$JvUrno($|mI>+k9 zo^kq-QoB(;>>1MUsedvlUlpqJW6C3mJOM8k6FIpUm@Dq=}9dfy_V9*qBg%@^;s&(%tzF} z0o1R-G-i2p?N^k}j;^y+kPQ0&XG)hz-#jGDGW$xoc&2w-llQRrF{QJGUrDB69_ynmulamu`Hx~{>1Vn7SQ-blYIV)#y6eP zGH*4V^7%cr$CAdCO(IiBMwF<|>XZ+g7{-wtsM7IIi1Vr38&{U+e?mI<{buDGQN38**b*xH z7PcPA`}e7jm>#pbd6M_YRsdKXqv+U*K=GH)$8cOQJTjve>=?c>-J3 
zCt-9fB%AS9Vm8?fr9Ko>J^q2}8%g=|zV&aq{1jjx7@Z#I(hYq)rom%#abG6-5Ez-;r(PwDr+lVXIDqP$7K#b%1^q5f~k z3uVhff1&~ZBPsjO2=v_PScTHEJeVM`C86Jva2Jq*JS1iM3jr8=#^X_Z|#7w9j?@}4n1o-+?U$#WY>dd?irpyJT z#4Ih_IcZG_&qDUHv}~uXFRMElwO^5e$e}#hrl~3dd1icBKFpJ`V#|V5uOb5Ubo#AJ zhNq5>+0vgJ8HryIh_mIc6uLe{ZFrN6SrA=gAyK`^pvaM-@TI!5jZ13OE;l;&6EgI# ztH;S!1ekY{MB|W4eU?qK@qpydj{xXTB(px$$L~@fI?>o@kkR)dfGDK2>@%xABs*+* zl|4rcCOKfw>JA^G!DVk*LO)?vZ;(hI@tC7B}w{v$faCQE-HSt}>`D5ZRgNOmk~yh3PvnQVB_y=;?_G09FEjd44vCwtDy zHrq7)|J!@(=QxtJ-}8^S5xYO!A9nY~#>U3(-gw`8?s*TNIXvi@@r)T|u_fCA%L0p8 zEoKG_EZLT2fyH1kGg!>b%=q1Ws=MrVPn%|JzmlC##8>LB&Z^3+%F0hZNyY9rd2B!4 zW#?h>AgKQjCYsCl1xvRp1I;zr^F-$%K&P`b5Ln4$wP*RtgB>@3=?C^a5wIx^sq8mH zb`DB6J-_GKb4=YS6ep^Xea6yH>CvP7%$}A1N#JBsVK7dkXNBcw;hABT0aI2P&1T-9 z4}-5SRc>W@(up1aJC^PYmWBcrmin1J*tMnS|Nmoo+>6}{8@5jty9VCuzl0r!`ioQ9 zv2xk94P(ckeqU-{&SLvl(sg6;%#xkUi~arutAyvU{fk(5-9!dyb}ua1vq57TBv`kBPf&$h|_ z(?c!v3(9SK7KUoK1Y6nu^j!=?Aowi<4sH82E5!cD9yl6VOW`TZAK3TbGFZ~SFPxu! zCNJc7B_oy<8ab>WqiFy%+Ln$b zOpB2_o)A~r=TBKwVWNBUCw5JL!@d(tpIsx_J)!SHUSa>mdnkUVJVXC~%kGCbLYd|Q zQ$G4V-6z?#r$J%Ap?k+f;l%yv9CTlP&$iR~#r!OumqyM~KB4o{9A}Cv9rM4l`~7F; zy-65!16iS1%D`sGp#R_4cFMmLNBOh}$7B0bdT%fQf6tytIxlUf{7HFMcuv?hu_>1% z} z|L@)qhOi5ZAjtj;pV>_nKfi37vM`F<>6qei#i8c%pOt-=-$!2ZzYF`kSX~Mviq&U?mbPH zQW}=)la|I~Y4_91jDzz7f^%nQ2hPsUFf}z5-b8P0Z7s;g#tye{+v3)(D=01XmxboW zjT<*^htW7VKd{G1Zw((97(h);jZAf@tu4jKNGD5Z08&z}%R+PG#*G`d!)P3w9}t{$ zK6(vJad9#3-Ah1GQ3+E8;^K^1V%*q`XkrOXmxTsq+OptoX9EXkCpbFV!NxTNb)y@y zU*FR9W>HyEhwGy%EG{mJ=U`zV- zo!MenF8qAl(W>~O{q-q44zq!+odcX)9AV4yW(cif@w03nqn(YYZk>>Qe+ygbLWGkI zdp2xQ(77nv$n8@w4$cn@PP&kJd3o&rDDyH0FflQWuC7NYE3;<_t9t>QOG9-?ijRWc zm*3;Ostw{EW@BVc_TwvU29NG$Vqjrc_MO>Q3ruw#P|~+5e4Xm5K{_opB4-nAC3rv+ zg+fKNeuDTzny_s zTpV&*-|VH-y)}7AexdVf7x{NwVL@|c$acn&neqgKOY#|f6!&7YF}^PQO13|SyQZeF zb-RN&e+!u2^v8qj0+xQccq+9Olw{?hW#ng8fVmwC`_SM_s+&ey!<3->?hWYK_))gNhmLOL}_WgkWfV{arH-BO26=VtnVrE9z1Gp) zF@Tk|RkW2QA?9upYMat<@$biAbHDL9xVGD1XX1g1K`D6`M%q!;IKj%GPTY%$L2`LL 
zQrxfN@84UYbNcy1-IePH4gFBrH(+(53ni7^IKU2?bCcN3ip2fwN({0JKwC{I9>j#> zer_!mmS#{_)rjtaQPdYwxF{6U+I7rE8w(J@ZgT9sZ1gX@Yd?kC`?jaW_n`Id6$Fl!i0Dr>v*-MAkSj;Q23%mx{x3P;Sta*U3bLF=nCu=9z8k?L_=vQELGLM?1>vI1@z(d-Fe zwmFT;f(+bcdAW$zw_~<2K7iig6|7G;AvQV&88r=vvAl#YF1Rx=iY+g@C{FN$Q&^Sk z>ny4(TCuRQg!(7<5OY5b_0;g_mLrwlRms+IkGmY+`M^ z1#v9>cVd#!)Hj5_u0E7zL?Ar!F8bz{(B0UKmaZW@ZKy$Nd^n<$3$RSbSQ|!aR0JZT zVo=aD{QO+p4xK52le*uiY^VRCI5^)CIJdU8SR@BfSXhdnfMf8G{8!``|5wDu{Tj8k zekd-kRRYc}WZJnQl$Nozo`yb- ze{&ob(bWuZG84f$B&{~L=S9KNI}wR?rcl+<#1$1o=wJB}|2k=jX1S{M?$Q9_U9aNo z1#Osmr(tBc1m>1;s4EP>^(#7%NG$Q~DSddj7_)O;gon2TS9OgM8WRtRlNW4mT) zfrP9lEWhZ$$X)`ATQ}h4;D*cJpTkWXKloUxLPO6I)>qY`mym~sqzGu9I15#ktMI#D zh1_smXk2%Ok(M@$d|aUM<#AjybHddN$8h%ceatEJGR$}9!v1nF$j9qQa=~|>UxFUx zHqe=Zfp+ zeuSQ-16<5BVdHfNe(t{Ta4^GwFx*%;dkb^itsoFDz~9CN4z^ZskV%ODI6<{c!lwLaWbA2F~zm z>DR4RIN1asD<=(BYHBcYk3nfk2JBt#pm*t~KHzM39f}e>p=aa>i6?tDoE>3GZ(d+F zQ1Spywk|L>bw$S}+pt{2o{+ySgt29iH2sqWFtdnf{y4Y8 zY9csCMn(kixVX5$$jC^TF=1k20y8r+G&VM3baeF70%v7;sSvsRp3Qdx&ehdbR903B zF8t)=1ZsN*5L#Z0K)+d3SC2DQAt~u0GBYz}dx*A$bSq~B#nIr0F;;8!M9t^`9yq!p zI+qHQUYHqLu3~74}oYuFpf zgchsB%=`j4@A;BjS4o`l@052 z0bskJDJ2N@!4;V5NyqIQ@q%Yq5$DD#l5xmQN=IvZ1su z8x~exm|;J(=f=X(#tCM&kr-h0)s2B%SerV+$=L%gPR_8VcZ@MBy%z)r*FZQ}SfHAb zbE_{M#^xNHhuIXtnUs`-n3x#E#l;CCcoCQgNF1EM0GxCl8c`b(5`u>hA0jn58QE#+ z$jN?$)YL~vPtQP9R22Ixt%W|fZ4`I}B9`9sgGmHB2cl|X2Md)Cq4wi(oM*uMMoogU z!gLs&{}N{|>)=jSCIW6~LE~DKv<6GIKM0BDX?*kJ8Js_V9>*_hz$3H(dEsXG*Y_8o zW8;V1tSDUgvkD&6kBd8DxFHofD&Meu&fd%;O?1@+38BS>uck>&Sm`W8*O;8 zbOppWvVHcDcQ*^S@FaKacYoXK_(42(|eSp>y(IICohe@%fo>Q&q*a+li13 zB*yOi0IM*n;N;o!IQNY%Vp*j)Av_YP1~>o&5*?b^Q*=N#%ApO%a@7VPSA{b7SS5 z7d$;Z;qC1$z=?k6;QWP6wPXaw#Kc4)QHqL>k4HnpPuF?c+up&>E)4`azz&PE@R31n zadsS|W0P1~lh%ZH*5+8^r=-&YHkL6nz4Ux=5ZiZaZ4r~>V?y)6#OwmLg&%h@Gr=y{ ziu4#OGc#D;cyScQ*5U-)XAFyL(t>Mia|cuH_~s#-PvIm zn8jK4e|L}S|NGe9+QHgXClY+zVP$>|$5afF(j)a|xg8zb-=+I1mq+$@pFLF4v8cP4 z9vj8@tQ0eQv|ZN9xiT}3u_+Nh!0N&z#;4|G`yF6zg5}M5DKaRpQ`R}yS;rg;vndVq 
z%ntVVu+8$Kkh>^OV*cA&z!=Nplk+Rs7xvl06wCK>>-0N&Zl-6ky8Rr&2fLe?pP3Y% zi_wXxXV25t$_#s+W`x#}efI3k&aOy3Owo2%FwW9BHX%*VKFjYr>*L4`_lKR88P1)( z4Av$IoJr?$GfnyD7GwH4^;X=m=fD^gOlWTCln z$}fB%ii7hVfs@WRH8mwnOQAOLf`TVZC5VeNWeM?TH=>axG({Gg1}!Y0qoMv=Y=`~_PdsE{5v z=nlH)*D=!FgNYZG+4~u`HH{~^B^X+HRo>l1&(jW!%)UiJxE(rE1n0}d!TFBBNi~t& z++6ha4Pb1H`ZecR0`8-<)Q%;LmfU;3R_)$u9c;d_MT6`aD-ZC5gH4t&ituf0aj+7u z8iug<@xm=NO}GU=LTX_>7M@Q_dqZ15-s1xF&HlV0J!?<%aN~+Dti8P8a6=o$ZfSV& z3NhQL!!2DGG}GifZimvQ+Y8{JW(Zf7pY$%OBQUi?_RG7qy{UX$`r;HU+`NQg{y}jp zzq}FKW>Jz;fM`EwSo##pwmrA??gAKH(}bA^JFc@nEcJAtp(8QY1-GTZK9(B z8AU%`@oKT$2gg494Q%q1RS6f6lU9n^)gky<+2KLW+sx7&M|x^G7B}Wlo?C>DvDYnF zJ%^mfC74{AM}1K-8pYN4xxF*{(BM2Wi@d)taMFdOwQ7flCsADN#ef;lBL7%et5&+m z`|~CD_SPEVaz=t?*@Uj@@IZLG7h`_*DKay%&@du>AjY3oB0W7FP5pDs8)Y@x);bjB zmSbEPeh&syc;X_9M;ZNK1Q+yvkNgE-YiDw*$r5tN>x(iK~L}&S(M5ZIfi*q_!|IgxbPP6t{GtucZ=C%IZMVJ13qN z3i&iMzYO!6t7xxlKvJYP9D~bcdy2M=0zYdw#Z}6_Gt3N@z{$cD(J4i!6BdhKLtTCb z(ld%Nv$=zn#T9n0a-_58q`r3qS^kDNcEJN9OY$|(J(R~rARx#Eo?h8l-dGox&zG*0%`H#m;O$veVL#Q{5(vOrMmcKdZ1D!(-*pICci!DK%(mY{Br{Hn!&a zkeQx_QelqvF2;w((Nggkk27*Hw#rBFzO8X^en4>2;2$7H7s-ji zIQ_35U}7JPmU$_*_Lh1P?WBz>8YXZI&BfwEJ#4LG(NY@^Bb5sG zJp&6{6I@c!MqJ!mw)Y&uoZaB&Y=hHZpM#ZyH$1HMp=)FcU5#r9 zNbh>qqOw0z0*$Yae3KE0}b z8Qyo25a8wmR~HvZ!k+_DYNPP6kszf`{@I*Hq{JOAF0OD1FG5>>Fm7nwfawh#xP&Dk z%w7*CPN~D(L?0SAZDFZ(5`X^M2=!yn*K}rXEFz;LP|?tZ7*BB}FxiCHPBeacf;ucGbaX=YgY~d}9gYyG|lOjkFU0Yj6No58i z?)?_lY2Tr^A(x$V0FjY*URXJ3Z>_`S_iOmw zACBS1bzL0)<}{3No5RRXalKn+2XiP)djKl~Q`iQCz|GAc5<5$TWDe7hxa;Y|zTd`8 zhh!mm-Ge~5M^|I2JsY>LUWfYG<50il40oTq=ouYEoVN$=mQerEC<5%=A+fcBQ&=rF zCv))4|NS3Oy>T6vPqTQrW=I!g*zbbP<=e=Yy`6=T6d7(37+p7j&g~H4!JTbLhV^ZG zIC$Mf!MzYjy#0{)AOf~`XhkA!hsw6ckeeD0lN)C6hz!S-KmQS@b*@8O28wh)ljO64Llvd@z!NdXOePc-Vks!XX3sq@%;FnN~@s{;+a+09xK-q&gWc_Fi!IjK|RI2qLX- zBD9cFxd=adPx#vEVD2nk_`WeU0Jp83VRF+BZB(wz z6~pjmr1J3w++J$DkMje8lg>errg=RJ3-f3goIqfCE?nKGQCq(tT-f{f@4vWK?e-Lc z4b>qmNy{uX%nc49nJCRDKvQKJEUu`q2S67Fw((eF>1fS+f_stPxb2$7e1PXR)LMoL 
zTJwzA(}#i3(KLpwR~Y=9E#UW%*1+9GoSPS19G&45ByHNtzY_#WU>F=OSfG4z6C=gZ z&^NV%jeQ8(r$+IB6(I3N^tesJ#oPuqP7?UUHDICrAyiM?MEmk4#+xdTU(_KqCDA#G zJxpQZ_eA)H=_(i-*dX-bJ=i-u65`vL9}jygXIR+Z!N_aom`4OC*+!6nTns6r(z#!&i&yE`*|1yMql&AT@DW(pyGc)MQ zh=z&YS*TvUC*=K^iUizb6+&x=2=q@4BGSbhsdeOw_QBo83x3u{&@l|a9D9blii?pP z>yKLwDT3$SS-_qN3rAQu#$aM$0O8Kw@N#p6rAvbF`~LI*>Wc2c_ea4v7@A0zE#&s*#=-dk!ATd9 z5=L)8$;!w;es&(76l5YRD;+sGxx(VWFT5S)U>|*DAuv=|g}VABXuHIswYw7$*UsR3 zRc+=S#-gLW4nemxp`opfYkFR|pBN20&rBJtq&8HS0_`i`vSX;>lDZ4B>a*eE^ZYH8!L=lgQe?d7RH4jFs=xXU2fq#JNCt6f5#c;U<4XpgZ9l>H0H%a z>%>W@Yn{c{=S|@6=L7FMbvW3YLw0}>E~#nb@&$d|E9rl>OxgZS4?GODa7JAnmrh(k zXnH&5`wC!TbzgX>yNePbad3ydV>qaYZSYaSH`hX?9xJy)Vho(6aZtN-oaHAKT-K7H zYG?va(_Nr`RvTB&Y9KhZ0|VXnVR+&q3v(9wwy~(rc?^ToKeF%V@%brz`1<=n5>Uhn z|20&^S>nn?mS4_kBQ&j3=vyZ{n5}^3mtW!R6?L|sI<6aQLq*FAZ3F#C3=Bkic_)e= zMj|A>2q}&?ap9^q&VTh!T(ELOfKL#-T-{k^t`;j(ElBjwd*;dR&-Eb0S{o--*>NxZ z$ROehd)r|6c`$HBlwqVZ9)_n?nD?v-cmD(g`1&KEfcgff5F+tMB&#f({<9j=TBNmy zgRMUJ>KG!eNA}chbwYCOIxc;C7Ux*JPn|joBhM&!8(hP!o33#7@<&D;y$r1%5~~o@ z_B7zG{WYkt=S=geGZG)&g|*8g;Ti6Jav!d~k#N-1hPkCDoV>zO+T4U>j~h74j(zT; zIuf!f@X*Ep7g_o*eEoNvcMXN#Ej<|OF^}6n1i57mNcGajx98Mx(by9;PfOrp8Hzzx zLs{#|#%;^H9Gq`y9Go8roTAY*l-Sr_Kg5@50O~yH<1K=;@kdFxQ+A%u0h>g`% zEX(%A_6j=KJ{?0!rUGovpoPVwtw*+y{O$%8W%1qJT4(oQMbL0t9!xLaLR$TpG#s}> zW%EOAEI+Y4I4L&0Z)2d9<&)0gXO*^@z78SZ&d9RG!~n~K&8-+5pBM7i@`|iy?O+qV zElp_c8GA9`9&BTJxJSr;ly_U(J25)7jJ>^G_6)9KV`~SS>#JDbJiy+@BwB?qJ(yiu z5#C0$!t&AT`VMA?D-rFNFMZ*)Xq&Ur}=E+ZvqQ7qp^DAr8is;4yp0e=m zgRz1Bthn?Vng>Pfmcz}7Obo@nj-d%PATBmnuX-$X&w>LKq z&JPUE!(^ki8Iai6!p_bf4~q}i>%BVj!r>5|_hMnkjT<*^hrl>EKOi`1ty=LMiu=&E z6;_*MLAY__#*Nz{HV)1Y2u_-gLT?JEw}e|+S;5lMQV@N=9&CJW7t8#iv;4x@2!eqfJt zc6L^X_`Q4gke8RwRD}3=OLTTdvKv7w2PMiv12Y4i7?Qp8cWts44XvX>C;razFxs0s zu%fg_e-E?cBN&@`-LhQo!FHC=Sl5Qxtyi@-Z)0?D7_+h$XLCE6Hq?*{dLesec`G*e zcQHKh=I>;EnXOL^qPBHVZjjAS?O<~reSH&nWftSc?L8X@=LZBQolm+}Z4Luv7skdW zFflR55)q5iQd^cVS~(~~78SYQ#g*ut5@*Xjx7mRvl+=!5bE%u%Wa*N7Z(}Q!zWDO9Kf$$}M(!%w0!j+% zv9LY>Un@tXG`z(C`29%~<~L$>i`|zeZYFLt&@kegkL#aEG> 
z+b3xpoF5pRbRqNe3otS=i?Xs{R8}OTrzcD4TD2Q3cX7cW3Jd#F2r@9mH4_6A4sM_> z(FHf7+gONg^fcC@u5m~hy1u@?grUw#NQ`g6Kb;n#UO{_9CziGkurkw)`nqO}&$qz* zvMOAX+Oe@Vi;l(`)YQ~tV0sRv(N;LE6@sCWE>zXgDlfoTX9H^MJFw0Q55Z#|>qkRP z4LVu;U$g^M#RS6L(+Y0>#n{~2WH&%I)P83T<2@O;a#9zm6=eu<4?x`GB6i+7j0o$O zvY1Zxp_U!DcU)R(F3!xLyR`=O?R{7nEx@JYSCQJ#g~r-uOtO-1e|1`jM{}QaTFd-U zv+%06hPE!u&s9U`lqRAJThZFsjG?)0?5$0szP1KkLsYOIU~!(V6-#@43znYGu;=y~ zJJ{ZY_YET?cFU?&>*J_@91KI#P!!fRVsK_ldac>LXz891^5ycvGKRaP*Lr5D6Ba6} za7<`?v0}D2kB2U%u=VssYHmM!hE}k+BAxEBwla^JBq#iE(GzW5d9W}GLsd%+Y8%=h zeG$nXhMqQ{hUJZgtv&2)@3MT_C&Zy=d99OBAp(> z?UOPN&JPIA-Q8W`1*ds=g@}$;g|GL&F;D8(NPO^j22K~IrWe3@u+a`Tbx+hcB*P){ z4x$t8BPq2386oDl*R_VBbQ_%dUKQuQRz(Q&tP-3}apA;qeE#J*ggj|RRkRDP-taU17oR zvHB$FoIi)Z{_!)IhbAJxS|1lLsX$BXJT&a?W3aCmk=ECtZ)k`c<{>C3NQBmjGte{C z!UZ)AI5^tkpTGGF?C#u0fbSiYwbkQ+vkoq3vEMJM;$ChyYLXps^QIxRb=6_#?1Jz9 z@Fy7h#vv>y61kOic<8EzA1-O(^?_e9FP>6GTscmiS;HE`3 zrsbMS52nlDVD17puV7@9wje*u3L5NQYF~FiMoBI#R4+mMni@1!PUE(d2QL2gclh4) z{tJ`tH+xgzo!X3%!UP1xCLkpt3SP0z?3Zmk3UR~bZ~uy4{pAW0a~?qd+6Tz%5e*Pa4Xl~YhVe;U_(?xQR} z3KzdU&7K>UpDyYkjlat0lQRy^4+u_zCcVUZetrSD1<{Cz`F|kE{R8qUV=*(+#b6ru z!dkW1UqgPJEv)U`@F1@Ot%d3EcXx#Cjd1iXwz2}@HtNZN8cBzNnG>8%t&mhXgt~ZJ z{OVW#hJR@VNEdIOsKl+Wj>CXKr#w3k9v%TGc*>BrKZ|4^d+6({+Qrqm$f%Z3l#OVu{@!4OF z!6`Td)=m$EX0gHY2XM0UfTKq|hUbP6YIY5Q`LuG%G`ws*5$JdmfBWs{xS_9)<6nFa zedC+Z(DRc*x8ebdiv;!_iI`sOL9nwYJY4Nz>Gp_Di-VZ~v^5W6v@rwbH}s*#3R5jJ z2_#-|=${-w9Lrd4EUxB`cZKk!_dH>4FTt(rx6ve=AQuL=?(mgU-p~k~Mi!YbfD^Oj zaI#?e&&?0P-V*%y+do3hKp&S+9E0YKo6yv@fUv^cd^zkWpSlGhuldE*QJZ3o@c9=f zarxAj_|qAE_y+jGE54QevWW-2zHoE*f^%>gwib$^d)XA-)B@6%4I5iOIBOoq-%qGP z|Aq>_Id+*jz0t2{x8%;Ar6~yuctRomyaK;bLtEiM<*0tR4vam$UsOk}l}IrpA(?mfKF4LQGp zp6+hAZ*9Vt&u!ac?pEDd8Fk@nYrJ+x`3VU>aLK896drqvf0xPkna#XJ&4?Xx!KQb^)x*IUoXGnmrwGuk8Fo^~wCHYXYwEL#O|}Ff7TZ;p$mA$Rc+)9I zOBAt)|L1RCC>ET8^_$k>IRnPC_Yab3wn%85H~d`&UON8riijGxH(2cl7xQZTINjb4 z3&@>x9yQ4zkEeCwW64zWwZNl%BHJ-5O%Cwo*08-bV1gy|W!&JJN;_$>brT3L_m$&4 z2}d74nr{w0nelO-xAq{B&Dk3tS9gEwzK1L0rp11`TqoTm!uEX6zdCC3O-?CWj#}8m 
zTjXp}%a~Qxgl#-#z(-0{Vx{+xSx+2H8PBZc+Jr;T#qr3w=ZZ;XKpU?_)kh$y#j- zQK!Qm5>R;6Rz|eM%UXSY48QpB`GKl%dK-MnNIZfQKh8;G;_KHIW5PFBto_8~Bu7bp zYNXKvE>#EsEQCKfKF*zh8S3j(e9l&GWSM~NP&$@2(_j+X7hW`m)lINOwO#yWs*WPx z2MM-a3RFaCE)I@RdnSm3{R+w|l6tWODhvR&q}n zrXEIqFMbOU5b&H9KSfLGx6hDSiif4vrgO|2GM-^D4F$^))2E`DG9a>xB9EC-uRT(D z7rhX)u~KP_he>aTc-6%*A8)hZ2P` z@&WHDMIvX(8(w{#^hEwym0~x#sRafz=GfamNhC%dy!2rIhOW{#GYZFV`fK6F_MMx$o{jBT#y*7OCq8%gWc(rzL z`86cm)!X8W)Zrh(WU109GG?SJur>-V?LTz!CNAH+tZZs;aAXx~#tUuSVbjhX8~Mrv z5I1?4xzN~s|2DpY0u>?XsFFH9*6#=&7Rx*^B@?Sb+U}uA-k8I_bj%|eu)Q@hn!zC} z&FaKoCMqu3xp)~s9x&QIa%M%rS;Z;ptEr;Cd~d$dk9caL#+EKSws}HhI+&5nd+6rD zi)WN1KT4b?2w`4Yx|q8s%@%YO<>fbi6REE61X+3s7d?K&)>n%Rv{Go7i0i1JXEGme zLJi2j#8_1K_VzlHrSfZGWJyU$solW)b#1lqUsZPR$hgmMR^E}1S~Zz*NslyL*VxN<1>*-78ux%CcqGxW#*o=PQZV=z&9a>D% zpq{S1kI!v^Lr34+tJ@YC5;rSR)k&@aN%c&illpWq>89AIswWevb#|KRHm1(qVltqX z#YZHTTbb*uk800+?D|dp=Qt*(7)BqO#MHg!Oc)j zGJl=*pcs>RZ%}X8HhFa}ao?imq^iSCO{OEbx>hYVtjQgItRHh|h5q^zSBpr=)1MW0 z%t1_w``%x3W|*gWVx!gHthVwY|Y91Z^$=3&nN6Tqm~tPj&T7VqC<9{+9!$Uv|Hx zezedTD;60E=eTkrKsHU5R<2XX)#pf2NTg@oI!RSjBr+0twVjrCMUsGP>G+jW znUt(JmzP$q->uhMpljb)U*}6G)6%vKCTafZVpV7hj^u!nxp;?}B42oMsoyyS}KSCEr!xuFgnT<4-a(GmG*$a~Q)NUDDerx$}=)3%8Jn zh+TM^iDWJ}pZlh=_ra(c5T>rVh1ZSwK^SN#V`gfK^KFDjM-vx(x@0moGmA+~Ow5}% za{Lb^bqkw^?VqOUbbr%#Kz~CL*jYofN@|x$E@_I51MI?JXT-_5xvVQIE1za&ZsCeL z$Hv7;?{hWa1SEY`hzQ5Fq%mF#G$l(D{^6MyLG(!`xQ@VBh$Xc437+n6fQFz)7(Oa1 zE33D^zoVlgLcf9CG5JLM5|_6Ub@@*{>>7k$UKfz9_e>S}5%Zy@752-V_G*T9x;|GY zGJet=(T2fj$piRTlB(CcCJz-rAe9$<|7enoofH0`#iU5*2dBB-;>&t8*F97BAU`2a zp7DdPsStkG_Fc!GQ|VxZrR~p4y_tA~W9yZ4R&6Sw7XT(U)~?gQ=3{x?fENM1{>Iz710+ zmj^1S*eHe;1^7(MR5~18wRQ_-JlbSUQoCO6>H8{i8>84%_F` z>!ie)88V_!PzXCavqS!)9%iOazRazpdr?U}PgxdT(#G9d6RY@zMqj#U8>*nU%Ycex%41Wk zj>oUCP`7n)q=0?6;Ir?6yeU;voOF=W9aix_FgnE5w|P@XBYi6=*~T;;e+_-}q;{F? 
z{PkL@B1leC?vz)6LaM* z7XA8!mxe~nB;STI-R54h zqvs{{0w`x@+o(NOq@%2r%=gCyRbPIi-gLa$wZ#uG4u5}ZG`sz$T;tbh`!CPo<(S=8 zc$BjYIa{Fe#WqoCZX4nG3t6wKYPk9}uHmL|@+b+3v&IdAh$qWtd2g`r=-XdT?-tnK z;4=+C<-Iu}(!K2bvBZ-1x+_rcRI94 z_1m;XJNij&mXZJByF*$}sk78~PxlJZDvF9uWT2%53HB9Tn{h7_kXCym{A1C5YBgp&S}r4`Tmmqufv-H6lctSOHqmJ}Z`abamj zClsPKezC1|t5-XK@+;nw2)XAquIW*zRo<&eM9e!c1fY0>jtWUF^g{2%LR< z?pz~d1|I>~X60f%&Q|ks@hjKvKcMx*J#8`FmcV@s=F~Y4YD(URlru>x(l8}fuh-fe z7#Qqs*V?}aI0pwedR>sB&}ejNMFqoxNB@<5I_lF5N%r@ciajJ65xP*f?i#w_dyIAk zDTF5bJ2(_AK@1AQCR8`px3~ZF-8136Hh2|JOC2#kk4(1R-`SsY1JP0WANgS1X+3Y> zzEzUG5OZ~KSO%XMWi1e*!o$Or#yuZBDqb3;fzr~_Ca0uCBqUI-tgZ1AIpYrS1qTPi zpPSw0P^G8)XG$x$%ejekXOsUK(Jcj|_kfbTyhXiFS+8EbxK7HJG+{DVT@n-&RC(~= z7Op-ap%<=xEkDr@T=|-RHh60E>((btUua}R1T_Q0aUMW71=_J;vb3FR-mx&rFE#le zGoBYK*@?;sM-mgq#j}sNe8a`n=9`{UX=-YA%$pH7TU)as5D0y1YvC72VhbSD^@X9Q z=lebRvC+{{oc&?}vC%NTQ8;D{KQQ=4hsaSMnU{t~-@IB42v?kxtW|J!qwM6$a*fG# ztFqG7CdSGXaps{R?6S4eZR8ozkIBjOy+|LgvpZf-?g7B6XU~6A@1#?5v>IDS?wTWd zE{Dws;-?Id)qc&o{fP(i=s$niO(AVgF9yd z^BB#3>^p6(;}*;L;Y{(^nqXpgM&jR3e~y2{m#&f1{@|2&0@PdwB&uTO`+wP^{l?o zf$ffCWgx301lF@vybawo+89z-NBsV)k9e)e>v(efzj(V)q1zFKJwT;tJUAojL)9_1 zZ-8GQ*E|tJHT`N62w$k{SB@Yr`Ove&i|_+tfb)}+_$6arble5c6)ngRb&OU2*e@A~ z?3eS2vg$s&~yed@(WaYr7>7D=$EC;9DF< zh!$jhkE~v9)`P?YrbJ%V)*JUfmldR0K82yTr*|#-znpWT1$7aIb&GZ>)ldOsb?7S3 zGPT$SqMtrBJ^fxzgi>hEipQ7)of`&?K6debS`}u*!gR>*HHIarIZfh%y4sE~MqYH9vhPNO`@`9i1`RuxiGou|UW z0i=z+ArYJ&s5sB@oLW5=Y)>oXt(H{}ks3$5r{#VExk*V=QrO(*^URY{*X@MoHc}S$ zMCfDv%34Yj>g8t~@$=3y#RP@o}LxK=YB4^7X$!l}imLHLH$C@7Bc zA6*xi;MD3s2#xm(6>SdrUVzc|INd!RV0LFtMo`XsHw?Y{L~CD}A^~)RDm2-%B8{Cx zg%z!02Sn9K0EG-xo(O+zS~(u$<0<^uJf*4p!j-R5POk4IMrEuQtW_g--*un=Azjcb z1Xq54yfEmWjx)?F1~Ptwuy~qq^tv6*-A;L(AQyyAO((140P0!nw+I!c; z$iSLRw@|3|!0?$!IC9?H$GK~5)+{JjVocM$IxPk)IY%Ss%BmRjB4s^-T1E90Lezv8 zSb4pVQMW{_HktoL#**w;f~b%UihuIM?|0G$=^4R!Ul#M+Y#E#jc_3b1{dZ_80y%F$ z&UcgAaB>(THPt$}Rh$g7M+&LFrs0&DGn^CuO77yr&yz``%XlBo_mD1y)Tq(CUxo2% 
z86LlN)p3jiVL|$c1s>^#`=3C#v-@-f5UEj`B)S$IEW$SU{?cCI7YRI06!e9DC5Tt*DP1ivP?x_9R~_R@mR8%Xz$7f{q=k#Syr% z$`d?J%JZAoGAJ;m$x2_J!*62jk#W$AvHqJ}ICYJw7Q}NCq+QD~o^1Y?mO`VGC>hvE z0nC)}Ne{&B*<1Bb@~7ose+o<@I(aQ_YYHe3scz4KUdIj9c+R%{R$B^5n}Q@(q7zLK zbgGG5kl@$$d0_t$!~&Q{-@TQ`0DILZXbR=Rco3E8wHZk=vJVnTzw9JP=_SSz{))(c z6vsM|0wF-2Dxs23ByO}eU(In}y{A_-lP>e93uB4X z*1kHIil!evDaKDs<-M`BU)72#O>VCsIQppZ}~vG(WyXov4WBF+f= zf&)9X)jVVtf&AP2a!L~nWK^LpDdFod+CC^Y(C){>c}8e-;u!6;7$a5m(?|raCrAlr z)gQ*7`|ccZ?>L_5`wDu)&&24%HRn11Qpd!q?~l-x-@3`#j?zY`V z6;5fA(6;Dy@mjipF}?cEZ>Qa1td%N3KFO>2S_7=f6gqLBr`a^xWdET?-(IGTCA#(v z$jllFE_UtPtc3THsOlpsK@~V0IJ^_5+{ukifih`qPvJ<$9!SM`A{N#J+BL)IzC#wR zV2AWM?p;B-xL%QygBa3D7s?DJ16%Z}c9AqH72-OUKu)bV-Z)Vcx^@#n!E4ES1ge@D z(Y*jHT#irGoW?8_A4jH3UT1VXH3kzxTV8mDa{bB&X-lBd#H*p~ZbPi+osF3GgQYU! z^9Sdz$QWT&^ipZG3p?ZQoA5U3Ur%-R_o-RBzVc!4=D0PL^&07<^?yz0q?}e>_|1^rdDTS1jUnshqZI zem|`F{`H^drK{YG4dF12eMP6JDaTnsZKGn_|11lq8X83;6g@Z&YH_74FU^QBf|soO zr=$kGrX$<5H93@5eSx^hD`eE7roU%kkm?02!wt?NZEV!?l{W^ba?@@kT@Z(l(h9LR zJdmryaN%<*31;1qrX*Ez7%>9syF1#-fGSLFH)`!m2kizK#_;>UGgRrsSQa*t>eGDe z-KS1FQBgJMP%XtlYr>sA<&1wLQtQDjJwseqk|i^D0sS`PnTm25%4Mk9+d*iK37oW)$TNu0T6wrA7Pq=!Z@bU?!Ku;>6ti;$qJw)etqMm7%aw4IZv(s_Lp#DA`8* EKUx09^8f$< 
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-09-stop-service-start-service.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-09-stop-service-start-service.png deleted file mode 100644 index 4f3a65766f8b0330319054c9955bad3f6252a8f1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 60622 zcmXt<1yozX*0x)uxVt+PcSz9U9vq67;_gttcekH=@Aqe| zljLO0IhmO=vuE#TzZ0bflEXkHMSb_~9fpFuw8p!4?EAxyyJ^Tt zzN?-j-+wznu#!-bc=xU@0qw~Y@$DSNSzgcW-8;br z^fuPb-iy)6&w5;Isuk46E#jVL)8Bc?W*QwNeON@=qfg3ED6Bu4G96jg4F)r8x0r?_#}NIAH!0#?x7g(EY}1Y@_nurb!OAkZO*)vm|xL zeliIY$)^L^od2fa48H7u#AW`cTBT~|4$_))fb5){{FyHdQJ_UhE5-lRD-6J&4T1Oy zG?sd;$d|o!@LMZ3bmo_q=BB4VnVJ0zE~77>k>sa;uo!jIhk>ho7nv$3HjXAaLmLGb zs{ZfR?dqDEQVtGP!R_rrVeL>f?X;K zn)0SK&f=8uR zDroA1Nln854r{GW`@vaN3Eu@Fa2HE=1xPIuhFpGsqYI)$Ej{yCT+075j(c!K=CV=P z$Z7cKGL%}B0fmR5KF*@=eQIi$riB|2TO!%Ub79UPyZ%R@MrzTLq8d=K^Q3(kmiYTg zal7owoRQFVtDB(YwDn8I@8}xp!`gBhu!t0(+DuYH;(b_H7(NjZD}qp#G((UrpV|cA ztt(B6e7fyBFM+UB!u*(8>Pe)8P(~7BkeW0cO;Qv>_%I$@K*-NzWE|vpWn6u0WGsA` zR)_6>CLJtCjSX25__Awc)8XyKy%>`+Eaz;@p77d-EC5JxXMqwtXB|-( zf2%$n9ti5V%jKJr!CrK`Db{PA=4vR`;|)MG`b~UTxBF*dO_ico+-*(OW?1!s;TZ&# z^L<6!oqS+;J?-ddC0LgDls+BGzv=hhum17;jDN2r-*041^x-$;3I}ZbE9_WKuhUw5 ztl1_hB}K~7k>mdU9yN%NfPh)wT2F5|#nBKW$hL8clXl7`%B{SanO%%%|B8@}LPSAz ziW*3VB&8`=?}nx@HO|NY9b1tt+>s@p5aiqK191a7E6q zN`1Djlv-5g0ZrU5o*8F9Kd{zFkHd#i-3R}QMsUd{uHF0@x28(M$kk);yKG3YwL!t2 zuJwoJozYNN2Z&s}DS?W!EmY$3B`dBKm17>H(|?fg(H@zTZSM*aH*VsVwkk#-ttBBV z`{B*Tnp;`1B4lS|lvo!ee=3<1D@oqlUT)?*tk1=9QC!%7j^-RyqF=DuwVED>l;y&g zR2y1GESkP&2Oa+Vvcsm&pJ(b#q$19%`(FdrN$FkEvYC=O+D&lz+agWMeE(hdeq7;; zBh4r4q!(91ZoY&RCV{gOJ*7Lp-VgCv7MsR=u_5;igjI%vvr=+*{f}dMuD=jF8bN+| zu5IqmaDh+W9Qlqy5kAUPL1o2;VqN*F;wF7a`A2)do{_=PADp>5M#B>XP18}{D})&e z)nz1DO>L?^I)3?Q9OL9jCSie%yFZXGU?Ra;>Y@+3B3vuzHFpaGbdBF_wLN~O$Aazp zrQ9y&_kXNQsOIrGAiNXz_kvX;K9SS@ZZnxu-@O9NsKS?&5vO zXc2Rkwmz6#4^eW<@87nRr9MlRrzgN+BkqNXYOC8HO?yaIYpo+@41%%ta3|I2c|`kb 
z7B2yRxkU7GG4y}d@`q%v?;>-SC&zJQkcen<(-<@Z8&6!MRpL~g^#)X1CUWg~T8GeW1|M2>Tk$>79 zVz!PPAhGUuHK~6iGSWY~OGzfa9NtEKcF3g5dwM1%A`Q6ZaI%~^P!fTXP*b;HsrE!X znQmEBBdN-PC!pjcCWuwus^4x>0V>{^+>wI|7;M7+cqPg+pECdHgXHC@xw(_Jx3_Ij z+%N9-#zx$1Gmf>YE=gdi<3bcJig9y8tf}NwoXJZyg}d|WyS zDyA(9&Qz}oLFdYC@1LK*`c?143vicGD8ga!V}T^Rzq2pUPNlQ1Y0+vO=@971%s1y= z5F{H~3!5@%!}%j2?AmMyBUJ^lo_kg=v6< zf*<#~yL`FaL0-$wQ29eDbBtq(@Cmiu1skFHd~S!hBn~@sIo9L_dpBH3 z&+I6Cr^~Gp;Eo!z9T0r+fs0#zG`nNcd+!GJZ@+gqe|)ds;{$O!V*SajZyV79%bWRn zt*5E1J~H31fj==2!5?Tt+xi6{eEOs6bGXIO`MNB*Zd4xwUyX=>`q&M8_P#ejfprE4 z$fry@GTDIZ?F8DgC&mq$!Yj{N}TqhkjYpfNtmEby1}ZZnZg zYS7lIlAg`K?{bUpg2JQ*_IB!ar}cC;&|&`$ygpl{syLs&Grcb+Uu%k+5TcP3?ivnH zX#PT|3k@1{Y8Wg`jf|#|tj~6iXBnW;!**E57JIML*mq^ANAvS)s`5)0eb?ji=yLljqbQ$2r{k zZK+&7&$qAef~)U3(I8m`75{Y@jnTF>@LsQ6Cr?(VRs+HP`Qj!;?!Mg(%gC48l$Di^ zmopKkmy<_>Pxt-zY-?MiTTeLTlwh;#I;GEyw>X)r31#Ox&8yyK7GL`d6ZS6mR4vbY z+ck*?JvO&(`qor8wkS4leW}Lx8jdl4<6~@^dn7nq-kN6d#&%WUxQY4Xds(r={$Qmy zY-)X^yk9UBZI5c%@XdL>pW8S)6z8-Y^PyUEYqx65)1(0bD{krun)m&o67(nCd6gzl zOaZt1aO=QnRfzG?FFrvbj}(TRO=lkTFl8Dox(Svi<6` z?R&+6eZAiauTq>}Urt}Ck^=AZQJy(piIQG-#PP08UX$g6uw5vgUZ0ryUN2q;wqEbv zJ7W2t5jsLHmHxNJeJDb`z+ch-@=et9#pZ45sYd;vHPl>19&!A|ECTPAuXWBwwv@_P zu-pX8(uz}(Y~sn6@jU%TuN`f5-8!85g<&n{5n@KA9bYqj@Wf-_f-wa?ql+1K*&6#I zl49!|S1~}>g&1f$EQ1$slJ0Dfpc;-W%mgqbbzSbVmw9V(FQ&q{RnityPN!xD(sdyc`4FH>R zba;;3lWy?CHt{kQepsj7QMQHl45&N!G5xLbz?teNa$XWjIP7ik{$R1iu%`Tf*4aC5 z#ClM7{{;M<99~O+(;8>HgggKDzfX>X8DibKhr19Mie#qJqAIcgm06(MK*= zB~x{0&0=kWuz##QS&D#nt@_lDkOOxRsN({+0w!bm7`6$6jq6a3mV}_;KW_j=|wuU}$WscD<*8eX-Q>}2b8Jipu|o>)}24@n~|vK8Xz`TyY(#aq}0 z5EkCr-GwBUKvs3)eV`~(>gwuHbDCuf)+P{eky%hKQNILiD%{rLdEqFT(qUJ^04mD{ z5z+i#IJt^0EZku;%FD%dhSoG$mJ({rH+dflC=Rmp(=3O~$;fjkoU8vgpknDRuC1$6 zADJ5+RoHJ%Gs`nJHip_8EL)Hf5<;wVT?-S*4^zi9w};NM6(n74pxY-a`$IqmE07YH zLjfaYI@0bd1*W=%Nc6}5f4?;EyR%K+H&b%@78?OQk`o~vH)v6s<#{Pln)+~qy}dX}HjBUiTnS7`$zG&Hoz%F5cNrorCcpy326R-(aaCLVq~U_Q0g9|E%_Y2Iqf!;n~>P z>zbPb3Kp3=>~_-q>N|AuAhaEJJ$x?EUR5CSn@6#`c$26rEbTD&ZZyk+zBnT>Rs8`U 
zCMH@E+<4@AZU9o$Az4rf;q&|?)e-H4M#^uU^I#tvzBi6gwCuji(%n=_v~z7V1)vU`Uo^$ zn33+#Gf3TIG0g^Ak`t^+{i3AWClPw^{y^qlpeaGactg%cMR>UlBb7g4HEWUT{e5M5 zb58w=#6iz)XC68U$U%y;SlfR->hS#5C-edeVv#XcD)jqmVz|_TuBJaDnkO4~&$_i^ zQ7k!lOENSxq}n*S-)^^av{JSOPFZ>zH=2B8G@bSeP*xl(Sw{v!0nl9p12!=Sc2cC5 zS}feg-_L#nH73>~Se4`>&>9~a7te(2^RvI-)*qht#!cG6RYH@}VPQXf7qS{5Upd%U zhWm>sSA2(AsW2c9ym;;yn16qC#9;{-Gw9M+StRQeowu}EB{pW-YbZYcJF4v6E_}b3 z6vx*?{WNM>qu;B*&iVI6On^*ohUMwh@w9j74&Caguy&>`#7twjb&;DHeIJAuzZ-CH ztvoG?9yQr=e^%0Cl|FJSW1za3CM;b-EsUYCs3>kh>4AJP|E2J4WHIS2E5(&pRFJUd z=43`_F>@N*Yf$iOjAfgfY*`*WD^vGd6J%Mq`3q;juV9Z-Pb`HJQ>&W>8^kaF9x9_65Q+T2D+7_RvZI-?$T9XTBt#4!GSgF6STVxQXILdZKdQc>V4e zOjTa)pygX@Ue{>MI2r;}h6$9NtA?^}#K6$SF~`MKzEoNJbyB~Wpr-+}JKI{lPV)*q z-T;+&7Crrv2Z(YnbxdR164@jQursI}r5SH3=6OvoDoo|88%VweH!{k}$j+NFA4@)4 ze=)-Rk)$QX;QA}92>xf>YTFl`?|(5Lq<0qBSfWqV^&}uauQwT$w|xJR;@03F?Jl7-&zR9{bT#wFOx$XN*ki~D^-D8 zk*KD&W?we_#)4s;BT{y*iKS^?mjo&GWd~98%gF~`)G*6MwWR(qeqk5(uwL%X{MZz9 z-MflV)>-yTh<2vJv3z^Rk|L=wjVe8}XY>V}18Ld&h z(yev}tmB*Pc|%)od&NxT5!2#VGVyzFsvG9uJ2W$(+a3K0Ef%8g4DD0;c^U>MLw9hh zxp(%(5neO7Duv|+iW4*}1axjVq%gV{b;n}#$deHE%$c%*OF`R1S9SHfeI--Gg?;04 zJxOtLYUS7QFUHWq7kUvNBk)OYGZrSyK-5t;s>hr0@=m6UVal}7>(dKLiy*xiEdR1B4M3e8O+6nCd_O?+ZUAMd@#`PzXQ%47wGm4ZMKyP1lX(v<1dEnqe zKC*N63ky+b%2A2HJpnvl$PI2zHU|b{ygwkqj)*?V%8)rE6GLdy9NSxa99TQ1+Hi6- zd1G_0BioX1HlB9y%bi`YtBXQi8JBaHA(} z87;lmy@it7qaU9M(b=Mbkj&E_)-bi?%+#ooEJ>umtOS?@=j4Q?sLF= zJ|u~7Ji%y7-H*uOdT?!eWo*TRtj#_vx+RA4Hso-h#QN`KuhQqi>zRejkUSskHtnCh zq!lS?$!e4+f<1i)40~sj?DXs<$)vrIf&`9Qmn}xZ6K-mHmiJp@x@RA8>E~C&a`!#l zMWD6GA3j<9(pfzPKm;kxdwm6(}>bMj(Yodo(4Wy|Dm>{G2$2r zgS$zAj(a7Ucqqmx-I{A9MGV$-XMWPY@c%G^%?)-G< zaTFR@%r~ppZLjtvTD%z60G=VPzgs^*^kMOyJ%0Jq+xQ_wK+d=B`sW;iV5+O>4JEm&9oK48bOMo$ z%l<#l^;N&DUtbG+A{TG9ULj$nA0ONGx%gY-Z9a?BIShhRnA-Vb)hJE}Rt61fBdZ~$ zl|ki;xE$jqqb@(qZ6C8kZ`$7b*Z8enW7gU>aNE%0sU$dB<_BT9^kUuhi*x*9>qf|k zdAxJ)Vvv!vv&k)xrRHCZzu~C7!g8Cbiu!Ai1K87%IQ>jvCB90{GOq#VID&pwIP2_MMk(70SOlQM?rA@wXNNcG 
z)DFv-zFsF$R~_zQX^Q)FiK@_nGIsqs23*fUcq)yfdrP(HqEE*Q=(30$H{%54d25i3q_>|OJTIN$Wl%#ANgA(9e~C`S)-ptbVD z>D)&#suMQ|fbKiPsr>+3(}xx^q~*q`@T(`d_=(3vm4~E(hn(6A-hv$h?JXz2bc_y1 z*uLq|>{t??6=JQ!xiA~wNXf_P)Lf#8QEP1a7u12Qf40ATUk?TSn$6p+xschiCVHNn zDRqDt0Pt@p63nQ_+m$Nc9+*(vLL|4BOV?POOxN=$>W0;kluI_a9yZ2}?xf8(z2BD= zdp;@=9NPUeljALgGmh_dvZmf{SMuh&UV~kU3PySDc9QXZ^r72LU`;`Z>9@p_3bt_^ zpaH?P-mdq!BoacC(^k*rQy}hG77gvEjB984j4>_Q(Oa?Dw(Dvd)EIs`; zeOh}bmrl<$n%L*!u*J!^rz?|}Up7mw$y8+Zu4(+*wDtvlv#Pugtf4xGE8~%oxp~tf zu_AbF9eW6JjwN)JY6o6%c!C(`?jDv?Jn*iedU>z#%@aL};7H9!bbh8N%z~=H_Eoos zI~h!>_INi}EKxIlYtEH88EeLt=Bk}PVUK{HKgWP(s(nBEro}u$47{jZ4<8&jjJRYC ztixK4c*2J0S z)GSyHY0>N1;l8Lk9Y@<)E29u0w3!2zjj7PtC2h2{dY@2c)ELXWnxbO#^Nu;8D1g-$ z1%KDAr}`Bf-^SD*kX6BEgGCF^6T@D@wL5!`sI96GqW!KIXrUqS4O6Ib4Z*Bvo?r6l zMXb(wjmOVF%%-tgKvD$E-YNr?+M#RX&0x*569F^oZ;fR1?Ba* z2IYQY>ij7qANCrPkA2ninmtfuU_+QTI6rVb9kiK!P0lS}Bq4H2jBhHvTL1E_iLgZE z0-GYM8!aF5o6^^za>3nf(a@Sxsv?icfh{#+uV|NiF+26u?`-%-dvoF_;(EEgxVcaX zw3IaW`)H6+xdr+}Ljv5HzY#R6^+WWn4pU#$PMCbU{^zs1<#EZyy7Y%0@*`0gDZzP0 zDEs#(w8g-0QCdlyB#te5m&-D+c9S?jjx^$Lo%F#xuh--r6H{4DDZhy=tMU4 z{I1V2-M(AZ)`PXU=?@=@XPwv;rntUe+!r73!@>KffH{ZG`iOl(jL`kQOw=-$8_YPI zuciIzaeMMOCqf7)+m=IhemAIvJafOBlw!tY)nl(x-M((1Sax-g)Lgv(ppOP<{eo#_ z-;az5+Wp-=F)*J|>-&h}NG#2z$oVKh(R(BzVmh?+x#@-v<+=)CLv#$BCU?&1P^{c3 z#V_elSyMKs?#tlhz)ve--9h2X=8}B}ikO_iDYWOfyzF^00b^NPeGc{Yx%YiK?b%R_ zC1S-0js2!m7>z^_MU%^Q)lbn77#`KLST zvP*Z~4}6=-;fi3Eb#r1;(l?lq&A{x6MB}3$ZOLA;hOj9!P_~S)`4(_VJbw(^VF!3W z;5C}RF9>`NgjF>q#FT*kK5V_pj3m6I*LnqxiKaZRJ#702zwC^ky1LvU~#Rc@7p&>}!f#8E$Z^sf^+rF$#w)TW$w9EC+MTfJZjFfujL2i!{`7 zv%o6U<1<>W(E>5$>fqDh*s|whmI%&NpSQ`?q!^=WQ3bWWVZN_2WEx<#qFwRn_woMW z5NMA!gKe%9FUjuIZs6jGogB}1-=2B*;ACRl;Nxu99-)giT~T|s>vl2|0bSx>_k=B7 zzmNFmSvIZ7fDUP6rVgJk&a2Vn>QQ4SQ+YRpCx_&w=k*S3t8OGyXZGRJ#JgCzK+l`z z=_^@cVq$t;#>A$WbS|$KPd2|85^|DHugw&c)g+R38A~?^ciWn21VbMRjw$$^OKQ3Z zyDm#IyS@OGnvIA5%w;r48W=YFB}_jhmlEvfmEADXkdb2mH_7K`2ZdGtB?sU2BPN}+ zZp!4!EBPC7gv+T!mfCHe@2vg~7nlRihaHC*{Fe2aHOd{Vt76S+aY2f}JaBzg7hn$w 
z@m?35B2QWxlO~sf4*$#WIrHp8#cKwUHqL_F$@h~o5>swJ0=?*(;LhD{u^+TTSrq@g_;Xw{oL-z8binltJH2z z?#@y!)ris@%!ze+15R34A9zc)?I|@$qXT;j`Db%>B2+J^IOqcQJ?U znca^_g|FvMC?+jYmZpI$F3brSdyPv=&j{sf$4B_wFN$?bK1a zIq95F*pB#x3!yYmhuCQ~mEX5{+t$@Q14n&h8Aw`Om*>?_GO18Chb!LTb_0X+0lY>*JM6z%ylQXs_E{xYe{cjawdM~y}q+u&A@CT4R&1>#c%<&9Ixv#g6>VnxW|eZVo+XH zUxU8)JR11D?A9PZI=!Zi^xWI^z1-BCKXvrboYlOTJiR`fU<0fuCnW#mD1vJcHg6V| z>L<`OpZ(Q|qq}UzO;{OWH-!NIKbZ=jdE=(Egr{0_3aDx@IFVno00AkP$hvsVPY%Z% zy9ed{p9kDOV#M#Qbt1e;F1%CDs~A9S0z8jU4;T>#jmbfH9M)ki?*Iv+3m-9Yc)4bxK@r6(|2&r62Y!1-w6v8y3t`dB^K6e-G&2IZwaj| z2~3<34(H+mp`AB~x?$1io*>riKGnn0?J}ycBJ-afe4OH#|CP$))v~R^QZBJ3rpo7}f}qXwwpDovSA+t)|D1`5Ni{`ocd8$CKZ)&r8`vCTo(hYKVY)lu&}-mHA$7STN-KD zQPWp3a=X>#KWsM1FHtV1o#1pt!ZAV)%)PK6!R8w8d zfm=R8BRsxQ1}GNf4ni$(7t8LB=G{w8@tbtef^yTpS+2;KF*GH$HwwU!Vsg=7WZw@a z@6MHRSGK)xBHitl8C?bi6NXLd$*Vu$Hz=n{89R=qxF)(lIZAO{VztwUtot zx5ly#)kb<>D3Rh9W*vYeffyEjFEP}&eWJ&iiqOTE&0pxa4}TH1DTb4 z8Dkd;hBWrAlJ?GzfBHHrAt6s+_aU1k+bF!iYEdIS`Pc1>pikI+6@hPdQDbQb7E z=%e9|Zeh{Kh|oK4XhlvMNnXmIQITg_SnAU3pUUU`r`su7A160dB}~gY=Rig!EX#%~ zH38Np*UydOG0VQZr4A&%7x6ZcbF3{{JeyM)%t%vDH*e-N3)4d2Q2LuO0Z+cg=UJy6 zui0y~u}@*qf^T*X^yy?|cAgu`psS9u9tWwnF&~nXQ3)-ipLKPKgf~}PGFTa0-#2M{L|0s&X8!(O zm}HjC$l4BmS-zgOwF)TZf-@ZDHXM%LB3; z8*4{MZDaBkn6{E~S@ZME3%QTNNTcO;>h!Eg9sDEy=+qb=}yHr+Vk+WZo6`8%al<~9Y56oFE))6M=dXv7D zivAH1?{h|@YI}SCq&|&|@o8I#%!u$0>@!6+XcTSLnSAt&uWm)dn4VCw4N=|PCmVsc zV;Zjnzo`hnhb_>-E}`el`_GavWqH=#vEd8|gs|QXb%gU{K~ZORJ(Lt$VVkBPo%|_6 z#&SitT}|!fD@=Kc1JYfs&s;IHj^ldR5akqA*jN`j+sOmlf}vod7HMHa-2;js7Ch5S z)Z|{sa1Lhn(xrQ56zEudC@KP3t-s~ZlVxK3sC<$)F1#QEZPKi{ucEBrxV;z`v{O7% zSN=&#^}>Q_kd6dd#5FW*H;Y!@?i;L<6wa#0SsjyulLIMdxR9JYKUJ#ITKO*Hx(n9@ zT6IqQRfCJKGcHiAl8a1x$cJgwhh*E=)?sg`FDxdr=Sxs<+vP5|?+v--M0Q-*_15_@ zYKcpQ-bx?DiK+X>wRBHE6*g}T}bUlo;W+t4Rf z(b&cWyb{Sgm?$xh{*k<>lqf+FBg$912iyVXJ_A?kc&dP-!R8o5V$qY`SP2$kP((`J zl8l5Yb4~(MgCVOz)>ZM$1tXqS(+DTi>6eqPBJ%3BdYqjv{KlBKm5~!14;lj`n(MN!Q=h>BN%^wMq*Xo8Xox`ZF)5i_bbn=aHi*0q?uA45MJVU!1 zvpY2kU@HA&Dq!e`g+l&-W&WHg_J(`<)(o#;q`O}&A>yrkXX#QDJ@w_=rzhK&)p{Hy 
zMwg{FKIJMS(Nef2c`pu=V6o9ryx}(I7jhvX-L?QDte?KOjJWm{;9dXA8-LemvQ)j& z*<@DrcUNQj7 zCim~4U1y{>D4VnM{k20sK+DP{P3qI zd?lX!aJk1LlFXjO%rmJvuFp2u$?jtg2cJeeL%R}qO0CHQ(gB0lGRGBb?H+jk{{9vf z^a{xr0Ads$|HDOg$Mw!p6?pg)Qt=<9^-?s^Bsf-w#7&Z`g@dH!7$_jIUyDQchUX?S zPIV+^>^JEA%d@Heaj9xb*-R{pZ?ZgRFu?ygL_ui^JIxjyi$Vk?2Be0Km&3s$7BgMy zO}mv`=jKeq=(|f=LO(g)NbV|wk;ld|4{6uGK#Tdv#!*nz2%fEH(U`4waS23mL4BR$ zjUMHMT4>JWqHA#SvXSyfBa3^)#Jg2JAuRXh2NPji`4v(Rp9sl*Fd!ze#xJ$1H5lju z#>6+XMe7>^lF!QIGg@3vO2JPIm;P^-&_0m(^(qP8U~1R3w=zZ;^oK77Ak;cs>)ydo zp}JT1@T29zSVaz8|9*=;a&Am8GV(V)Y^xzEZcGjOX}u%LDgo>-j~$xN(rC5ZM46^{ zR~*SpPm5z$5dke|NuUyDKK=69{h{$*fQ0Ay;)+-SOyzghEt#Dk_|gXFBWg8yUvT$ zY)pRbaR_(56mcv8*d(JH+ph9_(S+ruYhXE485V9$upK10Ovl18_hRD69BzIZj+siu~uP z|074$FPie;#8lh@nl>(aB$qHPPkdYxDmDUH8C+ak6je@d2G}@gibkQ<^GEHHzOEF= zk+SXnJ{X`>R$k4-PIrqI#mio$mMFpK3tPliJAn)omv!YuXY)+bpO^&>edEF99g5N% zFe|63bBRL7YQiQXkXDf3K_nr$3u|@ZbQAy3cG#9(2mTp$3COHV{5AV&=Ql^0&txh< z_vCVyiRzD4|EN3W+EE{{G9Oz0ZSknV^m>$B2V8ExASPF^jG>|ghJJ3K9&TSDWpJ2T z2*7W)6dS!Q4OJ#Lf>&U+85C{`+AhNH({Ss-cL|qej7m7kyGUAI6@^V2;nkxam;?b5 zE>DC5HIOxJvy=JuCUS;hGH5{WyUhP!Fze2`0cJX;VL`i4Pv?n}?{N|;PxRKY;t}Ze zqV*|*dDm?2<>u8MI1S46dVb=${=opIsmyuoJ%ZfBwRW2y*jsn!oC&opEqLtD!-_Bu z4-amEC{T2*waX)Oia3tdxPcc?w`{z-HD zbt118qo^2?Y$77+B0D@Vx1lNLpe^7K=hL`Al#+Sachl}+~jMM4x6u&yX#D6t^r|PrO?rEIhx0~xcQuBzxBQ3p~Rm?_~ufZd=f!m~2?SA8^Sy>-XH;;vfigvUn ztR)kad*~;-9x+)5m`61{mpF_&Gt*dg>%T21-kgXR;g&=Tk~;CZD2`;+^H1~>Bcz_S zS>dt%L_(CXa2aJsqNssG)D=Z*{hKalE-^gN`cLz=UNSA_iR!ahU!US+D0#%al<-yc z20lSXSF*F7&!|UkHmclL$bep^bAHhoT`QovgnOrxt98=4juQU9{c3NYORH2#>M4nH z9^iHnQ-{II_^}R|R|4GMMF${Qv(gz!;F|12DEvxALc+)>bdwgT3Brt49iis!NGwc7 zg(^XriRg{!)jk_m#|A=*cK#lmTx-B$2?DeT)6@;~r<(un5DyqaAdTVub;5V7J+Hq` zMw&z}T5wGp->B>+jyn2{7K#IJ(8GcI0jq1If~Qr@9$ zb`FdA&-zupZUN<77lvNIZ`!x5^f6pA7HX^lz6mEF4v*crn{cptk@l!Iv=S*TXl((TQ=iCE$c{c|G%u!RET+wzy8Ew8(saGNr*|d}? 
z$DPPL&$G{n$9A39tARUP31V79Z(^^4`^!C^!%J15*LnH>=F|BAGtFp2vk$WW>sNtq z3$+Uz5fAA&7H_)`)YWay3U@vxE1M6}8(iVmYb5pDDzo7q&rOenZdbYv#zX3pdfq_Q z>_+>d3yhp)$%YIzR8P4TuJB?F(o-8jR0udVn5|h z-uhy4Y&B!^MNtFqxr`+qLeCW6iYy_GQjJgGgRAM0WmFgVi(^VrFOXS5vpx6i(JWi^ zac&6rB|mRgc27es#sqjS$$);#DN~r{=e_HGI>&tYr;}HtCEbrQONAI|X z033x6H8oRQmVr29MXloskJg(v7^DcsOSE!dY{GO~D2c?_WuA()=w>nBVP(xf6hxm{ z=un8Jo+x8?_Yu{EjbkqTk6OsR@GARWaZ3ACl>19Hr?mL zXZ7%;)3>!BYU+;2^{A!1SfRA%`?p|>DP9A#+O0joa z57Yrow25Jdjb%>$?_Ds1Lge0M?eFs~3MLw-%G=1`VDMw`%`a^dk;jEKq3yR>NJG-G z@rmU>D^9ZFl^hi(?#wgvrO*rAFDq038FT(7SKx$Nl;y{Gth}f5MgiWxQGnn|<%*n$ zs1XN>4Ogc^Tz_qAmW%I+-nesNp7bouWdWm)S=c3fW09WJz>&mMY%|2DAg`$FE|sD^ z3`s+ebGOdeiXHB+eQSAIg`}`6PV#*1L#mAUkPgoEpn}#r1k=-#DYH}RpihSWea^RW zzZ49Wc!hPTcvy1II1U1sU7!po9<=$v{VBE0ZoQME@V@UgkyKAse7~Oji>m5k#i9b5 zF;L$&q|x*9bJ7){0u`$nul)XN4AfF z;edtQQVPu}XpVve(4%7m{CG=6R}*0e0{gqX3}P{vxio-G1la&WCWU96iL@ zb6w$YGbF6h=dycPip1w08EyxwoG5TsEZCYR;Gtc7PRAq+LIPQRJU}-sGn1_;Wv&xQ zhf`{WBZ)m<)ZbbMxCmpM2r7o!dkHpuS&r0nE#~v&m*z;o4#5I$PU6FW{eyQWGO6I4 zsn8>5pRUX6eBAhLc(Zz+3~-+BT3i#8`ei@4oh4NQ-$TZ@Y~mCIffig`T{ zS8JRdHU6ZMxt;5=Gf3LoUvNr2_Tc0t#8eXTz2yL|GAB>>&)69zN26X^!eURA$Gg$n z%|ArR_UTHr{L%^(X6S|h0u0WK*pQ-54S;W5%ri1{+=B>-8O!K(4^TyVlRy4416x)T!}6McGV>2{kgcQPK8zywtaenaF# zNz`!0p!Y*&E_O^u3FnFN%bV2Q8^hW2l14~C{hli)$KZ`__Abmh>36&d zPKejvw>~2HU!Gz5ad70V2dHvgFQc8Kp1N06H2Hyr+ z{{1~tFfrlWAxLZWd0^fBY4#=>7v~ZXxIy?Y&DFuRa`L(j9lhdNG>}kwG0VOHBYDeqKUSrN{o0TFqb40hH8s)a?LB0fAK<$Y=2Ga=ac1|z4S{2?@# z1V;A1FpC?B>sC_uZ6oA%I=7Vg>*sfGWsz|kWq_R1-W@P{PC>~BQ%_HCTesOJUiWFm z+`Km9CLPp<^oV9*UzG4r|J7BR`~qsbZAw;Ndf`ONOEbCNE%AYAr9diV>(>974%))Y z!zX=8|JH+kt7k)aR$fXt*EU2XTNSz^l_w+eTxtN`}3+f zA^+!HrF+sp%aI_DF})^R0}}M?y+Un5Kr7g%gD@c*Da5 z;2Z6J%P4V_4lHZP`5&awVW0|ia_-!-3=FD$5OS9;%I)wqivXKgy!FM;0PWRGKB<1;UN-^!l zd!%%-X}ap1t{QHqN$v6>s?m4(4dRrLA!p>%xekDLUtINQlA25!Cyj|R_~Mb6VekPx z@b&bS@c0L9aj$?#Vqes)&KY&JdR@&uT#@XGAlG=Jw@E};fu9r-;tZy0XStN5RNBi8 z8iCH1r5b}VK@EIsb(Ts*QdK^T}2fo}1g+TSkPA?#PJayyf9eZ~91*4%&QTl35 zvl+f2(B)O@!B!I3e_zxJ))!j?5>2q^7% 
zQc={zTe9ureT3xX5$b4wmX0@l3{o0!hgGu{v1sn6=(!XKiiF-GFAgkOEaEnY!*~5C zEsA0L&;E%Y{p63zzP75U@>OJJ#5qiYwE;UmoXyIkw@GgiZ}Mm+=Re#T^?KPw& zrI4CkN^AcJ1KpjpHa1gLT0lx>F+BrAROF?SoKZka?=XV{qYMvrkSi*W#MBbndWTf4 zRmE$=8&8~_O@%b(8AAO%DAj}V8;nVm=`&iQr(mpHk1U^kG}jbNxY9@gS9V;)DRI1o z{8U;o-?o^;`XMwmm1DGX6$XLnBw3x{cW)mcyQ++b`!})YS`evW*ZAYAOXSOnL$swM zZti8n);m-;HQ}$jo5R-~$w~F#*z#-Scja*6o%dLG7Gi~jy! znLYP?-rZnIyEJSKWB-SXuu5s7DbI_2%eN6yUxCTGg`9nuD&m&QwT&w=iO<0M;$aRQ zx1+XaK=Dr%RlcmulsMzeFL7j_CDs;4IC|NK9*Vd$dn5Ll{WPRL=G@-hESt9)eWz?% z%e~qD_8d0t*~ik4-(l;;Tb$XymU+Mb16%JV(oYw07J6)1yNBJYc4HJ?M4$LL1_qw3 zkW{GnI`GC5XL~~-^;!Bt)4a_{p)SLP*BB|*W4K6r!v}t!>evmJ=lcV z;X^o-4MLea8$Pzxu6rKn5m-5SCN?$ z=SBAKdPrkWIl8-#Vww`mou%8cP8Hv0M*&8<$5{Qz?^&bui2Pztmi}Zu_QgH4$KT}l zzg|I9muwpvv3Sl^^4b#F{)=BTZ|f1X)_u&Mj@r;FUhyGS>s0X?@WvBoTYUjFsaF{; zy+L2j6@jY^!hkEg*&@GWtVLTQ5I*}xaJax z!Y}I+N71v1pd`bd-Jf3|r#p`ea~E*MIek1cI>yOQN=1Y*TR%NRnYeC>zsHWX`lQt* zabezkZg^&p5%iFQ8+FL(t;1%=Vh-y0h`0rCZtW3#E2@aPd4$bdZ<1cyG47!%s(eX# z72@2x)eQNi7KRzJW8X^FynhJaj7%OJKFI|OH|+EeqjklGjBFo{E<8)Nu-lU9z~Omk z$P_Km7V&Kynty?W;s`dqwE!LGU=otj$S!Z9Z(vANY|mCmDpY(Oc;kt)rA`v(B}Pj1 z=*_xJU+z_fH2ZTU#I?Xk(KT|U#yJgfN@>n=#)dWP*|b5M@Txw>Mq6;v(_)qI>);hfnuK3H zrD2#~dyMQ5?#Ogz_tKS0SVyd5W$=nL=Z9df=ZrE(X|RTe2D-TAw9t|3%B~fwS-tWA z9+~5$INA`)rLAj)A8Rml&rvkso;)uOZCZ(zZL(rV6;-~h%#=8z?j2{-%G;DHPn)qj z@IHU>7r)_gS{B;7Hi&QO78kd#Ve1JC(lXuH{_b89heX3L*_@5<>?2ut)0iNx-#bE5 zPZg%y7qMcOKKAzZIL8#wJ1|VY+EuIKH9#fK+FTOcc9G+MkW8NgWC^5u?j^}}7jaJ8 zh_u^Cn9VvIZp@*+GIzq2DypdRBKczC98zY&R%XNy-l|k=EFH*f8=*eU z2i=PoxOUHh*o=H?>x&6-iJ)d+gwEO=0$n1h9Te9!BZ1ep~8GXsRuyp}LT|%6zKJbEzrMVQBDa*QhG0 zs4~5LF>#J>c%YfsHqbYq+zXylWOPtG8^3%agA)dWva*`?T2y9J7B2U_rb`&pWdiP;!}IzH z9%~=Q=F~21PVb{6J!QhSDyqC0GL<;x`J7VZPE{|$M6c~LBF(0=t3t*19p7u>Y^g3K z%K9b=j~@{0U`B+s5rL*R@iR8SRsRxto0jwF;>iiys;Kg2$cu>cWir-RM@LmOoz>Bd zG)B{37th#0>%>!4RC%-Hdrh3Zy?yiz4pUj2MoyAH1?iy_XN40J+k9w(-@Zzbc*wH|;6zoiLap1^$-o6=^zp&7PWP zlgmJB4sQ2cDeIpwn2;|b&XK_$s&afNO17go#fg$s2O1Ku(4J>OQ%L}K9(&^Fdxg#% zGm$@X>53|#4lT3JunepbeY 
zN-#aKhJ)G<2nYxuz{`e!w5BH;S5GgZB0i)~x+Ke?HVSh~=@C`F&+(BV8sMvh($er^^e zG~sys8W9y!YU?kOu}UoUE_2<=6~ohOxNPQ&(UH}xzUa-f^?Ns7548B`4}W0GZfj+W z!oi+KlA;0$2z2Mf@>QI8m_TXtJ?8)EAil|oBxaRUljh2y{j>SgKQG0jbRyPcJp>!= zW$WI{xXQBhwZkta6G!7?tULDr7oGhqyXqoRE2S2_weRt#_fJzc){E=?z5MxCe`McD zcV&bAajD_zia+trM`tLVFkz^WOFNhH(Y$RWD*GvZP14^?VSYJX)9_PIK>()?tmC0a z7`IOC=djI`VTT4EcK&fYkyGN+-P4QxV~-aSXKO_`wMi#wE4fEonJEo7735Rd&_rE%1VM4=#1$i})5E(#-r` zx95lRz~nwQ-qEy+556SEUikX}ySM^6n+v%*>s>zhWIMKriw%+OhDTf5Y0-=A_9*dNkl`Wrpbk zPs%034Av5C`+)nVR%9yA$E7#hjSKoW35yLwcby4}qFEcj(Zzd+dxr1F=jQ@?(T)LM)WxO#T|H~?joC0Z(mF7?%?X6LqpS2UuqVWbwbBaCtR&6JG zvZCLg%jFewv6b5!_k^?SV=dxEG`nN0*sHaj-AnZ-QsU5t&())xIqinfQ59(kH)r>u zZR}g2|AaW(V;*qsnjxmQFL2G{37t;JFomHGn23+eH+g(JfwAUX98K?I>gY#iPBx{2 zz-00obF;-qB~v>}WmOe5;-f0hET&_$pPJ+}Qlk91Z(>eRZUf!9ew^N;O-6eQem75` zV>iBzd9W!PTj95rvk^yTA16t^ZlewOS(}Ov{Q)_7g}8e9znD17gXyoe5D7IC?W23* z)v=(p*o0)SqvS`NqayAiB~cg14!t6X^C=Z&J8ARb&)#Frn$>(ZYqhcm^Ou#e{uD0G z+l_bW%o>?veTkf(zmI^b$$cZkWQSXGeDi7%r!}nHeU_l2ZY7^zD8nseN2k*)k~LTp zhtXAY3I_%#wmrgcKi-0wS0Im#?h~9lxv$|xGD=-e26;taUk{Ti-wyd+6K7RbHN{0m zq(*sBUlc-~-OuSu*+o=EX0^*fgA*XEM;Zr=Z=w^(<{j`WI1wC8NY+}DAvzj=!}o34^rTZP$*b=>l< zpefgf6FY=Pd-f7HZT)B!-+NJr5f{!Mq%{U zydcZ1gw~AE9e0aQXV1mIdQ3DbYKb*rVnCjMgkG+6%Kz5i7N^kyJsn`v}j? z;jW=6F3$HjweH3fQjENDf)l6QgbpmED_^APJ}!=TIJM!{M1J?;dru!L|2)xH3PR`N z!zb~T(pBie@-^$YqI(_J*b@3`61a7AEjtfi;)=0734X?G(=nsHyB!y;*?e})m*I|5 zZr#?!-p`fOpB*B8poW{Dz03P+PIBq!YTlZ4mb~FXe6MWh=l}Y1-g)hD=gZVPD%LAd*bypTAX%fslc6r@>q2dWLk?=8XT zfRwjuwR@takB$sab9CObGA8Vd zXzcVSaas_SXZbi0$_W`7k?+SdGCIs)PdsNn+ktPz(`WU`rtDh12KU^FSd7$AQmu*6 z*z^8~@200dkbQ4&!nb<#DZ!3apfh(4H+`l*D1Su8d*X#18

`=G*M!@%}9wy(Ahb zPvS4aRT|(Lk?|0D^F^7X%C}0s*Th*=R7_EE36Xw|SZXgI?e<@ga{n*UJ+_MQ09PEH zTwXw&J$PL`!I|696ZaY!#_!Tbe(|f%*|B{SvsdoMHZGKF3pe4eoS|Kc&in(!C|zSI zocv@TG5u}0?Aeb+kQ_1V=Ki{!ScjzHdiF4f4Z@|xaTysP*TaMj+c)yjk3QsKemzO1 zSGjzBe9X*6Ybn3@{d{(8ThAw}_Tp9WY)kxE;_Sk9?_z%W_CjHQ9UpHvhG(n~$3NJB zN3D3=6U?gLtsq?P7tt2Xc2T*eii+8A;Y##8#>Yp!&n@6iVm3Z!jtGr2j)C50?Ddbc zVZ#DG`tw1uX~TT=9z2vIP&3&2%YWsQ)mz!NZXS!yo8w`8f>rx(l2O;r(35&%lz1~E zbk7Ef>Y|sh`}_Ie)5R>?v4bt^PLtJAj`6|OELyaRd*0(G-K0FY^bB#fm1htT=)vt% z7rAN?GimHKokM?GgG;FlEQ1S^h_l%DE<1Nwj1!+mhSJfVcZevd3=E}ldFcUe>1(s+ zwAxa+#94@o@_*HDob=mOQLE>6OMcgfjdhZ5wT~o=3 zdBn<9Yq8FJ8d`s@Ju6o4#xbsf?tx*_t*)|eqsh~*>49{PpS(+Gcnpr$*0TJh9id(} z=^&|t<=_WgH@2om z@LNSXBdYR%e;BU=j0{tl&|6w;<4Tp>ZA*4Xa8V&+cT;tx$%#tFY5P%$6-1 zIcpe5*U%u9{)Q}{wTO+!ce3{VJp@1LBI?BX)B(K^b zmSD1RCtG)KX2IO|_~-xjL*Ch@OH_6O_7`tpZGD3e{^vjNn|XT)si?r~>=oRS+ZY{a z#qIho<}O^s?rV06mKtHUSNOY*wc0jhr+BjdNB_u=fBrtFT=VGf$mia%U2NIBfgAQo zbaa(*`|xU3E?dlX_sp+#9)T*aSH8EzDZ`TE8uj({4D__&8d-y_)95LkGKcbM~Jp3p!tXJ+prK=RFSA}2oCL$vJ0 z8B68Fr+bKKspa98?HIbq?cF;uUcUpYU_nS%kFrH_Q5+Lm zPijv&`U|$>A^B}IgB^cZz}=|or>%4;6;T{n^DbxHH7)fqQf-XUIp;hvo+zb{;Jb&} zw%>tPK~3H5t>WEirF&wVnLIl^P91SoNNci$8ysN65$7kB%~+iq8$Q}Vxa?sT&4;TC z_7PUEJfgoghLbBk;A)W4x)Cx=du<*!ckjSL9^qQy%9;(A@btCh(3-U@o%J?9`X9eR z&v*QM*A%1koWB&JT$coxvq#uj^4TBx(ck?ZlZaxnKS*)!bXL4ci#$s)74kwz7ZcP7Z7zAEWOIHs`RGDcPmo?AfTNOl%s=G-uVv zM@VVR;MfOiaaEE(N>_Uw_Rd}}B+fdaHFp%>Xx(^byO?_$y`BmTtq6pT5t&OWGV-zYHxCb50-DA)8hWE|F1#GPg9F>o(tV5Am<`RlQYtsv^&QMR7AM@eG~ zZC$;}yWf)I%@yqfeE8FOIOLb&c4Dv4IDP5t8^Y`K20r?HJK7iaF?ZWZEG@3_(W+yl zR6p(RR^_`P-&^7=Dk{Ry&yU#HSdtUtc;ps~+2b?}tWyXKjvzcN6mM@YY;0^MTuhZt zLLMIB^UqeYLuf?X51uBVxSM+MVQl|=E~|FzVb7U6#NxwmE$Mm{xkRmX5*D6@rP4}E6;>2uCK&Y>>Nk@X+XWy5X}?m1(j$xZHfghIbN!o5BkYN$?p$f^(L zvT2X7f7zU*3_niKIY4ZuB+DQUeY}@AIkB`ZkVBsxA+@i8drRgpciC=sY+c0aUDni( z^x<)GKYB(HBnO+aVE%HUY42dwk|SgfcjLPEQ$ARsgj`RmRgXo~~3EE?&J$R!tEPwDt=7o7u4M95JGzdR7LAu)M&+cmI{2i;DNK zX&~iAQCvT?L&QO}=(k=aw4{Zo2j`UXSukfImt3Q1s)*pq-X;9%Z-2yRYtG`AEyvl$ 
z$Pc^Al6ec+Anfkgxd+S8Lb79RS-Eft8&+>aKj`Tp=&h-bIJEpaRf1$fjE^(>cfa5l zzx;&bX2DOi#HKha4z0YYj48WZT*0BovSBnXeKEJ$bXE@^$NTJCa*cwDL@pfNE6QgD zXRM-WZV(#Ik=4v!xr1G&b;%T5*dJ@aM}Jt3n`mQq^Bs7~_C|9shd(LU16 z53^|226k*&O+s{xXe0!`kT`4d18B|DWmpiVJVaq2UzeeRYYgP+(3dlQxI%BvrRRt< z@xdidpKznKIfpBU&Jr)8+8JTUhd*C{_H9G%7+DfgQA^GPJ@jpyd1z{YTVgx)fp^%r z#$tTpPDd8E&#xn-x*FYo{X72SuV!IiqEO|Ub$qns0Jo(-kNhYo4dH^&ZlmQGdruT6KNF2g zSD8h z^5x4oI5^_u_=v{>u8(c8wY5z{DzXU;7G_bY)Uk;CM^7t0s+z=%fkrTDpgaXsxWGsa;kJBf_k5;#yQH@>p7uoy-Q!3N4HkAn z$fN4Uu<8DGCrofV^m6P8@6wD?Cmt4RnA zBQ`Ofi10YdnxF1p++Lb7o*$t}LW7ZU9-%BLl;DJ7L6J{osHc^h@x$~K15@_L-zeO^eMRe1rlOc5}s`Rc#Y7|%BifX zrdg)HB}iz(bJ?P0NUgZ-%CKeIXKQ&BmrCdZU9^r`Q9YE!`S(|G!SEI*E}kcn8!8uRN@>@@rR$x$FoYKaf)234PoEPciDBzi`3Lq5~Dpy zsA?tb_F1J3HYVP>S zE{r<#X05_Jx`s6S^Q_-~mXM@Wa?9$di7@7)Md!(^i0Aa&71-og6LNV!TlSccU)MpP z&Q4ZtGbC43mX-CbqMqxZsw4yJqjOlQZBN^DpMfghO8H)oaaM~~t4x$k&{Wvk+A4`n zN=llr{iaJX+8;0H!T12}Yn6^HZ?4(}z0%SERlYvy?CN^ya+H#ESF(M#Q4(^1qQHF$ z^8NRauhP2Ix1G3!^YVePsd z+zpq53B5QPoaClYzO*T1h)j>$tXZ>`^}BURQL2VAoOG-x6s?0)$15Da;Vv2m&A93v zVU@7AcK=lp>jr3xdBE~jYdN5IjXM{u$ZmT|oKlABW4X9}BWu?RH%E-f>lDw&>ae|d zfYs8UBL>73rsJXikSwJwHbju&W>z22BQ`%Bcl}2c4zv<-$An(`wGT7K&C~C1xjgvs%XGtOFA>>-%t6X4G=n-N+`?nry@60L3vIH zC7D4Kru&nd>`i8Z2Px5y$xilTR5Sfq6;<9KQHfI(Ro*c9GF$GcqKYa{<$Ftq7tVns(dy1-V*2F;2=rqS?HSEvg+_@)~w&e zmD~5Q_X%NWcS=aeW zai1z(9d*bFvNM&zo=#euyIyUY{75&IMP;;T7Ld+RI@{~1@9d$wxs{&5uRd-jH!5!v zaqnoUp|Sf_^ZWZPUy3+K`Wfh~X0WqTd|XwG_13|tIt^5nH&ed98t1?u$!VD+W@M3* zmrhz{JQ2~sSlc|HI4h3w{3Hbx1qR1B! 
zr`$HKr8CtZFB=~UsjKB>xw&{YSM8?mU@|VlLxT(rk0^ePjtoum zcL=XjJJ_e?MEf*sJuK4qWJ^qqjEyk(%s!Y;r8>%x%^UY}^5PW|U${T@80n9+*}Pbf zdJ(50m+KtdbdT!Edx%cRh!XE9h9dl@aq7fs%Q{ZzhtdDso}j|&q;ckSw+kG-FHeCf z=F(@IaLjm~IEO@fr}{EBJjmeCkg^A=tn3v#6W-P*S+jTE1xmzqxZ!cm`pGL*qe)iA&^N-)=q(=E`jdB_ zo6zyoRU+?P!}#I&QB*O;2HZ1w$eH=?@(+LaOV${9km6<}$Y%=&_ip5qS*x&3mwT}E zlWc!U*{Ns2ytx?pH;S;Du-&(twaX83Q&h+{x;L<~H)F*={*a&kVFCLuo#CdD86}eW zdNR1Cqk~6*rp%hLIkF$8Jh==epUZQ$;*|N6IERD=`{39X=85z!+N4E3bm*NKA*E+`wdS4En!=Zx2v*4Dpo@ovh^_8>wlOXaoqmL8jL{)J{L@M4d-I&TVbju3nA5F0k#qDG`Q((oYrFFvF& zHFlP_9@7%@M z#+&@A7<3lwBT$|?LMmrJ-%GgMnsqFN)1U1lqN9#S+jer-Q=X~WiRt=X*aRi;Nb4Bq zOrIW7JzSs4ja|n$b>}8KXD#PZK^fr&XE}c*LU|r~^(dFGdlCNVHamAaDQ47!qo=)_ z(EKc}%s)uHR0w;bIr-@xLMBeakdkY2jNkm>&#c?AgPqIXP9kWO>0!%r&)m#||EpgLFOI%BDE4*)VY`ZBbiOy`9Z!muD=STw&&M(2etb%*X zcHopDE4DIp=kCO-vKo(L2e@vLC2f*tsgJIy12*RRSOzFNu}?@A*A`qNPD7k?ci>*A z(U%ACICTUq-6-X5G~FB>gY)=0*s^t%$)wXx8t~P*%z=wnIKO)(#|=Hm&z8h_ULnrz zY+tVKG@wK!PDQ?mI2%ht=q@)F@0X!+Dhic11q=klb%i`FMW2D9E6<;fVsV*cha6}g zZp2YEw07;-jze-iofV1b?cdFg{bxyN?jp_6f#5_ray~?Y?IVJeb36M9dw7il2M%z{ zHbEh^-l9NGZrje$o9Ef{(LMqyG#Y0=fmip7_ri0UiEC{HnqE=-F?Pum?{O0WH|}!v z@^Q9qoX0Qz=EuxBbeDvZLSh|V@o_h0&JTaW`>Re6UDH7FBL|}M#^*a^xZYsf_U)X! 
z>q3hNI>GL=;_q?mU@8m3+5M}Z@~hv@=BkezhH1mY@SO78(yveua2MXUjHh3%Y6t@C}RMabOHy_P1#gnqQ}A97kGzOwzp{ z5P$6lq?!J!usI?$&J$BKPGQ;_&xsB1vQg(T$;rtiM|l!k)9wx&|n+r z>WJm|yX$c)6K&OzY|eZz7k%FXn%iSI_U;yfTB~@lat(TpveU4GJB#F=m!;%->9c;* z5qx8l$t%s)X=c_Nn@tZZKh&Jfvknke)C z4-X#1rBG@vd7ONE4wq~rlsqr2>mc3kEbEt_BvRbloIb`Cvv8Uk<2br{8Mj;$MclK+ zyOhSB<(s)37?11a{p`QwKu)F$yFWfIVk4BMXmj?R^ia3>n~*Oe&ibNYI!kT|f;3>X zWc*|l<#d$d>kJoNQ!w4>C`snpoIY$vT$BkPuF}FkI*r=425b!WFlX;QVp8*H8*Jgh z>eXB_&lWEFFcsg%4cAQ4-3?hYYctobooDmz6F8?NV7z$==gdOzw>rW5zg>>^lYMAg zu(@!F>yMsp%s(z8Bw1Z#<=k!P32ku0z6-c#gmd`UzvrN_sKf${SpC*~@qK1eUl+=; z_qXDj8O_;GW^?d{FEw2?+?u-#0>u=*{bd%#K;7HWiw8p5#K(e__JTnn%dq0ysz(M z{k8*~zi^X;x*>W>f;qNr4QD(O1kpO;=q9zdQIhPhv0B7wtJWO~BnkEBVt3V&JVoQo z;gPt`nV2LzRF{IKkgN-#XUhRyeU z$&dBtkx8(kan>h!VR9evNqOnTYt0(UxY% zj?HUDi+uce3peeL*?52an6$}~;&g`N=CWJ7701*2S+jPnlIObaB920@^t*G4wc`GO zwjDJSDn@1OBX+MA_C)0tQ$I?Pzag79tYz2XD|keuQB#?M?G0z)qbQU6r#bF9{p74S zQND;cYYPHt&DUc@kmf+X_`V8sm7~N4^W`S*a)WnyO3L%6qa<5sbKrHgNf zBgeEXCeC5a=KQSfc$aFv^FI78AK=7|z=?Z}^x%AK9lw2Vsp8M(WBP<;hHz#69>SEa zqcqOVK1jT*UixD={>ee&2AZ(lvpx*_wu0;%{|9xpKj4A>O1zw{3G;EJr~7%W zRh6$#hFWvbKY5JM^2x`Dj7x7_5+{$H!8QBqFN4ZRL)Py)%QV5hvGPU4SuKwh%e}&2 zp)S4hbd+34mVz|JujW{>z8r1ReI}odGDfV>x^`_f8z0^ns>9;IJ1o`nQMxI|YGOIC z;ytd$RuFi8EvL*980;zI*sM8R6&hf~oujPWe4i&r40J_uVEzU?iw5aPH)GbX7vfg_ zv}3k2*NzPfKjKDknbL6XZ^|aWz6tLOJ6XNQ@@Y4IS2Rb2W*I1ZhI?Z;`u=8otA-gB z{vUaNH<6vyn66mQ9UpmyTNAeyZRBBeDdC1k*mCj#jlJWu-kT%u^2yTMB7RL6t>1)A zP6+{*4s+~607D~#xM;0o;|Z536VN(vJNp^4PgyBly{deFdn=W5OoMo9Flt%8SA^sS((MPC_IYLd;5vn2%Q4xNSGC4;ea3`TQ+XZQj zmzkVZtH1hB{9(=sd_2uryLtty79PMorGR)>9hRHsiQ)bZ9g=$* zc&v3ga2v|+RV1op8l4EL09clRphi1_TfWcYFeyD&HIV{%V|k{kVAfV=F2M z8)q-9oZT>Xu;aK%1s?HGB$~Fm&V39_oTI7A>yt6jBJb|({(>2gs(e%OMa0=qodX#UzN3H{zkip(A+Pk`iHYeT+%_lfENT+buF5Z=)iI=6PtDUX^p{~8)4+PiucO}wj9#H(v!*0CzzEBW3M=c`JeXcGFTHRGMq zgiq>I_@=ce@JnmOFTEB2^fqzbg3lCtZxY-S8!49CBdPM8lrJJqRa8;s<)RYjgfw;x za4)cixRO3%ipCKw5SiCOTtOGf<%5b@V0se~d0oU5KehKJA)&MnyVw?jGoCL$RlXad 
z5~nJvd^J&tb3!C>+Ql?d+Xa>F3xM`fsF7v@)gno9siHJ*8xr>u_7(H7Ddue=>`rJM5q^p174lyEwhDW4vaDS6 zA?-K!Jsb9Ps1g>XUz6`O@#_%&$(159Jo&7CK!hQlY3x=Ccg-RWE&Y@12>W4qJ%neg zHm^?fqL>xo#`Ft_PASc&ApF7Zzr6ao@Q4 z?i)d5NrDo7mzNcD#XujYj3Jr@p=Bk9qP1%qE7xyl)rRfD{tk3J%Bd6#SSI{>E-o5~ zXXV0Ad0i&bR?|C*tBDS)MEq84yM|M0mqOkWzD{>IXO}{iOk3L+HMKR|)zwGOvy3ts zC*fDM2roFNTP4o#uzXqKl=}gXjmq&nWuB~Jriv1_QMbf4o$csv zSS8N|ogo{QIwu??%IN|0utlQkD~@9;1zmg~FL@avz< z-@38-pG1}S}IOA9&;yFS^Uo&@h??vl! zq_WY1B+W)i>IH*D=D+?jQswnXPj4R%E?&xv*qYipT-<#po{Y;-M{)pci}(&|B~eMc!d^pN8atO?;$dPJHBwWQ=8~)hc^2eGb70SX(nNT7k6qwiXst5F zStCd>+~pn{7hWeq_|Y^pLYSQ~>lW|g@X`IOKW@gO01pPa}UPeEs%(a2o>K!1O^3RVQH;=)ZRWmSU$9Q=DDB8LxMf@iH@)*I?|Ew zKx-a9yh4!6b%LC)5#@1>Ft_V?Io>8bJnR{_uM4vBna*5=ir0bA&`{;@fEURdN1WN& z*&IE3R5^-BCPE|1&#oPuDxhPp7=wv->gwUE^t*YV!!liag; z$l7%WxaD0;g&@CJ9}9M_c|fs9qu;$NY}oIt?B7}?NLmtgjR?CsFM_S>Hgd`)fglGX zK3cGedqSn{Wr+Lx_A10Fx8n5+jwU85oaXu(IvT5KuB%e<9YjlgHJvRD;<}pFhMI}% zNzWS^XlZN_*V4RRly@U-Ev<@KOJnl{T4-%*e#YJFK{fSNWjHxHKB;U0LLQ+eNBBySXP78Mn7VPs^4QDu_?6)Ij2q{PI;D17lE zd1Ht(KR=(3KmJ%bO+}LC`|rQ6XrCI9#Oawd#MPjy{PfZPho3q9N8Ww(&v+F)=0lyg z(7Jt=polDV?^xg*lsGMMR(Fk(9P)^Di?^_P?Q-5E5x}#5U1?! 
z6=aznZo}gDX0dSn4%VJ}pp3^JJhYQF3s-UQVIpzyfvo()@0qLPO=;T@q0ZO%|9FvO>ah zYFK_Zg1ZsL+z2XEq2l!+xQJ_hx!5|p)6>!`fd3kxt zZ$Ux9GpDLZ;`B-$=9tSde)Hh3(1|&TUAj4EeUI?}UH=0P=%2&BaXmV|Z}HeSYkG}S zsBy*h?F4v-W9J!#f8KyH5lD8;*0yxv;~OE&BXEyzRK__gL^5leJB7KlAAx6b8~N1@ z#1}MDEd6U0ZUr(+>WM1qQ6?@GRJM|k*-U}#Y87^BMLbecvvBkjegx-{lvgFlGXe+S zbW&>MB&1=Y;}UR;tRPQlwoM|*$%$#$OZ)!0q*nElnqNwWAZj^lR$0E%&`o$&8394j zI0q-=9vF*%dK2E^3DlGp5RzHNHUE5tWUFOYuL>2f336P&yk`tgA3x>zK$SREd7Uyg zHl`BitB52{x5Pdyqh0v%<^L*Lx)+HrjpBzV{|ox)b&#MJ_O80V>tlYFft{av2au%#~Un9)rQWfc^GOnqyFYL)p9;E;BS0R51 zaa}7(UAmiyTk{b3g~m}Wh%+>+8g1_!rDDr(A9<}P=p3VCq(mrj*9Re8;#66Y&QgCI_usAh8OyEtxrl|LSPiyv+L zAwS&skDR=B1DDW5+pLWY9aL}Q@fiJ2ri zaXp3b@>=@I6fKghmO*k`2gG$R*{#D*p1%-N{891EBd=|QBGK3>5}&=ip8V|Jia3Xd zhQ>Fb|C(fUSok;e<>D?ko*0?5vAim;PgLT3Md|Dt#v-%^hu9`;B5KibisiJWA2(f7 zafoZiJ+%whzqkM3T2tQ+%EndL8@4m}#{`e6eF5SY-h-NDK#-{Z@ zUuf0kBSW~D+~kCgKdA#_6wN?GRq^$suycgusy2lnOM0Ir&u^MIwTudnJvH4$|H6^kkQD8Kylq0<#DAxO?Xzu_euD4qus>j8U5vNkC+d zG6zAG*DES_$yi-F#QNQK$obU` z!n{OiK4rt>&#OfGG@7o8*9TcXw=M12v}+&b{iBrhJbkaeY2xfFjmFf>huYym`diDX z>Fg&z#0{^I7gwTBWT+Td6K5*qRK0~;n_KWLeA-f=r9dg}#oZw|6nA&01PBhnowm5U z2WWBk;!+#}goC>UD-bleew^R^?tSk41Kwx9d$!EXn%Qf`g^=uz4Gb=Pk4Y0lZL46a zumzr8(o3Y)d}anekw%J4s6A+L&Lt|jRp)%8xm=8!vDW8VNa6j8Y-eCnc$Y%B*BuB) ze1pTVobtqaJvhwba%XzD>(XU~CYL*s-Bim2vi{aurSrXe;rt63q+T87c_7Dx)m!C> zGUdCL<7L@cMzFPe9)pg4kqYc$sxPUJr2^aaTfr>Xn#^_6;uFU_YyByMwL#Awh8>?YTXuOEnWBym%p)Ckq^%`j-eYhEsU;?E_|f4YF6Vf!P!!P1?Em-P=PN#+Fj z%PXeZfZq`xGxlE{_`nWUXgJ#y{JRHG+6{m^2&H1kOMoM3_vN#gShc><+Rpii8&R9A zCc_%B%pJ6rzct>u+@a0ZGU5Ef1yMy7LZ7K7{svDvbnE139H?^j9%%<;I~hHRLn4LzS@ttAo1N$ET>5lg-ac^Cl;SPV_T_ zWPAsalxu;LCYgUst_2G!ib2-xAn?#$Q43Co>TASctdjQXKK8_+}im;4A^()A{G4nwy%S z+h>>YVadfXO|kpkA%SokX2m~OFg}Vq+Udnr)yAB6)=d)H=#rq)*s+$+6q)Or-vh|1 z-V9{eoAt4EMZj0o$1Y;tjnouekG#5tFWWKqug-kC_moUNA}_8I_=H@x_P)Obf*vDE zqqtwkR0DTYC2Xy~4M)3JnRqF+aU5^HvmChp3dEIgQ)3gGBe)sZRoB*(H8K;=eC4?k zv=P%?@`fHOFy(i}%&m?z9n4u@=s?pJ+R-oH@cSEEA6pZiv?=xS-bcDk&@i^BTHvt4 
zdr8%IaEJe>Q)KUP1y2vx&lk%vEAJ8U4lN{=4w|PsmLJ!n!v#xlX$>2A5~(`W$TvCy zGp5RC|42EPgC8T@k-zHU6)u)O8O-UiOpe5pVzXg46pna zE^-<}B|H^;sCNSYi-`E0-^1WbKR1ylS z%A1r}g~6iO&!fVB*MIjf?&AQ~xOlHh`~SD$52yDlISI|um}XYK6${7kiWc&o3C->| zmris^IUbvEzgC@|))3!3DErVP2R=Yb6^>+Ao2NZGVf?~1qKm`2oSv__CCPi_l$9Mk z87d^7d`;d>+Pk;%3Wk238g+R3=NmVS*{ZfCzDuHr#>QASJY=1`C2wKEr}JNie!(S^ zsF9}$!Kcp>XHtrGjVwEKbT#P$?LV6Y(;Zp#IGt+%Aom(K&Am^^wVctT2UjPjwWk%L zy%){zLcbV~Z?U(7+rsV7-4yK7*gPs#(7Bp2m0xmOk)H;6lhPV?5M{C^P<#X1RY;&n+GjN zRW@yw;C}0GHZ@)E{d0l7#x|&p`wP~gmZF_9g*|~At?myvGT26Vc{`yV}3MeOB;kcj3B$0mY zFTYHecRc>JGLce6+FWZJ3`nf%yWkrFe;ubLa5R}%n$Y{{h{wk0Wo$T&K=Cp8W%2T0 z-`Kz2=CW&zOV!8UKsTRddBS+G#@3&KX0h(b+&3!#wy6*49P_|wYF`bAgLu%C1;to| z3Jft)k`K;~{Zr+ZON$+&u{s|+av9tqZjY76wgUATRez8|3|zWePl$ymsM1yMdI|Um z$CZBY(ydvXP&t%ySZRt8M9zbI0g0>{ROJnhW*pm|v0gBrt$?v4H~ z-)IyO+Y>ubL&xLp!i?4I&330r3j}gpbDuIEAAj;weGnQ{H%AF%#L?HJsffrueTQ{|Kp6R_-q^T z)(9+p^hz1$iCNmYUIoZ1UEsx}n9{7?|C3Xd%T1bqXX7{@L#nTL=?g8E zm_v;mpLFJi)H^9jpLQIZAalDHgFX(vf1~ebSIMR^^9!neL`RER#(y2VDMX>de5Z?8 za6&43fsKtH__-?pH695f8fSP>if$_o{#910haYeA`NW+7tjr6xbGGjr81QS%SM%c} zrtF1=KaStO){xi(TqkO-s@kpo6KYZ~tiC|#xkJ(m8KmGQ^;4*@Wsqq+K!)5)rt+Ez zr+7f9pLZls*TXy@G*ZDA*Vp0=m6n#?2@-;Iro*Qj-?&E~A|s$zWigxr0vBURxUFGs zUv5gk;_Sc=SQpdcoWrM$hgyTVlhh1oTq2CCnCM=(sQEpNk0*Jbs+nupUjoU#DdSW{ zt+>x)QQ02|58fLC3-#3=4!HDxR+yK{>wVnov5j;q70sGm6JcA35e>p68^wx>r*X?bj>KC#_pKZgzPl?N_Thzbk6SDxs=8D))dRVPAC(9GMrt@Crv-MxsvQ zBdNAFo-|HTYS)R;{(aZUrk}lREiWzC=os~z#$Emgh5o1r{JJIQ$6bg$Y^PLLksalV=EKv2{ z*smhe+w`YT_j!&*)_LHWUdNN+3U@Jcu_PoZ$hc78QW@y;-h)_t_eKfok4 zs4ovzyokgr$t~m1>d*8{prWflj0oiqBTK1OsMOKMfjGf$u`ESa6#YiM4h6#fqFRnv zNeCi91^sKTLyvX!o4!2YCQi%8yGx?Bwdt6IsSKCcRah5qOi?&ZY@|Szv-%ovxTwS; z!*00EEBNOrw=W4?(84XD6zY`4eNt;XF0>PXDuBX5?C2$?I)_@>+%!0_DMB^z-i!}r zYHFZCNlw4S|Jt`82kK>7Qq&YvJElk`dCuz*zthQW`QWZGiAI-0gA(U)&aP_rX+-U1 zCKP2XDxWv2i4CZPhtZd+`vID-*%Z)gKM$^lxOB&gbk?IjCo9?56Yz_51Qiz3+6sM% zU@HZljeroH*kszfs^CJ(@^NZRuJIRa;gNSH7ycruiz5R^I zoiB4q3X%>F2nd8f`$mCQT(BT3`CpeHel%x>%{)^%r^Ao7n2+3+%8G?7iL)XRp=u&J 
z<2khb3SdS0cXelOcwne6eWcinSEZ(TrXR4ojIiscF_~0Hw10|&?ZO+B zMkD&KN-^4V-uRdb%P%HScRW!tR7>u75$IV0gI4gf3-ns@=Bp!ow#m`3K1x+$;t=1) zAg`wsPCjK$N}nX3U5DZA;Z06!D(_<$F;7EEVL~!iZ7jstY_=2KUz{&-bEQS;sh6Um z837j_d@%tBe8gT8=H}*q788EdF(nUtB))cXIng+7F;e*{0wp|*C0%R*ldf&j1vSj$ z{LgQ4fTMb*-H=;#hW3%a3Rvda<2F(k$CB^81ikq4sCWKh{>ZIW?Kg^sm&u%2R*V~~ zO2?x^(M^`k-u4ZzQzH__YYM>MZ1iDZ@uCEtyfQ+Z>?SS#>d^D)wx)oB-W$p>>gGl} z-9zyu(iyv@klFnUb&AErNa`dd2?I-aX1I1&h4$^r;fY2U5aB1Iv4uTiZPkIr1Y^qY z1Z2jggMRg48?sB3aEuR__P=$Y-3YVy%PJDn?quA!uC_05umikZQuH)*{sP{nxF>q;3N`9&sdUZA>%GM%SM|%gPWG{BS;&|778vT z_Wp7kTNEnce^vHMk69X*VOSFerp8d=VA|eIwxK8lFcbg%IC481LT3f1%$0QTXr@-# zxo&hviqxcSFR^p?^X@d>)OThNZE_i7$1>Dg=;Q2iYA7f`ktozD?yW5#X(&=Ie>?E)Md4kVuvGM2Z0?8od(Nqiig#Sw`h&@OsUV(i zJN{n;EWA5^FswmbJT?O@xY#_bXl1Nv+JcYE#u+4hD#_ZR9Xzf6Q?bbuR5P}kqY|G^ zOnWao7>350;eYRxkzx{N18$z|CNk=?3n-XNU0ikI=C_kyPxl zejORa9MiXfg*M7kQ|9etn@w014G?ra_@felrWv)l|MYs&ks=)b^aToIq-AZLbH15O zw3g5ixgY1R^Bo1uIeG3mttugQVeo00<;4~|b_|n~q-uE)4mc~zRo?oxq3xtpYZm!~NE zac+opN+K!z`x%5LtB!_+GVhP&CYPe`=vf_Sufz4%E7D9jnUV6`8@V|)&Yc?rkZ!=8 zUQ=#dAYY@tRy`$sm>yC0Thyg`Fh6g<|H)T}SXO}w%XA3<%PoQfl}vcESD{%HI{36d zuxLawU=<|JoRVB%-Uy(m8N%sDy>Z=_6@d!MoPVck6Y?YVt=Q7$=Hn7l^O2)TH}T}u z!by=ce8W$6RX0nOCbT1Y-qK_DA;$v8L_l1mlXwev{$0!7z}UKhOSjgD7_ho_&Rh7q z2b5~PXiO_pmrtZuN*s*w3Yt6#Uler^DmP39(qx2WjE|S{-e8e=f-8Y zBd;F7(^Wz)NSq}5bDik}J{Xk&r2%osw&FM&M>Hd_^lkOL=4JeJ- z=umEF0fn9y0z`)_z&pL z+BHvT=(TJ8zqFP}^7?O-UL*kyew8+5VicnatdHvj8uAP^Q*4?lvYFufSQhHqtW9cs z>dQ=a@?MoMuBM7dKv>5^B^r|IN*HW8-Z76xGgbRPUlj#O_mAv~Kkq$P3f{)Z<;4cq zPf6A`dGyci2q4pI{yfe|o!;`H>n^a=F8hP8vsxr8?mPlS*U1@gBW}W-Be{g+gnHYmp03O-bYJ@^SS7*Pg zh$UWKBq`X)?RJ7J$$P{}=1GiLO8GMJhV}W1mCI3wY_%;VRQ772)%UcvBOT4O{njGv zm7l7w>%uiL7hhjiR{(>d7_l?RKb8$BQj$#nkodi#RlUkYVjs45{bdn+Oe6M~77ngZ|^7TOGf)K9+3R1EsM0jKE_R$m(rO)e@9Hb z;+rHFcW&frX66U?j1H^n)+d?<#Kb09-^V3l$Y0ZKl_C>0qf*>U*qvLJpo>CAVlpxfHSs+N*7$ zHC0+_m)}q&cP~aBW(bYcTcae+R`fyYPyg!Ct^YLO418WTn_~L-f1J69j2|VS{7@sV zv)Fq}vCWh5mTDK3g-V-mFh|hM{r|m;8UY8sFuEk 
z?#su3vfLiOBB8t*A9%vOZZs>pQfo?aY{ar~OrLF;k%+XuDkMHI`N(S>O(k{Bs0BE4(>kBGof; zStDh=VocBLDM&9I^Z6&$fS^nxUs?kBj*KZJp57H$lYs9LIpf0dDbM#5KFLJ=+Qi#a zZA8AE{y7ad;4`4>>39o4=Y3-F#2G}sM`6ozfx;o|dD0;vo6n*2)Rx+)I&O)XnSNCZ zZeWVj;~DPUAIufq)%T%~?_|zAj!1?Pn)yorfm;hH^M7?-%I4Ctf{Mx)xW=lY^j-ET z76#onreSy`+YD0OaP8_`=aX%{ZZjze;5+?hFO{d^?ewHkPbk}HM(glDQb45+(;04K zaCT8pX0Tq|`CvV1WnO1ibY{(oajLR&RCIJ%b*^_y=Na7JctJ5XsqUSRsz-;ms!l%g zRpMD{^xl?f`dMJe@STjkaCM0P@W*ttpf0AF@@hZVLve`_J+(uCYeuJnmk zl5N-I^F@cTnyGmCrV`JW$#*K74AQ&)iO5L)R$SjEf-i`UM8lX zpvY!UR2IueV*v;HO$-QHW1sEGMM;}A&KFOmc!VTco6$WGIh_@7F6CCffT!ZkMH{z) z=XpoP8<}ixMAuEO61${XgD#D%Yq-o8K|Bk-d}liA_2MBtyDpyNOR(rH#p67&A>N+mIzPzi@~HSI<1keDtAj~bMeDYZ>L7M zPeqSW#j{8ViFYXoDjgSA8cgnVZ;l3dJ994(1Ru?((MF)uJ-s>vIZ`6@ogj{ABQ+;~5di}1BrT^o$y=!qe1`FpLOlL( z#nRz-@D0s3bD1?e6%%`4dd&|S#qvjY61(Gu!*@qvl@AsS3Z1bx&f;HOB={oJO==CD zUuvK0r;AZ0{k$KTh@IZ*Ibz;e_ejQ!0qTNIR7~5OVz!X!7Jgze{Wt$qI<6`>Q)mJn zFk~RD|D`C@15A^Inh@XOBB9vbA6n{esEYACh6m@&vWn8-C$JCQcsU(vB0^9Xwb!~q zH?JF{h88=0@duA5@W|&j+id6?=9gTCeeunX1*L8twZ3205l+(v2rdNJq?f#EfQTwHp{;_l>5hx=mIAJ^@@e_29G_NsdrenqmRgK21VZL5DF%1zkX6#%3DSsV)en|fv2JuOf zmaG?V^(7{^3Tevv^uEHZCgxX{r`_n`{yolpk4+Ha_$B^Dd_Yr4QD$1P(-Ax0l#+)Q zPwcGK_Fh_dpMIWHqqffU)Gg4ErMtL_K0YJFe~^S#?KO@2i-OX>B2C5?P;&;49gmBS zy?Mbqf;}5AIxZX>=|RTjy;#7jn*9@p;-+!~zq-5X4_@k!L@CFiLPz%zTAG0}(7~u? zsfuvv2y=S_7E69(i5^ZV`dJIZQ117K0!xwF!p@y`j~Au0ffZq&SV$8XV<|W85Ww>R z6LZo3nCh+VB#QBSsm4^t(ddoc0nWD6q1nWAPEOALxz#t6&0mil-O~A%AEU7z!;RB=F^p&FdxyQ$ z;{?PqEC~6VO_m6t87ZADJC0b;(0tH!ruhtl>+Xk2lq`0@QBr{u>yb~IPHj01 zZH>WE+ul>I&sS@JRoh`DDyBL_Ffq;b%eAGOwKY&CMog)tWMWJG&TD++eH}f`aMZ=m zqe2uXIx%xxuBT#=Yo5-0OzOG~8U=wHr@+;N^YO!3-CbLJL$Xo! 
zxPb`LzOo~USIe;8$z0G6n;5A3_we9nfjuHDMk{KM~f*(%=l1?0Fho&@2_ zK<2XR#90Ra{>wc@GzhC{?)(G_YOaR~dEA}o1lp@z>)Rhqz8ZJE!1~L6cJU<-?hq?D zP8c0$&#s(Wp<8~CdRYJomPVf$dMk14VC41#zUI{CJ3AE~*`zb?)tu@&X2NIEr`sOh zc-ajT`)$T0>FmX@Dl|RN=w!9*eidO0&6f4>s;ujNUvtg%c4u?goN~2u=~4ayxjZ>J z{%=Km+|+8BgLB=w-LtJ&4eYD7;NTEJCRN=BC@6d=H{K?fCGY5DYa~&Hh!|3EH~VxK zhzyKw@Kc6ZjM_?yP(<_R{vDj*E<_aORPnht&P^`rmfS9{X;#SBhou$UWsx%5R#O zUhWA?=w^T#K(EcE>1%45vsN29?P>HktRZs(p?3lFj*T|Te*YudH7 zcQ&>eowz9&d2#|yt$#+pb9c-UThx2tVt@jFOzxwjrc5-0R{s1w zbk?t%{e~Z8FfuSKbZ0m%Xx*6f7K5<9fBTn|fL_s1sc+TF8p{Q#WLNVSFCoctGMIJpf9o)|#hu7NZPj$+7-aGg^aepzr|BmK&t zUFR!V`zBY0nye&3{snFz)uAJM;=F#ZC7NJ;8Cvz{<{;jF%$*W~!(Qu;hrXf7kb{Km2ghPC=LBm#Uxs<0Z3aj=!vl z$!iz^^vt3bXI{9>{jw1!&{w!&m%ZP7nZ9xiropY>^ESCNqzmt``J-1~r$_}!egkh3 zjWsl|Ve(r;j{z?)eZzz~&S*O8?)K%O{?pU??Oxs^#TG{5^akt0HPSSyLA|x@zFJ_w zEawJ>!bdBPPNzhwUQP5u6y||ja3Yfjzu@8Dn^`4;0s|H-{X#=x%&*u)6+PwH0h9s# zuA_Zq_4>n8k0pYeu6WHu9=vEyyYWi=ZlXW~`6rmHT8=sxs%Ok7dI3_#F*%X0q%x00 zDzX)g?!h}Wb4M>45D+4m-7vJ6-p;R9w`Iq*3WklD)}!2S*qzs$Sg*(S*LAvwJp9yh zc!533e|;^_6XHIh;n5UE^YMA+v?m}h)Xp>;F_9Z%%Ncf*w|o>2`ti8+NoWdo9&Q#e z9{WHcWa`Zc8g$||yG-JeKYfbze<%@j;N_jcJE}2y!p{qAdI?T65uk_A(5Mw`M}skb zEU}RLg*uyE_9#@;k@nW~i6@}gJr=q7PV=Zs)Xj07VCvuYIJXuJoS%#SyOpa_zA9+H z(3-yj3Cn$s&eqt-M2KI!y-e5Lfa?!4fCdR7YCzY@Xg1pM^6b#@aY=FY;8oS6!tsLo_FABWw4_;3ZcZ;Id`aM=CVl%|VQ zcsM6qZ=neqR+%PNU+uIP&EYV7%rW?N*LQqlAz|Q&cu=H_aWCrZwKe-9^p_~=7^hww zetdv`SI?^*5{<7Z!?^8>U6;(5(1FG9KYmoOi+ax~sE|B)^yvdY#Q$U;Zcfq2n1*wjR(GYwG;RfC3<|xu{$g1kFhIQYg+Iw+S-`t(iRz+AoBL#8< zV)rtmZ+uPR4+?S)S2=XeQhQ!lyR{R$ADe_#T$B#N4*ZC+k2ik)CMWLvH_JWrXcRKC z59|4QY~3q!IW14}QeMC@$cX9ujRDTWxD#WqYW{O#@H%kW%fgFGO1Y4xH?fZb6d512 zv0Vpj$!m>SmvQbej;p)=i7|mRi|;W!p9!vFS>^SBrv3sgc3rVLLbtTzgNdA5D}1o6 zs07ICXhk@3XfV8zm|>tQ97K+zN>YNAl0bWRJ?)*&No;=Hv}P-#JgHyxzXXv-9gl^& zbims)eh1I1e=8f%MnVgX#bK%#lyup;O%=-ku{>Lt&k4)TYM`=2uqybN_r=rAupNI8 zt&iC;{T@QLIPx91^eK2RyxHyV7!Nm1$D-}VFI%%OiQ;~#9+UaGg+g&UG>-1se?!F&p z9R2%A{9=J#5gg1k$|JrxFki4nq!I&+<-YSxJNC`g%|VHm>$EE_yB;!isH%n4sGobZ 
zz}u`9dRd}CE86;Pw&&xx@O|{L1>ZBLL6ks_HR-ARjJ5i=9M=yb9AogCse#G`urhKn zdvl*xcMsPGDdOj8=)(0x#~~7D-oE#}DeJ2?-ih4{MVapm+fx9gH%GsZcv)Dxf(Hui zto=))56xcnT96jx{gMjTmApenq=gW-&===JC10cWzmyiyb2x~J{oNMV7%muKp6pd7 zxCE*n zGi00;YQkuyx%;<*qi>!c<2l|<(`vtUc*uM1XQ=4lH6fjo^|RnU{Agg3xe!<%hK3LA z@6vAyvivhmZ}r@08rCBglrPnJvupMgVXrJW(&eY$y%e{Hg9E8ufQ_^pe8ALo^F89Y z$=M0WvS&VBzatb|C6~`p<dj3jW`aJe*soc*3zS`)vrD-S2>tyaaV(bjR9Ws(f zlnvTHQnNyiZRZRmRCq@8uq^6(O$4j*EtO%c*;cU55Y~FvXj?>}+qeqf9p2s-Fzx*7 z+>gY>p<7Km3#haSZXj{eu`Ap&II)rS6aLmT4xV)0?qN{QMCz%$|FyHlP@?%kdy3;F zh=y7?#Zjlmp+cM(r^a&*VM4_O?B5NYl-M+x*dqTSe+SCAPG7G(GG&pnCFC-Fz)WlI$Euk69=~ab z)e?R6N(yC>xV9I8$7En&nLhJxMo_xSI%^M)z>jRXxzk&IKPEC=%l1psCf^VooWK1; z&u!oSEYbhCayFl}#-2)@*iD(6nlx6@wLqzsZCG#>j=CAWsx)#?8XNUZ>L3$1Ad>!S z%83SONnAG?j@(&(#}*WHAijwo^BXl_FZas3^KJL5=52!WbMrvVJsI%Xaum)l`Dl-dbqPEr@|#I?c}1 zp3Ud`^DV>7)%-{QrFaMM6$$gslY+QwYBJ^Qq<%Ju#ik3M8psU(zQ14h^{NA3_tw9y zB|uEYyU1?vt95hmZ|q2Zj*V-^>sa_{7{tZNHcF@LM? zA)tocC+HU$%Mqe9xV^|{P;T3H>8j_Phh*zfrz(9e)uOn+m$qj=u!Gk$EPinic2f;y zx<9lL420$O&oPQSm4;LdP2iYSEzACjFU+1tk7S<~BWK*~?W)SM;ubk5F($%HB6Zhn z==7p&`a1eU3Xf6P#%s<*dB6{gd^e^O+b5sMvKD<}6?oV;o7Whz?7+>{(+fu#fxi7K z59C(Wl|{7TDm_i#qpYYD7c*xbmQZT)sZ0GFwVEOgf;$2t{XfHJasdO+H59Rg#UxtF zFDjE(91dlw;<74Nw&gr(31|N%HLV~ow8Kt$nKOp}BDDt*1vU0RtpD~Ec^hRmIK9wh z*Q`f?GKvcp_=!ptHXz9yGH)EEy-l|bim%-70jNuEE#R?q5pdi*r{ZxRGNTH2y$;L1 zIeX^m+qPs7JVoBL;6w-(MC*&;1U%c(KdYD47(t^^btG=pjRht_7>hHmmhglWMN>kC z)D&pgzm#CJad3PL^1{fZ(oK;?CL!)7ITDr=`_!~g~bM2 z0C9_6P$Rjh7h;Rwr(8pTykc|TRG1p^f9O{yAm>VxgEyyDuT64XVW*CvAhxThZcB&-+-ZS?_Azeq`j!bIvcC z8+37$UUZDQe!^E@RNhkzkqNpT;R#zC;69coT2f+PJN4}w$L(h3{bmB}CGj0Lu~L0Z z-x@mW$}X-VMbvB*SKvB5y$TVJDXIUR)8EhVQbPJaaMynwY4#o@RWhKTsv|<9CO_dJ zo+)@ZJ45(9R<870eq1H>iZmYqm-<2lqIM3VGVcBjiflG;16$EwQdp5gv z+}fx9lwp`1dkxo)qVd~B?1`^Uy+3H=DmjH;m*r7Li{od@8r#HEMOpf55)4S`BQP z6mvo|8Sq_}QF-&mP;!xb`bUHwUEdp#`UcBoSc9=xQ+(A`Jg=5pN7e16cu>^$I;v4! 
zqD^A|bg8tsLffSXZ3}TP8h%X-1(kN@7g$vI1*!|6dcmKvm^I5L+_mc!_3n^lFPw!I zwHrjiP_xO&_K5G2L(NfIFZSN6PzmX7>-?FPyqjHz&6>}3M53F$GHkCj**HT&T>%7nXi8r(&`+N_DPyZ5ODVT7yEGch@df*h+_ zvRA&qFog-&UGohuH_e%a^)k++#|rsFRr1(+I0_(*jlxj^82``akn(wdNqnWK>tj4! z*M9t$u~X0xjKvHed%q@D_o6zqcs*_{spA*x{>gVTZ4sGP=YPx0S}Dq8H@ZD6Vh_gy zo0@{4I~l%N?@xdim#keT-QO|W)spq}Mx>Ul{5#Cqc8zp-p52rz%6-+JUtB=kx}5K&H1vnO64MC#%vKHZ+u zZep+e-6!xO=;laqb02i|#}$^>k^XNZ@&B)l#FRXyiAKy|CVR9|bG5Ozu<1 zcC3PSEw2eX1(ExDU}RaIC%|WTqyii}lrLx*dJ{Vc8Af6~ix_9Ja?|yQZ4@^xu6KHy-ZQ zSw#^X3bISi1gaiu~m3Vh2B2qiXIY#E{D&-+ME%*_Z^)3kUwU z6W5xjV_^@VrVkgYBE5lLGGxboW1NdNKO!Svh1Y~ko${*|&X$2`i*#7*i_=?3(_4wJ zl8&?VJ=vd&*||;QJ?iLl?99IG*^% zzVyiCwPd$@PWQM;5qp&n8~@IAZkM)qYzzO@f;_5hB5uY)Kq@pJ(#8K=Xt7wV@8A8# z+iR^5yhgNN+dLEb4sg1luA86aNuK=q=Z#~lB_8148bo8?tVD(*r#1{HO~gLq&TTzB ziPtQQ;ghTo+qOyil#}uq9P@7H6tS-d$1wQqJKZ1aCtl2NGyt)5 zDY$CtrOvvn$0dXn(;0;hi2P&>RuX%}cBH5Nc#K|V7_I*NWu}rRJJQh_KihE4{qo-Q z(ZsQ_scEvLBf!1XOpA7QZMMXq+wpDl!cDk`NabG&7F3d7TK>)@S6N0uaKxXWLtQM& zGxK@aQNIpTcl%$gLJAFnral@XSNC8wqkmeL`kd(i6;OspIX+v#Zb81E! zAQ#fObsFn(E_t$fcs%lboYbJ9FVz?jNET2zuS5kNeyV#fG1?2oiLcqkE ztxH*=YN0Qdei$QS>_ihLuzC-r+ik)ZfHd%o={^`9DSi^RydS;5mfa)%Y}RejzV7DQ z=M1my%a#o*i@Y9me=>eKy(6m+8ouu-fgq>;@*;X~kvO`WVbrJjphx1M-!63Bt;rq2 zC5txZAw6L<9X7h=~N#S^0~z*oX7ILv+Omc;ya>C*-}( z6%?nww*y?yvoR`ekTj<=^t)=^;^;hNM&6m=@fbr@_OCH39|PQ`J3V2{_n6!$*14|! 
zxk=0lIkemHSDpQ5Oj=#<#m6B}(%QQ}w#GS*0v~7o$VcG@-MVs7yfaBzTMbV2dRX`% z?r^~bOFY(ReL7md9bE|>d$xGPkcV#r(6wGyUr4NfcVl>$^VC+H#4PD zQV6x;)YuVbYSm65Xg(Ai!;Ctps$`NXq5rTLVzbi-&_sTWR%2B_)WH8TbnnDWpFYC6c7bvq}i1qC1lrUB*eI0`9 ztc*DV&CS(~^td%gkD`Y-&F<*dNlbs1QV}dWH!(4sP{}f%G(5aOqmygF3zaz|SeIq4y|uDSoLlI31E=W{zVR`Bx;221nNAKxKeGUsqy&w)3DHGU|* zg1{4(C^yq|@Y=~2hsW%lwwi%5(douc<$jN4UDiteI+sCNYC95ijorGF4UOuzGSf?X z!)rm03{QDM8A==a;3KyZ6NKQ$e4mw1*5R?q!bPobAq!ohDs#K6ch zFBEwEgkmZ-z{NnQns>Rm{i_dUPt|z)`PZ-cmc$~_6-#6H z0rPA+(p~?7uic!~?5!4Ug60UVA0#WF$IR#X=UX>2ixfPa@apo9mDc)+w4Uv|AVjXC zl%_KsD4hh%CS!#4aP!xJjG}ztR;tjO(h?aL9aB@bKhids#3A12orkO1M0$HmN#IJO zl!jCz_%CrQ<4zqU1IdoA5;41L!ioB1U|HR7-o_~kaOrPf%&D%0XD2T_fMFGc><95{tkyDqTg;O)cdo=#uawuxO zu3s>7H->Ws5HLW!XX86`L{Jd$4)NqpejWAuP+)O6O^|?p|3G!X`U&;5QaG=l5x7 zs|OgLtP#j-ING{I>2fIHJE5>vQjU}lgbm6pdz;o6>yy`6*2ocs)&&w(E=fu&V6YwK ze2CND00g}XOS`Xgb^l!5c&LN1|9w#Zip?k{$P|O`E6o26gdvm9*TQx~LVDtENRqtJ zu#k{#P(zA|#oJ{*4~<`N=SrgA30cxiR`hh@;*WC#&SgCs3+zSi-9{q}uJHY;#c3EG zsPx!HO3Jz3oJi^U2&xZtN|i+T3Tk|<*>;o%A7l=m;~j9vaqGK6a=|$r*OtPJ;FKqS zv?)qeR#m#a&$C__dFdwF8GJgU-m!`$N)q^?ab^;1XnTcPBt_+n3~j&e^-q-TPsmoo_R5 zzti2-C0)O+sy3R)hYF&hOex=#5tp!2 zYhl_Nj2Trr;o!cZF`FK1DV*PD;lrGk9FD1;jccwcfx}(6US{!yP@pIxMpHX%!}p74 z!?o^dt-tb2@(|oMw?{*9l7g0L%6*+5V~E6LAU9O2%;w<&OdxuJOWY8_Q4}9~kyrr< zq|(00bm}sEKi^+hR5{;P?OZJ=J)D(Zs^Z52t3CSib%w^T&57io-N zGkuw4Z)mmq8VtlaQQ{49{GiQ=Z}lZ3tF<-TUw#c-X+n6=mDEcN4L+J~Z{!QrGHOo$ zU2V3%FVK0Mfj9CP{riVP;-}k|Hd*Ps3;Ld1nn}6-&&O$U>4@^zW|y-Wb?f3KP|QE9 z5FV$ZG>spzx)f`7ikgaORkp_G(oN|(FThjV%6Z=WHa{=lIa0{5^KiKC7BbN2S~l5~ zwexw6ALeq%s%e%f0{D1BAj5ch+k#ZHC$ane?ICaWxH7YTuTNT&g>DWB$X z2?zBd6JiLma&W=NoCNUG@GRpSm{=0$XlQylA$sXK%ICi+FvM_t=}J%H1y{bt5r#+L z<_8F`%9v1a!Jj|Tb1$J=w;cGg817n|LAhBNv>22aaiJk9cV*d&Y%)Z{!FZNR&C2-h zIBhdjmvv@GCiwgF>56@0Q%dhXn%Q<)X$6^akjkC_D}Vpu;@6y@%L8L^KDNTEp*%+; zvXRQ#)S#uMcWorDM#j(x?lqI!b%We~DQM{rYso-@%VD0=FY+TtO?QB|Ko4ZNqK40; zwPROyj5mTmZDo9$a-F~GZ0doNB-cbSi1vf07Ak|F?Qqwy^yJmtw;`aRu{fG&`-xBe zk*Ow6_Ff5fhphgv?Le}jnO+Fn&_r`zZbH8U^)*YSj3xtjzX_S9jK*P6h97(=)&J>N 
zO!`^`4MZ`Ro|aI{%+<-Vgm`ltZTS({V-k{W=N1;Hm7I2J4o{80g<1>QGC5arBYw^* zXI}`gA9<5q8?D?Khk|;hXCyGhg2BAKLg@JWdN9h9oI7v zh=!B`Jn@)toLm$7$iI<@Jy}$6x}+C>9dr=;7T~$(JOX_BX5hIzKk#xsFuQw<+mhB6p6k}fr=FA2(6I#ImyberFPycztNnu`2eUpmUr^`3pT&-KeYO% z6R!|R852pS&jo?p1f&*h*t?5n5Zm0opN6~GH5bVvwQ`~Id(B~RJc#s4kCS$d!yrxE zq7(LcKZLgb<_0{ue7l(1IT3el|L>vw%;mizqM8&K(h!KZy@SMi+4P2TA7%yaCg%DD zz(KiN+y#McljeTHP(?)*=9186qhTwkkwJ9`e*U1$Vo!{6v|ObZ7KU@RYEr6%jVCi{ z?{UdANm@WabY!*w_ra^-+=22*C>h&zK|Do0w5m(@=;ZOPtK(YPXKXga5y3Uxe@F%h z_O_?*8u&Kk+nx%^oF1RM0Qwq^Deaa=xZniVBq063jE2#`sx@==89n7}(p`&i=lLcY`%xyJah>)>5tnYY0JchI zIEHSI3<`0hC_`u34y#%xU156`=Y+#qEtO__<&Bmc4L*P%0)=Dts;Vp{4U^&7kE&D`j%AOrXmR{OZf0KD@9#zOz3 z;wNbgx(^eEcikHcunM>Zg`o{(t^SI6T{|Visc3ZBT*}s-Hzr4rsCDK&TD8FzY^x5R z#~8ZAE%T1dMr-+N54T*&%&+8huK@owJiH;pA5pa17BYyG>M}AOm%{k8N)&?WTF}pF z$^EJ(#yOv)b)LZFIQd6^xcA<{g|<8PW6V+r2|bBPDzrxdAzdJ{aVDNtl(p!;g-l>r zb_@qyMdOk*sI#Byv8N7OtJs2`K+SYxN<0-##E@K4LQE2kT)eA4e!g{3LyV1%2z@!(O565tkOuiaCBbY`LC6RNpc`O z&6Hg}r~c0=r!;nn;I_joj9l~?$gKk`dPO#e;S$H(XOyGb+vW#|&2!uSVIW@ds<=EE zTbgc?z!0jrx%uF;PSwP70$N(6{#X>&vr5X5Mw>(~W2TL^z8;^|{>uwuUMCBYoWeci zzT(_hlTSxqGsD;%XB-cV_^rv-T?Tp68#_W(Q(HkZ5c{d}kM4yo^ywl%&QC%R21du& zA>D@30Da*&^N$=|Vw+>! z#`m4CbV0Q0#}hwKyv);3d?N8--bTl!J1X<4eAeqhO(9v)#h$rVikGN_6u*Gal{Fr? 
zsXz2ujTy|--m(2giiZ%=eMcv3?o!@8`EX$-B5%_YKJi{SeQ?JAOosUO2>-DizJ<<5 z=^P5+RJZ#r_7n@d1xcYx5pxhNy%g#VLS~hTys@#d_L9?or2ox;@xcz;w3XkW(Ic=2 zgjQR37k086zJBtP)7JT|k^&ZC&uiJ+yle`dkUspzUq{Unve^XBH3Nrf($4kAJm-0+ zldH!a*(*R>Kec~XZ|f}^(9_Npp@z`wS`;(W2xNX5Ondg-z-0Jxv?K=u?;o*saa6#X zH%PG7tFCArKlV4X%8FrYxkOA55Zjsz!}eweWZJCPT-rD{3gk}*bd=s_AC>Whtlb?E zuiJ8V+7F0^DJ@W}UJHj6%?0%^Y_G3`k7U~|&5Sq7XI+Q$vr zor0L^-$&x1GEUExIIHr2F@Eb*YenqObFuG1L9 znJX7RL|Ir(%8a=)n0YpSwJjGyjM5N8fw8yT8`v1dmUvvd5-Ym#OI{OwEnRnn#>3=AAl}+RTXP z|8pqxN7Kswb4H}C#*pL$SSJtw7l|8ocfR|_5dRw-2VRnYdXK3e`UZiJRYD;3um0a` zF`(YVM|7f;#*UTAggnG;T&9$GJ$f*|u*l_u_lTkBbI$Or92^Ry#6&UxKg*np&FVPf zT*adJ5XG5iEWhJ>w3-XMxv>-t9=sJ6RWM~%PX&u~RpHZG2%l}b^A|rBS=5_c5Z4gp zuY!>_1+Lb*@cRCu!ah@AC?XT@S&o#My9q2WaZ``U@lBOB*^oJUo&XtZ(v3 zs4$t@yObBsXCps<)TtBOH{H~iP6zy^)vNza!1g_sdCs{`{Aup5&aT%Ye1H_%o1>bw zoTH(jG66R5Il~?q9dtlR0p)`xdIkKabVUnzdPm%;ZhZ2yLQhfBA(9Jl0@;90PO}n) zKi>H)kuJSrvOY#PxC+(tfZmGsq7`CLP1j|w`H*MUtH*-$+hR47PikFS#aa5{?*Q@$ z&{%6#OL~2gn?VN-L(6LWVmnal^1%n4Zz6!hYi$+2A;#wMExvg$yu9$2O1*~%ApwDE zNnyaIgST2~b85Hu;9!|xbIU>{N2vV>1BDmcz&EE$#(%h(NRc^dV1IO4C20PA7I@dqYJ$<# zN3((*V~v{SvW|rGm0Jtj&O};97D(5KV|JqCVtz2~43vFP!`qO}n@a`gar_CM;;#2I zbe}$n_LMNLgzwO#fY(N&-4gWoC)}M@sAuAnE2i9@rh8Suc7jQJd-9Ur(xNoOS`zsn z8_Q&>U9Vo(GHJK=qU~rmZpz)B_}m>_yZbW@$&G!Qlw>aASq;ra9tEuIhfp|D*F;5?XJvPx;iZfmCF|2D{I`exuxTt;96D5}{#CN)Dv|~*lip;|8wYg z^r~E#i2wAOOK9Nf`R+n^R4|rCpqxE z=b*^#r@NCOpC7xbBy%V3dSz2Z?p_n+0&1s?J{zY0GA=7ErhGm(j(o}72kRO(e5rdE zDQt%Aj+w?LYE_XAw)j3bb9j#R9^G~I345pb(&5d6o!T0!^hj>zBkJ6QT2W)FL3@VH z%T8I2d?K(xUu_ye#$l%4mnFOmnJi_dJr1fIb{vqX=U8jgH-+rIa!LDdzpW>U8*WzR zRWrm7wA?0U@5KK~9&(M&=fjPIxQ*v}R=D6_)iAF>W-9y^9M%d&V39>8@q`9YEjy1m zST*wa?e&?>r1MAposIXKo@trk%(Ef+6lcpXylckO%w^nX?aNlJsy&u8T6>tTYJaPt zQeV-uo1RTNbR$ItjSD%M7D6BB8*5Yke(Bho=0&^GmDWPD70s1??Lk(JbXvAM!&NIG z;dq@4w)a#kZPfXAqi4Lo8WP5h)KD7cuBHpOl|xDKa*VZnd`>{%$p0$UuTW~TY>k?$ zwD4|=;mhJrZ)>x=We!Ct+?PIEZyJgYEWXbsVw-vX4$LN*Z29aiH?bJ^`?l)kzjinR zngiSpin)0jV;kp5cf@zLNrh&H-Ho+CF`|7dgRL;f*3+`bN_H1U-=|Rq9OmPFXPQs^ 
z;_+7Me|(~a9jnq`waj-w9B$qGF>{{-S&dTL_-ZY+e%X}W8NM!#8RUz#){m>3Kdg%D zwR^yybCQ#j8h!N%!ZIZ%-6dDM4QJitM9ORY< zg-RP`Jr|S@&&YmpHu)7HnNL-J0*QE>Qlq4o3qwE~;^SQe*)T(xT&9HGD<#U-$ z(L=g@%O%>XFC{O(_cJVur?Xp{{DWeAe_}Yx*vH7^LN`CxC03Cm-jD zHtMKR;*iQ{H0qs(QfC(pz~>o795Bn zHE^3UZr~9=b}TE#GGv))9{^$w+LrUT2;P4MzlGSKh8m0Ufy3TRT`eyDn!ND5qyTKO z)BWLO;{=PDe-Z=6=TB~FDKh=~7~#9ZJxPzH4m~m3LwBG_SDIpWg5E)y}yo&_N{;3k-}z#uj;v7FHdT*8N4Y_Nl% z+DfSV9RZD;p8Hf<>#h57c@sf_yP<|Uev`JQ_GM3tu}6h()F)jVo!_s`Cg2aYO9}H) zO-Fl&*!UdvD=_9Unx!23A>3fSf#Hwhj&a7!HE-)MInSf@>zxn1;3<>bG48sRT{1tL z7z76jHM8~ykF+KApm=gNM)8zoCcDD=!G`s|1KgN@~Fbzc3UZOc7u^$uP+ib9O?zszZO^|Bw4TaDq zRjtnQw~f^4A_u88^Sn-|mz1bPam5_gX?GrFa+6x4!+#k#1=PtMeE)kCNW1*&2uBgR zJ=`hQoosaHaKSHu^v%SSWe7_$82xI@PN8m0DNnTR&LK@McR2iJwOi1@xlW`TH)J#8 zlP0PlWWuGyJWErf4Q(5!g(COObp;hG_oZJ-*Sp8>#ZMnN))Fd8$naC}7~x>$IyepC zRcn*3JH%Tg4fpC#6x;A!MYa|3lAZg3CN$frA|A+IP6r>?DXN_+Ej&9WM*{$nyavDb zr42Ziitnhho)|94iu0l3Etf-+&B&+Lj{TPVc|U>0t#!0&)+Hc!I+ZlWHbYRq;v?Yx zU?vBsYLUF1{FidHPm%p zC8W35-4uVwg6)JuIn!rsc4QX-c`)665q z@T=qDgktB-gSHsB=?_*qS38D?DmZ(Rt6*izmY-u79l6qxKu7!@l+U3zxe{jZjJSfg zX(3vOXC&73?4<)-`>N?`2vaj!=^WmGb6OeWwntMgQH3M*6q_Kigb5cG0BntENN<9V z!Ppyi?ePOVU8g8LfnmaMx{EGJ0K?jnr*$w}X!wzj9g%Ar6>%TB@h6?OCyOJs18DQ^ ze}Jl-;B;i6H%dT_E6NW4q;m#9x;g)B&LguoI~ofMLw$XHHHQ}#Sj0NB0$P^bxBW=Hy}dy}K?G2ms7-Q!F$L~XIIE6kT1DQa zr6pq!^~)RJm%p8V0bl}tz%%$izX9i)OTJ_<;+?$wVkuPayHO5VuoST^sh9B;%!D6E zh)qHV=s8aaICBX|P_*;DT!@z78Or#ies<1X?o=mf6>e+-4~M+Sp|?37R7l00I;rFy z{(B67F0PXIpi5Wx1F3XR_&1iRCP%b=3XuWcg!0_eveEVVO44=dBO0LL7JyT(rULON zrLbg3uOUMpapyCVmN;1%Jy!I9b(`vjcZj!WzJmhiE*FmDd-jwy)_%9!TFeI`o#j;A zjJl044)7IVO}Tt46b-0hZ1bCMMWM8>ms}m#YfPH9h?>tMeAa;S#X+eL*;WM`eM=29 zzI(QtJW1*NF_~Bl1uOILN*^(qj~5$!nTkS*?TdBly*I7ELF?;-u-lF)_=&;}>#Rfg zkHQkqhECY8Y3A>qHOFgGcpaLY(YqC)Cxz%Su=I$QR5lIfGdFF_AN_ZGL%h#kN7?uJ zq6J9x*s`>Fk82h!U8juc=)bVh;fVF*Y)Bi%-PMO@mvYFFw>lHobXBB5Zum@HqK~O$7>d4q!^NZaDGvg*7a_C+-b_z_aA595;nshP6 z2l~IS$ARy-t^M@o@nckUjN@5%qkiU)0DtAfs? 
zP2zN;wx@GcB5Op2W{KD;h*D28We%gZ#rGn0XBh0}YtKY`*KWDh|3ja2!i|`fK|M5P zf|-3CM{>Qkn+{|CxUTk_?DKsd)1_rN!7i_oEloo3&3{Ju^9**+mF03GYp!Mv{Xf5KsFr?oQ|RA*t%ooMJZ@;d697fB#23E$l7 zlF5ZhM0Wo7wR^M-0G6|p0xa0bF{%#~%Jg!oa<$%Oeog)#QAyfgj`ckM&s>2Q5dY1$ zQBaD$F~G_U_v+{WrUCx{JOlPPWNCHjZ6cL!ySMrlEMHby;)sL(@Z1wR5E&L%ZgT; z?$!QZg8l^rhXl%e7W6|5 z=T~;_hQN~^y$Kaip0eKAn4_g~ZCPPtfNY}=@0Biqo47a*v_JgZH z9fOzh9~J=74@Oq%&<&m;dzq!w0A-6^m{!yar*l#ocC{U1MK8PS%F|0lE(5?VH+VbA zOC3=1uG{X%A$_83S0@{c+&X>Nr5pB_??}IAowkeK6OPyGlGA)BZSDHvSg+pcIXO9b ziD63#xr1a@99EG@D&_H5NQHI?gy;`|v@j4jyi9i)(A}wZ4SIlM_VH@#)^oY>Q9&;^KQzF)^T=RYnG-tejka zQBhWPwMNLX*gfO?6)X^q;vo${R1}KAPoEwQ7&|qc63BWMt;RI|9i{G0+zY4aVE}2V94adj=@*G8xreuD>tYP za9usUEO$oqWuvuMWOr#>L>Ctq;*ye9r((e-1(;{{9v&XsQYn=D0s@v`aKf@D23Fjp z5iMp?ZrB-5TRRnS)!mEXVHH0??|xJ8!t(_leX-rorlzLG&}{JxAMy5A!xydoDEPll zPuI5*g|m(BF&{rZAQN=^inTGCs}vj*v3E4rcfLvhD`=aYz3F_`V;$8`7=PF zP#{qtdP@|zQ|k8NyRa}+5J*?*$4z9pCiTmnhOc;|1x!{q*Vn(!&L(Et`SO=>?ttQ) z)F35mT>+j0L1pxQvff^XS_q5VE^e^+5px(z4r0$vDTsrb+OMpPRiR4M#->Oz#nRH! 
z#N6DvfLMHkX>DyyO;Z!3sVM~l#Q>-$`~7A|`c}B(COIQQrz%mSMxxjQBX`<564P8& z_2t&q7RBswGX+`wL+C0 zXn@=KU_mX^(s_pm5%A6`RL22hV*w}kT&Wx4NsF98SdvGA8<&;wT}=%Z(hE`vrtkHG zD>G&^P(~evjA>^5$bd%^R7LL%x27DbAK^EIX{q}uAlK3rOpzW z!$FRH6n|`DH@AP`Sjp+w<-j4@=P_NC`SH1VV2E#4aMyA33#C6u&@-s&L`{d_XlB*7 z&1P7ZTI5rQG50g~#z=S+F(^6UzM{90xTv64c8Dn`5r_9GOBD2~@r=dMiUpt&vI{pV z51rJLVN%S#5_J>h71K<#O3i^;ZsQFXI44_G)9Ibmgjgc*s=zy3(o}=Dx87fP;ZNqC ziDsy(5oqG(ZU#s@Nm2jPKY?zdE`eU69)W(Mex<=n5v{DA`Xd~k%#f#JxOufI>O~Lq zqY5be3W$xed;X!p7^JBL>7EA4ruk-xZLfjO=@lHVf~Q|e*GdDcSu1O+z(B&?T-XFm z-Vdc~A%rsJg4E$fMF_jTN;N|VovKDueF3}*+{Z6bSFU4H$e_e^jI%b7G4xj7Hv|)f zg}NX_EpAKv+Y62R*_wE|vE8PW^1t)5_bXwP2%yuWOrf+BzzWAIA!JclqMoZ)n6o*) z3bCXuSnw1}p*+FCMm!V6MnL}Q;*!BT@!WT1jjlHd-WJ60u-x8=0^U~e5|`nvA3dnt zh~`E4h)Fjvx6VMqm7$9QY$u6)vjj>kVix%&q9qa)K>-6;n~K$3&h#7U0q!pRQE$VW z^&dZeBroHzG#A%uRC2y#3a9Dim)Oaw=>ai*%u7+PP%5|27}1E!lP-q0g(`E5)c9+C zV88EVr9CWo@QPAR=7k|LI0zG+@NXx>Vn4-4a7spsXVfYb=Ef^C5>KzTdAI=S-@=>N zo{!JKn+PA`m#EN>axP%9K~U=IyB9d8WvFUYRwHopEXayv)o}B*9vVsHiN*npib{Al z`HlbGIY2W1ZL}p!^~7aig(ZUf=?rVB^8(96$|uW|fjg)Qem7h^gA)!4wQMQ%K8C_C zytH$t+cdK3mXY#~)Hsyp_?5V>a8NSMzEXC4Dxg$1rPug`TrTPar~ku=w+^DtAGe<@ zAz>A;_zC!li93IVeR$CoWTL<;#rZ^)V<0#yzdB2Ohr5MkW~|BQ7|kJsz)(*>Wt`58 zv0t#c+oe%ZLQ_&SE#qlS$y)@fnxB?3g(?>@0Oa};_I{xP6J6^F` zvAAsMe(`{O2Kgw{7f8?X^Wha%3_4Xo8nG$Oa@BMxdC9iT6oalk{0O}2dWq`#q+Fd1 zI(kDyhVJ1CTr|iZ>+EOVOI!*(jczr@T3Fn6fEHUlg+}~6t975V8ejAIG-CVF`f;eK zZ1<{CTNSYSL;XJcg^tOC;&SZc?Gpe#=iLLFCIc2~adEMbb|Jwzgs^~=GOs2#EFm}V z80QGbEM59*fjB~5EiPZn9!s>K-sqoYsRfqB+3%M>GJ?GAbq23StprX_I6j~>JZ6IJ zV@o&@GfJIupr)r11KbEB9Yjo95_Sk^fFF*8D1vxK6~Dp8Gh|fNubR|QtA3G*QnB+w z&1r~s#I*b^r86E1EuQK>{S|1@zHt5*?O5(iB{ znf67w>R%BR(U4z#jMauu>GYaTv{r&wvQ|fR2G- zO}1&4ij6z9-3wx>#$9X6XpM}_g?YWmEF{d+xuerz4SuS^p`xEuAc{b9HoeyXfZ!Am ztC=JF18H=*fvXQQ)yEdg|+Epo5CoYON0K5U0_*lE#EAalBQP>jvvxH zb~u$wuUvHt8W4ql%1g>4GNMq=2UzPlwts!}Kk5Y^JM~N=%++rj9r3!2sg13TtBtRo zFsFnS!3e6g&REt~hfz9(TC`9NMnz!_d_FuHWBQK!E!q9A6>C;ws>gk%`IKHXtG)gu 
zVn7^$iIOj?&eI{A_{J%l;jd*VO5AK@F>0hzbIoJMvcn1=1{NTaUS5U0z%0pXxX6Ce z&GHrq&s>sS>IZVmn7(`IuIDo-&FzBX^3K0m;T15b%>9r5x_K!cmkn!tj+9TBgFMFw zsyQjLhtbQc!xj>3n_q5V#O1P9oQq<$P1Zlc<<@*%VD`=Ep<2{-Kx6^E#vCTY`;4FZ zGXE&Tkb6bgDIn?`SfZq+5~5roht(#7{rtE~7T}9!g)}gBp55@Co3A4E{g|?WnX0um zGdXES{}t3Sqm1KbySx%*(u{y@yd`3+`tNG~bR^lyrr|6wb^i-)%VzZyO79>+#4bql z>vG_i1Yk|xseLO@MWE@|{b5y9LdwntQRg6{0$nFB4ug2?=a5ED=Tsh*ocu3Xw|5-O WZadeVPdXm}9~lWn@e6t_ZgcPJ1jR*DvPDDJ@u#arBiyF+o8;O-XO-JP5FyZ^m= z<*bvFwQ^?f*|VRSd1ihCRphYHNzvip;II_rrPbl!0F1DU7Zn-yi-xMN9_$8iR+p26 zs~96cfIT2uNGMCd!Bxj#JR2jyp3xlTzd6IfVfXxZ0U!=Vrf_i1@e0xs8Xg8GZ74c~ z^Gml5L!PRhZ%~23hqbfo%gpVW?Q|Yx)h|DC`qv0$Z~?_Xx(rOt2)&7V4LYOI(Q~E{ z59I%>J)L4TzKwrMn`E<(Quv%xb9&Tlc9z0xGgl^Zv{ySvV@YT~$(Tpd zyR)t?EO^9Fp)%SSd1+7&q79PB z{nHfx7C1Y zKcFa#BwrF8z1}5nOAZ46Vyu#j^YZfkEiEnWNGdHUfyuJ7v^hC8PF$|CRRW2i>WoU< zfWr>eXp7y_*WIrgw%)ury56oYy3e3g!BBsmVB1i!38=yTSImr23pDXhEy6E_v zOXrRFdiz_%;Kh>I;K7k`@l^C}=Y{6pIaK1_#Czx}L*jmQIp}=Z9XT#^o$usi77?Y!MP3}VFLdb7vfh1*S94iY>(V&`N6kWA4G$v5z4nb=)>`J>eQxIIJvfw1bpQ0%-Gc*;yN~>^=;2OujCabk z&s6Bj@^JG3`5#-mZ=d|FjctxPMze0)_+o?#b|^gcryo`C7aEV-g!8sq#$9ZwCIt=N zoE+Syo&JjLnB@DMe%fQ14O;x^^>9UTC7SkaNwwC@-A8rtzGabW&E(4AQfjp0gf4BG z@7tOIGg-nnQA*LZ-E(W~ve1CT7Rm6{X#8ifhKGBbyNml}5Yqk8!03HM&|>A^H(BVL zz)y_VtvZSmxwGz;ik6GD{Z$XB8P1Z>Y47)*hApw%?-$4q%9pV3n-nOQVQd~I3$m@B z2Z;R7I($EbgJ3{Xja&IQe>~>+=6=|5C_>qD_3Y-}@X@=YnEcrIxE?y}PuaYioj8SM zHf_-|>k;z$n(*wd`-;QdbA+9C{%cFi#c?elX2osm(|Fsyu$x$O^lB)F@XLAe5xb9k z$7stnS)0;V)8CzyDk7w*!c=I&NvGDc!yG5eeXjfYrQ(Eb6!PQ1p}i$^)R=F!t0Co3{$E{3 z!B5Agd*W@AvZA6`y>H(DT;Y{zhY$xD1n?hU3K{O5RyLU~ZzqgyGzt?wv zT(;wSExhu1-i&ZKhh~lStBR&a5kXDHyD-j1d7peQL!B=+A<*?c)!lU&#k<_`0mG4g zf7ev0S7fo*a1kQ0Q`=kB=8?jmDQp~1?5`X{XA-ZINzRl;%_=1aX&YmDL&h+>pm~rBfNex6?qjf!ZOH)ZmC|k zy!<<&eSSUayZ;W=^sw1S_TjfC6ZAapo8Q7t6}g3L_BfIH$mj2p_ogQ(c-B>@(sJ?p z%Kq^*bX@P{BIL=yDy>o&VPerntU0p!#~A~k@7Wj6H3wb$rl@$8+cv9?AJebxm)jlY z(81hqqWWz(@{md2XNhZKfBDDd(ai;ZDt7;m?qV)ETN@?`$6X9nd^@YIBLH||JGo^g zPi6jKO3_gIyK8};5D^CQf}2*V+Lnvg4_A9qQ@4N94jWk#q};B|+z+ExJTVibY98)Q 
z{mnKwiqr2>hTim7e;;lC`EtXs_?&SE>4?&J(>S~2N=Qu1DJ#R=+1dF^qQzab9d@{! zQ@jiEBFc`Xx^dv z3VP-$e=>dF^?SsTmN7Y7Lfp8>B{TFb=hx6H7eMh}ou2NST|sN=GoAG{&SgXfv9u}j zlt=-$zXXG&4+p*@rM;q*qt{05!Tsdk^acLo^YpmIW``A2tnl*f@8N~JMwb7n3G&R5 z8`*^*;LrhKZj%GCNX*4B9O{zIqffM18NaIxKZ6pzT%7#~wW8K9Hg-gKT}jAcN1iUy zzh9^xR0cn~@C4ZKbcK`N?Ad!?AT@ox>cHgU_J0kW#zhs)6&5gDY}L~pKRC@xm_Ors z8gs7|z+s{?U_Z&a;{3kEw{w+`5)=m~1?e&RapmNiFFTV$mWcRqjmS=JXS1ey=hDX$ zrTysxQ2s$4MEk^(Y zN*`_wL0h|9`9*|^EcUX5S(G&aeKV)N`5rBXrTbg^L~A2!=H&hk)v#6IhluM=s_+bv z1Lj5kTea_GX0!U4y8Cw9pX;QRwJxGJ%74gj#C7nM*M*|->OB^TOoN2VdG}~P)^lyvZQ$JPi%6FefUg>t;j5z*0hXUrl zn4P@&Do>8~ti()Re`kEa@g-VUy}lcNdB4H&lC-YL{3aG!mcxE6=;F8_zbbIrelgM z3x2}J7S3y^;Oy97>n@wGX*~F4U+KW~>a(w}B?*TEcj3XOOuMy$yGDlTy>|S8_;xA> zx|FMJ*WH)f9A77r`<6Pkv)aMkmo&B=y2W(Wx8EpSMwc|0scwjFpQ0zZ{v2ExU4ofH zxr~NrtX@D0p?M~I*DoKY-3?SIi&MtW6y)jy{>!T?dLjaXl>ovZ#pn`NiCN*)$A9vQzvAhOK8Uv+wIgxhf%EL~ zWthay>Jcl2%4FToW{G)yDP)zuBP1QztP46*te8J`+x_BLVLO%>ZZ$85BrlQ;9OaKw z*7|G+ny~2=l>eHZ(In>eB$QRr^Q`>H>&fjo#LQn)SkZ2?GUcfdlH41P4TC_Fi&uStLpuLeB$6V-u z>!EI=%6Fwj+>}%137!Af#&*kPE9?47;o|hC339RLD z4gSe#Q_#fJB zw!r}^tD=Ja)7kl~vji5lwugm7ic({gMOgoOQG@vX%^8E5@OkmU+aYQ9Q86 zy9XkXBw&LvprZE!Fd!H?*jHYv;C!3H-A7Z znmeF4SC?R;J+=5K!GDsxin_bI-%(OVmugokf`7>O_4lv+E=ZM9q>QU+ZJuu}oo`LE zKx6s@maT+D7>;ztpsIHqw-KLVXZ)^!)c-@%%XI<6 zjjaIZU-810?Cv+)uq{lpV1pqnjn>m-yT`_r6=Kl=Vo`|4yb7G6y!^gjhM+6D#aOz8 zqa!D~L8}K&9xWXmz5Jkwx-eE(O{oQm%(rM6k+QV;XtcSt5V#u>z+r^dy;&vF|1_mV zNK71t|4~KwojSR~Md!n48sC}A4QnnVCFfpsk=)5HFTk1tU|m826hQ;7^bP+{UCr8Z zF_e85TM#OACQAOK7OzA#f^nX=fA(v>pv`wm|C^SY%l-rnxxi29z?s3gkN=xb5{F?T z^4P;6rQu>+E~6)_Vy4@@$ zC)SF+BcNLgoSaH;XU_xm^Okk~ELQ!jPW|==N&BPxGnhQ(*Vk8f>b_MG5_OC5%)Sr| zqPz-9IW=LUF*O2Jp>-B7AC^dA9d`FCN;C2ybnx!xDh&>b#?a&yG3OJh%X7X#NXV9( z@$)I`K>(&|?GJ2&;PC>D1Ah2MnuyCqCF-#B}xXgv3YZGcolC1gS0jTxXzlo>5j}GcD@-n^Nfbd0Ef8 zZB8CMWqi_$pyQmcsM~K1Oju82D#ZQDlo>}qb6e-Ur-G*LeRtXyfPmt7e{O6g99~Fu zPR{h7T{31`*)NXT`0=VD&jcY4?bv4`ff?|?44XTr&Zxkze_r2-=Tml|KFM$?LrJTh z#|$EcVsTuJKR3G?0AjGXP@B~eGZX^slvKMc7U_>MzH}~mLe`rZ$sdFxr@@`ScI3Fc 
zRQPWxlzOqD)U7uM42XH^JsjgQl@-Gqbqwf`9`x+58r}Z>JSxE}-5W17=c(R=eZ56B zRgSG!53;Q1s=e7gYL0GKp-*|WI<;>Mx0LOXe)e*>vO?247ABAJ)V3mi_(ItFJ!8{- zyE)(Gv(jYr=dK2Tylk;~{di}-I%G~nKxtK5U0--1Ix}Gmw0eq@g=&Nrx0ArEtgKl^ z#nW9GX=(Yd*pxijHv_N}H;l=cC5Nmrw+M8p69d(I(^gycF?q0egxg{v(JU4d+wO(3 zkPpPFj~VpGUJyAo1m$&?ad}rWm0)ZBt|s30BYpTuox={AMio0&Ww?9?J`O$YU&M=0 zF=@kAqxpTl><2KszC-zxdwIxv?Is$)>MR~|9u+#V_yWJ(IOzZCH^Q$4n%ZW(Ci{tb z@T-7OOC!?}e>zcL!t<-aUs4S%xLHu{_wgSGi+>Bw?!u{R`Uu%rpIN<*=E~i3ia;PZ zrtnR`6&OsNF6#T3X`kuC8w1HM!-^l)zDz|J`U!4D1D2k5e?(*qoEcs<&+S=f!a3PA z%fy!1n+)K0p}{JYbOxI7a8xQO2lOPH$lHZWj@b)fH|$vLawrS79U__|?@+UUAQ-FN zbi7N|!P<=y2!8opm&b#W+lo#14;HOnZu5Le@kC^~Em+?kWW1(o!r34skO(mh?a3Q1 zidP440rocP7~gY;s+42)CbL-;@f|w4J(2K7ioxyWtIb5&GFOEtI`kW#9v-=0{=J41 z&sg&XD3wVYvmz5{!#sNJKHK+yMlhUOX!CBE8C~x1@0c0g>iT)Qd(q06`E$aDT#=IT z%@0Ic{}+xo;D4V8INpbB&?fs@RmkL>G6yg(-za!b?E`NJrxS#u(|#zSpqeoeJHq$Y zcy*R}TfZf+y@KdeRy$l6(|sYxmx-YJ9hh7Mo2KM9#>ctSpq?6nDm)%m`feL|Hc^X9f%7Z-Ifg!Pw?7W=gQoLy=Sb3Oa z2Pf6q2vBqpgITm4WHDizM(Ds1f6C8gQ1ZAE|c2|9FjeJ9{0v@q^OJ?z&^rYrI|RKIl-Q1)E; z1x*dQf3jG{mCaUBkmvVm$qZUq3}0}AM<~!wK%V^;x=R6qBodes?HOkoa(7qk{n$Ii zPyR>u&|c~or5SRb;)XuYJhH$x&LJc3fk*yiAAIzSUoV z)mDGh9b9;er|=H=fu8^;e)%1c<-A*N>zr2NaHrD3j|E)9{WD+Ud{bWgUTA#sd8QToezal>eB!2V;c?=C{M+9Ja1!H-%RFM~X1@RLUjvHJRKha3D3x z8w(!7M=ForGvJ3H79``-hvSqwzO+N)jFqURh@p-xr*2hADHyi#mk8v>0n_C^^6DRdz-9g;uY7NKC`iWdF;*Iht2m zZM9qervNjN|A|1@VMAb)gP(zzpaHkef6kM5B*EQOm3sUG`r2{rj*CPqM2wm2=F}2@ zI>HS6`~7LE4HwtAAy(J?<)>kgVgN=GH;~=SUD8gYy}kX;6=rvbj?*xMOAxmCinZ+x zgN#FoINme(Ln(Ly*sfGeqXFY|$$@3fm%4d*Ni+iGm}cYM<=m2zOPZ^#ZJ z<5>%c^x6ZC{=j&tz-V-Y{>oP9rtjDrwgzpPJ*1|0WY zmrF)$}C;d$1Egd0598{1;Bxp#Y%L8DOR*$fsSKsIp8ebe*gZwKbE2 zmGv33*%fZ53UR#cOkq`+qjkm;eU0LN6_C&Od0pC+2JdQipqOXVEgwxl^Tzb`i8F0_ zrNFL+W#Cy`N9X?cH7q2~Zvu{fw9y@7aG(+Qd867S9Is0kZNMh}8*iY*TH1{; zR?WPdjr*;Bw=5jlRBMK=v`fx4Gu;R)X1rG#VPUNjOUL@NDJxaLDkI;cIaO4dL$2EiLOAq@1p)pq7Glh5z3E$ev!Dt=svmc_ZX*6%B|#Y20~# z=0m8O{|SM)fwZw4POBUmtzzhdEeH9tKiMWE`fzXJaf6)O!Bxyzu^Aur2&d`K4@L67RDSG-v1w+Z!?k>0 
z0}}s({|7z#FH-;J0enY8_>qqEAbo=>Dz@1V37gP3*oUN`f-0VE6Kf9-o6n-p02_6E z7T8GsJ34D4@NPS zxDZ^5;Jk92PrZjR+8@T#q zz=kBxw~?FC9(FX^7Xce3IOMRy;xtJK7F6f|mv z4Udm+XlOudYpXa;-c}aIFxza3?KUH9wHafx%>>&WCKxHcz7IBGu3GSj%D~XfIz~!k z@X=`_G_|#(iwf852nVE9^y1#u63Wv)oIu7vN>>i`Xa+br|6Mcm?O|U8H8ihl46?_US;E`Vi=d5y486pZRaXR@P zUQY(hGl3t41F?<359zkG@_`FUz>mqeyF}K{xfI~N1i+{W_>B+n3i(Y7fl~yheb7)dFt>5qOSZbEMCx&jK4Cf{jyHD(VO4&^xpFrNBlB znLX{nh9MzCL+L+Ehgm^;ItUD9pNvv6aFpOt`o%s0L;!}|C&_Yo!i)BmaM37LKaB>! zD8;amt(!;QXVW<_g@(a-l(r6OgblAKP*+!Xpx1|M5r;auAxl#u zIM`buyS580#gWKs7{o|*HiCi@5aK}($Hx=5Ox)1aT8+@y7?Jl^Y10Io(#~PnrIV$W zQv$D?GI-^d!8NlO5d~#9L!fzyz~Nm6Tq6s_hGbg?SNS>5Z?y8OHfJZ0M5n& zug3$v1d!Lm01tA{rUJ>Gz!id02p#(~0@TGUAg-H0l}I3?ykGqjh7C9I{p*n)x!CIc zHc8WOBI~ol#w{WZ9b-!vS=_;OBMUXy@X+Vm_&i_g)C3#(TQ=%oQ9?%*tTJebqLNmQDL0Y*Gs0o>2_<%o4a|l)x#ykYH1e z(`3E8K(I+}1#YB~RYOon?<32E0CI+Of@DwD%#+T*hZOHj;4rHq7!g?h-^RdYvTp3j zqOm6TTV(P05PY-icALa6UB>V$m+>P#0{xQo8`m-X z*lXjy{du3M87(XxRso5~ZXQJy4}Io&Hje-{O3OwDg(g?2J(%ndm$etK1`9Qq+z&2F z?WH4EST-z%&K`jFMxc>Yg9g6gqX9PTYJ!ZcM-7`NpLqor-1G3n`6&F}GzsT*ZE<%; zTHW_(`|>tTuqkNngI;(#EMv1_9+M5zs7&aEq`)UNPgpju5pXOB9)E2|P;m!L2`1KL z(VQR%u@&Q50(_6GmGkLj(bNIAa{za8uQGfpfcGg4TSDItAPb3L<3z{X6KuR&B-mII zY+m~lg$>uRf8jcf^3q}q5A>k7yYonoK>fYl=xeUTM?M{R(o^$q!+L1gw6`KOIvFqD zbjQD44aZAXnRx%QF8=rL{+kLmpAc*=eMy$h!9JUZg~|QWNZJn^P0|D*W!(O-J-A3P zp?wkqM(OUQ*_+V02OI@h6jDOxk;3Mi&%T29tkUqG-|@%KZbl!$<`He0V8dT49h{uQ z@bm(Prsl~%i@vdGjL**F5&`62>7V`SKxr_*cL)gIAq(Zx6yTFssn6zV0>yW{$+96R zeGm=&vnv(Qp}=XfdY+@>{*4NSXM?2?ZO?|#G5)|Yg4ml;z|Z}Frzq}6l;@w~h%|=H z&zvWy0PLbCbr)Nk8xJM%Rn_%1$pWW+UW(~R4=?_J;MU>{=#9SlqT3bsKZ|g8BL&34}1Ip zA5S|h{2*lHI3-9V*vR0~B%ahMgG7dj3?6mBDD}u;^NvL-{?l8&WZ6W0CfMA&vxTX? zT#R;QV6-V1^X>j9EsaNGsSECH%}a^yY@ofdiY~4Nbu~2@o%{T&2<&XFV_vmfK5xr2 zBb0YF8oKueC4A;>a{<*=RcP)Q-u=quVcX8yA_fMeb4?EQqL=)`!y|Z@r?#~`N01pq zZF3v_Ko1Wa(;~7w$Z~ll;xALbBfa7OMZjhW{ONCbt+yo+uBo71z~a&})$ZwB>{sn? 
zZEuV9-}rxNS;KMsf5nTAa{hd-nX( zXab9-6$1_&dkAb;hXdsxbatf%n_YQH0|r>iaCrp*b+D-W)#D#2Z2tMV-{UQ_WccG|D(%shuZuN#1%a()*l#-_1LVri`4SgaU1{!l=ADN~KpqJeG0!%%EVQr#^ z_~JGxkkaix0}mvSd_&C@NG)p-gARDxobQFbp+4M$!VwXbjCs}VD^JV$4YgK@>snu! zL}NoMmWEn!`|@oRS2v-xrEM2BJKNHzy?bI{gYcrKz66<79axzeMRRi}YFauz6KwcW zIj_HD@haNw1RMF=_75W^Y#0LT3ls3MzYSAM8)TI?pt>+0jlJXaZb*Yrw$`Q37jN@9 zmqrkol#Ho`HOgxRo9jzR4e@}Hg%wP+}^lmUn_=}Z1++}fQk}6en-r){p z=9FS(c?y2cu1L!*p?}&!Of9d8-<*%*&v|U^(2Ggu=LJfqC&n>4vq1h8Y;3905Y$%J zH_3kwYb(Dgyo_Rq{O}~q*@remBJ>p?t!_8>_?E`mw=Xw<0Iyg9eP17X&@2`5`$JZh>!iN7*`997zdlk>WcL{^j^C%=xx!OCRplJ+a12wQRH^R;97jQc;Rmzw)7kh0K_b;I>Cmh}x z4VWEl6ho)=&23OWGKZCk4%pIhCT3Qs>KsOl%{e^x?j>|jadY22BzjoDH;eA5Ao1eb==bc9DF z)A=_r*j9$*}QocSl`qjp~=syzwVFJ_~IA%X@D4_iK@Au=!#~ zqup;J=Y!|Yd=^Qt(F7CqF!gYa$0>kv|K>AxDPC<-r@AzO=8=CqjbZb;aU%Y=m)-Hh ztKk}9!~d+KqoZPCCx5R(-d4p50uIs&0zFo^(`|`+y%rcP-M@kWuL5mrt&OUY9o!u& zgPy(x7B}bMX5b3OSFE!iB7*#&d&?5T^Q-8tN{3HoE&7Th@%{-d_<304wwXCxt=!Q# zv5t>|IZ-ST;ih7o@F zWWzPSM0NBXINmZs!N6X#T&A}fPF}Z!hqVqY+yoW~k>!5%5Ha9s;_cno@-HZ?0?qYss23u@#-rW!d)WZB6)~QCXY2)t?eO}nC zP50vVmG|J_8I1PMZg{#Fp`@x9mp}awUfy2NHFZT^Mm$U`9T6R1hqtckV{VNuaB~Lc zSGADdI*EH*>)@wWof3p=Iz}+MehKyg;jq>|4$p`}ggWcvf@Lsj3L@Yd5`l`uU|hOJ zm5z!eI0XixHah{g^sJGZm4U9FA>^k;LhI5QI7Mb5#?1gX9m7$V7mu5_3}A8VIxL*r zVR};=-VsUYr02??YtRISFGDhH+zB@P*?{|PTsAx`Y<_*g0so(OUGcA1Bk|@VfXyHB z3Fyxzws`gfLqLPAl+OU6JyHC9AR|i*e-?VMWuqR({W*^uHorHF$JbtT#SborYJ?4^ z=NFCt(fOZN-c}YyG1F*_%~k_!v>0N&g;x?V#Bkx2eQTp}fo@@T73IU**cmB-t5-1n ztFFRc&jG7c$k<&oMD5rd8VaJIXXJqL{51FxY#Nh&aKXTnYKXlU8R>$hwjtVx2}6}J zxa}FK${TRB)kb;$BvR=GODigarIrEO$!NJdUJoB@HyGVELDdA6e9N71vkgZ@VXF8( zzq}>;SivqNU)s61g8-9TF!G2;S8p%ICkNs0Y>FW=GWv_-;FwU0b-D)^s+BJEHo?g? z4U5wa@Cy$>B!7B3Q)N;`EeYZQysHkh9g7L6z5uPEz zm}Uctw$73WoW86L7b_EZMC7V9Lu%MI7f@c`wl7^td>{-=&EY`>WWz9jEK9?7cLf#o zt@KvhLqk~^=C-$x>}e0bxFWJNYB4gWc@=MNPU0o(KM!nHC%Ry)e*tNQb(k6-hL@We z3d{20?Bs&g^#!;Z8RPbKW285b8NM?N16v!6EztkN_B^bv-#}cg+%LEdyDP_W(a0S! 
z;r;}URJht%V2Iwk#;i#AWsePhJdN@e zCtNIV!N4a46*=)ptm!7}`zB6k+aoS25DD2uC?X5r)XW)81Jj~;c7sROZEcF?wlA|; z?MsEtJFfWFl?Z~(ErQLrzi`+vXe8j+;t4MTj^Z=WpGTUT(li0%a2*CASqu`n3GLya zBf&=b+2_L~z@r*G@W+A8@0{`73&9#;!_8-$IrrTtx3#57bd^}6zuZO?j2#8$XwET2 zY1|Dg%#5f~@pcD+{tjrK+`*lxMnps>QrJDDhPc4o*a9ZH&eA`;n=69i(=pW723;cy zwDt8P$iWycUY@A#m_$!~1`Lf%VQi)k=eR;CYuX}098opAj;--pSUCElzC0IZrY5kk zvqSU93`SauVQOp$ODZ_3y2r3Q+<+T8#%Ld35y$VWjf>AB+c>)-Fg^$Uoo#S7*M*y> zA3FMnkP+*T5h_GhhH9Z>WQ)>@JS5RS&hkh%BBM*OJl~0^lr+qb_Q6W;8XUbtP+eL= zR+JqaY^>m(P>zNE8t9n0pu9W_>BVJe?dUrQo5?EN9d!~5o8B9D#m0a$?hHGiuhNmy zNYB1B)t#)XGT|>v3xuD4EHYBEF*d)2(Ut}@we*T68W*n!6la9ssTW>DO5-r*hnnHx z<%Q(@W~^;2BPrAw_SRUXx$S(guQ`u$2<#xT)a3SU=$ zM0ncJb-j+Hibk}yH(;Qv0StljpKR9M;Dp|p7b-L-}A@%2DJVjgagKvG&4&*2o7${!pTM#dBwT(JK14+W|S-lL-_mqK;Oa<@$_E3cHtIg zSMP{{0S$%GxO`Cu8F~3AC@n{PfH#b-oKaF%iT<7zdS`B-W0oo!=|Q+);)6=EY#f6l z(N~@aYllP(bY#QM*AGSU;kc=5hMbZz#JD>`%g_~mjz+lU7LS_r5Ztg0KtVzXLE8=` z<(24YX+~8=0nBtR!^X)Q8Of|C=Eb7{4 z;gJ84!{!x(IDG9nNBqZyAdRrO-*)HDJ<);B+NJ_=Yx|CHA9h<_lnQ)q!r^O@8&I}3 zR#hGDJD8uF$F?fVwdF;ubMNgT+r2wd4x6isSX$fb@7P|adtO#m;c466T*Ic?bKe&Z>>?Nj|5hc{cN-<=E`C#JwI; zpEd6GTH$WDG5X7Fb_Yr1#XA#d3&?j5Hd-f<-!+CrCwo+MFQPd)4gtPlFrXTEQPVIM zCR(Xx?v1gDe%v^53hq?sU%Yq;{=UKR3CY0NKs8S480^BPCD$KsetHtxT1IFcSU_V+ z7@Pt!F*Vr-2TK!&;i1L}ODOrsr3%x-^g0mU;{g522;Gh0@KU zzPbUkOAE+L3`1ya63QFfu&^YJEZe64i%&fY#uj}D=^r4KV?B{#Np5G+@bmlT4a$P^5ZjUp{R0&!GfXzCfp z;?w~BlP6$!dL9*7Q3wnQM;BFi3R9vHomPP1{vK48RiL`629*T7hSq+pl69jA6kmkC zEZF>tVDq2fcEvwm`to4ID+WACz>z`2V*ef>4u_2<{0A z%Kan{krtK>St`3y0Oo#rx2g$S~P1HpNARx6KBV8ph(zQTcQwKYpmNftv`AvXuDL!T_KDHVgOGJIecm5j!8DrnQokl<#A;3BEn zDAvghX19#sm)1#Z!3INvj^*W@_!HV(F_H3Kk^E#S^8YV4BMQ;AepQ>%7&iauZ5RCW#c;fF?u&(u z0F96x?Msl6L8IQ3c0af%by&K`DL*A_l;F7ELY$i1{h~1S=CcFMY4SdSgCx(ZISe+M zn%EvWY+lrl!PlO#$G6W19>L}jZJJ;+(Nlo#{2S;m(noKBE;_Qc$-20J$`m6ifJ71$ zC40g%nXQMr2=%lDF$S%LkuWr}g#I~g1jnT#F*Y0)Ru*V(YJA({U99Q;F& zR?vXajv5&2>A>C17RPQ|U|E%SU2ZU(V{^#20y6_cWaJjW-pm-D9(D*yD8y)AD{Kt) z;py!Juh2BCEY8AI`v#I~yT$SM?yMn-3I`)oCjarjy2z?KTQ(vmVbnOYzy)E^%myNc?j 
zp3esx4F&3v4%e62jK;9}=Eblt95(Wh=WnWD!;lf6@wOJ0%pWoe?LkmFY*MFE4}uKu z?}e#@g~YH?HmQkW&jb+_IAqvJIyfLelO8#2UeJps*x2IR=K?+#Y_?aYu)Q*lyPJET zAvoGJZ<=7Uv%QJ6l?AM=E>dlFfoj-uSeT!|>hj*mv+Yf)EmQ59H(rKCo;x(s+l#5W z72KuT?{IG?hNh%rR_7-$Hp@+wJLu}@z{r&J+bm5Dp|fuo>sx!H(RQ{ruto(1Z|lno z*rJGy#R;@`bnVU|+FYKd!lMJ5s)JVMCNQeXQ{D!;I?&!dB;~ukgwFPMOfRj|d$om4 z)f}YN`APBJdYs{Koi;d+eboCCQe|Usm@Xs;NMg^QBJ-oQQ z_|jnWjw_!0f?>mu5q&jcUxJN15{-ee3!8@k&f`kI0yd8+{CnXFXej*mlM*&c07=I) zSTuk}2^-;>)4fPdXiC`p6Mqg`1r)iT<{!ybAC>mUfz5Ai@$YB-KND>3?rdVRI~60H zi5RK(#cYcgii=}VUt~|fQLWfa+tSn^N{S0nP*{QaHM!B{^KRSdp+aw&OT_zZD>Fm% zkcv@WUWS75TCDzw7;TzhbF|%mo1K}Vg6j{14g2|@fZzEeJ)HQtv30{k&bd&ktgKZ1 z5}G$IY`73wr;5Ymx@Rn;LgD;KRTO$dsJ!w*ha;%hJ4<8My};&;cc z;A>AlhX3^P^Y}kLdI$gg@@f2E`q%K+mU{SGM-%){SBrv`PKAwSABflO&|Y1SG`?Vi2Pz-NEJse$NiOuf%ux|9}zY-__s5D8ezlj z&wQ-KX=%7scx%S44QFE5|`B}mWAhIe=(Yyy+u5|NI8@Mu`MyTLv%01jaxaEgk6Q(QEh z6XW2L91oY2#D|jeuA86=V>dzU?h5b?|GWzAAJ4@qtOIxp0>fip4JQ-t{w6Vx4*#Wrj`k;@(KbYHdL)~1jaS5AP^Pe zg1GW7tZr;!bG8HaCb}@vH$Zr11ya0q@Z5Xn(LXVRoP-d#+S?+tsuPtNUNAE8K|yvR zEUfflWoZWY_#(^Uqd(TAL+sBpV>x9O)Cca`^8dK{LLyZ zKjh{}P2&C?PQ&F3mlaBJI8UKqKU=2vcDAU}N1}@2Zh6CP!u-F$O|4Yv6WXLSM|ud! 
z&x&15ewApO9vs4t$jbYle~h8eFX$3%o+8*BV%e}c%^C66I>*PyRiVK_JfG92cm7_l-=)aAz@$Ozp8SJqSw^Pc+t-z(1=V10|7o^W$sq^|Xa9 z!6Jan;mqcFOf|$o*U4Ap<89@Ds4#Ch`9zZmvj{gIN7UqJ;?_-LjLj|~$WjZJ3>@KT zbQ!iGS>hPpR)?ygWoae+#SvEUPp`#PQyzSL3vg$tA3iSO2y(TCqi-?+ahpKohk{nqDD+q)HIU}!I>abq!D};-82=1;;!c^B0rG=Sd z>6q5cU|iI5L-)WS#>mQv^D#rk;2liV#lplR7X^wRQHdZ|;ar?e)z&qQ8N|lufa`t*y~#+EpCb7M`ES^JMsh~oIVd4S2{BA;_xSWxThYrFX!X%9BvzI_3I<9O>& z4>tUxagB2Sr=7VOZ5rL>PUx?6LNB=;MRsV;wLn>-9v0`uRH=Blt{-k0S;E=P8};?& zNXy8hvTGKh0dW`~?S+Z41zHD35bbUO2Uk~Awho{=HwvxeJD6@s#_6*k!_3qeA(;)B z?xW-LYpAxrgru}Mv^Q77&e<8^X?f`D?1Y2aZ8*94p?iF9S)KLCcDRRx3V&;HEQ%V3 zu(LV^H!Cw(8dxGAFbM@Yaj>(tK~2{HnzEx|tjGV;SP;*s|IVdcLbzAt3Q*8~7N`pVM+hfcx==I-AKF>n32$qokk^HMR9RN;S4l40|$6Yt^c=2!moU~|8XixDo~glLB+ zx~q!6ecKMN<3vBKY9jpp?cUz!0C>`yGD%NmJbYr3>1C4I8#Qg4s^PlQc8B12cv|&M zUPOQ=%qa&A@H5bKsbAEl5jGQ5*co;ps@MPooV%lLz^J2Gu7NHq~rBO|fFZvFW z0_OS&cPmr4*r;4 zoI$vg9()3GkW-j~!O=0Khx)+Y-V4L?3n)_l?=d>mk8p2Wyzurr2u&@;$lMzJ zGfiN0W(8|obbcx?ksi&$S-#MtOK0c1^7X6NSS z#oB-R9>LgPOLJ=*O$Bkdaa|YjNwJ7a&BxN_JM!08)O;HPL5(|WSp$0CHid#F+taWttCVS`698bjsB;2 z5!w-qPR>v{u!Y6>X(~WR2zq~BbF+3~bNpTWmDyJeHedF(wYEh6zz=BR`3i2DU^72b zhRq%e-0kMRFDvYHTVSWtNGw;w+h}73J~(j>uC88aA0C0T(G}DWO(Ve466LiGaPg1A z+)N)%zxx3^e7tex$~Ae>|)H;tmVG!Acla1p+q4mf|)7|XlH%QkGRwNW>54_iZp&^NTf^2Q8Y4c)Lw#degF zKO%#9^=>PSF07%WJO$3Ndkda^-c1Rch2>4mEmI-&5Sm$}S~L3z083OaX|K#77<<9d z$sIlPY8558BPgQ+2_be!DDM%4-4gu^ERHnchPfs9?VBEKhnJfxw2bUf)!Kn@4;NV2 zc_TeL5x&9UNQ?`IgR>t2+6k5vUO%)%we?NRF0KE`Yo4sJ#kFnx;0Hg%rzcKfnO9ZV zxQnKi&kvi?<~$f%o1=ex5%Xi+h=_|oYeNb2wXQ+u=1qF;)#z=^gOPzQu3tKZ^L9b> z|8Ni6OG7ZE_qVWH>N~wl71HjS0@&MG!ra0Q6%AEzFt`FY_i&v3=oNgR?}MVecofxC z!Tsh5e0ecGV=T=)ZLyrWShO0q2E5UI++{LV&NEn5-G=Z-T=1amQX_O)r7HuI(+!-FL1^(g061} zx6YnNTyY0xSGF*>xK5z^)7LydOLCuk?s>R-`4Mcku|$?l;}-y%sg7ctKK>RQ+``e` zQUeE9Ta@M}z|hJQqn$M{GqQxOi4977$V#k;#SMEOG2LNvv5F;5m{N{A;C>&H-$etQZ%K+B0Q}H^#y?lh>n26Z9QZ( zjstf#F)`4I_y|8-p}c(4Dv%r*fa1;pxN4okB}03dX`O|gn-7ey-#~In8{LD{@3Xol zji}>~-5u<2`szpto4@+X!sgyxY%PyqV{s7MYhP~X`k%vASKo91Hj@Ko=q@rrA6YWp 
z#a3v`Geuq6EmUXPi}>lTGF-lX6VA@g$gi$NT5Kq0Ht!)L$R7>eqX@J!K}=a2DiQ)< zXy=UR%qsLX~vm=O$3=yAZD@Y4LZBqlnecb3D%>$hs zorrWZhl9I2aw|F%u-T!P(Gl%4^jnYDAu2Y7!tNqD*coPqW-v8yLvdL?99$d`l9Y|% zz7}ZTHbU#zUjNzW*<{#s6KrM(9Mg*gl84YFk%QgY6*_LX4QD?75cd8Na5mS$8AD&B z#QVWNrBuuZiz@EI+WHP=seBu1Eybx@x|pK}5Nc}tijju(w1pSs<={F_`JAh0#p|=<66Evv~r|*#S6f?han(c84rx zTivVhNvyy&uR}M{1?`ik;FDB@?yes6G~~eA(n`#;i*U66D169R2sBBSwOzn%`wpQmcHn)V?;a+qPefE!ktxfkMB{dBN zHQ~;$-$iX<3Y>z{ z#cy?IYl;5RJP;BSgUre{ovCp3M$_N|<_L(B^Xp#;@$*?+zqh+Tw{i#d z&7Ti8JYZtHtBRg)6cz|POA|eah>1XBZ873f^Dr~m3V;82G&dGO|CSc?O$Y>$8KQr7 zWo?5h1}(7Exd|(4b3{;~-&I!tLmh2cxCWuEwH7gv5m?yXL1RuNbZxwmof(6?x@NQ& zW+Sz*9UZl4WS!Jvq_GgUu3mz3U<`^fl3`+I21BYGrPXw!Au|kmj)CZ?FN2xhHJCg3 ziPg;A?5yDI7l`!OID`d;A~G}rf%GmEHVj}>_37}hqGZ_o3&G~=f1Ey>`@@EZ9`Z5j z8?PX+(&vPG)2>(@a3nL>6hn13=ql2~ioAlr-A$NZ{}d+SQrrC!y@*`PSski}OF%Rh z#S;AY#QIBek+el->+%XW_}szV?3@T&q#M}nsNSKP>df9en5Fq?)D_0VF*ciE(}&)X z8M+55jHaYK?=B6%%_jr{++a`J44rGYOr>pUqyZ+k^bnbvh4hR(EYJns*;vB#oLnQn zhgEuB4Mi#N{{OT07eKOQSz;yHHfEan_BE1PFwknr^d%K^wOZYhM$*{Kn2r9QR!i!t zhODYCPG)+H5igjTnVFfHnVCG8Il_Z^{d2Cnzwn6gc#xU(-pkC`7TYdET)%g(v(MRQ zpVTtem*?s48)CkNhdSBxyZHReM z%AZpVu6Fz8p>n(&(`IgYlO^FDt!^DKx3r=3M_Cc;mo^TRG)(f?nZ*s}*AJ8`yE%Cd zt?~Z4>GD?q8zr1sy}`DyIhrtNwV0O;`Mtm7(gp zJ2DaIlG0Ewhtu9zUuAh^RoDkjXHi)o+7fn69a>itFj3*uJj%%ELzP zFEa?pslF%~1V;Te(NojznhXL9e#|zTv!a(lAT7e5jJhTwTurdHv=XJoR9b|~{NH~1 zCbdJ;)aNJT<>f(mY9*a@$r#D8&@p($qqp-8KqqwDyXuFU3o6ntSX)K|*u8|($-JGvRyOJl1 zu2ZLK@rcpIeI}NLEF*x0>-)o8NXMrIC> zSzo88r?qQk$$geJC4+ziM?;Pr>SqvGJgqiM4DlkVqy%qAE0%Wm@wIYR##Ql8Dq(%R zfuH^OZNfr=d1!7!e54OCc`br){g^tsaj?ID*)40f_qXs33?VMmi`PGVM5vz=Hm=UN zS^F~~Jduf}R6J8ksm=B$Te!#bs&*oRy!gcj_k^c2iGNfY>r2DD{WrfNC^UrI*FUFi zMpG5#X>38+*lEODhNlVd-*q6s)g1Sb2m;(~7!Xd*LT3rV#l7rKRpS+#%+}-}A>kEl zt#lF+7eQ)(FQIvwVWIanmW9inChqSZkAiYhwU!cFH^HhhEOa)#gJV~)c}~%#tC3;P z1Jhgd3muqwnr_oKwZY)*wz4dbxzeYrYJQ)p=Dw>80^cxw<=brJ{&jVA42zqTFP=^| zR;QS6F=ea6n9X(*HrgJE`A3Wte|{!6T9mf~;n}%F3QuGEYpSZMvGa{*vbToM zJ~g3lbe!qgMQYLon9BM%S?ItuFj%OQxq&Dug6 
zK`~)u1PYHUsahFMxiKvqGy5pY(gQK_Nu#?W9nZ{m=6iAoOwOctX#7&x$hMo4eKosl zV{EUEa&$FhgCb`Wajrj;?raGIxW2-+n96FBO|>wDSNc@l+u5YIyX#9uqv@){uJqMW z*^lv+hK)?br&6i3OQ*84xrC}AfYGKvhQ)NC+J~-kH|n!(QLk!yxF2mQA*Sw8DU_BJ zuzP$=UR*MhbBlzy*;CpxNke8BwyqvzSNAa7UP5ixBq!=|vWkj@XR}6ba*;5|J7ne* zv9!KSf}bre9`3XZEi*q{i;bl8nV?+`)y2)KU&~gTWkakQ(GJfaFeCY6%Oo0x+&-xVih%KQ={mVJdS1HoFV`*g1Jn z-B?XoLlawb!cD!bY}LJd4U+_wsnnRF21VrLT(0-$S;ay+qi&_Egxs5P9B| zCSN24%F_-xIcvqwr{{TAId>X^(qbU=Sv^z3!K5oJ`LNXI!f3rMQ!Ta(*Ly148&bXa z)h!2Pn8UVuMM;^$@dknZ0o158(SIxRv#f1vem^;M@ygP=@^7y$&ao@VvA40Rbcoc* z3A5q_QDQWN9LR`1RU1~m{>+GXqrYDzaB$3m*hlufmvBf74mYm z33jl=KPH9pf_(btWQ5v*cnMDf6Ly6WnjdP#%|Dz;@g9y0^s%g-!|uj)LUS4!9vWa} zN8Zqpa&KFEhaB#1D(9G8SXM$)zX)t(Nn5`ASNd!!pK-4MyAC#sD{2;=K^Ipym|0k5 zWqpg~wJUvL#kf99L;fcFy{?3cg6(}Qj5zuSeqdxG#E2` z54r~Xx&Q93xE+wg%wW5CL51gN=SIVjCKLEjSpw#6iORep!pq4?h``s|gNU?Bn#-dw ze&|GUgbzRZ>Feaxw+hcNg`vJ?UVrTk((Ag&%ZwHt(FU2pp4bX+wW4K+!RB%T1KoJw z6rkkJ+83Vod8k~bI@rjmth3ftCtT^1RoaSfZ8h5X(mwq&dkoI)GC2Dbo!etzW``l| z^h#eH?VH|VX7zw^t!MN5Hm_hb+Le6uVhA=XQ#I@k*>N;zuLN8i4A^tfZ^>w#i?V&B zJ_nbW3^F1dDDPjSK0c7l!bTF4lbK#$#`wKAaSRH>>fvqTl41mS{FURp9PXnM-a?X- zIgP3f$}(e!OibW|-@HRuSSTjukMMEwA-!r`?7f7gcOcy@rTE7svbHcwMq&g;*WM$s zrl0cM6nYoe@O$_PM$SRFn%^WMuT{BDV_Xo9(WmKY7Fx6U@lQS=EHnsH8z?e=YUw+nWzF5`W>+sSEszEJmzD}Jwb#idg7T_&H8*hpIA84(^5uQS^_CvUIZtX5#(S@RB1a|Q2`Wp zj}m5SL`Zg>@;|IAeWGA-poTklEEt|$V{dDf?y^*_-Lz(4OuUG5%akR$l2SPYyHgn3 zc(by(g13h?^WuHnHjj4a8KdSyoI zXH%IqT9X}n8}-({lKOvPS)6nKSUfLHhG|2Yr=MNL`F9SL9Cq?rn(G`WnFr*xWcBj) z&VjPt@bPC=-j6t)xVJ4OA*p&xlO6oxe!J|7|6xP?56i1+B^{9*iehbDyf3R8Vp&{I zY`b`@Oav?J zS+h1bLVM3?gqk54?rLRXN!t_s339ZxL_t=Hl4`%Wwo6&JxiC&gw=iVCB{@0RU}RXO z>3zSarhjAo&nTaGPX0fn!tf>zlKMR|ssWwy%evCDTifJ%?)qb=UJJVhn zu57Q%4C0=HKV_xaj4$spP*p&E_Y}=}G5DrdFw<9$gS9Qb(b>#S4p353rW{vRn8M=z zAuYm)PcH4!Syx8;w3?pM1gxChNXTzwTP*`NtZ?>l$2+-@xrsi?o0^&Iti##W4Oe$x z8b+5HZ_L3dG>wJvemw0>aq){_diAtHzpo|-D>FOXeM6a4uTzs2guR;w1q}nJ+Dd5b zoff5&J!1U?cuH%jD9=MJN`s~8MXZXFS9wt?EBpIYrTAm*=tx~_KY0mZc=-5XY41n7 
z_>B+tzgRVzGIq`C431`>VP$8Fse=#WbL&beT*`rf*umBc5pIses**rGC)(AMEGeO1Z4f6a&)@l!63b>T0*v(=pw&*w`X&*#uN)`G1KQY?EuP}N64#T%7<3PevA!$*N1>YaC(89D>|TUQ zh$^rd(!$326|6>+W249q_Podp0$ZbAN`v;!q!(iiw#>9Up{g=tb7eximqxPu9`IMM zKR~U^vU0e^*x0x@?7YKB1p0NJp-DoU;L1v=bb6(#S}kwuqgCzzgFq_sE+kEk5Yu+RHy#zw~; zr<&Q_QZq9(r$o(3kuI{lo1@h}+?^ayp2B=5CN81M`kAQ-mbKASbCcsNX&c}7wl`Q1 z|BGUl4%PVC7~vn6MOjvoFuuMNHTQ{Qr_R9UN}ep6n*#EEygzy6GzrVeWI5=ly}Vs>tn=-?ny1(en5Winzz ziOa4aJI)m|b6dhA;~8CCSAb*4aDN^33~UyK;S`2yRg~zXpqLPX_l9!2nz}$ zrKnvPOf@NSk;G(F5ba~ek6!U3|&PgI5 zB8$%cAjFZ; z$rJDzZ_DGq{ngKjtWvQ&J0{+@Ffz-#S=&8eMF8hTs2oZ{sYcVm#^x36XCpHR$Yb;) zv}6W>%~3y127xIzVQqb2!I#;lvl#@AH^#&V8An=t1f^Z`;=nlq9Bgp$_M|93gJ1sa z7X;@wQBsgdZf+Xk8CC4B3=tBUKwV{#cpzRlIQWW}UK9B=)>epHa*;C6;WXB!9+Xw( zQP$EnkakXLlc=>T)cwKbBL~=&6k1A?(!(t zK70)mGc!DcQdn9X$KvKSoV>jF@cqxpE6l~@wjIr#W!!xK9V%M~a5ue&wW}95KKT?6 z;icWYZbIA8BpG3LJhJsB*wF&-_;TU#>>D)PUq{u4jm+2}tHWT5aJ7mXcym> zS70h$;@Mid`f%;jYq-06bK`~uP5l$(r-bmCg%4BfdkE);y23a@Vxq9KbEBxT8kgu~ zO4H)_{GK&7kM0YbV2-(4By}b6{P|BmrKG43XWv+4JxWJzJhyFPlqk=&tz$Np#&~$` zI*wjGe0fT`-ZW)tWJwS-B75Q~7I2)S~lP|oS zt`UZMy96jb`Q^tCX=rKS#(hhwdj_z*cNaTPU*381eM$#b+1}Y#vTpyjRTc#FVe?9c zKFg1FZf;Hi&V>vD{jMCVPBRD`4PDG2(3um&4GV9wV>~dG9UO}jaR@EZZr#E^ID%zi zZxcf8l>v{U!XijZO(HEVo!jrdgLilsruS}8J*e@n#@oe<5|^XQ!#ci>fn;UJky=(k zexx%sBWjuxTzTU&3qt)IarJb;?4c85TK8p0fG56gfR6MC{4+Y0b%`GSB*cZ`ACV%K z_6YJ1CL=Y5*xY7i`?2tBJl$MTvZbvK3U4Zr;-m=dUBa20o#xhCuj3+0G1iank(eBf zx38wXM2e~?2{X@3?Gp5+xse(a!R*q~6>OeEz6#iE&ku3e_y##yDOlSFG2B_f&wuh3 zsRc!(q-QeJ-69NJ6l3F!xOoH!k9nLofAULF0LmjZC5g`7e$qqT@Cr^NJ=T@1ngIrj z;suP7*gFwM*?{5xI_i1Y$o2}E`|VkDVO0+4u*Zrh8;*BZaZMERvJzr&49cguFrL?b zeV43~VhT#~vASbJi71yIiUOQ2ra-VRsdeS7wh7?uE`B2AhUvj#u7ew=VKh=QgJo9$93BkVEo|Ka znbrlm6&i>;-aIuZLAr#1Gb6q^dlrZiuXQ!NNr~?PX39E47KyK z*WM&HuY|aSRQhIj+1fi6kUL~ucv%wGi!u}UZ$afS8!s6)&*s@wS63@xkg|iPPGkmw z*(TYT{SbAl5o;|*V)~Gwf=`5Jqv?xra=eX)$u*oqQpn0o;@a)|;zy6b&OKVZm@8~; z&f{R?K=;BXG5+TCt?W}3Wy{asGGc0a6wB+kDd`+!d}5kCS@|hstR)ANfH>juZc?5i 
zUY^)0dh3&k&M&4Y#+CY!4Vn^tF>#4xbaIN7#R(i97*pCaAxdbQv==1d5?@MNZZtN& zX{@a;5h`AyysTJ)qf(V?lnF!f^Ve@Oyrw18{t8aECgKHKMOB@QnRg_c>Lm(dys@&f z#r%OeInDjbXn<4Q1$g>~C@-#*y#*C!CZ=?ZF0wYO!p+W-l)^>Tz{)Wo>Vpa0hcd!jdQ|ucx=Y zp7^*3EUaw^3vedAqLYrSaIC(;uo+s=7{T)iPA^lLxKw84md&rj?d5!K>43~T;$(Us zkMJ}cEG!jcTirHBQEE8%EZv2tV8#3PA=DJ5^U&N4i_dOir)^q|tYNRr3B@&94ta5c(~V#7UvGQTT#|>eg(K;?CG<^iQ=Z_( zPv5nqy|;?L{Hr(VnB8Y>^MLg&QDAkj6ke)7$%(0yHMHX@?$JNBkdnqh%Ckc7j4I-I ze+!Fy_Xsa&!q3Z^hS3E=Y}~2pUn1P!hWy5UJWL^BeqCu9o@ZgGNkG#ce{r94Q{n}!sD2C^DKi5NxY~*Paq*y`f12(=m3XFS0|cbV zPFMTFm>zCSi2LbcezKkY4Q&SPZ@GL~*vKpb>eVIs2Kq!nXN%RjaoT%SEYFXMf>0)v z%{{2sR>a3RCcce%hE*zIh_=~So}wTtlj7Po@!O6HuPB?Ykr@_e#+aB{U|~uaZDT2cnm z8=IV_cXW>BjeRDkCaG;7MZJ4MeN`z*=|%L<$YH%_Y3-k6VP&0`?h)pMOC&RVFQ^Y$ zT~||(n@e&=DT50K%ubIh_gLB@4C(Y7eF7}<+&u6Y^lVIpXY&NueA{GWrVmGZbE^7gv}?Y4F*JDE)>04C9bU}zhB8`h z!Bk6-_^~}0Z}AaZwYc72A}2GSO?{H-MBARWI?*p);Ae=;J2{|4cypm)p#+7;GPNRG zr?zRVu0{Qf&Xz9Y&-2JoR|B(($9POvM?13{&-T8}eOcIu<#l0HWS;}|x+ZjaR~gP? zTNy?}rni^dw|C?>BGccCW$~TJ)b)pA`@x<}+p?+5?{04?$0@1o#d&tbvfS5@;r=?R zK5Y8uH6x=+Z{=B3mZIg54a&f5>V4L?k694wR<>ky(E-a_CrUeuj0}@NlJD~B{1hq0 zHOy}uD-HWH&PKVW`hYF5uNr0aw@AI<^7!Z7QYIW zzs=ynDQsTO5ChV)`7Z)CpM+h(M##bTnv%Qiw<(4?b*g7;IhL6NmVHqVdn&1FR=VvN zY48%pP-E4{n$!8=pZ$p9PFuZN&T&XBsO)@enO6TjEHZECOKM)+6 zAM2$}Km2@WmWP%mH1rNoSDeDlTb81#vj^Po2S2{m$3y+8XcJoQ@x{kuVTF(Q8gfI$Pe*! 
zb)`v`I!F72m!YY8U7GBtwNnGjos9(sh4-y@5WX)C(ByOpZ* zv88>wrgrI>em3oz+!50~y2UZiregn@L!~`I&Kut6O24djPVO?ZddT?56>Pp$VlZ9J zYy$^lE`lgdFeS$a@)lE>Bh6KmrsW=oBt=JwAH9^wcv(MvNV>lpwjRFZmzLvX^clCj zGH9$wCNnQpyg(tMB)3UafDZ-5rFeO|<6vq^LV1TgnJC6h^>!mJHIIbM zWCq)cxbg8dYMc8>i15eD#|vAxZ~?YD?98kPOGu(LeT-i~4CaoWqSUrYn1?gn3z`t|lptFghGnRQ9A-M4-26POA6b!BRL5X@JsxhZ zxL8_|R9sEC;|=V*(pi)x;-$qe1sff3uJq|D^Px%D=*F{IT2()jF0XAcwQK#9+Fb z$r^SBZ8;p!Pgi5bSe=XVH1}p&dGF2lNJ&lL?GNwL)6s;nv4?W3l(NitN=Nn>t&1VG zvXSb{1R`T&NJ`Db-|7LkZ2SrJwkIaHUUR_q3=V$&N}m%cSs{L;q~{Tp6is_=4q<7P z9L==wSEYmz z5fepVc=F>mtTPIx4cf&#gDXeY4&)$am_5mUt?(><62jKxOM5kvE;v-C92rwS@2$;EC0If}e_6%2pQ)*Qb#k~lN8iB3VHAE_ zVhA>Ksv_p$2+@&_RceU=^UA$tvVAc zhahHWhwu*eqqRyH`oto(W(Rn1(}dQ+VJ4=RDUR~P&L&U1++Gn6ZIJ1{GCbVf=^s=njdxO(rd14# zYT8EjwpW=Pn`L)@n}PmbmNzt2LSIx2!Dek?knzq`rh2j&@5)5gnnHJ7H2tlzPtgfg zMY&9>H8|Z_=%=uzgSo*boZUSrZXQNG-A_nN3Z31p^oo1sL``O97OUcr8{016tq+1uGx&hP6N%INGOy{$DYYmfcX(P(1X&7ggE{U7O7pg^f%% zGgzI>Pk#O;Et5(QH4enPekAP6!Qr9!t+#{?*cHo1!p0mb0U9zloie|Fpu7tk!ZsWp zA9K9DOnFr;bL$!}$C^ShNS!Yw>+@4!BX3eR{>uH2wP{?WY|9J+BYuJa&LGEO zk!=j~KFl_moyi~|#na7%cFC*tE*^gNA@Qj>1bIZU%P|>&G2~}vU~OtgPDu^1zGnRT znuRdNBSZvv1Zv*=-MaP+gRZhSH$>Wr}!b< zaj>+fpstBPo9p;T)ca66%KN%MIjb?->&r>Vt>B2hL``NIye8Sd49irt_tgXt!(J zHMPPoGM(P0V!}hpgrQp?%rBGN++gC$d&FKx_}ci9krhpLRV(Eg{*<(I6X$77Y<45_ z!_~O^Mu_9q@V9rv+UO2<#Qp)UmPDl_6X5Bp^e`@o^u*0Sk(p&}L&6u7Zv|{lWR_b| z3iyiTtANegx?1_*Wa(IDYnCbHH#ao%@?(_mx{}sLd@FMP{Kxuj(XRqF8v-^fssav4*?^7EZDl#zfil-panH#n~jP})FW#LGqZvY;lIZTc=U~A<~YK%J% zExlQs9>mzpn!4e6cDFQDbUHP3|5s{QUuv7pzx#`y@>9zUe&>f?{F~1V!$!V9@`Fo=KHKRJz%-XB*MYqPlb(2~lMJe(qP=qyRX*xC=3_(v9(=LIax$Y~pZ1-Y(AqCQv#eSd|j-W-8y7`Zj5lphd6{}DcAd=@~wc) zS1eyer_RmQMOxb1m|a#2&wP!pjwUAOHO5hXAKTkIObz$Y)jy<+%Ocax%k}DSS=G%~ z0UPPrtdF)}<`O_zQ9MDZ1dDPW-y7c$wPp;HDAr)v^Qm z4*pgigok+&nOZK&rgK=@doV2f<*co+y0R)%4t2b0@cysVu)b8-{PMjI`I&V#f9tOU z`1jYMxMl!0`}_N6a-!*EZ+nfgjwB{JlNf7HMAaNiZ(Rf}rGZK+ms2^Wv?P=9wIhz# zN2#i5P}X+UWZ~}UNkV)fUG24a`S?=O+{c!B9)Di}nT2)AlLG{tyl5U;W@~u>PiH5* 
zLc%C$?pMwsrKPTr@fA(`&+)+yS9qBQk*Cge;~ehG=MP<7jW4;({7sn3jd>Zi}a11QWCKG}l$IcXUW~W(?kbAq>x{ zmFs;`xq{8}%a?_X?1Z_$IE<;iErW}P!t>g~+xb4Vs#T7*m&FIvrE~&p%JIi7GFfRm zn4cb_vu8jV`{vu!R`6B8Mz-0gYLfZM>z|R396?l85z}3j`1)k9IN6CycqYXep1l3h zhd5e3!YjI%fwl@v9vF%5*Ou^WdqjT95 z1z;IzW$6F7(zALNHaA}^Y(D(_2EVq;@K#mG2OsWe>Gc6a&*fp`6^&@urh(U#RHP^t7)w(!^Gqc9i#JPMfv08;(&{P z3Z?l`L}ryyp5o5u!thy}KEx-XkUdf8GV}p|6ZNZrjhvUT?&|7ca(aeEVQlpeUuJoclhK&-9_JU#a!(YA0yDlaCFTaW5Kiy5_x~c0GY+isEg3ZQ! z3v(TgEDZQDQf10`gAe)HE{rzHzBDH^6(?eAWr~TF4GBe!$}vxqHSqyoE(he7m7>=E z-17s~*xNZ^@8C_(j3#Y8S~kn=;TigWmKexG6a zDqwTCKFy;CpWxsXLQGfypWVGnNp2cH|M9O03=QC+sV&J#;l$>a3J=+Vu)+@59mf2Y z6=UoBqA+0iBmSo8R{c}y`4=`!z{4~O=WXOrjzNRwz84F{t+cj z`NrbBGBoYXNC!CuRSY!e^ZNUrQ!~0OXt6?GULL(;nto1$ZRKR8#c|8Ql|@YrB&`KO z1ZR~qR-eKn2QMba=adxg^OLho_Eg~DVnbnmF0I2094&R>=;O)C+9JbZ`|<87`MEjt zj;aXrFeN&rfQBwjyWR3suef$Ti(4n`tWQu|UaMrsZm2Azx@F)(->A#vtExsbaj<7Z zMtca@2KiW!la;}ZPw&$>ILyezA~jil1f~{}8)b`AR5ru)Sv)lIVrlPyO#>hBH&MST z*gQ$44U!{(%1)nh-q1c*`qk=7twxif&+iM*M#AR58l`bdz($rbo>iow+!rO6!<}Vz zmO5FS?n1rLE4G}5NMFfCF$9~nnR*UJonh1oCR{ZsYsMWIt#eU^#g$T?;f;5Cr84h! 
z|7}7tDv5P#_W~aR#@{-34s4W4Js; z4)@f|b_X-v7s6PBBh!t}l$V6lP-w>Cwyt;nF@5dzENn`PvQKMk8_NdzLq02-PPF5{ zUnXgP6BwT*-~5`M*okyzr9IIpT?hc-SGsFpB(r=$tuZ zpdgL->;|z{@9zE^VUbE%3yd2nYpAydQq!dXJ@(_UnhIAN}JLCYfqIg3mdtt34PY| zM3>>tyGrP@Shs(`t}v?G+nY-0vvjwz*NCi~f(mmT#CI}?6N27$v_U#42^S?+aWwALK;vM!y> z0b#C>Xql1*bpt0SH(F=atS(H_(caCrFtnwy?wEQfuq^IteqsdG(1bGPxeS?JUz7b= z4(M)cVPt%oXm2YVqKg$HI6vA$OP4mq%+V&TO-+OZxe!*WO*DD3Ntm-WL8&F;oLvk| z3e$YDLrZfrGpn-h=#aUIae6xHFfukFr)`|+@loa$7ID7u36?>5jE)Yopq9^LpEhxR z)zlLETdOoRiF2&&aj-VXorh+W4@u*FOour4*u181$!LEEo&DnmtBDN3W_GBM$;!`| zt-iyI(20thj23@HYmSisnz9Q82~If0%dvirh38?)q`0+;SWkSylX1Cm2d|iX@gg)} z@!%$<<<;1j+fXNrhPyEOx%Dmd4o=fvl!S@BHxW3pQ`q=kY)PI$FRc(;#f*%h%f4s+{QX zP?tCcw$(C&fUhQlfUNeJ@e;0u7qg9~dKm-`i1V|hb5`PE6aU~S%Bpj@f8!Qz4t4}3 z6_XZd#z*FXw3Nqi_m(j^q68iqoX5%03K8Bhq$fmRY2!^pODj&sA9LF)nbFQV+}z!9 zG&d)$qMrO%U;KhX_~f&92`!V=c(B@2$^(njvHvA7GQ$0E6A#zMF_5Z?6z<)4KtXmc zZ@=|6F=ZWOB>K^*8pQm)4+zL^A}`gS*0DK?!o0Bc@S~uno!Q}T!ovNzFYalur;fMY z`GAb(LCRC2aPt)Bw)G$@BNKCD8?s93*fQYw7=q2_+BCBxwakw-ifKKQgVm_IOBf$K z4F;H>8f0)%dRixp4EC@oBY5{0$xcY5sI-aMnMq2rlE|-VQ%dJuH3ii4&#*l|NOWu* zC5?T`d74VnNJz`3v1dpben85q_{~OVPQAFri7t|3lBpBNtf^OMZzv`%HkO8=d2#M- zhDJwGuPrb+H^Z<1c4ATniyK=^jSR3O{-v?L9t4jW>nI~OKA!GzVZ5hREN>pLHrYd5 zViNsR&z>t!4o%+G)uk9eY1AZitGqmlSt};`IG$dcP z8co`nD}6Oo{vKxn1YUGC+8+woye?q#Km97|QrO6SFV7(0!tu~)1_3!gQ){G`K|pvm zo|befc{va84+@@1FV zh#MLj$jr#y|58Wk0#^sl>Wv-#$zK5TyPg}2%K@W=e-DX@_*P(?+B z0vtJ_p-yB5fyp{e)_~=Pdo0x5WwA~e;H>vpnLEuOkQL*Ke^Ldi_Hs7o!hEh_jqd-N0SF66*MqDHpEC@GiG-lQQ1AfxbP18 zs-g*q%@=!~;Amk%m1>^YKnr^2S4ng6pm}tI>{w??YU*(@Hl@6yo9U^3%s#zOQEeS} zuHB|pHHx#XBTfDNINmp+u&tNz@mZD^CTXb5;>NW*Ol@4G%@u6EoXB@rzWixvX=G$% zT;hD*iST*a^ z?8zZegxxwm(u7y*QWHIo%46jJBs-68@9eU@wfPm^_gAmF-{SoG$FTW8z{c*Sz$Rb7 z=JIMZnW9FXVV^a{^MCwr?CgnGLY5D>z^(jJS0b+~!?l3LQj zvVc^3j~sgkI?FSN&#R=nvw`L9T?U(4lrhRx-F4#pCoB)v;^N^&SumB_ZCD&Tfg|wluMkEE7*KFIXO8|-b+JOKv(+Z zRTe6xA(6uad^y+%W52UPN_2!Mn9Z>(fU~aNP=Z3{#Wzw^-^QW%9p%1TTbe#J5)KFZ znq-?2NHTb1Z&#D6ZgYD_smkBl6xZ9_Qs#FQ!@th1_!bY;v*edovbd(npSHiZO;vU* 
zuEMDLN2as9wJY}DQu_GF>&oB|dF;;KzF3x!lKp&k#Wi=uy=-Z-Q;Yi&|JU;J3cLIJ zv{jYR*gY(c*;TenU@G@7?oE@edP{+myzl)zx$VV5N&er`w#(l_+I)Q|zT|4Or^Dt- zzIwTW&6T|BBHL@eENr%R511dSQyfC`IX*dNdt-%$+G?UhJTUc-VtRHOwE)f3 z#Hjct#;7eVq@uA~81F5nCsfo`meJCq(gZ4v_D~>(i!~Uw#whDr>BRTH*YFIHTquWnb7AKA0TiAo0lPm zU~?p1`qlXXR%ZKAj~BB(Rw91bT-K+n#a06iKQBS#i~KB+-p5CxbSg@y+9kycIbFVz zuY*X?d^y;xad@;(Zfpn{`6Yw|_%pkANO80mwys{7-2W6~FMqt<-5HpgBhcA_(uP(t z;)A(%{U&*hZFm^HkA)5?>cH z{^phiE8F5FJy^x*-aRtgGWZ7GVvWd-+vD) zduNQz9Vy64=I+f$q!m^$yDmHAjWu*jr=(e5lY_4GQ?GQt- zQP0-1)NRM=us5T%W{lLiQ&Hf^NWGibdP09)1|m(P?FucEnUK&9kt%&)Vbw^{s>KtW4nL z;xGQsR+`(Moa1e2ZibcJXCT>?yb$@)u-TC5fhM^1&d+fR4(H?7e@$9>J)V#37!@XF zswESbxC|=Oqw)6j!8<4#)j*GcK@jG5KgKgLn@~?{M%Q;q^>XFW9V48=HSgq1Ln=S| zi#Ldj6UX|w;b3e>cC&c*_r`eSTV}Iu%x!syRf7^4dSUt2OB+QHWvM#Y^ z4PP^BZh!VEH_SZ=^K~L7DG^U+aerGdSYJ$NpcmKP`%r+di>R;=23Ph-3UeemJ_h4Q z-pYB$%F=Lm4#3;Xo~eyJBJAymOU=Q<+MKMi4%EU!dl{b12OoT(KtS4j-8OyLyo3w_ zuW4ZOYuV2x>$zcbu(!+3<~sWuGwduhGc(@G%8ZN#yDG&#Nm|=FFTiGFzLAp|@d7V+ za5&@3`k*WOqb`gzcq-c)GQEk;(PYdnP7Ecgw3YsrGGfESC}|oHfQsjbKYNRc&OX{J zbIHmqp{c1$0mEolFAIyyROBR)m{~@Cj1zzHn@>-_h$SJTlAXgn+NyF$OU%Xi`Ww7u8OqS`AX76_ zBst#UHy_zEI6NRgC_eh*1F}TPH7qHI)wLBR;3GP-To|bpOh5V+A3DZyaC}5nL6Z3J zi`d;ips%5ru+VsBWt{hwyfFE)u#s&jZF!-5ddq|cVW3h1ZMiE-{T_DKMCH{I>1o7u zuSB+{TKMsw{u!AqqhxqmVds~Em(_h7Ba;dBuwZauoe(QC+}-?nBtX^D-9bxvKKE`s zRNnRB(Mhty+_CVAp*}y7pML&;#myt7J*6%;jQbX@^a}$U;bDb;S|vqs_S|#wqc%4d z8^=&$1KhFoj-scxpUII<+-!^)U)#j})^);C^2Iy-DH%2G$`B{1b$vwpo0DB!hRxmk z6tr{^@9Ro}fQzq-1tUxAcs;mFOkN#z#Yuep(dYCpNE`X$`fADFL5{2}`+wiD>y8kuncI62zm=@UY2b0Zy{ zrzPBl;U1dWHNy{|k&_L|8=BBhoHN*zi zv$OZ~wvr?9!k)d7c!Bd0@eK$dCAU@>M(yhJa-=zKV@5@NOP^TYAuTS6`o=ceI(ljD z84y3vS=g-3)UiL}#L0-GC@wi`bi`IkS0kk zG?w$g+LO_VPK-bMklNk>{LEcgI6NWSFNCPzQ10J0r*mY6&WdCnxP&n|+``=(5AgSK z=AMNUNzu_nq!tU9dGU#3uyQR97BIbI#faW(ksa*JBYO|5?tD&gViL9wKBKmKjD!FO zJTlwpEDI;Lq=vTiD4YX|=xIzQGAEz1xM18uQt9aLV|i(niu^?GT>Fs3iZ+r1oe3@N zq%I{8BWqXejc(!Q8-T?vBV`EeC;jGE^3}_ih0V^+E=}dRRCj2CaQ4?H$;i%USk;ZM 
zyEA^_(UgjB<6vuvbYa*=SN547Y{u8yli-L18oT>xt}SDBWsSy?Vuq%csmYGO#od+m z(It9ovv6{AC%LeZt<5Fkg52;73?ZesnpNRdsnr`C>~B$?8H1-VsA0(k?1}HSD9(=C z4whKvHk6QCCsS-0B)l73EZw7c0l+*R(1@4ljBL1o>OY-#{NUQuSf;dp0*- zJ=n;GIXQ6JdD)TP%tU~aLEvc4kJ%0f*7}_otJBLMaD2$p{3Lg8zfDHt1S_g?TpaDF zs;Xsi>xj*zNycXvl|DP|jUBA*95CM3Kv{Mo_uc)`&uo(xVn#}JH@TrU_@`DdH_}UG zRW9giQjI7u9B8kjwp9bn z<=GM18rlhPeuR-YZhCrB=nUmiF1+!cIep@oshL^Yy8147HY<}=>HF{C7L!YHekPr*l?3_wDO+TfNZ#N!lTGo&S2QzKTS`K1AJhH$BxNPxZel}+ zk^~dF%5n(^juFqwi15Nz%5#%xn^_^q_;aj-(kLm+rgLC~uIfze?Y!xmJDZ96N`AZY zWnm+2%+BtcpuB^-HwM{JX!(PDm6y~f7&t`cc@EWF#@Z5cJT z&xSCPG74;abAvrmx|1oZ-hQ>Js--P;#%SYumUTb^IGKW=TPmFpcH>_9*+vtkH@d#Kxfs(jCk*yVJGVah1Yb{gTth@Dp(37~`WDi? z?_%wpPE%UjI{vo+>&XjadQW@t$RAwautrbdxplxI>UFG52 zylq28aTafVbc2}G1l)sDQ7;XP(uW@#iap=O(&$}6;**JvjAw9hgMv^$yd&Zj02ViN zQgXy@$IjUuyGJIXL{);T@khj@ zSK(uGo7cGazn)I|3%xqlfpBf`vcqD4^r36~p3lFge3uALi8%hcG^W%sU;=S#J z7Z$?pw{DYOQA<`vDps}*v@|ty|BJvmkc|G&vodkNj2~0z4W+=u!Dby85kzCa*V3to*dZ!W^ zADve!fSG`)r9C<2HKYal;ph{MhxH>ui#uo*$6AGE(3qc$vxkpz?y1oMN(!>EHoZq> z*Tn(+uH?5T5;QU*O@=~Ch&+o*$gB$6B5jQhK(Ct0kY+hFfuU{Rbd?z~#swT+0oWM! zY~;SOC-LPO1nf^U2&i-!1mw`JIyu6{=^>3%2OQ4S;T0I8RFiqw29uQ&MXo53XNEa5 zvUx(Dmm8%+()cdo5F8?mO*fvNo|LwZQ&Il8V}uWtkVv+Uzp|gM0)aV%c07G(M7c^wbhZ7+t1=iF`?nyEn&etuDt8Ez&|Mw0}wN-TXkFdUb$jR;sO)VYD zc?R36D6ei7rNndpJ*MFa`v$+~}OE2P~p1Q?x4&`A3t=jBviw}qFY zvp>>PI@}i?%)zekLUt4bcp^NT)MrOw5uC-gl0fW)^3(uK zZ2al%>!U|COq7Q!KCzhs9;2+z^y2MogTz2%N+34T<#boa5RqTWWK|)7v5idk=ir}| zLEq5$1=w84mApzKA=B2@rbIT?)YK?ONE)P&kdO-+8XAh9@TO(KQ0^m*m$$c%qF!F! 
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-12-certificate-enrollment-select-certificate.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-12-certificate-enrollment-select-certificate.png deleted file mode 100644 index b8fb5e9635903cc6fe29e37cde1034ccf5561ba9..0000000000000000000000000000000000000000 GIT binary patch
z#MC@OG!<3-Sl0)LsxjAxh^!GvJw#~5JyvvX!<){_t?)A8bPk&druB49tCA0487po} zcwH$tiK8HVOi<$XC~g!cP01--5PeRF%R#uFjs+_=brK57q zLmy`bXxChf_RPl&|6;6Su(yw?#|FBXH5^_QR;_aTm|fV!^5qP^RpFkSjud2vIVa#rIi?@MdctZEe`5;4 zByMRe!6aZC%k_-q`UFe@C;^kWriq+Bfv#yncr|S0;eO8yIzj367mKc53FzXVf^Na- z=uR;82+Jg#GEH#mYX&FPDZ&g+A{*U3S-?q^6HM_9V3Mxk!v#u&k-$koO28B)V5K;Rw28Sr$2arBF^TSM zizric!lbQP(&R(n5pE)ZplGuUQ=17xCBnu+*(a6k37}1sxTE#dTK?8*Zo_g0%q0xE z3*!$fD9w=o&VW3f!CgVf0Fti8KxzP!F3ux>(!eC{Xm=wSj;TQtlsh7H0(oHt)+*U4 zNz7Y_D)49}!v~AhwpO`%vWquZZdgbWe8)ryKApx&jwgjJEO|U7vUWD;cDg z#_q+E`2GCP4-rswO$MCIBo0HG_oSIm0g30e1oj0y&lgDZp142(v2scRB!VcC`_6zm zoz7^wfQXWOsx;pbHdBJCl_rVnp(X?nFsf-z?nO07gHX99PB(yL=Us#`9tFI%3t{J5 zqL!P=z%2lr!|Qkf_eYxSmhxItV9F$zsHGfU%rbK@O%@PvS#eCmOpd7p{pgsa>8_7B zBSJ|@IVKHC;-q@H=39ViEZx%Vz*4Mq zuww0!c?@e32<9j{D{)^0ldMm`B(O7qi5eem1|~YV@dBoRVjWCL=;{`W&U8%zrmn$h z1QX#DCU6qx^b$DHJt;WpfD$-~v?e}H+PLnPIG=QSkluOXk_}O!5v;k6Wo^@rC%Z_7Z5ceoB@GYSjX~Z!(ciTOeH^RM zYik91Z7xSI`%?7Y#FJ+uYcU&Wuc>~U@-bj*5e7MxV~9sJhWqgZWB?n%KsADa$c7rm zKsbcKZIEv*`n#2*-ww{dl?Qf99>(k_#bnoN%=Ouc)gk-g%D^2;Hxow~C6`}7O2q}l zm7YUz{z{4&|Qh8Mq~wG0Mp7(muCm?<%Eh}Q68TP@dbv}>xTyDE+!V@S7gb0?YRAV5Sz{E1qWIB_^5-16TvZ& zOk??1V+<<=qZk-Q@WQv@g>U0lh>;8kqvXAWUWUqG>s`)yD>eDiDf@~l^}I@zjbT34 zpBG*rFIK`zwskry7&CO|q&4Rq;64&utdLCPZ;xkSn!w*5&)*!+;55OzRFzNV^l4!d zXzMYPwSNhM$_?;>mu9Nz3>s4jp(*|qn9SfQn&eZ22_Cr^=ax<7a=nErAj|S|#69s? 
z&*w2;%nFlqe31Xxp8wkpR#IFj5B{eq&{Q`a>SSmC8N5kW^3RUxkG zA>!*kK>V%`5x?^TIxM;=mW2~c!32{}!9}>xF>FrUkF_zov4VkV32V+vSc6_1$C|cu zz>t7WEuC!x$mM`41BW~Kxgn62z&*?YX6nW33h@b zgdh_52uOT+OgU|WPcg<3E@SC5#(EYg;EZFS9>;mc`xdM5u{>sDJSmkIV2pbnY+bW4 z$|(b*T(V&6k&kf%)?`9&I{$~++^%`DFFeNuOwxoWP+CT(XaW>?%zzGLV~IS>sY>=`5c0349|~Y+(#RNSGgv_M1hF=VaxMtGyy-FKo>BH z#?nM_K3CkA-dvW8NP zUOOt$V@o-@Z!AN%4JGKht_WS$=A+B%9CTTgg)S>H(Rq0mIH#>#@1cd?g?XWJpNlm{!f!T%^}J|;ia~G@gZ*M^ zDV@kt2Bf8Qe@h75B`h-}Wu|gnYF=uYNr$kEfLoTp3oq$dgA&E<9K&KlZ!uvgKwKPW zDFLNuA=k5zzav^e&FAmTB~0gVTcxwZEY;z`5=u&}7`z&g4yb$*r%9)V@x18A`c)7n z8dwA}qgVqS=}Mc=i+cp~5t6&`M0L!jmti^7QsKt($dN>mdo~-5jFsS-6xcX+EhF>OY%Gu`-lz$0f#n=a}O7#^n)j%f-uqg}EUcx(xsQO@ZY$#R*dDHX#VQZRgb5|s!W zhg8BTTe&7_2As-cIg^fUPTT>yIiBwXkTl;d)xorc$8Hgi;Q|2@r%x9!G5Fg_5a&5M zj+F*+bkl>YF^l^?oBz>lak(LMz0xbruS_|d0iH$Z%?eX*o_D>jN*Qb66a(A zCb}TPSDHW<(iLq;*aOeZBk<2T4xg-}{BI9nSJiqUCJAv&ziCseZ0Zh0o!E=fn5MQM0XKJvF94XqcX zqxGUpv|5sdR?D){dSwn;ugXO$5r^MdnuWI)rQ^*x$#`orZk52Ow(Pt$C;3n3Z zohq?_F3ll)Hv)M=#K!MLQcM*R!b=bpQV4(ld^q^zV+BvLIjm7l^QqtkE49aZ%wiy% z!yrAM0dN6b-$FCVc=M8ZbrBW|b;+v{XW-@} z4BoL=+6%w+)Icozm2$>2ZYlD#1Tl5m3I(U zb`wFR*WsOi0ZwU0VIRMbP}-%Sv@&il1KA!dVsM(z;53KZF*CRV)42^(xeb$8)1Txm zDpatUNH;K%!BwPOpgUcldk&9>F2ZCiVIn}1<1k`#JZ!ckVI(UP0-#BRhd9QubdMq_ z8zb-`Xl!_#hT6ws7?&B&VbQQHaTsDBgTWi3Flb{m6@x*XXV7MrQ^RDw9X#Gn{I3Xm zxgRCn|EDtu&mwT7SEO`ukRFCh2qSSzO9-h&X~!|2ke@?WI4x$c0@JwAI*bdU2CeQ}TYeryYbVp|q88X+=~WX7j(C$o&wAH3ridf@$na!IX|Z zZVBk(DqxD$!IXwB!RhEqD2ZMfP6Up5k3E5r0+J3YftK<7lF=(qn(^fMr6C5Ga;gX> z=YKDlY!NCgOiijKyCkMC0u#(P%q64n3A;&@~k**EGwm5}ODdFJ81^o|%YoibvFzFobRh zfbZG>IIIoA>h+OWz+gGuIiDw<8Jy^z<}e7(Wze4|F6sr6>CKAJXwZHgFan>$N^=RM zxiQ*3A!&k}E!~?5h}m*agqmfDzag4QiBr&S@Jn#kBtVjYZK!E4yFFUo7)mA}HAr(y zyJ6?glb%k*h8OTK0%;fn)eu5t;HE_MUmK%oT`UHyi^IV6@ffJU6OX>@V$gd{1Qm%s zYobkXGSq*4Ecz2*N?c|jml0VO*`nCINw+X^zjn({YvRPDlvnAn#r2>EC#DN z9ywURpuf~J2P?hvu-cDs;yJf5uoRmZ?6%OsY-8};!Jy+5wFj;VhvAcP7GWhf5M3$v zq3$BOLb{hcGBHU5QoD6I$mJpN)T`##&F-q@L1S#pKW=(#0@IRF`+xO;r@=;D#s`j 
zMyThyy7Vu9o-2g-z0PjNJVFYsWV+u7fN$a(jh_vl)y=v_6#^_&pI`APD6DtY0|(n zOrS&!jTIvyfrTsZ_G|4fD-Vx>2ZWjJpQlA@%TR{CgA@wAs+wladG%RM0Rob zA9k_$->LsiG$t1R>*#3w_mL6!-$#Yvf7*rPovHkD7N(*%p*Lh>5f4x?7H`kNX4c5v z*90SQu^R$sZHE8kweXs_8jh1TVEs%-ELt3Z>6?-<-nkIteHaV_b~3o_!Zg;_r-$sp zOa^z8WSp82vRhNIrs*73l3_KzhbJUOz$p<7s_QlZpy?o{(Xprw3Ixa0(0#Q0bTy#_ zi-^mMChMBSbxxAb2ZW|bItXZ;1vHHd(qyM=Y#?RiT-J{3u;Y5|_&au?`(el55{>1! zp)tXGFq&Yt@nj8?E@{yAObpnPj(+wj=u2SqS`&lrDp6G8~C+E5lWJ&$Waf|FdCk zrL6Q+!q%?_V|=S&>%*F_zufEE$$-WS-oFO6gx3fMUMSl#sC0~QB+%UC20NV;-IOhZ z&*cf^iN*lc4t;X8s3&W7iU4d=Jno(!8E zsjB&Dgt!XUmd7$+kN45;wM=x+#UwhhDGc&68EhBQl`QotzzWvDSJA1h<~(cZvNqBg z*fU6NrnZIEV>>GtE{P`)karcKCASb>CeJ(Fgn!{xc;;P#OU`-qknJi4rG*S?vk17E zLFLM&NfXsHu2Wpmc>cbf+_NEc1TdqWIL!SS%SwfkJC6l}sla5EzzS2{@ki|t$&;V_!Vag2W@>;ies$%EAL zP_*0wjFpF(4{04#l8$0l(hBdS-SMFOkR<^qEKkv4KL7f`NV=>A(3*&e!$1|Vcl8N!UCa`QQ z_kTF&>%Tn}J?QkiZ_hw40!p5X8o-LsApZUkR)mJq!3||TEVvfKncDH1f-Q}e+ zGmG0KE_V+9Q_*bxmor!{&BU@FBk8_uxDFdStq}y&2)eJ41k@;kYBZgat#l_3t5wfX zjiyr`#)?uumlW<(4B9wGptW-(T6xCfU7tj}=bwx=0Vzst11aY1nRf`Hf>Y5cIE~;+ zGd20ieJJIo2&+B{R@$2*G!e$p%%de2mzAZ|FESJTBSaahp@Ow5%7w$u6}(`|F^U@LSjG#TwTx}W7`nBP!J+_z?el2) zN$U;V;dR{EwLCCuve9c*w)#YR_hp&rPFK}!Nd~$urkHnO-enVeLN^8=Vx=1*7CRt(!8Qaha)8$=Z#Zm; z#756ttm28Xg0+&B@%ynlVL#R;9>BWfgIG^(NIs;rK8fQm(K?e3sO8pi8KsoNSeJSP z>r;;^txKaMPdS3MoVF%e-XI`4q_l?XSS?D_w2E5E@s(V!Xa&a&Ef*zdS{8pm7l&nB z#OX_u4q+MBzl^m}3nj6PlIcr1-{QD^SP;pYW=J_^2b5r@ZxLp&Rz8DHV46oZrt(-$ zV=a8TXC9{0EzD#MQ*Iv54l2Wp0M;yh@-dAyc#*t0e!4uc$RMq9j!)xpp5mT`$!-}+ zliboVi5J%-msCt<`7{RHS-e>1^I}}Yn&J|12@KFnsb%r|up)u`pSWN3a$3UL=0XPS z`2nR=2^P|wEDEh)c{OXI)mR)>!Lky}XH9q>w{1a4DHev6V{v39mPFNHS#%wiM%AkM z76+GNaZpKvLa0!dg>#*h1-Rg2XzHFN{q4sO%3&=M>OEv8DbEW8rSxnC<|c@DE?zB0BB zE4Z!8x!udc%dwQ(C~xs!8eX9(qKf;&eTv{Q3FEN|p<__{%=x2hu_C^n`%1Sa(}D|m zjPo(qKTnfiE@t~?(=ldZx<@Lexus}wPvdw7W_V@uyvgDDlZ#otc@*d8GIRXsP67%r zFSHzsxUEZK=^D7L%M*6p9BVU=VpST?=j44@ z$oc1UKNrN*VFA~(ShkZ|%>7*~W%>&0+P0T54

Ii(m=Qn_zwC77O8iW%vYD@l$UT^@?w?G&MH?; zdi^8P{v2SkS?r8q1W(JQX_)L)hV7)U8)@rFJLt)S^Fl>g=3b<+Ay1K%N9Mr8P=qG; zaONguo8%dh4R8LgAD0c}fe+yU4@oXU7!{FRfat_L9-vGl#-<@TIvFXENl1-IKuSa+ zl44SkkdTGA)B?ovpvPvFAtt*5aiSb5w*v9Gl}!})LTSrbs=4_Z6f5Fyy-YDLP_!X# zucmS{nN5EcahWI)k3l4lMMOG}Uz(^8;UXR*B@RoOOpnYcMg-@L%;fws%(8GUBT~z! zOPL{knye!wA7LqZ2u;q_#9=8{^JSK*ZIErT+@A(%+sJv<_UTG5M5Js}BWc^AZL4f& zlqgGnLzj$a6d{W9C~-ceOp(lQ4C_+UwRxkd7%G-!37j`EyHqL3l$Rknr@V<$cwVIC zS0lZ!78yl#O6f(lNGqs8N+)JjWw5pDtNW{f=on zMcV%w!($V}V-u@Oh7HL%8kNKUo%#IM__I6EoPxahY(^WV1rkMYxm`O&n@faP3QwF1O z&0i~t7#{XszeE`LPUH5|@OQnxy(uhl`FXioLWZaUH$WT>Nd2_4On{=Q4Ck{O$%eLidK=#Ui(*JNC-qjDPAO zfOdCwnwxP**9{D(FeB?2p)ByVo%FUM8^BZ6FA}{``NL>i_fm`D!AXW~==F%oxQA(y zT#K-_?$1qY=WNkE^D3YlJr1|X*mINbIZHorMIQ4dDV z@fu=TFLEg7*H8SX!kFlLxo;lpg^D8#Vch(?D6KvzmUTefI@Y8AE45IVky2Us6WpI` z*qXDrgj!B*{hKl-i;U{7y`NUq|3*RcLQ+%~bhy6uU=Deq=^YXZ$a&^3R|DG5QvKgn z%v}9ZmLpv|fDlVOE~}gmHC+bE=rtegZ%qDgtMnin&D&f=W$;0oH{v9B2>8WS`&nh~ zrCw7fBP#Qv6jN;iiMZ_0yJn)dU%peT{0aQueQ>`O zGi(Px_ZT03a|oF_zF=>uiQ_M1@&NR)#EHvS0E5A)09lz;@fG-ywcnA_^p&+^v`|pZ z%uvn!R>k>cZ%r3AH85DXT28;m_<2*#_u-VaQb}#%4ESoWkM%L_KTjAK=!eIp!jRTl zK8_7U;96XKviRI*(y)|O1IkJ_zC{KlgqsIl<(Ig6sE(SUQ3i zMnvy-L_Y_uTYD2-g$y|QZ_VgO+~E}h9Or%7EA$E=Hyc9e2zX6 z5h)F{ZGJ3+ZaE0KY|@bvX9bl|3=x(0p}<{Z-)E?GRtJ3#5o+hmfkTh>4 z0x3dsJE3T#{bC%m&=~4j1IOJSzdo1ra^74U`@jG02H47I%1-(Rcqsvw`Y&@9qkkTf z=P!CW0KvdmXUXlje`C7!xZI?7-i)u$1nMiH1_V{y*?-OfhUVt_At9glmbTn8$Ih4r z`t`W^KFkU_=0!!Uz;LWN{KDhGTD7$hW{FPcuIJK;zzY*28}6$d>v4AGhc(9bjhl2U}eR(2APxT6LLB3)DG`2Ntaz1w=m_6~^m ze@5NJmBVSZ67uP%pXGW#v)#Lf;~F>cEN&N&Nh_gHNb##|NFP-O*;9| zan5F!N3wy%^WNPy(>%~U3S*ctU6OyGLzl^Y(z@1@%fS-y{l##qkoPXLy)h_CU-Whp zw%@t&^;AFFqz&8pT%wovnR>Ycs~~5&v-1{#qTYUcYtb<6(2<1L0T>IOmzaNL_wROr z{6cGxEd}OQb@RU$46>O)^SE}Y?1BrkzLuIRdRK9e4L#|1ST~2IuvDUo$0ZxGY^p=m z2~8y&saE&qXbWzM>YP>0uNz_S*Ss)YI>t*66Ceq97KXDW_gk>1v{Pq-b;ZrpT(f}Q z*DKHqr7D&AKeu;64-@pO*>|~V!dK&3EE3? 
z>Wh^NfKfyVoJjWXa$XGYPdJ@U33}dk52m#hV=)k;hJ@u>Ku?sv*LX*og6=8m=gxa_ zGAA7ECxqL1|4_t%;DiyIPrn&p0uo-2>}#EH47JWjEL{iR0Bchq_S5O7q2^n0dy3X* zW{$zjiz{ljv%gsYPf{(xQz>yEygSTvdnTRf9{S)SBy=h{q)OFQvc5S2s~KuJuU%`Q z+VyB~@1zF!L@pj5tNZMeOCFPtts4c@`5=OOk)hdi-*Tji!nm2Y{GbphdF6s$%mR#h zvwNG<@vs}eQqMFf9G1In8CW^n>`SovK)Sx-6Rtphw*eVk--^Np^qjc0{k~e_^@S|X zH{a}#`$C6#SG=HnQ24*tD~nQ@z>eq=N@)3_Tg8PLrb>`ihHGVWc$ z%^j^UyCUjxNJYtc5APmD-H|%=zO1gvEL81h5szP z8WM#f0#GCTpQ%Xot$()P1%-}dd$)R>QHdo^(9pvWe6?yeQ3Wr3B)NoAmXkbRGnC|R z&71nmoUSc1g9k1{PLy`eXET_ojeLG&6&P5q3#v&- zePx*+v|IAa{@nsc^(~lq_h*k0Z^VA1T!f=DuMt9vpyVKR;Rhdi25rb9tY}W z!p?ms^vs69TeCGC_QHMnA9(XT^paw~B8a)|NbOZI>GG7nKjU+19vp!ShR+Oeqn_In zpC0@ltTauIE*5(YUZ{)&yh(Hawc5@G%tnXnzmPbL;WhY$QE~cVa~+$J`1%%i@bmxc-$K(YlK&03vy)k^ zOS>`y@_hwdb(i+Q|td!L#v zH}{wJ&*1Ub!`sOBCoR5FM}lI_F2rgQ&xmmV&z=q#aiM9>_DE4wv-e$4@iF|yS`5A? z><SUODQrO$P}$jt8}GaGZo^Fem);eh={bR?8K?r5)HM zWxwyL<~i0D+Q~?2Hhsnov&n!&UIGN^ErR!{*NuHW+_~}$h`LdDbo$=JO~4^1ukm_2aEWq*FOq1* zU~3Scr%rJ{YIBVM&qq-JbgC*!$p0AMFZwXGruKY@lrSlBOU!Bfq~XCDJX_D?v<*JL zSY^6%yk78nXhf6r5c>5QE^M^b@RSQ`m%R9!D7xVB+$eFouh_(qJy3+*IX9RFf+4oW z8BfYR+k)%E=AAYYZkaQI@BKWmO}HbtvSR_jkPf-=@+(om5+yNwe01A1dyEpCThi9- zFx-iu4Dj_OJ)_!e_VgAM3(}hLh*zEYLibLHq_+R*qL*`hTkq6==+N_g$0@6&*e^(7 z`bth0=VUu1{2I^xeE+>_gtVh0g}v`BC8*tltmRPQ;ttYJ!)xa23452&Ls#npSMj~w zL8I-V`)T6(3Q)V`bN8Ll7Xbm6EH#?WgKF!R`)wCCsNaKntuH|8eEVf<{NQCz(G!H{ zw10Je(SNFia)B+qdsYzcoDsFjJGa%-%Q<_#0!WVg*egp{cZ;I9ZM=C%jMmxp{sy<# z6a**Hk1$7x8SmcS_tt*ebh&5Gj80dAT|_e-KRk-TNKOW@JD($?zshAX{Dy2(Ivw?z zUceGcff_`?cNihsNi@#g)wn$*uu zY&0w*9Tz~mGmd#Y?)w$D0H#S7?a%#m?}c!&JMBx6O~kdaOwZ)xbqGPQ2cJHNoFHZw zN+&ov-4Hyqz72hI)UQm~2^ruECpdIk8E>Zbz1^N@cICp3&=8hKclnUJxg8I@$E!9K zjfs=+#za7PP2+*^;Yk2p?~uxH0GlP z%!xooxO*8u@!VbO3BjL;agdPq_I=-Dd38DEfr$fq-Zl)sxRZ92BmzA@5N83@gG(=P zC|YlsbAZ06ixClGB|KcfCHXN|mEIfjRLAXSzpR?b?)RDL3qChk)kZ?))dkibYP}O+ zjxL@u$ulKPA-nuOED9kn0pL}G(ug(Z8c&8ak*>V-7x2BXdvAm(4z@&xuh%#1N1truL%URrM z%>&ffH(&i5`%JU(Wth$rG@52^Hti+OVX_C7!xK_K-k!L%(VX28NS*^%cXPuAg-ioI^PCiSx$r=0P-|GTIw#_j 
zw^^A70ceUd*$`QC5_q6Te=ZRK4X0cZ#>Ihbi#~y z0r58X(c5ss7gE?kz=SxX_4Uh1XHx-2^I+Y9&K)Xnbu`YHQ6m|#9{TgWGN#e$mgC(e z9sT{|FVA_CzP7hz6Uo%kak7fSwgJkWunTTZPoE?%^;JJd>Io2(j9AslWW8#E!ZhUS z53b%RPJdz>%CgZGiOC<=_oGO+Im7o`!^T3@CP6dp2;WUXD2G=3C>~b>v!Zvnr?q(Y z{i3y^EEsOqfL`MLm++Qyj8BW33uokUD~`HCh!@gM&axDFw~NHNmZs)xS=*zRP~_A6 zhv&mj-`%zzCE#fK61F&>JW&Xpp5ODQ)J4%0{>O9?sn~q~aCGI1+zh2is3WmQR;L?w*=yTckvi$+x1lo?ZM?PO zbtoPjXTfUHG&vFyVH-nY+Mj(a(qCfi)<9_Ur}je5J2;J1YvC(B2$iNF1OVMBd)RPAGPZbCz1k5WM=ky# zX;k2z$%?MWoG`F%1ZTSyV_39idpi@kc8visSM2HSa9-vi4``se^c}s9Nq3M-2+AmD z|C0}-wwI2yiF)WIIqa3(c|j{JHabyFkC(l!B+f+1Rh&~E?dxO8K=mZ5NEHr@Nf78F zhP_uVSE3*Li&?%(?;2E{&A5@MpXr?U$Y@X&%i1MZkWD`l;urQai7ZCWqs9yjxe+6J z&}(u0Cb^yxx$miWF`^?HALt61gYM&wpIL8Y0AR!+FevMGOoRsV-&0yu?&{!R!Rc?kTimHQ_GL!N1u-&G%*QgjAf7(qGqbvshfa4;WrI zJC#%6Mp${?K7=h8o5o^}5)~xvySMj>(a&c|n*1h5b2t5f1h4r$jUSwH%OvgtUX z8A4eKXHT~hN+O7veiL^I%eF+p8k6!<5IZrZQ~$XU#!mG*{0bs1@15PcrlwtFZs*Ls*vgYj4nFF*QoN=gUWj?lP`P-tHc$?c-kR?FlVb4hCtBAhyw7!Y$!EvG*N+uT zXwUsG<_3cRdiGATG$}A}KTQ@-*$<|4F|VRP^1z7z))l-nM}iY5%vJ`3elpVPZTf~D zkCPiw*hMe@rf+!c^V=q+Z%Y$*SeE@uufVC+4%9Vr>Sh?ucyG+8^&{(_G~*3{A;~S| zj&;~Q){nk&N|NfHI}-ja_1N13oRS&}+-T_NwKYQMXa4=)a@q#ba7{ajZ@9UIoUi13 zfmbB9@6#RE8t`6_{Cf_LuIGAPr*nwHy|74LH1XeLsiJU;4gR8Y>Ru*3TvMmtY-^a- z@^jc&$?sMKDQr{OS5CSX6=G^=?x`0B5bgTBNukD4Y&sMrLu- zTNVUKNgL0|YU;U!7=kqfV)q8NjbibnuTz6z-|nyK-NGZPdjIsc{YmXe32)gIcRxXu@asgg zv0@l1l2QPCYu=vt*_&be&46(Z{}n7W0}G* zI=rjfgHeOx8j`Pq_Ri8&tg^g&_8(C1ggZ-7nrgD8EW9aVwRbG0D`SrI2vSoEqW>5+ zHLpHSi#b&A;?zg&=f~%)2U+VyKGHgwH?USa!q4!_ai8P$Y8{y^Q1ln!mZ|49S3qZ~ z3SDoOCb}|~&!T&FSbJW2(at(6vGc_=e|COkq@+^Bbi_5^5u@SgtB-EGBh#$u-zPiD zM`Cwv8h;A5XwT4{?ic@rf)%mtYlfOPff-|xpk&?1-AnCv~A2Zb4(`I_+cOk>-Q z!lPao+9U`T(wD#9Ssy^n5E5aXSjqq~v53FzLVdGq0E1Ze+cP0aTk7roxZeF5+U{jk zq&D|nuK_V>ZJWRH_h-zK0yT1y8kFP4py-~TuRMR>HgWVf zv<=aaT{_|o{HQwpZ%Ec|4K+OW&^U}i5!TooU5ozs?$i=*f%}9nxvC=ZWw!F3HU72KTbF#k{NRVlio;76*%RKre7@RWda^U{sLa zrtKkEu44rwt^|$OP#mhP?mrr;bk%iyq4w~#g{>|GChZtk~n5@V?9w_steBX+gc;#QkhDbM9)i+p4ki+IY 
zm~fgS)CXIs<0m2J%ng{=VWI#zztOE(?H$Cf-Z~ftU;H+WY`rqLxIbC?_}#Dx)2Er* z#vD{C?1Vjk48bK^fAs@O#1z|`QjRx!W>i3dYw+J#VA@m@EO)o^m~2p@3uQZsv2e2UeU7S0L@r{mpg`}O8<7{9Qivzv^~M+Vi^$qefppgVH% zZkyvK#OvN}F?RaM8&ODTyQ}E9+4qJc2k40FpC{4mvCSjaD70}fOWy3dizQL4wbJ+n zKl|{b(H79Hm<7FJW&83{*Si6Fi`!VW9_`n3Mknf7vD9g6#eGqr^*7=|PO<;v8T^x& zSNS^j;~}X9g#Zmt8yeGusfAq!3WxniqdWGM_9xWplh~Kf?=*e%f4-jw;y3#XCB~Ko zzJ3r9^XS7@TBoCRM5Y8wAzrl(m#zh&>(4lnM9g*y6lLx3sy=?!W4Go zL^gQTmUtIGh7XAaONBTsj96ap-Yt2*5MuD?R6BKrEPLQ=H((Bbdiou9#w}K@{n2## zucU{#; zeDs&aLmN4E4DH?kW3LUyAVWP~-1AIcJY*_fYG)>WD$Lf8ThIDbGt!@v&$XE5m;__r zNpMH-f8Y#GqU?3(^bhSRq$fx{=_?|47KF&n?BaXE0k>-iCUM*C%eV8lc2A8CU_P6S z!cEBpM!PO7zKx%D!vuq|%wH0|bJt@Xaq<4I^xphEyP`OhPx-!>Qi*R{bJYg4Hg|V- z_i%r9nK-L&svtg8o9$IImC*+>lGFnxg~{h%cxv@TEO<|lMS_-o33=CLA4wsCRCM<}t!>Yfp`e}35h z4smy(H(#C*Z^T(TX0iA25PM>Krpl46QhHi;-bcR4=^T-Y(F44g$M2m7UJsA?HEwvB z2dq@l*Ej-exF;D*{E3?(`uB^yEZHPrB8f!O|wnuG!20XO?!5E)3N(iqg0Sqtp zM~AxztZIZ>t7AlMSrGU6M7dVaxMG3za@7;U|Rf7QMb{K~Z8)0pIA9M0i=(RroCEktNymyT!WsgRLZngi%= z$5~Hjm%oN0sKB*q9OL2GfRpkiqqVQD$fkTGLk4D20xFiiZQXmab#!*66{*iyjF9jZ z>*J4BD9%^$%*<5ki#Rr&5gs*C6UG|nKxEwE6&3#Qs~JSYjHD|bW~*?u)BeX>$bfHb z*qo}lwHeHl4=HDvF1WZxp%pFB44+TNBv;}oJIXL~0mWTs@p$Q*8do5!dbukdJnopIWGn zbQPaB4a+RxrOH!ai^x}YOWu4RJ25x#3iiV_-Xc^U+apj4zqIlg|0=UEtZk%sCZ@x( zfq-HAXixQOGH~GrW2z_U(z&UBgh{LV4c>M(q4VQGpK=EBz@crGnVEO;L$?k~q1gOD z|BV~LJa+tT!-m;_ecKpTrW@(7r*&tj`!kfS>{V>+Qu<{{(HLmtoF_YY>9y#_sd^x)3_4V!OZ(P zQjjS-PVG@x2W1OeHlqv`6B3rh69wnBvzcYBp*5NrO=#K2EjLi4Yf>R76>}hzi z$7Mu%DIufsJ=f7V#pi}zSNE#8#ik^3S4G=YCv#UFFXzp9`5EB@X3Z7J0hbj(`PMqF zzcXWPVcErDZOrT(g};6UZyvICK<}(9V}^&Fbmr&MGAJzFju$HfUrLYFXLIMN5Q*|1RI1eaB8!J_8sN*>rYUPFHVm z@r2%5CF|l6wb1QgwZ~102)S>#LwaI^3rk?h)wC)I?Vp06ke1_iyB{VXA-35W6nx0a z~PGcyt9y%}fNfjXVK=l4IGF zZ|5>1xtQO-e{U2<$)wyC%(coHd{|K;=C!afhrR2z_txpClD~rvmT!iCFMO;%&HeE= z7zvWGbL%iL4BAgczpG*wf7B}*JQY)No z+%B&8_+3@vanOXW$u<%JD5q?U-`|aGR-LD0Z$oK69vV6LvJAg2sD^rWwkA3x)1Gl~ zI(dT+b-!@?o;DE2k=(C3n=3X<4ZfGZAty#P9gHGqQo}j4Rd&~5DTyOBdDdB!Z=nV} 
zLv&jXN*=4iBl#&PqvdT#EI&PJbU6cJzohPPaukYYY*G;fl_Z8h$*EFZN+L>icT+Y` zK1gdbp4l_9nAg3ey-9@6mHe~l$g+6F`$h=O69cJCZ}8j$xolQ+%*iU1ckjEm`wAJ= z!81XrFeEgC!H_}M9B3mA0_M2I7KOaK0#b_;l~7BwWl2SZu{2o}q+IEn7Zmtu~L4xV>NV zy=K(;o|_)roc^PN*&+1G6X@oT@i@gL?!jD?GdqHNPLgT91m>FR>gvtt8o>(x8HZdR z9wR)PLAjH#=h{IsjY{i3*Eg#zM=c*~vjIR1Wo@y4m0EOkoPZIXM%kM1-!8}((|bNM z2OnnPFw)7S5xkT$fohb*^>LhHWUQ}_H6Iakg^vatI3I8vi4oDXU!;{F-jX7v|jw8XdTQ>cVJ zJ42if1zb0`H{h8SMJ3xOD_h(1!j1x^=k=vIr$qyU8fB&9!UjspRo9#Asl~F4)XK85 zkj8O|NAFe}o8vELo=JJ#uQU4nmqfh365C|-L&mE)W(C;o_yjyA*8v|Y(#}uLlGThV zvOMBMR9Iu!v#;+kC#RTGJjxsG?9TJ0UhvPe$H=ING)UZ8Vj3jU)_QnwhHK;9FOV;0 z;UzcmsyAQRucM>8e-Skj#i zX`!EzjmXU5av!MB+1<5#WS!%7J#P(EUt+q$F#X5PSOTl8(s*@CERs*t-#CA)$}T$} zay`6Xuawl%aXP~P=)zr=^L;j%$_dow^J$PZyUkt$kYQL|X!q?K(SB9xb2qM&$;|RK zrb*5j5m+4Jb%;0rO+L%kM${=NV%KoKxS-7xv{`uQ9}ZH+UFE3OPc;%0?SEm|(bvlqx~n?P=fIBP7UH9?mI*Tg6kbDs@nH@A>NC0B z-5+n9XWcbPMf)xrqrB->b+hxMrShNcX1hI7WopTnlb;MTQkPI{Ky4oCAde!KCA#rH zD^%Yr@TVdEWgOu?=plwAblE-ACuujSD zbf}adXmbyRpy&Evl~K9g1$}0=X^061Q6MBDPyL{-$A`}R^IiA+P`P~~xxUSlrvoe1$_?TgDIvk2NbUZG{y3$0BuI;dlsops z{{)rFXUnRmo_sg7vxPP)XaX=`yHwo}IUwF8OB^<-JS~+yRfk0&=)!a(Gu-~L(@Rl{ zTEfSTNcl$1%k)9RKg}>Kfsj19RwY|ju670x*k!fAuoQOmxt)t2lh@GNBrrNh>jnCQs( zW93wwJwV5oao)kzkPkN+Mh4yK^<|U+DO$a3f9-I48!ds7Hs(ggMg8x81*wYR_e2Lx-FHn08Ooukuy&2zi#ajmcb6+l zseyBTnh6>O_FnLU&DS+3$CMiuTn_lG^8LSaMp>Mj-!Ob7AxY4x%HUK(AC#UzgP~gs zmDz;W&S|I~8sL)?g$MXFtbD8-Qt6wKPo0k?PfSn#5g$Xz;8jMlyqt(f*45ohmc$ns zTT;rje3zVVIyw)u?oB;!qGxD(EO(pFmW^%G=vS+#@7%1kD*OvaH@1gipW|YI2$r)7MtrxQ7*g~% zrZ4FTW?U`&uhl5#xccO;xYSN(w-hP56L|{xekgwL!4>q_);q_PrFva zXIO|~3>)SSY_S*?fB&G2P=^+AtWcaD;v@fAN}#c)1qk~UXW|-Uv}TF8;1)!Mc|xZI z6;vbTCKlvO&Z|7agGWZ4PT=23NJ$wvIdwgyV(#zz@bFlQ$qg2P!=&&7HaC_9BO*88 zr$UG5y{o&G-iQr@TG#B=JHHG%e}2eyJsjo%-7Nu)shz`!?!x&5NP{dMgaA+DC6lq= zlIv)8whEy84(stH+c&wpxj+byrIL%YUugsn&N7S;G^;5zYMW-a^M{EVH=BT$qy35r zD`PMmeI~9YULsUBr6JO1dbBI}U`N|kMm(nGh-OSHb0AL`!MLG}P_U&fha1)AFiX@o zX)Kh=$Zj0W^6Bx9PIQBe9KB%p#S8(|Rn=vjBYJuokL74t`$@N1crL7ko@}qGvH1NA zt{|M`I`*WOg-t69Oq@5;^jEA 
zVLL!nH|pPGSXx-_{}i$M8f3Myx3UtA|ap#Ig~+pVU^v`umRDe|aK~WM z*wd?-LkIFx$J~rvYJB(JSZq-@nUxk5ZX_>goy3Z(+2 z9>e1TIc+iY62ACz3U4`Vw185pR_2&6e;9%IDEe0rjBhS)*EN~J(MY=|?VXQ_u#JM1 z0%9Y_M~gQ8{O{LX&KC@f5+R$z`X?M6Bg|U5Jp~D6<7%>3Gs1zrQrtWZzcjAO!oK+F6Ez884zF*pRWj^-0`}64Xfs67RGn_@0Y&Tv%|zkabOBxE`aPj(MPeM%`!8Lqc-J+(L$`OFGPC`44{ zzf***`9{6pq(N%^roPG>P*cFTdxJ?rB`WjTm(9m?S;>3*6_It$Mtd@{fMmFlMfq3e z3tTww*9oN!C=w-&MFfG4d#TbdM=dsNm%W)~A>n|*KqcbSb2wG!C-K?ZCe-Y#w&$o%a;td{d>KXBDB{nHOzPKX6d|vC-UPs!o zleoEop`oRh*F&AWAA$K}D^9T~s`-+iAi9>mJ}J_cnWB;sGj2}&4&|_p5u0H(PEq8D zqT5khYTeAMlhf1MdTc9C9aIb;ue_U&{aNpwG9iIG?Q)0$9u2Aj-1J_p5dbvz-uS@?FQ~yQ ze)`wiTc|Y>O=@aw^?o2toEcg#&uh=7Qx02cF&)hOv5a#o`LER$H-2N{|FiFFo1aDS zq0i$KwAcK<;&?oYxL}I=w|$nH{~DMDE~%(m1i2z7-8HWN6;bxS$MwH<>1IIz3YcB` zzrDuNDmVQkM@@81D4M6x)zMkAnsy!*5L}0KOa0?*YKw2vPV)umm?waenf%aeewQ8? z>(GBcHX|gEz?eQ4B_NPcSmE!vZhJ!pIZrza=2BSiWo53R6&6ozs6;S-sI%H3(o{E6 z^pi@=lKr?DG-sk{DzLf*j{G7{!TNbtO(5qwDGOlO`Tv6hjNE~ohAbx6@HLGrx1 zk%^L>R6TU|@|)8S2HKcwnf2lUGTFi(3Q9rJOvQ8|d}SkOiE26~V6KWpV?=MC?ZZ8_ z)P>m*PuABK*{LO>GAiZhd{bH>O(n!@Q>0@x6`?3?N5MjK?xSG5UONWQ$WtgjM6czH zYYVST!`+@Nb_ zYZaT`fgFOAE~J;Xd2$pRR7L3CUH-VPnH3!-hcYeLBA4mH&0F6kQ&`*7*u~17y9Z&L zMlZTov7lyW2<}tjZk6_9QRm zH*fR@`>!#ha(wwZ_v&kN#R-mgCBL)w8aY~ho(^#tv#;~=%$JsyXL}lAlmEQ#U!_AN z&+Ve&$qjrj=*lMco|84NvMlZq!&>!dIUaYjoAeEF0xhNIRn`k^RG^T^Q*tvV71`(b zsju@<)}00){UvnUwC|`7EcVb?3)O$>A2%A$nxpT`&x+2n_@bjN_0e)GcwGMSE#l4a z+KHE8*hsO+7~5$XS(>?ucFL*zM880A8pmH%ZUKLW=)S#27I0!Yr^$p`EVnR|jE7;D z>K%#IQ6ulr6k?69!u$C?FA^(#aWZ~!iIK6bxyczubS>V>YLkxjHbR>r)yRDYn%PsA zeP~3SRz#>PT}e^V@H%#)9wo>2vx9F&?wNnAb*`Umc;cHHz!eJcF7@srdHz{T=SA~huY@{oNll4F=*X!h7qUjg`4R(m2<@F%fjgkz=YCbTGjeK z@xr_4Cfa-OC&bh~PSin%(`?%WZLh@JulitF4G9QxkvvsZBXEYf;NR6XRa_!GBMGhi z$9A?~K7T{-soy5JtNvZvN?&6d&k4tv`(n*}O5kRvNjP07GDXA-`1E7+Z?drLEDaZd z#H;)_zDHv;J-lecYM9#>wqXk2)n{vyTNG%7%3X}f&STsh-zwRXSB{~7B+&}f)Xy&Z z(_-vuP&bK7NqDHq!KutE!tL_O?|?dcaIGXGBHii>v91#iIQx9c{2%p$to02~y>I8Un)VUk^5L;*hZRTL(s}yI`6Awv_y~j5N#4ac`wG 
zCBHv8KSTd+2$Ovthsau%yUF=iZA%9F(;7|H$4J?7i+l!TAL~skVZHcue$FEcQn@>d zU%%~GRl&5EXF6HDT${~}+?X&+M3bdKEl!)CX&b##*y6DP1+0v!p!^b0_|ya4=RfQk z@kAeVWW{+fFy?cJ+`T#_EXCRp+q7l-bJ9wDcSf9T~TW+PRf#&gaQ<%Jo3X zBkr8Ly3})_d*(|ObzDuqdln|s8Jz-Pf3aLNMveIfBCQ!{_@7r-b=%jNOd)$3t7bP8 z(sE&=z210H>=DoooHSj`f*mhHa_HqVr;~s(VVF(fOk6J9SI|MCKFZjEWO!7XeJ_9- zhzsVM4S|UL$&_24OD%C(jlDcwMP^oX#Id*~PLnPRM0Nk-bvgN_X4;>DuTELz+q-Is zk3xC|yc`CVo&a*qj4yh)Zheb_kxN^Al@upaTrQu@EOLS!~kIjA8nx7eqV49ULZ7IzC?u^{_dkiLua=Em){4Ymdw%a^w zyZ)c86O&0h-CkGkW#5W8{l;Hw%n`O>xDhh;4Or!T`5FcczvjZ8QkWc&;E8*v{Q}Lm zBsnkd>sd_>h-Jk1)4)wMU+HnF7*^Nf6WRITAa~{`kd)g&&~54qPB}^;m-`7i4nBkr z_gr6slADav=p7VTnm=nU4h#(J{t93*U+PlAjcgTeRFB|gzO3mLvAH#ue^6vWDT5!o6h-T^}~if-r!}s{f=WVpq-LA2FF`oEYBddS*O7aUiJd96 zfKwvM<1=GUY%CwP3Rp8Iq@+WFGpnw+ksgnohAp3T_gZNpfBz(8Fl5^?@{522b%X=*2qEVE*C<#$7YNem0j7VK` z-8j6Wfw-2G>Mpg8kNq`9O-enn>&AY*Qi3jX=KL}`%T~R*p8ySMI4~RV=$$@bc6zQR z&51dH?jO!IX~c^SjyH7yP%)8s6=$;f0_=-Qv0ZCDu^#b6X-50XYU zHW9V>5m&)oL*3prQ$?oMO0IXZpAbTtee}gPU*e4|KJgfToQtv=-wY#@u-%r5iaFV> z(=Kg4S=FZ&&z7{yL6~<#W0Kj~NsqiPW}`&T%$GjLol-3EZPs(LxeA-y9fxz5P0rvC z$pYm;5ooarsRJxR%i@>VJxY|@5I1}v4@1JBQ||8P}p@0rV)$>YdjQaVsKt<+CzBe;O$Gu$-q_uDe;&#=8C6&)K}42ll^V z9@0foaS?+Cca+M|#IGZ28~MeopZaT0+P*3k;V?4g3gs!$op?RFS&Wi>wY9Z!b*Ats z;4S=9Mupd$W=h}g{ByBPhmFIiZ)!MRyarXRvO1!1?#n=^p(7tSPb(t8gK#<~BO^o6 z-kyVdin)-1C?P9hB8us6#Hc1}Y+sKj=c-o4m}?0{cvHAzn|ZcIhU#H>U+Bn?p_pmm z=B9J+T;j?Kbae{f;FKn-+VHOR4L0>Zum38;C%=eeb+W?+yHbmnyU=2Zt02u&Yg9{*-A&C4JCprA61 z7R4>*7hRel5V-oMEIwGlwQwZ!m|MI|#omcIV=yjJb2YYLm-MLUkxMHoCq+o!X?(PXLgS)%CI|O&P!GpWIhr!+5g1b8m@J;Ty zx9WR;Pwkp*Rl9rjvsRzsI_9bu*B=(L$WBmbw6(L$YKGKx5muan<`}{cj=I_AV{{?{ zJH-??;CQtAC@%y4)vu3e#rbI4btjrJXb-(eyKoT|^g9)qS8tXLRBe82be@T#v_dBYOIgeFrLTiZK+msrc2 zlvW&}K10l0ofDHrC#clHy$D?H5{-?OW%ky6BA5K)vDG+7_zIhX;`(|7ZbX_!QD4U8 zi3fS}fX@#)IbL@Zp`2=B1HPDtKrI;j25#R2v>dtOvjvC3W_~R5DdxHjm~=rko%x18 z3v}^vGeK4~QQK#lx;p2w-1Y|pzbyWO1=g84X2}_AfGYBIjQ|3N+b9g|Rw(xh85in= z`mGR`K1xc;#O!Q2VH*N(cAephRy0aoqddOM*Ph!;pT~}^9ll2afL~^5TIL+T=ZE@C 
zxQ!Y4RKS$~^{Xg0S7c@d{M*vyp~RGBZ5`)8b*>+7mxZbyVxKGj?VJ6r{T7%~|E1*; zU2}dwK@4u|ebxVJYwHE3=XnmEb?43FEN`hAZ&b!@sgF|hrj??&&BKLQm8_y4_k26v zw7!%mX*o-X?j({6_L1m&UVRiZlkdq3CA`y8NqZ4gN7SLi?Zd&jK-h>SE=ciEK5Ldu zLIO_H!Hte^;FAaW9;-&uRERRw_01!i@KPn*9IT=1*BCZ?WGX zOVWW|iGG%b8P^dkyeH**>;(-c*xwe-%1~Y{2^G5BI@_rybGAmlJf1m($haCLY<})@fgOz&8@gi@xJoVY7zGgvInj%B4W(GwTg{( zeyFk3;1)f|)pq1*m!OcGvN4%Jfz_j{ZNx>fxMG^N zMq>G&(XZ#W8|vToWuw2b^*EU_n|nDWx9z*CVVk9Es>DFk%OZz+=Z7YgX{JKhg4|3a zF`cXD6)8^~3&VQ#`Bz@?0pF(1_Q9Lkue!1vDx7X3Yc)&}o%4?%QGd4md_hRe4au_* zwecIFN~CvBeX~fHsF=TYlf|!!bj?)88yG@{Z_!gV%JU_o)X+0XVK1GHSskXEg z2;;a*NA06fILheDBl>eYsbBYy#rFgWF6n=0h>8Dympr*a0hql6k{h-c{?E@KIWg2? z?ePDOMTxUJeaao)B-$VIu#DI1r z|0NTATrPMGU%W{GkEdS#l^}9VN!8&B`Lk51(`5b2f3xXQh5vTSqob3QR9tDDonUuO zzn=l%Y<|nGKv3Av@+$;{TyhM<_Kfsv-PHBDZk zsPOcC?;uTiWu9^C&+O6(q?M=nCl7csL3+heDuEJUeK`!R6@FQzZGKx-Q0k(Z)#(X! z!Y)g%qy+B6ftm*I7v|Rc{Y&KGlhNki0OH^Y&Dq=A^o>;?=a`dqIQoGQ=co~LS34Xb zd9D{G|4N^fy;8XHj1D+=wqAzzU!cA3XptEUr-rRu*(PAq{(SWBEW8a_IR2J$S&d18qL|2QHF@yI$h(j89XvebWi+gI#-dk~b% z<(aAzd7ZhB%wy-k>A_J2rc~EM19U;lDE<_R7X%*WOt6zDb00*+iE`g=OIn`~L>oxy zLW(z0%g0!ca=Q;8TNf0Qb4QPwQ7^YSXSOS>6{l!?s5#T5;2=AG9O)39S*2CN(3xkZtpAV=c=Ga4o)^+HabzWobCt8mq9ZPZQ$>^GG#)0vy|#$uMA$8y|$Qp z3d+zh3+rm(*PSomTNSReGYc+P*BGbeh_)HOlT-ZkB<+uHSO=6xR;OvV_~(}Sb)=c- z;>BtB8SjY>v01G7{uaLm59F|5BA@rUgo4C`Gdum-YJTOuUBraX;5Pf)fAvKE zwxK)DSX1B5FQIPDMmA@qsgsTRyvV}N(pTQzyEP(dG{3dQBtJDdS#O_9<@ZUQ|2#Pv zqpe$p{_)_dO8$c)uFEqNu_SJHhdB7**w^RbW3$iy{RNkupwGZI5WDBm-Kkb+Y!6A? z3Z2LC%Ju#IW4-UuttVR30L=~7zweDnH~x0KcCF9cAB={{^9~-{0yB8aA3K5jSrAsK zMB73YC4RPz--sf<=DaWr0fhIT)6=C~cbj|f*7>8HlWtrIvy^n>0xsMfV@m4Sc%-F1 z5XKseZ(b5KX#j%+oMt5>l(=S->TA1Q$Vuy%TvcuCBxMXYoAvk$CCJu?l8)6~+5&Qc{j_bhO%Z(UsPnHLj7Qq#*? 
z>+>0o?bB*z+!CxVGq+3aIBj?QFR%C|TzY1L`@hX zFE$gJ;-R8jic=SnZ67_#pT8Eq)+T6-w&Mt={?TSiW&X~3Av+o5)RDgUQYft zb7EWuW0M!{?aT#HyTVUQ-7lP)RSh=LOHq0+GFdm#=G85U=sVmQ17c@{-AW`>8IT+- zdq(|rNbru9Q>R#vce2c(yb)GBgIyry9b}R!Odw+Bi0g*E1?ryT3 z&kBL{lU@sN&Z7Z!##j&lK~suB?c1hWh(?arF57n$h%c1bb=^;&&7*Cm1)K>kqrFxU z!H%&bCgSYBn>p25wQzP&fbWa}Djvv%(+FxvjIaw-?P$Q5}*%Mg&8Io&r#^zRpj1`yQPuMZ>wd@_JYIM+N$I zgNTWupZwqCZ)f4j+9k}Gm-vLEEHn@V?j55sKC@_yTb_Q$GN+V`K>7pNMWM<#%|5F4Hbo;V`)>33duVY40sADCxfGjd^hIB1l5@~6y zv6-o)gte3$+d3pWuaaDomyYI^5q|NzN7do6=T>I_wYio2aA+k2r^ zK7Aq#EDvUmX;%Gve$fw+Bc!}^xni+OsFTFMsAn+GJ5bP(g-4@knh;sAUDSY~Pcc?07H zN~;JQZI_G260zrXHH1QiF(v9Jgk)D0XfygwF;Py|jV$r!pCaZesMTWl8@Licd1K9YY#qL< zf6*4^t7mF-OxkhrMiu)M8QW`xEc6Q2ze@Liq=eU@Mco$UK4 z**sj;YqN6uGJS4Yy>F@Gw?HGlO zG2Hn#DOW{{F^wE|P>3vDcd}yHcm(7%qp21nTmcJ%&fsJ+-SaP! z`-c}ZiWVqd@NT(p4g{rNHyH#8p&BlaX>1*r;F1V>)r11&iCqtW`U(XKiW??+wH58B zs6a%IB_>ZmLA@=e4rFatg|yBJEO+*GKXkw%NK!){1&`zSz$fms4mmx z&|<|TqDdZGNK2!qkP^Jr=JrS+3E)TdL!uhBkZq*8^q~ohn^8LcHyI zdz}wdxKeh`k167y+*8G!PoAUzvaTM=Yl*n7an2elf*WkS8bDppykJ)MCasQ-Pk)9f zAmrCVbahhFk%W;H!(xg4L9i_OHR^*362lzEVPJweW9FPJ5VpUbeRe!g#5*|6C^pC) zM|-Ln+e_Nx@Qv%cY>B0rf5E(!jz>+RhU9lbzdL#r^Dd ze+5pkOw2U`@6h`n8e8930zNUdUAT$@R{}wgth;)r&!0sF1tvV&+s25L<3qmiaGXQ0 z=z!J-W1+(I23WsG5qx3)C z8Suh_`Pz6UtmW6E9F6dUR*-yNy*p^mA&k)Q)GoLI{Gv*@s9xfEkw9#aP>9#9n|Z!_ z)Yr4O^>Hiod=TfRyv#f4VT-Z#I_Q6;zx5)o$8RbnrS&~d@aaTV#8WC~(1UWZ{7{Xh z%|m!T3X_#k&T&RSJ=s)^J&+fuwc>C#Y{`1!9r3NX(9$4-dS=8DV~C6+@nDgY088L% zCsxsiVRJiqkwT7Gh%wme*Jh*xSUC!KQZ9BlPeL!c5j$n8AQYt9O0!rT{OE~7i0%xy zk9PPfmw1_QF)KQm%^w{Sf>~6R6wP7Y@DWVe=DC7nZEb973L>$kY7Z{iL&fRWu!kb* z4QNz5%(u4-YReYbFeZL)NpFz>el{_@S=R)))F`s+^Y8av$_By90@ShZ7ahqAN5{tt zJM$A~>shU=tOt78M;F)E0ovM`N3QG%=_wQ?+4#f>VOC~Xs#;BwMFCGI^Hu$%YuuAw21_W>hLe{M@XJvv$L#NeFfKZrg*i$r?g`W>?#NvS#DeJ#hoY})t94>z)q=4*DNklbcRH`wTlB}i9bosjp&hEp6;vD3 z_H&>;&L+0^kxnp0_?Vlwc=cQ7(@D`VddWoz3+#iP@}{PbO|x?NXO=$gY2RpRHmoS|3$ zU{Vb(?=9UU;dej>vSr;GXUc2LF85I?08oC?g4>b^ffxQO*f>K(p8^RNk3o(wp=EQ2 
zQK}$~|0N{IA@68m8ZlAb_1_8@Iq)dM*(BoJWt`p)M=q(J)7W99J>?8dxjAnO+J6ra z7I4*xYk?Z|=xYd{6Fe5B^!J(i9}*v;@T~D9Kh`$!>Cd?D`7KTJF#-Jf%ccVU zB5d9;Lbm_%qDtZZyAA)D+`7Ld@3A?3mYHRzxJqqd-}3S@FTn08Olx@8Ir zH>XT>w~S5g2^h$_A0d~<9aV-9{mTiE>t8iJ9!+Chxs^$a|Mx%K#bfy01Dz*&!=63# z`~Txd2q7Fj$0!b?*LhOc<@4Jn@Hq^D6j5NFNB$hQ@x-msDB1t|4h*TBv_nSLLzpbq zuAEE0yKPw-Ci)q?*81Z0aLDYHN}NE57bV=n&oWeA9v(-u_;`5v{=fAFXa14@2rcSB zB6jzKTdhU#IEw<@+%q2?02yL@NIQTB$GPFybN8d(v%JUBkdXytb@JCc-wwA8-rOJ# zW1iN}Z$Yl+>9?dlL0UIQ$?q$vZ8wBDC^I=9xxU2Q)z^mCCqgXBW3uW;+<~k8xo+?b ze{yZybya75J?l->ScJ?ZDFs{ZUNpbqv&kM-qP~i>u5ZErup}siX<}xc**ZNGQ`!*u z4rGf-socc8a*ks7LL4Odehh@|_y&fTi#NJo*Mhu~PQU+Dey+cfh5)<8&2=%nhS?ik zE-r3LOi0y*q6nMKKefeZLwR9zSe=W^r6bW_dlO zRrbzJb;>TWy6k(^dq4IWz4N?ZEt7Q`ABcFxbC?m8U+v4{3KGn_nYh{};NZ&=`Fdc- zb+yJlXnNkeE|X7BCKs}*8uUFDuyf?RT#z`;iC7Z%6vNms#%H07|5XcT{wZ(EOCzQp zC`ao9$BA|2JTC!hLZEbI1C7S25hA(=R&Pk>#xCtt7tO;YW919{e}_CJ?`5{y+sCfa z0D9P5_i~xEu8g(y-8LKzS8EWe-jTyLo+c>tKMNgr0FGC_>|vzNtzG9l=!;Bh29Isihr)!V z=i=sd=&R1atc?zjGZq><1Q(@XnhnC1($M^FFVffBTH5GcpJi1xepA8RS6-_|h-|H6 z2B?`)s>%`q#_g>~-p3O}%W7)mb5c(pbM;($M`r^HQ&b{fk!Y!dmhKQOX^>fqOn6ESL7aVk)Y{u zB?6?kQ2j0+#YwigcU!@a26Y;M+kyQ@PmlNz2?{nW9Rhy4C}EAEHo0wjTYwc(*A>pt z*SG!Wyk0vqwf>YX4Tyjkd|W5ULk`eQ!$`$~@mfvS%o^Cd!!d=T8%J`Fyw_yEm+Jk% zs%7I7(}^ub_r!GC)y%aCOV^L?JU8%8DP8+Au2-X~+R75;n}r^zvLQ4vuRz!Sy4g#k zib-ByrR7qLXr-~X{(ba;-n)qaCtcU%cbihyDZyZ2sD*EA^`;=DR>Mp)bCNMn(>zAR zdAa7Q8ZjO(mFHcI1%g#*nFY~d-BJOKy^8MRsUu&=aSLUv&qE-OQ2jM3$i)s8F6kfp zHyoqCkvDzfDTWDgD~(Y3h%V317y9gUw71hRGN5C7!pQgSLg-L6ZvSe{e<$m*inzW@ zS@OED@JUy@)9d@M4e{O+9yoY}cK*VaS@m&u!P_*SkH?|XBlQ6$G|cFdiw`t&5mh}k zkwOw7ZveZf*X#2&8SK8e*pnXkVo1NAT$bV{hsynSnGfd1rFxC!{Wi~c9$V}t{o~dD zsgDIe^iU0l@$RrLY%6~^L-2=QAzz*6LU7yKED!88k$7SC4&9z3{Ci&_XM8WACxulv&{vLTvTJXI17qWo`bUbKDaQQ)H$h4%wkIq;h= zBlrEbjrMAiT4UP(u%P_9d~J`LBO*CFR+5_Lv~U!+At>w*dIJ(v-v>Ti}VTvDHJ@N=tC zxhGJWF#=<7^>211!q1D7J>ew~+T@`e>e_FlgJu?qh^ufLn+Z>|DNkuDr#j|_6m_1Q znIhp>Nr8S(vVt+9r2bVCD!2BbWqXW2k`g?Of=Evtt>|gMz?Lv3qIbrA^~VH=9;PlX 
**Add/Remove Snap-in** - ![Add or remove snap-in.](images/vsc-02-mmc-add-snap-in.png) 1.
In the available snap-ins list, select **Certificate Templates**, and then select **Add** - ![Add Certificate Templates snap-in.](images/vsc-03-add-certificate-templates-snap-in.png) -1. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates. -1. Right-click the **Smartcard Logon** template, and select **Duplicate Template**. - ![Duplicating the Smartcard Logon template.](images/vsc-04-right-click-smartcard-logon-template.png) -1. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed. - ![Compatibility tab, certification authority setting.](images/vsc-05-certificate-template-compatibility.png) +1. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates +1. Right-click the **Smartcard Logon** template, and select **Duplicate Template** +1. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed 1. On the **General** tab: - 1. Specify a name, such as **TPM Virtual Smart Card Logon**. - 1. Set the validity period to the desired value. + 1. Specify a name, such as **TPM Virtual Smart Card Logon** + 1. Set the validity period to the desired value 1. On the **Request Handling** tab: - 1. Set the **Purpose** to **Signature and smartcard logon**. - 1. Select **Prompt the user during enrollment**. + 1. Set the **Purpose** to **Signature and smartcard logon** + 1. Select **Prompt the user during enrollment** 1. On the **Cryptography** tab: - 1. Set the minimum key size to 2048. - 1. Select **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**. -1. On the **Security** tab, add the security group that you want to give **Enroll** access to. 
For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them. -1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates. -1. Select **File**, then select **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**. - ![Add Certification Authority snap-in.](images/vsc-06-add-certification-authority-snap-in.png) -1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list. -1. Right-click **Certificate Templates**, select **New**, and then select **Certificate Template to Issue**. - ![Right-click menu for Certificate Templates.](images/vsc-07-right-click-certificate-templates.png) -1. From the list, select the new template that you created (**TPM Virtual Smart Card Logon**), and then select **OK**. + 1. Set the minimum key size to 2048 + 1. Select **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider** +1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them +1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates +1. Select **File**, then select **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer** +1. 
In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list +1. Right-click **Certificate Templates**, select **New**, and then select **Certificate Template to Issue** +1. From the list, select the new template that you created (**TPM Virtual Smart Card Logon**), and then select **OK** > [!NOTE] > It can take some time for your template to replicate to all servers and become available in this list. @@ -103,9 +97,7 @@ The virtual smart card must be provisioned with a sign-in certificate for it to 1. Open the Certificates console by typing **certmgr.msc** on the **Start** menu 1. Right-click **Personal**, select **All Tasks**, and then select **Request New Certificate** - ![Request New Certificate.](images/vsc-11-certificates-request-new-certificate.png) 1. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1) - ![Certificate enrollment, select certificate.](images/vsc-12-certificate-enrollment-select-certificate.png) 1. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)** 1. Enter the PIN that was established when you created the TPM virtual smart card, and then select **OK** 1. Wait for the enrollment to finish, and then select **Finish** diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md index c5ac24e838..afc26113cb 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md 
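Review bot: in the merged **Security** tab step of the virtual-smart-card-get-started.md hunk, the worked example grants **Enroll** on the duplicated **Smartcard Logon** template to **Authenticated users**, which lets any domain account obtain a smart card logon certificate; since the rest of the step list is being tidied anyway, suggest adding that this scope is for a lab walkthrough and that production deployments should grant Enroll to a dedicated group of virtual smart card users instead.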
@@ -30,11 +30,9 @@ All cryptographic operations occur in the secure, isolated environment of the TP Virtual smart cards maintain the three key properties of physical smart cards: -- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and nonexportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer. For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). - -- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that are offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. - -- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout. For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). +- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and nonexportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer. 
For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md) +- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that are offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM +- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout. For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md) The following subsections compare the functionality, security, and cost of virtual smart cards and physical smart cards. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index dd75945f31..611ae4d3b6 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -15,7 +15,6 @@ Learn about the requirements for virtual smart cards, how to use and manage them | Area | Requirements and details | |--|--| -| Supported operating systems | Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows 10
Windows 8.1
Windows 8 | | Supported Trusted Platform Module (TPM) | Any TPM that adheres to the TPM main specifications for version 1.2 or version 2.0 (as set by the Trusted Computing Group) is supported for use as a virtual smart card. For more information, see the [TPM Main Specification](http://www.trustedcomputinggroup.org/resources/tpm_main_specification). | | Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.

**Note**
You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they're always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.
| | Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key isn't generated. | @@ -34,7 +33,7 @@ Virtual smart cards can also be created and deleted by using APIs. For more info - [ITpmVirtualSmartCardManager](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanager) - [ITPMVirtualSmartCardManagerStatusCallBack](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanagerstatuscallback) -You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](https://channel9.msdn.com/events/build/2013/2-041). +You can use APIs in the `Windows.Device.SmartCards` namespace to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments](https://channel9.msdn.com/events/build/2013/2-041). The following table describes the features that can be developed in a Microsoft Store app: 
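Review bot: in the virtual-smart-card-understanding-and-evaluating.md hunk (`@@ -30,11 +30,9 @@`), the rewritten **Non-exportability** bullet still asserts that a malicious user "can't reverse engineer an identical TPM or install the same TPM on a different computer"; tamper resistance is a design property, not a guarantee, so suggest wording such as "TPMs are designed to resist ... so that a malicious user can't practically ..." to keep the claim accurate. The same bullet mixes "Non-exportability" and "nonexportable"; pick one spelling.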
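Review bot: the `@@ -15,7 +15,6 @@` hunk in virtual-smart-card-use-virtual-smart-cards.md deletes the **Supported operating systems** row outright, so the requirements table no longer tells the reader which Windows versions support virtual smart cards; if the row was dropped because the version list was stale, replace it with a pointer to the current supported-versions statement rather than removing the information. The retained TPM row still links the TPM Main Specification over plain `http://`; switch it to `https://`.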
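Review bot: the `@@ -34,7 +33,7 @@` hunk drops the "| Build 2013 | Channel 9" suffix from the link text but keeps the `https://channel9.msdn.com/events/build/2013/2-041` URL; Channel 9 has been retired, so verify that the URL still resolves (or redirects to the archived recording) and update the target rather than only the link text.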
@@ -77,13 +76,12 @@ The PIN for a virtual smart card can be changed by following these steps: ### TPM not provisioned -For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer. If the TPM is disabled in the BIOS, or it isn't provisioned with full ownership and the storage root key, the TPM virtual smart card creation will fail. +For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer: -If the TPM is initialized after creating a virtual smart card, the card will no longer function, and it will need to be re-created. - -If the TPM ownership was established on a Windows Vista installation, the TPM won't be ready to use virtual smart cards. The system administrator needs to clear and initialize the TPM for it to be suitable for creating TPM virtual smart cards. - -If the operating system is reinstalled, prior TPM virtual smart cards are no longer available and need to be re-created. If the operating system is upgraded, prior TPM virtual smart cards will be available to use in the upgraded operating system. +- If the TPM is disabled in the BIOS, or it isn't provisioned with full ownership and the storage root key, the TPM virtual smart card creation fails +- If the TPM is initialized after creating a virtual smart card, the card will no longer function, and it must be re-created +- If the operating system is reinstalled, prior TPM virtual smart cards are no longer available and need to be re-created +- If the operating system is upgraded, prior TPM virtual smart cards are available to use in the upgraded operating system ### TPM in lockout state From a8677e947c6bdb18f12290889dc7a8c557cc4c87 Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 7 Nov 2023 09:52:06 -0500 Subject: [PATCH 11/21] TOC update --- .../identity-protection/smart-cards/toc.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/security/identity-protection/smart-cards/toc.yml b/windows/security/identity-protection/smart-cards/toc.yml index 2b7e51db7b..bca4cb0bbd 100644 --- a/windows/security/identity-protection/smart-cards/toc.yml +++ b/windows/security/identity-protection/smart-cards/toc.yml 
@@ -1,27 +1,27 @@ items: -- name: Smart Card Technical Reference +- name: Smart card technical reference href: smart-card-windows-smart-card-technical-reference.md -- name: How Smart Card Sign-in Works in Windows +- name: How smart card sign-in works href: smart-card-how-smart-card-sign-in-works-in-windows.md items: - - name: Smart Card Architecture + - name: Smart card architecture href: smart-card-architecture.md - - name: Certificate Requirements and Enumeration + - name: Certificate requirements and enumeration href: smart-card-certificate-requirements-and-enumeration.md - - name: Smart Card and Remote Desktop Services + - name: Smart card and Remote Desktop Services href: smart-card-and-remote-desktop-services.md - - name: Smart Cards for Windows Service + - name: Smart cards for Windows Service href: smart-card-smart-cards-for-windows-service.md - name: Certificate Propagation Service href: smart-card-certificate-propagation-service.md - - name: Smart Card Removal Policy Service + - name: Smart card Removal Policy Service href: smart-card-removal-policy-service.md -- name: Smart Card Tools and Settings +- name: Smart Card tools and settings href: smart-card-tools-and-settings.md items: - - name: Smart Cards Debugging Information + - name: Smart cards debugging information href: smart-card-debugging-information.md - - name: Smart Card Group Policy and Registry Settings + - name: Smart card group policy and registry settings href: smart-card-group-policy-and-registry-settings.md - - name: Smart Card Events + - name: Smart card events href: smart-card-events.md \ No newline at end of file From 796abd87714b0e7e00bc7ecfcd9aa4f0c5a7bb06 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 7 Nov 2023 09:53:04 -0500 Subject: [PATCH 12/21] removed graphics --- .../virtual-smart-cards/virtual-smart-card-get-started.md | 5 ----- 1 file changed, 5 deletions(-) 
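Review bot: the move to sentence case is applied inconsistently within this hunk: **Smart Card tools and settings** keeps a capital "Card" while every other entry becomes "Smart card", and **Smart card Removal Policy Service** and **Smart cards for Windows Service** keep title case in their second half (compare the untouched **Certificate Propagation Service**). Pick one rule, for example sentence case except for product and service names, and apply it to every entry. The file also still ends without a trailing newline.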
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index a724c1f9ef..711c4ed802 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md @@ -66,12 +66,8 @@ On your domain server, you need to create a template for the certificate that yo > [!NOTE] > It can take some time for your template to replicate to all servers and become available in this list. - ![Selecting a certificate template.](images/vsc-08-enable-certificate-template.png) - 1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks**, and then select **Stop Service**. Then, right-click the name of the CA again, select **All Tasks**, and then select **Start Service**. - ![Stopping and starting the service.](images/vsc-09-stop-service-start-service.png) - ## Step 2: Create the TPM virtual smart card In this step, you create the virtual smart card on the client computer by using the command-line tool, [Tpmvscmgr.exe](virtual-smart-card-tpmvscmgr.md). @@ -79,7 +75,6 @@ In this step, you create the virtual smart card on the client computer by using ### To create the TPM virtual smart card 1. On a domain-joined computer, open a Command Prompt window with Administrative credentials. - ![Cmd prompt, Run as administrator.](images/vsc-10-cmd-run-as-administrator.png) 1. At the command prompt, type the following, and then press ENTER: `tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate` From a31e8c3874e53f4add07275495d24ca485df4a01 Mon Sep 17 00:00:00 2001 
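Review bot: the three screenshot references removed here (images/vsc-08-enable-certificate-template.png, images/vsc-09-stop-service-start-service.png and images/vsc-10-cmd-run-as-administrator.png) are not matched by file deletions; the diffstat shows only the .md changed (1 file changed, 5 deletions), so the png files remain in the repo as orphans. Delete them in the same commit unless another page still references them.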
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 7 Nov 2023 10:21:24 -0500 Subject: [PATCH 13/21] removed graphics --- .../images/virtual-smart-card-icon.svg | 4 ++++ .../images/vsc-virtual-smart-card-icon.png | Bin 2171 -> 0 bytes ...virtual-smart-card-use-virtual-smart-cards.md | 8 +++----- 3 files changed, 7 insertions(+), 5 deletions(-) create mode 100644 windows/security/identity-protection/virtual-smart-cards/images/virtual-smart-card-icon.svg delete mode 100644 windows/security/identity-protection/virtual-smart-cards/images/vsc-virtual-smart-card-icon.png diff --git a/windows/security/identity-protection/virtual-smart-cards/images/virtual-smart-card-icon.svg b/windows/security/identity-protection/virtual-smart-cards/images/virtual-smart-card-icon.svg new file mode 100644 index 0000000000..02fb8d7434 --- /dev/null +++ b/windows/security/identity-protection/virtual-smart-cards/images/virtual-smart-card-icon.svg @@ -0,0 +1,4 @@ + + + + 
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-virtual-smart-card-icon.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-virtual-smart-card-icon.png deleted file mode 100644 index 4614d7684bb61bb1a01792758f529dba78288dfe..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2171 zcmd5;`#;lUSMt3l`YNU}SEv6cpcG?CN z)zU`JGD@k`B{4+WLxq~4ZY?GVL69IKCtY{W`3uhLwI80(^Spofd|uDzd7jVv{mJq5 zKB=Lus}2BwhKIYWpUStWtN^-Gwbp>9X(|Uw@jK}ZRCXVnRRKthla~_!R8wGE=hReq zSE74R3IJ%fy*Cgqp&|+Zpl}aYr+~Du1)72q(0_m@r~Y8ecyX_h`J`zVi}d6+my2pG zxT}U^viK_O}eW zpgl*#yh_~GjtOR0d-fu1^km1FRd?sQ*j=`uJhfuY79kstSWF@lewE*#lnDqtVU>VK z+Z)^kU0U+5RI+1F7uL7-2 zAA`&DbRh8Q@8PKU+5&jQ&_s}Un7^|XEUgp=SWPvd2zYe1I6@hQCJKzJ5wpQ>rbqI~ z55}A0*n>G;w4te;Hx@NVwX*9Qg8X^p<`*lWWM>(NsCS{$KAKE(#}7wgXXkr+#_PXp zz9+DDo5wYs9X@(7OB_fYPolx-svWPT2iiWmi9kC{nx1(^y~KFP%>)7+FWFdzwR3>- z5_(Mk&&~tL>PKNyg1X&5$}AQker7c>qM}x|!anbJasXBV^PO`Y`>N*Gp75a|Q>jC| zO_BO2#YZ2GzXjWot*)@^GrQg#pt>!T1bp$j!<+=1fR|p=(E>Ns{P8@|Nw1f^HCy0V z*ArToer1q+aJ~PhcjDeabPnwrC#+&j=1-2k-t3+_&}o!vD7r8DWL5a3z*6e4y;<5I z;)_&iJsQ)_x*WUW5@~ftRY3sb0t1t9wZ`Tx`LM@X6tG;$nUPl(S!6VemyUfI+9;{S6JjVV9Y(2%IcQ6bsg(T7Dwh?JxX3sd z#a2p~Ap@g_Dm~QCdz>OsiObBC@#1`h`W#P29p&0&b8S69hdp+^<;(3B4(M-h%;G1C z%1L+2A%n_O6xK0c;x=LJHp|q!R1H*W3NHm=NWD8ix}+k=(g5`HaVI#X*t$r*X?n=Xz`^eUQ8= zi${t#V|O#OaO~LA=f*AU*ZQ*O#MKI`YqV=h2(w{)>}b$DF51%|WQHx31Xm-L>BsvC z%3&0P`f0Ey)OY(3RmrIOePxvy>^HNS63Re4PhH3uR)~aL?};q0x$PJ8jo8Me+;t<);@3~DxAnQ$52U+}s9qdf-^x8^ zrNvgOS{-1AXbXPE3o!- zSzNF@V8(!uny)(MvrG%Z58p(O-&lJf;`cqm**cL<$?iFBeN#-u$Ctrl+Alt+Del and select **Change a password** - Select **Sign-in Options** - Select the virtual smart card icon - Enter and confirm the new PIN From 7543036398867573f16e05446df4ff0980ba0faa Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 7 Nov 2023 13:35:32 -0500 Subject: [PATCH 14/21] Light updates to legacy firewall content --- .../basic-firewall-policy-design.md | 34 +- ...create-windows-firewall-rules-in-intune.md | 88 +- .../filter-origin-documentation.md | 83 +- .../firewall-settings-lost-on-upgrade.md | 11 +- .../troubleshooting-uwp-firewall.md | 1438 ++++++++--------- .../zero-trust-windows-device-health.md | 41 +- 6 files changed, 823 insertions(+), 872 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design.md index 5733a89690..748a749676 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design.md @@ -1,14 +1,12 @@ --- title: Basic Firewall Policy Design description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design. -ms.prod: windows-client ms.topic: conceptual -ms.date: 12/31/2017 +ms.date: 11/07/2023 --- # Basic Firewall Policy Design - Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but don't have a host-based firewall enabled on each device in the organization. The Basic Firewall Policy Design helps you to protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses, or that originates from inside your network. In this design, you deploy firewall rules to each device in your organization to allow traffic that is required by the programs that are used. Traffic that doesn't match the rules is dropped. 
@@ -17,22 +15,16 @@ Traffic can be blocked or permitted based on the characteristics of each network Many network administrators don't want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs don't require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy: -- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device. - -- When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you. - - For example, when you install a server role, the appropriate firewall rules are created and enabled automatically. - -- For other standard network behavior, the predefined rules that are built into Windows 11, Windows 10, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7 can easily be configured in a GPO and deployed to the devices in your organization. - - For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols. +- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. 
You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device +- When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you. For example, when you install a server role, the appropriate firewall rules are created and enabled automatically +- For other standard network behavior, the predefined rules that are built into Windows can be configured in a GPO and deployed to the devices in your organization. For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols. With a few exceptions, the firewall can be enabled on all configurations. Therefore, we recommend that you enable the firewall on every device in your organization. The term "device" includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network. > [!CAUTION] > Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft. -By default, in new installations, Windows Defender Firewall with Advanced Security is turned on in Windows Server 2012, Windows 8, and later. +Windows Defender Firewall with Advanced Security is turned on by default. If you turn off the Windows Defender Firewall service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting. 
@@ -42,22 +34,18 @@ An organization typically uses this design as a first step toward a more compreh After implementing this design, you'll have centralized management of the firewall rules applied to all devices that are running Windows in your organization. -> [!IMPORTANT] +> [!IMPORTANT] > If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design. The basic firewall design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the firewall settings and rules. For more information about this design: -- This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md). - -- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md). - -- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). - -- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md). - -- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md). 
+- This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) +- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md) +- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) +- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) +- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md) > [!div class="nextstepaction"] > [Domain Isolation Policy Design](domain-isolation-policy-design.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/operating-system-security/network-security/windows-firewall/create-windows-firewall-rules-in-intune.md index f2316edf7e..2ee70cb742 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/create-windows-firewall-rules-in-intune.md 
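Review bot: replacing `By default, in new installations, Windows Defender Firewall with Advanced Security is turned on in Windows Server 2012, Windows 8, and later.` with `Windows Defender Firewall with Advanced Security is turned on by default.` drops the "in new installations" qualifier, and the same patch edits a page about firewall settings after a Windows upgrade, so that qualifier is doing real work; suggest `Windows Defender Firewall with Advanced Security is turned on by default in new installations.` The rewritten bullets are also inconsistent about terminal punctuation: the first two default-behavior bullets end without a period while the third keeps one (`...for those frequently used networking protocols.`), whereas the "For more information about this design" list drops the period on every item; pick one style for the page. Unchanged context in the same region, but worth fixing while here: `prevent the entry of malicious traffic in to the organization's network` should read `into`.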
@@ -1,18 +1,16 @@ --- title: Create Windows Firewall rules in Intune description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune. -ms.prod: windows-client ms.topic: conceptual -ms.date: 12/31/2017 +ms.date: 11/07/2023 --- # Create Windows Firewall rules in Intune - >[!IMPORTANT] >This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -To get started, Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Devices** > **Windows** > **Configuration profiles** > **Create profile** > Choose **Windows 10 and later** as the platform, Choose **Templates**, then **Endpoint protection** as the profile type. +To get started, Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Devices** > **Windows** > **Configuration profiles** > **Create profile** > Choose **Windows 10 and later** as the platform, Choose **Templates**, then **Endpoint protection** as the profile type. Select Windows Defender Firewall. :::image type="content" source="images/windows-firewall-intune.png" alt-text="Example of a Windows Defender Firewall policy in Microsoft Intune and the Intune admin center."::: 
@@ -24,76 +22,86 @@ Select Windows Defender Firewall. The firewall rule configurations in Intune use the Windows CSP for Firewall. For more information, see [Firewall CSP](/windows/client-management/mdm/firewall-csp). ## Application -Control connections for an app or program. -Apps and programs can be specified either file path, package family name, or Windows service short name. -The file path of an app is its location on the client device. -For example, C:\Windows\System\Notepad.exe. -[Learn more](/windows/client-management/mdm/firewall-csp#filepath) +Control connections for an app or program. +Apps and programs can be specified either file path, package family name, or Windows service short name. -Package family names can be retrieved by running the Get-AppxPackage command from PowerShell. -[Learn more](https://aka.ms/intunefirewallPackageNameFromPowerShell) +The file path of an app is its location on the client device. +For example, C:\Windows\System\Notepad.exe. +[Learn more](/windows/client-management/mdm/firewall-csp#filepath) -Windows service short names are used in cases when a service, not an application, is sending or receiving traffic. -Default is All. +Package family names can be retrieved by running the Get-AppxPackage command from PowerShell. +[Learn more](https://aka.ms/intunefirewallPackageNameFromPowerShell) + +Windows service short names are used in cases when a service, not an application, is sending or receiving traffic. +Default is All. [Learn more](/windows/client-management/mdm/firewall-csp#servicename) ## Protocol -Select the protocol for this port rule. Transport layer protocols—TCP and UDP—allow you to specify ports or port ranges. For custom protocols, enter a number between 0 and 255 representing the IP protocol. -Default is Any. +Select the protocol for this port rule. Transport layer protocols—TCP and UDP—allow you to specify ports or port ranges. For custom protocols, enter a number between 0 and 255 representing the IP protocol. 
+ +Default is Any. [Learn more](/windows/client-management/mdm/firewall-csp#protocol) ## Local ports -Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All. + +Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All. [Learn more](/windows/client-management/mdm/firewall-csp#localportranges) ## Remote ports -Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All. + +Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All. [Learn more](/windows/client-management/mdm/firewall-csp#remoteportranges) ## Local addresses + Comma-separated list of local addresses covered by the rule. Valid tokens include: -- \* indicates any local address. If present, this token must be the only one included. -- A subnet can be specified using either the subnet mask or network prefix notation. If a subnet mask or a network prefix isn't specified, the subnet mask default is 255.255.255.255. -- A valid IPv6 address. -- An IPv4 address range in the format of "start address-end address" with no spaces included. -- An IPv6 address range in the format of "start address-end address" with no spaces included. Default is Any address. + +- `*` indicates any local address. If present, this token must be the only one included +- A subnet can be specified using either the subnet mask or network prefix notation. If a subnet mask or a network prefix isn't specified, the subnet mask default is 255.255.255.255 +- A valid IPv6 address +- An IPv4 address range in the format of "start address-end address" with no spaces included +- An IPv6 address range in the format of "start address-end address" with no spaces included. Default is Any address [Learn more](/windows/client-management/mdm/firewall-csp#localaddressranges) ## Remote addresses -List of comma separated tokens specifying the remote addresses covered by the rule. Tokens are case insensitive. 
Valid tokens include: -- \* indicates any remote address. If present, this token must be the only one included. -- Defaultgateway -- DHCP -- DNS -- WINS -- Intranet (supported on Windows versions 1809+) -- RmtIntranet (supported on Windows versions 1809+) -- Internet (supported on Windows versions 1809+) -- Ply2Renders (supported on Windows versions 1809+) -- LocalSubnet indicates any local address on the local subnet. -- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. -- A valid IPv6 address. -- An IPv4 address range in the format of "start address-end address" with no spaces included. -- An IPv6 address range in the format of "start address-end address" with no spaces included. -Default is Any address. +List of comma separated tokens specifying the remote addresses covered by the rule. Tokens are case insensitive. Valid tokens include: + +- `*` indicates any remote address. If present, this token must be the only one included +- Defaultgateway +- DHCP +- DNS +- WINS +- Intranet +- RmtIntranet +- Internet +- Ply2Renders +- LocalSubnet indicates any local address on the local subnet +- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255 +- A valid IPv6 address +- An IPv4 address range in the format of "start address-end address" with no spaces included +- An IPv6 address range in the format of "start address-end address" with no spaces included + +Default is Any address [Learn more](https://aka.ms/intunefirewallremotaddressrule) ## Edge traversal (UI coming soon) -Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. 
In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. This setting can only be configured via Intune Graph at this time. + +Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. This setting can only be configured via Intune Graph at this time. [Learn more](/windows/client-management/mdm/firewall-csp#edgetraversal) ## Authorized users -Specifies the list of authorized local users for this rule. A list of authorized users can't be specified if the rule being authored is targeting a Windows service. Default is all users. + +Specifies the list of authorized local users for this rule. A list of authorized users can't be specified if the rule being authored is targeting a Windows service. Default is all users. [Learn more](/windows/client-management/mdm/firewall-csp#localuserauthorizedlist) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md b/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md index 31071302f6..3f99ba346f 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md 
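Review bot: removing `(supported on Windows versions 1809+)` from the `Intranet`, `RmtIntranet`, `Internet` and `Ply2Renders` tokens discards the minimum-version requirement without the page saying anywhere else that those tokens work on every supported release; keep the qualifier, or replace it with a single sentence above the list stating the minimum version, so an admin targeting older builds isn't surprised when the token is rejected. In the same file: the `>[!IMPORTANT]` note that the content `relates to prereleased product` is kept while `ms.date` is bumped to `11/07/2023`; either the feature is still prerelease and the note stands, or the note is stale and should go with the freshness pass. The "Local addresses" list fuses `Default is Any address` into the last bullet (`...with no spaces included. Default is Any address`), while the "Remote addresses" section correctly gives it its own paragraph; make the two sections match. Two typos survive the rewrite: `Apps and programs can be specified either file path` is missing `by`, and `If neither a subnet mask not a network prefix is specified` should read `nor`; `To get started, Open the ...` and `Choose **Templates**` also carry mid-sentence capitals.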
+++ b/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md @@ -1,20 +1,19 @@ --- title: Filter origin audit log improvements description: Filter origin documentation audit log improvements -ms.prod: windows-client ms.topic: troubleshooting -ms.date: 12/31/2017 +ms.date: 11/07/2023 --- # Filter origin audit log improvements Debugging packet drops is a continuous issue to Windows customers. In the past, customers had limited information about packet drops. -Typically, when investigating packet drop events, a customer would use the field `Filter Run-Time ID` from Windows Filtering Platform (WFP) audits 5157 or 5152. +Typically, when investigating packet drop events, a customer would use the field `Filter Run-Time ID` from Windows Filtering Platform (WFP) audits 5157 or 5152. ![Event properties.](images/event-properties-5157.png) -The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from. +The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from. However, the filter ID isn't a reliable source for tracing back to the filter or the rule, as the filter ID can change for many reasons despite the rule not changing at all. This change in ID makes the diagnosis process error-prone and difficult. 
@@ -23,29 +22,21 @@ For customers to debug packet drop events correctly and efficiently, they would The blocking filters can be categorized under these filter origins: 1. Firewall rules - -2. Firewall default block filters - - a. AppContainer loopback - - b. Boottime default - - c. Quarantine default - - d. Query user default - - e. Stealth - - f. Universal Windows Platform (UWP) default - - g. Windows Service Hardening (WSH) default +1. Firewall default block filters + 1. AppContainer loopback + 1. Boottime default + 1. Quarantine default + 1. Query user default + 1. Stealth + 1. Universal Windows Platform (UWP) default + 1. Windows Service Hardening (WSH) default The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in the Windows Server 2022 and Windows 11 releases. - - ## Improved firewall audit - + +## Improved firewall audit + The two new fields added to the audit 5157 and 5152 events are `Filter Origin` and `Interface Index`. - + The `Filter Origin` field helps identify the cause of the drop. Packet drops from firewall are explicitly dropped by default block filters created by the Windows Firewall service or a firewall rule that may be created by users, policies, services, apps, etc. `Filter Origin` specifies either the rule ID (a unique identifier of a Firewall rule) or the name of one of the default block filters. 
@@ -54,12 +45,12 @@ The `Interface Index` field specifies the network interface in which the packet To enable a specific audit event, run the corresponding command in an administrator command prompt: -|**Audit #**|**Enable command**|**Link**| +|Audit #|Enable command|Link| |:-----|:-----|:-----| -|**5157**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5157(F): The Windows Filtering Platform has blocked a connection.](../../../threat-protection/auditing/event-5157.md)| -|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Packet Drop" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../../../threat-protection/auditing/event-5152.md)| +|5157|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5157(F): The Windows Filtering Platform has blocked a connection.](../../../threat-protection/auditing/event-5157.md)| +|5152|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Packet Drop" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../../../threat-protection/auditing/event-5152.md)| -## Example flow of debugging packet drops with filter origin +## Example flow of debugging packet drops with filter origin As the audit surfaces `Filter Origin` and `Interface Index`, the network admin can determine the root cause of the network packet drop and the interface it happened on. @@ -69,7 +60,7 @@ The next sections are divided by `Filter Origin` type, the value is either a rul ## Firewall rules -Run the following PowerShell command to generate the rule information using `Filter Origin`. +Run the following PowerShell command to generate the rule information using `Filter Origin`. ```Powershell Get-NetFirewallRule -Name "" 
@@ -85,7 +76,7 @@ After identifying the rule that caused the drop, the network admin can now modif ## Firewall default block filters -**AppContainer loopback** +### AppContainer loopback Network drop events from the AppContainer loopback block filter origin occur when localhost loopback isn't enabled properly for the Universal Windows Platform (UWP) app. 
@@ -93,19 +84,19 @@ To enable localhost loopback in a local debugging environment, see [Communicatin To enable localhost loopback for a published app that requires loopback access to communicate with another UWP or packaged win32 app, see [uap4:LoopbackAccessRules](/uwp/schemas/appxpackage/uapmanifestschema/element-uap4-loopbackaccessrules). -**Boottime default** +### Boottime default Network drop events from the boottime default block filter origin occur when the computer is booting up and the firewall service isn't yet running. Services will need to create a boottime allow filter to allow the traffic. It should be noted that it's not possible to add boottime filters through firewall rules. -**Quarantine default** +### Quarantine default -Network drops from the quarantine default block filter occur when the interface is temporarily quarantined by Firewall service. The firewall service quarantines an interface when it detects a change on the network, and based on several other factors, the firewall service may put the interface in quarantine as a safeguard. When an interface is in quarantine, the quarantine default block filter will block any new non-loopback inbound connections. +Network drops from the quarantine default block filter occur when the interface is temporarily quarantined by Firewall service. The firewall service quarantines an interface when it detects a change on the network, and based on several other factors, the firewall service may put the interface in quarantine as a safeguard. When an interface is in quarantine, the quarantine default block filter will block any new non-loopback inbound connections. Run the following PowerShell command to generate more information about the interface: ```Powershell -Get-NetIPInterface –InterfaceIndex -Get-NetIPInterface –InterfaceIndex 5 +Get-NetIPInterface -InterfaceIndex +Get-NetIPInterface -InterfaceIndex 5 ``` ![Quarantine default block filter.](images/quarantine-default-block-filter.png) 
@@ -115,13 +106,12 @@ To learn more about the quarantine feature, see [Quarantine behavior](quarantine >[!NOTE] > Quarantine-related packet drops are often transient and signify nothing more than a network change on the interface. -**Query user default** +### Query user default -Network packet drops from query user default block filters occur when there's no explicit rule created to allow an inbound connection for the packet. When an application binds to a socket but doesn't have a corresponding inbound rule to allow packets on that port, Windows generates a pop up for the user to allow or deny the app to receive packets on the available network categories. If the user clicks to deny the connection in this popup, subsequent inbound packets to the app will be dropped. To resolve the drops: +Network packet drops from query user default block filters occur when there's no explicit rule created to allow an inbound connection for the packet. When an application binds to a socket but doesn't have a corresponding inbound rule to allow packets on that port, Windows generates a pop up for the user to allow or deny the app to receive packets on the available network categories. If the user clicks to deny the connection in this popup, subsequent inbound packets to the app will be dropped. To resolve the drops: -1. Create an inbound firewall rule to allow the packet for this application. This packet will allow the packet to bypass any query user default block filters. - -2. Delete any block query user rules that may have been auto generated by the firewall service. +1. Create an inbound firewall rule to allow the packet for this application. This packet will allow the packet to bypass any query user default block filters +1. Delete any block query user rules that may have been auto generated by the firewall service To generate a list of all the query user block rules, you can run the following PowerShell command: 
@@ -131,31 +121,32 @@ Get-NetFirewallRule | Where {$_.Name -like "*Query User*"} ![Query user default block filter.](images/query-user-default-block-filters.png) -The query user pop-up feature is enabled by default. +The query user pop-up feature is enabled by default. To disable the query user pop-up, you can run the following command in administrative command prompt: -```Console +```cmd Netsh set allprofiles inboundusernotification disable ``` + Or in PowerShell: ```Powershell Set-NetFirewallProfile -NotifyOnListen False ``` -**Stealth** +### Stealth Network drops from stealth filters are typically made to prevent port scanning. To disable stealth-mode, see [Disable stealth mode in Windows](/troubleshoot/windows-server/networking/disable-stealth-mode). -**UWP default** +### UWP default -Network drops from Universal Windows Platform (UWP) default inbound/outbound block filters are often caused by the UWP app not being configured correctly (that is, the UWP app is missing the correct capability tokens or loopback isn't enabled) or the private range is configured incorrectly. +Network drops from Universal Windows Platform (UWP) default inbound/outbound block filters are often caused by the UWP app not being configured correctly (that is, the UWP app is missing the correct capability tokens or loopback isn't enabled) or the private range is configured incorrectly. For more information on how to debug drops caused by UWP default block filters, see [Troubleshooting UWP App Connectivity Issues](troubleshooting-uwp-firewall.md). -**WSH default** +### WSH default Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn't an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block isn't expected. 
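Review bot: the fence around `Netsh set allprofiles inboundusernotification disable` is retagged to `cmd`, but the command itself is not a valid netsh invocation: this setting lives in the `advfirewall` context and needs the `settings` keyword, i.e. `netsh advfirewall set allprofiles settings inboundusernotification disable`; since the hunk already touches this block, fix the command at the same time. In the "Query user default" steps, the re-numbered item `Create an inbound firewall rule to allow the packet for this application. This packet will allow the packet to bypass any query user default block filters` should read `This rule allows the packet to bypass...`. The samples `Get-NetFirewallRule -Name ""` and `Get-NetIPInterface -InterfaceIndex` show no visible placeholder for the rule ID or interface index; make sure a placeholder such as `<RuleId>` / `<InterfaceIndex>` is present so the reader knows what to substitute. The `–InterfaceIndex` to `-InterfaceIndex` change is a genuine fix (an en dash breaks the parameter), and for consistency with the new `cmd` tag the `Powershell` fence tags should be lowercase `powershell`.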
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/firewall-settings-lost-on-upgrade.md b/windows/security/operating-system-security/network-security/windows-firewall/firewall-settings-lost-on-upgrade.md index 0d63234aba..89ffce298a 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/firewall-settings-lost-on-upgrade.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/firewall-settings-lost-on-upgrade.md @@ -1,9 +1,8 @@ --- title: Troubleshooting Windows Firewall settings after a Windows upgrade description: Firewall settings lost on upgrade -ms.prod: windows-client ms.topic: troubleshooting -ms.date: 12/31/2017 +ms.date: 11/07/2023 --- # Troubleshooting Windows Firewall settings after a Windows upgrade @@ -14,9 +13,9 @@ Use this article to troubleshoot firewall settings that are turned off after upg To help you organize your list, individual built-in firewall rules are categorized within a group. For example, the following rules form part of the Remote Desktop group. -- Remote Desktop – Shadow (TCP-In) -- Remote Desktop – User Mode (TCP-In) -- Remote Desktop – User-Mode (UDP-In) +- Remote Desktop - Shadow (TCP-In) +- Remote Desktop - User Mode (TCP-In) +- Remote Desktop - User-Mode (UDP-In) Other group examples include **core networking**, **file and print sharing**, and **network discovery**. Grouping allows administrators to manage sets of similar rules by filtering on categories in the firewall interface (wf.msc). Do this filtering by right-clicking on either **Inbound** or **Outbound Rules** and selecting **Filter by Group**. Optionally, you can use PowerShell using the `Get-NetFirewallRule` cmdlet with the `-Group` switch. 
@@ -24,7 +23,7 @@ Other group examples include **core networking**, **file and print sharing**, an Get-NetFirewallRule -Group ``` -> [!NOTE] +> [!NOTE] > Microsoft recommends to enable or disable an entire group instead of individual rules. Microsoft recommends that you enable/disable all of the rules within a group instead of one or two individual rules. This recommendation is because groups aren't only used to organize rules and allow batch rule modification by type, but they also represent a 'unit' by which rule state is maintained across a Windows upgrade. Rule groups, as opposed to individual rules, are the unit by which the update process determines what should be enabled/disabled when the upgrade is complete. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/troubleshooting-uwp-firewall.md index e120af6116..36ec68be9d 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/troubleshooting-uwp-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/troubleshooting-uwp-firewall.md @@ -1,9 +1,8 @@ --- title: Troubleshooting UWP App Connectivity Issues in Windows Firewall description: Troubleshooting UWP App Connectivity Issues in Windows Firewall -ms.prod: windows-client ms.topic: troubleshooting -ms.date: 12/31/2017 +ms.date: 11/07/2023 --- # Troubleshooting UWP App Connectivity Issues 
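Review bot: the note block in the `@@ -24,7 +23,7 @@` hunk of firewall-settings-lost-on-upgrade.md says the same thing twice ("Microsoft recommends to enable or disable an entire group instead of individual rules." immediately followed by "Microsoft recommends that you enable/disable all of the rules within a group instead of one or two individual rules."), and the first version is ungrammatical; keep a single sentence, for example "Microsoft recommends that you enable or disable all of the rules within a group instead of one or two individual rules." The context line `Get-NetFirewallRule -Group` just above is also incomplete, because `-Group` requires a value; since only trailing whitespace on the `[!NOTE]` line is being changed here, consider fixing it to `Get-NetFirewallRule -Group "<group name>"` in the same pass.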
@@ -15,28 +14,24 @@ This document guides you through steps to debug Universal Windows Platform (UWP ## Typical causes of connectivity issues -UWP app network connectivity issues are typically caused by: +UWP app network connectivity issues are typically caused by: -1. The UWP applications not being permitted to receive loopback traffic. This permission must be configured. By default, UWP applications aren't allowed to receive loopback traffic. -2. The UWP app is missing the proper capability tokens. -3. The private range is configured incorrectly. For example, the private range is set incorrectly through GP/MDM policies, etc. +1. The UWP applications not being permitted to receive loopback traffic. This permission must be configured. By default, UWP applications aren't allowed to receive loopback traffic +1. The UWP app is missing the proper capability tokens +1. The private range is configured incorrectly. For example, the private range is set incorrectly through GP/MDM policies, etc. To understand these causes more thoroughly, there are several concepts to review. -The traffic of network packets (what's permitted and what’s not) on Windows is determined by the Windows Filtering Platform (WFP). When a UWP app -or the private range is configured incorrectly, it affects how the UWP app’s network traffic will be processed by WFP. +The traffic of network packets (what's permitted and what's not) on Windows is determined by the Windows Filtering Platform (WFP). When a UWP app +or the private range is configured incorrectly, it affects how the UWP app's network traffic will be processed by WFP. -When a packet is processed by WFP, the characteristics of that packet must explicitly match all the conditions of a filter to either be permitted or dropped to its target address. Connectivity issues typically happen when the packet doesn't match any of the filter conditions, leading the packet to be dropped by a default block filter. 
The presence of the default block filters ensures network isolation for UWP applications. Specifically, it guarantees a network drop for a packet that doesn't have the correct capabilities for the resource it's trying to reach. Such a packet drop ensures the application’s granular access to each resource type and preventing the application from escaping its environment. +When a packet is processed by WFP, the characteristics of that packet must explicitly match all the conditions of a filter to either be permitted or dropped to its target address. Connectivity issues typically happen when the packet doesn't match any of the filter conditions, leading the packet to be dropped by a default block filter. The presence of the default block filters ensures network isolation for UWP applications. Specifically, it guarantees a network drop for a packet that doesn't have the correct capabilities for the resource it's trying to reach. Such a packet drop ensures the application's granular access to each resource type and preventing the application from escaping its environment. -For more information on the filter arbitration algorithm and network isolation, -see [Filter -Arbitration](/windows/win32/fwp/filter-arbitration) -and -[Isolation](/windows/win32/secauthz/appcontainer-isolation). +For more information on the filter arbitration algorithm and network isolation, see [Filter Arbitration](/windows/win32/fwp/filter-arbitration) and [Isolation](/windows/win32/secauthz/appcontainer-isolation). The following sections cover debugging case examples for loopback and non-loopback UWP app network connectivity issues. -> [!NOTE] +> [!NOTE] > As improvements to debugging and diagnostics in the Windows Filtering Platform are made, the trace examples in this document may not exactly match the traces collected on previous releases of Windows. 
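Review bot: the numbered list in this hunk ends its items inconsistently: item 1 now has no period after "receive loopback traffic" even though it contains two further full sentences with periods, while item 3 keeps "policies, etc." with its period; pick one convention (the rest of this PR ends single-sentence items without a period), which probably means trimming item 1 to one sentence. In the merged paragraph below, "Such a packet drop ensures the application's granular access to each resource type and preventing the application from escaping its environment" is not parallel; "ensures the application's granular access to each resource type and prevents the application from escaping its environment" reads correctly, and this is the sentence that states the security purpose of the default block filters, so it is worth getting right.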
@@ -46,15 +41,17 @@ If you need to establish a TCP/IP connection between two processes on the same h To enable loopback for client outbound connections, run the following command at a command prompt: -```console +```cmd CheckNetIsolation.exe LoopbackExempt -a -n= ``` To enable loopback for server inbound connections, run the following command at a command prompt: -```console + +```cmd CheckNetIsolation.exe LoopbackExempt -is -n= ``` + You can ensure loopback is enabled by checking the appx manifests of both the sender and receiver. For more information about loopback scenarios, see [Communicating with @@ -62,7 +59,7 @@ localhost (loopback)](/windows/iot-core/develop-your-app/loopback). >[!NOTE] ->If you are in the middle of developing a UWA application and want to test its loopback, ensure to uninstall and re-install the UWA app if the network capabilities change for whatever reason. +>If you are in the middle of developing a UWA application and want to test its loopback, ensure to uninstall and re-install the UWA app if the network capabilities change for whatever reason. Also, see [How to enable loopback and troubleshoot network isolation (Windows Runtime apps)](/previous-versions/windows/apps/hh780593(v=win.10)). @@ -78,7 +75,7 @@ Netsh wfp capture start keywords=19 Netsh wfp capture stop ``` -These commands generate a wfpdiag.cab. Inside the .cab exists a wfpdiag.xml, which contains any allow or drop netEvents and filters that existed during that repro. Without “keywords=19”, the trace will only collect drop netEvents. +These commands generate a wfpdiag.cab. Inside the .cab exists a wfpdiag.xml, which contains any allow or drop netEvents and filters that existed during that repro. Without "keywords=19", the trace will only collect drop netEvents. Inside the wfpdiag.xml, search for netEvents that have FWPM_NET_EVENT_TYPE_CLASSIFY_DROP as the netEvent type. To find the relevant drop events, search for the drop events with matching destination IP address, 
@@ -86,7 +83,7 @@ package SID, or application ID name. The characters in the application ID name will be separated by periods: ```XML -(ex) +(ex) \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e... @@ -108,7 +105,8 @@ In this scenario, the app could successfully send a packet to the Internet targe The following code shows the allow netEvent of the app connecting to the target IP. The netEvent contains information about the packet including its local address, remote address, capabilities, etc. -**Classify Allow netEvent, Wfpdiag-Case-1.xml** +### Classify Allow netEvent, `Wfpdiag-Case-1.xml` + ```xml

@@ -120,18 +118,18 @@ remote address, capabilities, etc. FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET FWPM_NET_EVENT_FLAG_APP_ID_SET - FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET FWPM_NET_EVENT_FLAG_IP_VERSION_SET FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET FWP_IP_VERSION_V6 - 6 - 2001:4898:30:3:256c:e5ba:12f3:beb1 + 6 + 2001:4898:30:3:256c:e5ba:12f3:beb1 2620:1ec:c11::200 52127 443 0 - + 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 \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... @@ -154,7 +152,7 @@ remote address, capabilities, etc. 0000000000000000 - + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK @@ -168,9 +166,9 @@ remote address, capabilities, etc. FWP_ACTION_PERMIT - 121167 - FWPP_SUBLAYER_INTERNAL_FIREWALL_WF - FWP_ACTION_PERMIT + 121167 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_PERMIT @@ -181,7 +179,8 @@ The following is the filter that permitted the packet to be sent to the target address according to the **terminatingFiltersInfo** in the **netEvent**. This packet was allowed by Filter #125918, from the InternetClient Default Rule. -**InternetClient Default Rule Filter #125918, Wfpdiag-Case-1.xml** +### InternetClient Default Rule Filter #125918, `Wfpdiag-Case-1.xml` + ```xml {3389708e-f7ae-4ebc-a61a-f659065ab24e} @@ -196,7 +195,7 @@ allowed by Filter #125918, from the InternetClient Default Rule. .+...... FWPM_LAYER_ALE_AUTH_CONNECT_V6 - FWPM_SUBLAYER_MPSSVC_WSHFWPM_SUBLAYER_MPSSVC_WSH FWP_EMPTY 
@@ -211,61 +210,62 @@ allowed by Filter #125918, from the InternetClient Default Rule. FWPM_CONDITION_IP_REMOTE_ADDRESS - FWP_MATCH_RANGE - - FWP_RANGE_TYPE - - + FWP_MATCH_RANGE + + FWP_RANGE_TYPE + + FWP_BYTE_ARRAY16_TYPE :: FWP_BYTE_ARRAY16_TYPE ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - - - - - - FWPM_CONDITION_ORIGINAL_PROFILE_ID - FWP_MATCH_EQUAL - - FWP_UINT32 - 1 - - - - FWPM_CONDITION_CURRENT_PROFILE_ID - FWP_MATCH_EQUAL - - FWP_UINT32 - 1 - - - - FWPM_CONDITION_ALE_USER_ID - FWP_MATCH_EQUAL - - FWP_SECURITY_DESCRIPTOR_TYPE - O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN) - - - - - FWP_ACTION_PERMIT - - - 0 - - 125918 - - FWP_UINT64 - 103079219136 - + + + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 125918 + + FWP_UINT64 + 103079219136 + ``` -**Capabilities Condition in Filter \#125918, Wfpdiag-Case-1.xml** +### Capabilities Condition in Filter #125918, `Wfpdiag-Case-1.xml` + ```xml FWPM_CONDITION_ALE_USER_ID 
@@ -276,26 +276,23 @@ allowed by Filter #125918, from the InternetClient Default Rule. ``` + This condition enables checking capabilities in this filter. -The important part of this condition is **S-1-15-3-1**, which is the capability SID -for **INTERNET_CLIENT** privileges. +The important part of this condition is **S-1-15-3-1**, which is the capability SID for **INTERNET_CLIENT** privileges. + +From the **netEvent** capabilities section, capabilities from netEvent, Wfpdiag-Case-1.xml. -From the **netEvent** capabilities section, -capabilities from netEvent, Wfpdiag-Case-1.xml. ```xml - - FWP_CAPABILITIES_FLAG_INTERNET_CLIENT FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER + + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK ``` -These capabilities show the packet came from an app with an Internet client token (**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**) which matches the capability SID in the -filter. All the other conditions are also met for the filter, so the packet is -allowed. -Something to note is that the only capability token required for the packet to -reach bing.com was the Internet client token, even though this example showed -the packet having all capabilities. +These capabilities show the packet came from an app with an Internet client token (**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**) which matches the capability SID in the filter. All the other conditions are also met for the filter, so the packet is +allowed. Something to note is that the only capability token required for the packet to reach bing.com was the Internet client token, even though this example showed the packet having all capabilities. ## Case 2: UWP APP can't reach Internet target address and has no capabilities 
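Review bot: the paragraph unwrapping at the end of this hunk left one hard line break in the middle of a sentence ("so the packet is" on one line, "allowed." on the next); join those two lines. Just above it, "From the **netEvent** capabilities section, capabilities from netEvent, Wfpdiag-Case-1.xml." is a fragment rather than a lead-in for the XML block that follows; something like "The following shows the capabilities section of the netEvent in `Wfpdiag-Case-1.xml`:" would read as a sentence and would name the source file the same way the new `###` headings in this file do.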
@@ -304,7 +301,8 @@ In this example, the UWP app is unable to connect to bing.com The following example is that of a drop netEvent that was captured in the trace. -**Classify Drop netEvent, Wfpdiag-Case-2.xml** +### Classify Drop netEvent, `Wfpdiag-Case-2.xml` + ```xml
@@ -373,12 +371,11 @@ The following example is that of a drop netEvent that was captured in the trace. ``` -The first thing that you should check in the **netEvent** is the capabilities -field. In this example, the capabilities field is empty, indicating that the -UWP app wasn't configured with any capability tokens to allow it to connect to -a network. -**Internal Fields from netEvent, Wfpdiag-Case-2.xml** +The first thing that you should check in the **netEvent** is the capabilities field. In this example, the capabilities field is empty, indicating that the UWP app wasn't configured with any capability tokens to allow it to connect to a network. + +### Internal Fields from netEvent, `Wfpdiag-Case-2.xml` + ```xml @@ -400,9 +397,11 @@ a network. ``` + The **netEvent** also shows information about the filter that explicitly dropped this packet, like the **FilterId**, listed under classify drop. -**Classify Drop from netEvent, Wfpdiag-Case-2.xml** +### Classify Drop from netEvent, `Wfpdiag-Case-2.xml` + ```xml 68893 
@@ -417,71 +416,66 @@ The **netEvent** also shows information about the filter that explicitly dropped 0 ``` + If you search for the filter #68893 in Wfpdiag-Case2.xml, you'll see that the packet was dropped by a Block Outbound Default Rule filter. -**Block Outbound Default Rule Filter #68893, Wfpdiag-Case-2.xml** +### Block Outbound Default Rule Filter #68893, `Wfpdiag-Case-2.xml` ```xml - {6d51582f-bcf8-42c4-afc9-e2ce7155c11b} + {6d51582f-bcf8-42c4-afc9-e2ce7155c11b} /t - **Block Outbound Default Rule** - Block Outbound Default Rule - - - {4b153735-1049-4480-aab4-d1b9bdc03710} - - b001000000000000 - ........ - - FWPM_LAYER_ALE_AUTH_CONNECT_V6 - {b3cdd441-af90-41ba-a745-7c6008ff2300} - - FWP_EMPTY - - - - FWPM_CONDITION_ALE_PACKAGE_ID - FWP_MATCH_NOT_EQUAL - - FWP_SID - S-1-0-0 - - - - - FWP_ACTION_BLOCK - - - 0 - - 68893 - - FWP_UINT64 - 68719476736 - + **Block Outbound Default Rule** + Block Outbound Default Rule + + + {4b153735-1049-4480-aab4-d1b9bdc03710} + + b001000000000000 + ........ + + FWPM_LAYER_ALE_AUTH_CONNECT_V6 + {b3cdd441-af90-41ba-a745-7c6008ff2300} + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + + FWP_ACTION_BLOCK + + + 0 + + 68893 + + FWP_UINT64 + 68719476736 + ``` -A packet will reach a default block filter if the packet was unable to match any of the conditions of other filters, and not allowed by the other filters in -the same sublayer. +A packet will reach a default block filter if the packet was unable to match any of the conditions of other filters, and not allowed by the other filters in the same sublayer. -If the packet had the correct capability token, -**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**, it would have matched a condition for a -non-default block filter, and would have been permitted to reach bing.com. -Without the correct capability tokens, the packet will be explicitly dropped by -a default block outbound filter. 
+If the packet had the correct capability token, **FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**, it would have matched a condition for a non-default block filter, and would have been permitted to reach bing.com. Without the correct capability tokens, the packet will be explicitly dropped by a default block outbound filter. ## Case 3: UWP app can't reach Internet target address without Internet Client capability In this example, the app is unable to connect to bing.com [2620:1ec:c11::200]. -The app in this scenario only has private network capabilities (Client and -Server). The app is trying to connect to an Internet resource (bing.com), but -only has a private network token. Therefore, the packet will be dropped. +The app in this scenario only has private network capabilities (Client and Server). The app is trying to connect to an Internet resource (bing.com), but only has a private network token. Therefore, the packet will be dropped. + +### Classify Drop netEvent, `Wfpdiag-Case-3.xml` -**Classify Drop netEvent, Wfpdiag-Case-3.xml** ```xml
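Review bot: the file name in "If you search for the filter #68893 in Wfpdiag-Case2.xml" does not match the `Wfpdiag-Case-2.xml` used in the headings this hunk introduces; fix it while the line is being touched. Inside the re-indented XML block, the filter's display name is still `**Block Outbound Default Rule**`: markdown emphasis has no effect inside a fenced block, and the asterisks are not part of the filter name (the description element directly below it has none), so drop them. The hunk also adds a blank line after the `Wfpdiag-Case-2.xml` heading but, as far as the diff shows, the `Wfpdiag-Case-3.xml` heading at the end is followed directly by the fence; the rest of the PR separates a heading from its fence with a blank line.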
@@ -555,489 +549,473 @@ only has a private network token. Therefore, the packet will be dropped. ## Case 4: UWP app can't reach Intranet target address without Private Network capability -In this example, the UWP app is unable to reach the Intranet target address, -10.50.50.50, because it doesn't have a Private Network capability. +In this example, the UWP app is unable to reach the Intranet target address, 10.50.50.50, because it doesn't have a Private Network capability. + +### Classify Drop netEvent, `Wfpdiag-Case-4.xml` -**Classify Drop netEvent, Wfpdiag-Case-4.xml** ```xml
- 2020-05-22T21:29:28.601Z - - FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET - FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET - FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET - FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET - FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET - FWPM_NET_EVENT_FLAG_APP_ID_SET - FWPM_NET_EVENT_FLAG_USER_ID_SET - FWPM_NET_EVENT_FLAG_IP_VERSION_SET - FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET - - FWP_IP_VERSION_V4 - 6 - 10.216.117.17 - 10.50.50.50 - 52998 - 53 - 0 - - 5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310031002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000 - \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. - .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... - - S-1-5-21-2993214446-1947230185-131795049-1000 - FWP_AF_INET - S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 - - 0 - + 2020-05-22T21:29:28.601Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + + FWP_IP_VERSION_V4 + 6 + 10.216.117.17 + 10.50.50.50 + 52998 + 53 + 0 + + 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 + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. 
+ .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + + S-1-5-21-2993214446-1947230185-131795049-1000 + FWP_AF_INET + S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + + 0 +
- FWPM_NET_EVENT_TYPE_CLASSIFY_DROP - - 121180 - 48 - 0 - 1 - 1 - MS_FWP_DIRECTION_OUT - false - - 0 - 0 + FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + + 121180 + 48 + 0 + 1 + 1 + MS_FWP_DIRECTION_OUT + false + + 0 + 0 - - 0000000000000000 - - FWP_CAPABILITIES_FLAG_INTERNET_CLIENT - FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER - - 0 - - - - 121180 - FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH - FWP_ACTION_BLOCK - - - 121165 - FWPP_SUBLAYER_INTERNAL_FIREWALL_WF - FWP_ACTION_PERMIT - - + + 0000000000000000 + + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER + + 0 + + + + 121180 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH + FWP_ACTION_BLOCK + + + 121165 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_PERMIT + +
``` -## Case 5: UWP app can't reach “Intranet” target address with Private Network capability -In this example, the UWP app is unable to reach the Intranet target address, -10.1.1.1, even though it has a Private Network capability token. +## Case 5: UWP app can't reach "Intranet" target address with Private Network capability + +In this example, the UWP app is unable to reach the Intranet target address, 10.1.1.1, even though it has a Private Network capability token. + +### Classify Drop netEvent, `Wfpdiag-Case-5.xml` -**Classify Drop netEvent, Wfpdiag-Case-5.xml** ```xml -
- 2020-05-22T20:54:53.499Z - - FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET - FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET - FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET - FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET - FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET - FWPM_NET_EVENT_FLAG_APP_ID_SET - FWPM_NET_EVENT_FLAG_USER_ID_SET - FWPM_NET_EVENT_FLAG_IP_VERSION_SET - FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET - - FWP_IP_VERSION_V4 - 6 - 10.216.117.17 - 10.1.1.1 - 52956 - 53 - 0 - - 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 - \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. - .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... - - S-1-5-21-2993214446-1947230185-131795049-1000 - FWP_AF_INET - S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 - - 0 - +
+ 2020-05-22T20:54:53.499Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + + FWP_IP_VERSION_V4 + 6 + 10.216.117.17 + 10.1.1.1 + 52956 + 53 + 0 + + 5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310033002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000 + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. + .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + + S-1-5-21-2993214446-1947230185-131795049-1000 + FWP_AF_INET + S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + + 0 +
- FWPM_NET_EVENT_TYPE_CLASSIFY_DROP - - 121180 - 48 - 0 - 1 - 1 - MS_FWP_DIRECTION_OUT - false - - 0 - 0 - - - - 0000000000000000 - - FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK - - 0 - - - - 121180 - FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH - FWP_ACTION_BLOCK - - - 121165 - FWPP_SUBLAYER_INTERNAL_FIREWALL_WF - FWP_ACTION_PERMIT - - - + FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + + 121180 + 48 + 0 + 1 + 1 + MS_FWP_DIRECTION_OUT + false + + 0 + 0 + + + + 0000000000000000 + + FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK + + 0 + + + + 121180 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH + FWP_ACTION_BLOCK + + + 121165 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_PERMIT + + + ``` + The following shows the filter that blocked the event: -**Block Outbound Default Rule Filter \#121180, Wfpdiag-Case-5.xml** +### Block Outbound Default Rule Filter #121180, `Wfpdiag-Case-5.xml` ```xml - {e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6} - - Block Outbound Default Rule - Block Outbound Default Rule - - - FWPM_PROVIDER_MPSSVC_WSH - - c029000000000000 - .)...... - - FWPM_LAYER_ALE_AUTH_CONNECT_V4 - FWPM_SUBLAYER_MPSSVC_WSH - - FWP_EMPTY - - - - FWPM_CONDITION_ALE_PACKAGE_ID - FWP_MATCH_NOT_EQUAL - - FWP_SID - S-1-0-0 - - - - - FWP_ACTION_BLOCK - - - 0 - - 121180 - - FWP_UINT64 - 274877906944 - + {e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6} + + Block Outbound Default Rule + Block Outbound Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + c029000000000000 + .)...... + + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + + FWP_ACTION_BLOCK + + + 0 + + 121180 + + FWP_UINT64 + 274877906944 + ``` -If the target was in the private range, then it should have been allowed by a -PrivateNetwork Outbound Default Rule filter. -The following PrivateNetwork Outbound Default Rule filters have conditions for matching Intranet IP addresses. 
Since the expected Intranet target address, -10.1.1.1, isn't included in these filters it becomes clear that the address isn't in the private range. Check the policies that configure the private range -on the device (MDM, Group Policy, etc.) and make sure it includes the private target address you wanted to reach. +If the target was in the private range, then it should have been allowed by a PrivateNetwork Outbound Default Rule filter. + +The following PrivateNetwork Outbound Default Rule filters have conditions for matching Intranet IP addresses. Since the expected Intranet target address, 10.1.1.1, isn't included in these filters it becomes clear that the address isn't in the private range. Check the policies that configure the private range on the device (MDM, Group Policy, etc.) and make sure it includes the private target address you wanted to reach. + +### PrivateNetwork Outbound Default Rule Filters, `Wfpdiag-Case-5.xml` -**PrivateNetwork Outbound Default Rule Filters, Wfpdiag-Case-5.xml** ```xml - {fd65507b-e356-4e2f-966f-0c9f9c1c6e78} - - PrivateNetwork Outbound Default Rule - PrivateNetwork Outbound Default Rule - - - FWPM_PROVIDER_MPSSVC_WSH - - f22d000000000000 - .-...... 
- - FWPM_LAYER_ALE_AUTH_CONNECT_V4 - FWPM_SUBLAYER_MPSSVC_WSH - - FWP_EMPTY - - - - FWPM_CONDITION_ALE_PACKAGE_ID - FWP_MATCH_NOT_EQUAL - - FWP_SID - S-1-0-0 - - - - FWPM_CONDITION_IP_REMOTE_ADDRESS - FWP_MATCH_EQUAL - - FWP_UINT32 - 1.1.1.1 - - - - FWPM_CONDITION_ORIGINAL_PROFILE_ID - FWP_MATCH_EQUAL - - FWP_UINT32 - 1 - - - - FWPM_CONDITION_CURRENT_PROFILE_ID - FWP_MATCH_EQUAL - - FWP_UINT32 - 1 - - - - FWPM_CONDITION_ALE_USER_ID - FWP_MATCH_EQUAL - - FWP_SECURITY_DESCRIPTOR_TYPE - O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN) - - - - - FWP_ACTION_PERMIT - - - 0 - - 129656 - - FWP_UINT64 - 144115600392724416 - - - - {b11b4f8a-222e-49d6-8d69-02728681d8bc} - - PrivateNetwork Outbound Default Rule - PrivateNetwork Outbound Default Rule - - - FWPM_PROVIDER_MPSSVC_WSH - - f22d000000000000 - .-...... - - FWPM_LAYER_ALE_AUTH_CONNECT_V4 - FWPM_SUBLAYER_MPSSVC_WSH - - FWP_EMPTY - - - - FWPM_CONDITION_ALE_PACKAGE_ID - FWP_MATCH_NOT_EQUAL - - FWP_SID - S-1-0-0 - - - - FWPM_CONDITION_IP_REMOTE_ADDRESS - FWP_MATCH_RANGE - - FWP_RANGE_TYPE - - - FWP_UINT32 - 172.16.0.0 - - - FWP_UINT32 - 172.31.255.255 - - - - - - FWPM_CONDITION_ORIGINAL_PROFILE_ID - FWP_MATCH_EQUAL - - FWP_UINT32 - 1 - - - - FWPM_CONDITION_CURRENT_PROFILE_ID - FWP_MATCH_EQUAL - - FWP_UINT32 - 1 - - - - FWPM_CONDITION_ALE_USER_ID - FWP_MATCH_EQUAL - - FWP_SECURITY_DESCRIPTOR_TYPE - O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN) - - - - - FWP_ACTION_PERMIT - - - 0 - - 129657 - - FWP_UINT64 - 36029209335832512 - + {fd65507b-e356-4e2f-966f-0c9f9c1c6e78} + + PrivateNetwork Outbound Default Rule + PrivateNetwork Outbound Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + f22d000000000000 + .-...... 
+ + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_EQUAL + + FWP_UINT32 + 1.1.1.1 + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 129656 + + FWP_UINT64 + 144115600392724416 + + + + {b11b4f8a-222e-49d6-8d69-02728681d8bc} + + PrivateNetwork Outbound Default Rule + PrivateNetwork Outbound Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + f22d000000000000 + .-...... + + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_RANGE + + FWP_RANGE_TYPE + + + FWP_UINT32 + 172.16.0.0 + + + FWP_UINT32 + 172.31.255.255 + + + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 129657 + + FWP_UINT64 + 36029209335832512 + - {21cd82bc-6077-4069-94bf-750e5a43ca23} - - PrivateNetwork Outbound Default Rule - PrivateNetwork Outbound Default Rule - - - FWPM_PROVIDER_MPSSVC_WSH - - f22d000000000000 - .-...... 
- - FWPM_LAYER_ALE_AUTH_CONNECT_V4 - FWPM_SUBLAYER_MPSSVC_WSH - - FWP_EMPTY - - - - FWPM_CONDITION_ALE_PACKAGE_ID - FWP_MATCH_NOT_EQUAL - - FWP_SID - S-1-0-0 - - - - FWPM_CONDITION_IP_REMOTE_ADDRESS - FWP_MATCH_RANGE - - FWP_RANGE_TYPE - - - FWP_UINT32 - 192.168.0.0 - - - FWP_UINT32 - 192.168.255.255 - - - - - - FWPM_CONDITION_ORIGINAL_PROFILE_ID - FWP_MATCH_EQUAL - - FWP_UINT32 - 1 - - - - FWPM_CONDITION_CURRENT_PROFILE_ID - FWP_MATCH_EQUAL - - FWP_UINT32 - 1 - - - - FWPM_CONDITION_ALE_USER_ID - FWP_MATCH_EQUAL - - FWP_SECURITY_DESCRIPTOR_TYPE - O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN) - - - - - FWP_ACTION_PERMIT - - - 0 - - 129658 - - FWP_UINT64 - 36029209335832512 - + {21cd82bc-6077-4069-94bf-750e5a43ca23} + + PrivateNetwork Outbound Default Rule + PrivateNetwork Outbound Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + f22d000000000000 + .-...... + + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_RANGE + + FWP_RANGE_TYPE + + + FWP_UINT32 + 192.168.0.0 + + + FWP_UINT32 + 192.168.255.255 + + + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 129658 + + FWP_UINT64 + 36029209335832512 + ``` -## Debugging Past Drops -If you're debugging a network drop from the past or from a remote machine, you -may have traces already collected from Feedback Hub, such as nettrace.etl and -wfpstate.xml. Once nettrace.etl is converted, nettrace.txt will have the -netEvents of the reproduced event, and wfpstate.xml will contain the filters -that were present on the machine at the time. 
+## Debugging Past Drops -If you don't have a live repro or traces already collected, you can still -collect traces after the UWP network connectivity issue has happened by running -these commands in an admin command prompt +If you're debugging a network drop from the past or from a remote machine, you may have traces already collected from Feedback Hub, such as nettrace.etl and wfpstate.xml. Once nettrace.etl is converted, nettrace.txt will have the netEvents of the reproduced event, and wfpstate.xml will contain the filters that were present on the machine at the time. + +If you don't have a live repro or traces already collected, you can still collect traces after the UWP network connectivity issue has happened by running these commands in an admin command prompt: ```xml - - Netsh wfp show netevents - Netsh wfp show state + + Netsh wfp show netevents + Netsh wfp show state ``` -**Netsh wfp show netevents** creates netevents.xml, which contains the past -net events. **Netsh wfp show state** creates wfpstate.xml, which contains -the current filters present on the machine. +`Netsh wfp show netevents` creates `netevents.xml`, which contains the past net events. `Netsh wfp show state` creates wfpstate.xml, which contains the current filters present on the machine. Unfortunately, collecting traces after the UWP network connectivity issue isn't always reliable. -NetEvents on the device are stored in a buffer. Once that buffer has reached -maximum capacity, the buffer will overwrite older net events. Due to the buffer -overwrite, it's possible that the collected netevents.xml won't contain the -net event associated with the UWP network connectivity issue. It could have been ov -overwritten. Additionally, filters on the device can get deleted and re-added -with different filterIds due to miscellaneous events on the device. 
Because of -these implications, a **filterId** from **netsh wfp show netevents** may not necessarily match any -filter in **netsh wfp show state** because that **filterId** may be outdated. +NetEvents on the device are stored in a buffer. Once that buffer has reached maximum capacity, the buffer will overwrite older net events. Due to the buffer overwrite, it's possible that the collected netevents.xml won't contain the net event associated with the UWP network connectivity issue. It could have been overwritten. Additionally, filters on the device can get deleted and re-added with different filterIds due to miscellaneous events on the device. Because of these implications, a **filterId** from **netsh wfp show netevents** may not necessarily match any filter in **netsh wfp show state** because that **filterId** may be outdated. -If you can reproduce the UWP network connectivity issue consistently, we -recommend using the commands from Debugging Live Drops instead. +If you can reproduce the UWP network connectivity issue consistently, we recommend using the commands from Debugging Live Drops instead. -Additionally, you can still follow the examples from Debugging Live Drops -section using the trace commands in this section, even if you don't have a live -repro. The **netEvents** and filters are stored in one file in Debugging Live Drops +Additionally, you can still follow the examples from Debugging Live Drops section using the trace commands in this section, even if you don't have a live repro. The **netEvents** and filters are stored in one file in Debugging Live Drops as opposed to two separate files in the following Debugging Past Drops examples. ## Case 7: Debugging Past Drop - UWP app can't reach Internet target address and has no capabilities In this example, the UWP app is unable to connect to bing.com. -Classify Drop Net Event, NetEvents-Case-7.xml +### Classify Drop Net Event, `NetEvents-Case-7.xml` ```xml 
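Review bot: the fenced block in this hunk that holds the two `Netsh wfp show ...` commands is tagged ```xml but contains command-prompt input, not XML; tag it as a console/cmd block instead. In the same hunk the command name is written `Netsh wfp show netevents` (capital N) while the following paragraph uses `netsh wfp show netevents`, and `netevents.xml` is in backticks while wfpstate.xml on the same line is not; pick one form for both.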
@@ -1108,15 +1086,12 @@ Classify Drop Net Event, NetEvents-Case-7.xml ``` -The Internal fields list no active capabilities, and the packet is dropped at -filter 206064. +The Internal fields list no active capabilities, and the packet is dropped at nfilter 206064. -This filter is a default block rule filter, meaning the packet passed through every -filter that could have allowed it, but because conditions didn’t match for any of -those filters, the packet fell to the filter that blocks any packet that the -Security Descriptor doesn’t match. +This filter is a default block rule filter, meaning the packet passed through every filter that could have allowed it, but because conditions didn't match for any of those filters, the packet fell to the filter that blocks any packet that the +Security Descriptor doesn't match. -**Block Outbound Default Rule Filter \#206064, FilterState-Case-7.xml** +### Block Outbound Default Rule Filter #206064, `FilterState-Case-7.xml` ```xml @@ -1159,165 +1134,166 @@ Security Descriptor doesn’t match. ``` + ## Case 8: Debugging Past Drop - UWP app connects to Internet target address with all capabilities In this example, the UWP app successfully connects to bing.com [204.79.197.200]. -**Classify Allow Net Event, NetEvents-Case-8.xml** +### Classify Allow Net Event, `NetEvents-Case-8.xml` ```xml -
- 2020-05-04T18:49:55.101Z - - FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET - FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET - FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET - FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET - FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET - FWPM_NET_EVENT_FLAG_APP_ID_SET - FWPM_NET_EVENT_FLAG_USER_ID_SET - FWPM_NET_EVENT_FLAG_IP_VERSION_SET - FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET - - FWP_IP_VERSION_V4 - 6 - 10.195.36.30 - 204.79.197.200 - 61673 - 443 - 0 - - 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 - \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. - .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... - - S-1-5-21-1578316205-4060061518-881547182-1000 - FWP_AF_INET - S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 - - 0 - -
- FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW - - 208757 - 48 - 0 - 1 - 1 - - - - 0000000000000000 - - FWP_CAPABILITIES_FLAG_INTERNET_CLIENT - FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER - FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK - - 0 - - - - 208757 - FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH - FWP_ACTION_PERMIT - - - 206049 - FWPP_SUBLAYER_INTERNAL_FIREWALL_WF - FWP_ACTION_PERMIT - - - +
+ 2020-05-04T18:49:55.101Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + + FWP_IP_VERSION_V4 + 6 + 10.195.36.30 + 204.79.197.200 + 61673 + 443 + 0 + + 5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310030002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000 + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. + .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + + S-1-5-21-1578316205-4060061518-881547182-1000 + FWP_AF_INET + S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + + 0 + +
+ FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW + + 208757 + 48 + 0 + 1 + 1 + + + + 0000000000000000 + + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER + FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK + + 0 + + + + 208757 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH + FWP_ACTION_PERMIT + + + 206049 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_PERMIT + + +
``` + All capabilities are enabled and the resulting filter determining the flow of the packet is 208757. The filter stated above with action permit: -**InternetClient Default Rule Filter \#208757, FilterState-Case-8.xml** +### InternetClient Default Rule Filter #208757, `FilterState-Case-8.xml` + ```xml - {e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5} - - InternetClient Default Rule - InternetClient Default Rule - - - FWPM_PROVIDER_MPSSVC_WSH - - e167000000000000 - .g...... - - FWPM_LAYER_ALE_AUTH_CONNECT_V4 - FWPM_SUBLAYER_MPSSVC_WSH - - FWP_EMPTY - - - - FWPM_CONDITION_ALE_PACKAGE_ID - FWP_MATCH_NOT_EQUAL - - FWP_SID - S-1-0-0 - - - - FWPM_CONDITION_IP_REMOTE_ADDRESS - FWP_MATCH_RANGE - - FWP_RANGE_TYPE - - - FWP_UINT32 - 0.0.0.0 - - - FWP_UINT32 - 255.255.255.255 - - - - - - FWPM_CONDITION_ORIGINAL_PROFILE_ID - FWP_MATCH_EQUAL - - FWP_UINT32 - 1 - - - - FWPM_CONDITION_CURRENT_PROFILE_ID - FWP_MATCH_EQUAL - - FWP_UINT32 - 1 - - - - FWPM_CONDITION_ALE_USER_ID - FWP_MATCH_EQUAL - - FWP_SECURITY_DESCRIPTOR_TYPE - O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN) - - - - - FWP_ACTION_PERMIT - - - 0 - - 208757 - - FWP_UINT64 - 412316868544 - - + {e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5} + + InternetClient Default Rule + InternetClient Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + e167000000000000 + .g...... 
+ + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_RANGE + + FWP_RANGE_TYPE + + + FWP_UINT32 + 0.0.0.0 + + + FWP_UINT32 + 255.255.255.255 + + + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 208757 + + FWP_UINT64 + 412316868544 + + ``` -The capabilities field in a netEvent was added to the traces in the Windows 10 -May 2019 Update. diff --git a/windows/security/security-foundations/zero-trust-windows-device-health.md b/windows/security/security-foundations/zero-trust-windows-device-health.md index 65cc2e9e7d..f80e2bf591 100644 --- a/windows/security/security-foundations/zero-trust-windows-device-health.md +++ b/windows/security/security-foundations/zero-trust-windows-device-health.md @@ -1,14 +1,11 @@ --- title: Zero Trust and Windows device health description: Describes the process of Windows device health attestation -ms.reviewer: ms.topic: conceptual manager: aaroncz ms.author: paoloma author: paolomatarazzo -ms.prod: windows-client -ms.technology: itpro-security -ms.date: 12/31/2017 +ms.date: 11/07/2023 --- # Zero Trust and Windows device health 
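Review bot: the rewritten sentence in the @@ -1108,15 +1086,12 @@ hunk reads "the packet is dropped at nfilter 206064", which introduces a typo; the removed line read "filter 206064", and the heading two lines below still says "Filter #206064". In the same hunk, "blocks any packet that the / Security Descriptor doesn't match" is left split across two lines while every other paragraph in the commit is reflowed onto one line.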
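Review bot: the @@ -1159,165 +1134,166 @@ hunk deletes the closing sentence "The capabilities field in a netEvent was added to the traces in the Windows 10 May 2019 Update." with nothing replacing it. That is the only statement telling readers which builds emit the `capabilities` element that the Case 7 and Case 8 walkthroughs rely on ("The Internal fields list no active capabilities", "All capabilities are enabled"); keep it, or fold it into the Case 8 explanation, so that readers on older builds know why the field is missing from their trace.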
@@ -17,11 +14,9 @@ Organizations need a security model that more effectively adapts to the complexi The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are: -- **Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies. - -- **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help secure data and maintain productivity. - -- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses. +- **Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies +- **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help secure data and maintain productivity +- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources. 
@@ -45,25 +40,19 @@ Windows includes many security features to help protect users from malware and a A summary of the steps involved in attestation and Zero Trust on the device side are as follows: -1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event. +1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event +1. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. The measurements in both these components together form the attestation evidence that is then sent to the attestation service +1. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation) +1. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Microsoft Entra Conditional Access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device +1. The attestation service does the following tasks: -2. 
Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. The measurements in both these components together form the attestation evidence that is then sent to the attestation service. + - Verify the integrity of the evidence. This verification is done by validating the PCRs that match the values recomputed by replaying the TCG log + - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM + - Verify that the security features are in the expected states -3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation). - -4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Microsoft Entra Conditional Access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device. - -5. The attestation service does the following tasks: - - - Verify the integrity of the evidence. This verification is done by validating the PCRs that match the values recomputed by replaying the TCG log. - - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM. - - Verify that the security features are in the expected states. - -6. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service. - -7. The device then sends the report to the Microsoft Intune cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules. - -8. Conditional access, along with device-compliance state then decides to allow or deny access. 
+1. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service +1. The device then sends the report to the Microsoft Intune cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules +1. Conditional access, along with device-compliance state then decides to allow or deny access ## Other Resources From 5882e4dd9e55204f4ff313a90ed089eb2d942be9 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 7 Nov 2023 14:02:37 -0500 Subject: [PATCH 15/21] Acrolinx --- .../filter-origin-documentation.md | 26 ++++++++----------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md b/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md index 3f99ba346f..b875b47bbf 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md 
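Review bot: the rewritten step "This information is then sent to the attestation service in the cloud ... Microsoft Endpoint Manger integrates with Microsoft Azure Attestation" carries the typo "Manger" (for "Manager") over from the removed line; since the line is being rewritten anyway, fix it here. Also worth a check: the three "- Verify ..." sub-bullets now sit directly after the "+1. The attestation service does the following tasks:" item and must be indented under it, otherwise the auto-numbered `1.` list restarts at the next item.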
@@ -13,18 +13,14 @@ Typically, when investigating packet drop events, a customer would use the field ![Event properties.](images/event-properties-5157.png) -The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from. +The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from. However, the filter ID isn't a reliable source for tracing back to the filter or the rule, as the filter ID can change for many reasons despite the rule not changing at all. This change in ID makes the diagnosis process error-prone and difficult. -However, the filter ID isn't a reliable source for tracing back to the filter or the rule, as the filter ID can change for many reasons despite the rule not changing at all. This change in ID makes the diagnosis process error-prone and difficult. - -For customers to debug packet drop events correctly and efficiently, they would need more context about the blocking filter such as its origin. - -The blocking filters can be categorized under these filter origins: +For customers to debug packet drop events correctly and efficiently, they would need more context about the blocking filter such as its origin. The blocking filters can be categorized under these filter origins: 1. Firewall rules 1. Firewall default block filters 1. AppContainer loopback - 1. Boottime default + 1. Boot time default 1. Quarantine default 1. Query user default 1. Stealth 
@@ -52,7 +48,7 @@ To enable a specific audit event, run the corresponding command in an administra ## Example flow of debugging packet drops with filter origin -As the audit surfaces `Filter Origin` and `Interface Index`, the network admin can determine the root cause of the network packet drop and the interface it happened on. +As the audit surfaces `Filter Origin` and `Interface Index`, the network admin can determine the root cause of the network packet drop, and the interface it happened on. ![Event audit.](images/event-audit-5157.png) 
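Review bot: the comma added in "determine the root cause of the network packet drop, and the interface it happened on" splits a compound object (the root cause and the interface, both objects of "determine") rather than two independent clauses; the removed line without the comma was correct, so this change should be dropped.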
@@ -82,15 +78,15 @@ Network drop events from the AppContainer loopback block filter origin occur whe To enable localhost loopback in a local debugging environment, see [Communicating with localhost](/windows/iot-core/develop-your-app/loopback). -To enable localhost loopback for a published app that requires loopback access to communicate with another UWP or packaged win32 app, see [uap4:LoopbackAccessRules](/uwp/schemas/appxpackage/uapmanifestschema/element-uap4-loopbackaccessrules). +To enable localhost loopback for a published app that requires loopback access to communicate with another UWP or packaged Win32 app, see [uap4:LoopbackAccessRules](/uwp/schemas/appxpackage/uapmanifestschema/element-uap4-loopbackaccessrules). -### Boottime default +### Boot time default -Network drop events from the boottime default block filter origin occur when the computer is booting up and the firewall service isn't yet running. Services will need to create a boottime allow filter to allow the traffic. It should be noted that it's not possible to add boottime filters through firewall rules. +Network drop events from the boot time default block filter origin occur when the computer is booting up and the firewall service isn't yet running. Services need to create a boot time allow filter to allow the traffic. It should be noted that it's not possible to add boot time filters through firewall rules. ### Quarantine default -Network drops from the quarantine default block filter occur when the interface is temporarily quarantined by Firewall service. The firewall service quarantines an interface when it detects a change on the network, and based on several other factors, the firewall service may put the interface in quarantine as a safeguard. When an interface is in quarantine, the quarantine default block filter will block any new non-loopback inbound connections. 
+Network drops from the quarantine default *block filter* occur when the interface is temporarily quarantined by the Firewall service. The firewall service quarantines an interface when it detects a change on the network, and based on several other factors, the firewall service might put the interface in quarantine as a safeguard. When an interface quarantined, the quarantine default *block filter* blocks any new non-loopback inbound connections. Run the following PowerShell command to generate more information about the interface: 
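Review bot: the rewritten sentence "When an interface quarantined, the quarantine default *block filter* blocks any new non-loopback inbound connections" has lost its verb; the removed line read "When an interface is in quarantine", so restore "is" (e.g. "When an interface is quarantined"). Separately, renaming the heading "### Boottime default" to "### Boot time default" changes the generated anchor from `#boottime-default` to `#boot-time-default`, so any link elsewhere in the docs that targets the old anchor needs to be updated in the same change.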
@@ -108,9 +104,9 @@ To learn more about the quarantine feature, see [Quarantine behavior](quarantine ### Query user default -Network packet drops from query user default block filters occur when there's no explicit rule created to allow an inbound connection for the packet. When an application binds to a socket but doesn't have a corresponding inbound rule to allow packets on that port, Windows generates a pop up for the user to allow or deny the app to receive packets on the available network categories. If the user clicks to deny the connection in this popup, subsequent inbound packets to the app will be dropped. To resolve the drops: +Network packet drops from query user default block filters occur when there's no explicit rule created to allow an inbound connection for the packet. When an application binds to a socket but doesn't have a corresponding inbound rule to allow packets on that port, Windows generates a pop-up for the user to allow or deny the app to receive packets on the available network categories. If the user selects to deny the connection in the pop-up, subsequent inbound packets to the app will be dropped. To resolve the drops: -1. Create an inbound firewall rule to allow the packet for this application. This packet will allow the packet to bypass any query user default block filters +1. Create an inbound firewall rule to allow the packet for this application. The rule allows the packet to bypass any query user default block filters 1. Delete any block query user rules that may have been auto generated by the firewall service To generate a list of all the query user block rules, you can run the following PowerShell command: 
@@ -149,4 +145,4 @@ For more information on how to debug drops caused by UWP default block filters, ### WSH default -Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn't an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block isn't expected. +Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn't an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner needs to configure *allow rules* for the service if the block isn't expected. From adf2ad6b0afd86f35e29289ef77ab2363c793d5b Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 7 Nov 2023 16:10:34 -0500 Subject: [PATCH 16/21] move some content to include files for consistency --- .../passkeys/includes/create-passkey.md | 44 +++++++++ .../passkeys/includes/use-passkey.md | 38 ++++++++ .../identity-protection/passkeys/index.md | 90 ++++--------------- 3 files changed, 98 insertions(+), 74 deletions(-) create mode 100644 windows/security/identity-protection/passkeys/includes/create-passkey.md create mode 100644 windows/security/identity-protection/passkeys/includes/use-passkey.md diff --git a/windows/security/identity-protection/passkeys/includes/create-passkey.md b/windows/security/identity-protection/passkeys/includes/create-passkey.md new file mode 100644 index 0000000000..64e07b4dd3 --- /dev/null +++ b/windows/security/identity-protection/passkeys/includes/create-passkey.md 
@@ -0,0 +1,44 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 11/07/2023 +ms.topic: include +--- + +:::row::: + :::column span="4"::: + + 1. Open a website or app that supports passkeys + + :::column-end::: +:::row-end::: +:::row::: + :::column span="4"::: + + 2. Create a passkey from your account settings + + :::column-end::: +:::row-end::: +:::row::: + :::column span="4"::: + 3. Choose where to save the passkey. By default, Windows offers to save the passkey locally if you're using Windows Hello or Windows Hello for Business. If you select the option **Use another device**, you can choose to save the passkey in one of the following locations: + :::column-end::: +:::row-end::: +:::row::: + :::column span="3"::: + + - **This Windows device**: the passkey is saved locally on your Windows device, and protected by Windows Hello (biometrics and PIN) + - **iPhone, iPad or Android device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device + - **Linked device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires the linked device to be in proximity of the Windows device, and it's only supported for Android devices + - **Security key**: the passkey is saved to a FIDO2 security key, protected by the key's unlock mechanism (for example, biometrics or PIN) + + :::column-end::: + :::column span="1"::: + :::image type="content" source="images/save-passkey.png" alt-text="Screenshot showing a dialog box prompting the user to pick a location to store the passkey." lightbox="images/save-passkey.png" border="false"::: + :::column-end::: +:::row-end::: +:::row::: + :::column span="4"::: + 4. Select **Next** + :::column-end::: +:::row-end::: 
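Review bot: the image in this new include is referenced as `images/save-passkey.png`, the same relative path the removed block in `index.md` used, but this file lives one directory deeper (`passkeys/includes/`) and no `includes/images/` folder is added in this commit. Unless the build resolves paths inside an include against the including page, the reference needs to become `../images/save-passkey.png`; verify on the rendered page that the screenshot still loads.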
diff --git a/windows/security/identity-protection/passkeys/includes/use-passkey.md b/windows/security/identity-protection/passkeys/includes/use-passkey.md new file mode 100644 index 0000000000..0d40b21a54 --- /dev/null +++ b/windows/security/identity-protection/passkeys/includes/use-passkey.md 
@@ -0,0 +1,38 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 11/07/2023 +ms.topic: include +--- + +:::row::: + :::column span="3"::: + 1. Open a website or app that supports passkeys + :::column-end::: + :::column span="1"::: + :::column-end::: +:::row-end::: +:::row::: + :::column span="3"::: + 2. Select **Sign in with a passkey**, or a similar option + :::column-end::: + :::column span="1"::: + :::image type="content" source="images/website.png" alt-text="Screenshot of a website offering the passkey sign in option." lightbox="images/website.png" border="false"::: + :::column-end::: +:::row-end::: +:::row::: + :::column span="3"::: + 3. If a passkey is stored locally and protected by Windows Hello, you're prompted to use Windows Hello to sign in. If you select the option **Use another device**, you can choose one of the following options: + :::column-end::: +:::row-end::: +:::row::: + :::column span="3"::: + - **This Windows device**: use this option to use a passkey that is stored locally on your Windows device, and protected by Windows Hello + - **iPhone, iPad or Android device**: use this option if you want to sign in with a passkey stored on a phone or tablet. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device + - **Linked device**: use this option if you want to sign in with a passkey stored on a device that is in proximity of the Windows device. This option is only supported for Android devices + - **Security key**: use this option if you want to sign in with a passkey stored on a FIDO2 security key + :::column-end::: + :::column span="1"::: + :::image type="content" source="images/use-passkey.png" alt-text="Screenshot of the passkey dialog prompting the user to pick where the passkey is stored." lightbox="images/use-passkey.png" border="false"::: + :::column-end::: +:::row-end::: \ No newline at end of file 
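Review bot: same relative-path concern as in `create-passkey.md`: `images/website.png` and `images/use-passkey.png` are referenced from `passkeys/includes/`, where this commit adds no images, so they likely need `../images/`. This file also ends without a trailing newline ("\ No newline at end of file"), unlike its sibling include; add one for consistency.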
diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 06247b9a94..1b0736293b 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md 
@@ -40,50 +40,12 @@ Passkeys have several advantages over passwords, including their ease of use and ### Create a passkey -Follow these steps to create a passkey from a Windows device: - -:::row::: - :::column span="4"::: - - 1. Open a website or app that supports passkeys - - :::column-end::: -:::row-end::: -:::row::: - :::column span="4"::: - - 2. Create a passkey from your account settings - - :::column-end::: -:::row-end::: -:::row::: - :::column span="4"::: - 3. Choose where to save the passkey. By default, Windows offers to save the passkey locally if you're using Windows Hello or Windows Hello for Business. If you select the option **Use another device**, you can choose to save the passkey in one of the following locations: - :::column-end::: -:::row-end::: -:::row::: - :::column span="3"::: - -- **This Windows device**: the passkey is saved locally on your Windows device, and protected by Windows Hello (biometrics and PIN) -- **iPhone, iPad or Android device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device -- **Linked device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires the linked device to be in proximity of the Windows device, and it's only supported for Android devices -- **Security key**: the passkey is saved to a FIDO2 security key, protected by the key's unlock mechanism (for example, biometrics or PIN) - - :::column-end::: - :::column span="1"::: - :::image type="content" source="images/save-passkey.png" alt-text="Screenshot showing a dialog box prompting the user to pick a location to store the passkey." lightbox="images/save-passkey.png" border="false"::: - :::column-end::: -:::row-end::: -:::row::: - :::column span="4"::: - 4. 
Select **Next** - :::column-end::: -:::row-end::: - Pick one of the following options to learn how to save a passkey, based on where you want to store it. #### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows) +[!INCLUDE [use-passkey](includes/create-passkey.md)] + :::row::: :::column span="3"::: @@ -107,6 +69,8 @@ Pick one of the following options to learn how to save a passkey, based on where #### [:::image type="icon" source="images/qr-code.svg" border="false"::: **New phone or tablet**](#tab/mobile) +[!INCLUDE [use-passkey](includes/create-passkey.md)] + :::row::: :::column span="3"::: @@ -130,6 +94,8 @@ Pick one of the following options to learn how to save a passkey, based on where #### [:::image type="icon" source="images/phone.svg" border="false"::: **Linked phone or tablet**](#tab/linked) +[!INCLUDE [use-passkey](includes/create-passkey.md)] + :::row::: :::column span="3"::: @@ -153,6 +119,8 @@ Pick one of the following options to learn how to save a passkey, based on where #### [:::image type="icon" source="images/usb.svg" border="false"::: **Security key**](#tab/key) +[!INCLUDE [use-passkey](includes/create-passkey.md)] + :::row::: :::column span="3"::: 
@@ -178,44 +146,12 @@ Pick one of the following options to learn how to save a passkey, based on where ### Use a passkey -Follow these steps to use a passkey: - -:::row::: - :::column span="3"::: - 1. Open a website or app that supports passkeys - :::column-end::: - :::column span="1"::: - :::column-end::: -:::row-end::: -:::row::: - :::column span="3"::: - 2. Select **Sign in with a passkey**, or a similar option - :::column-end::: - :::column span="1"::: - :::image type="content" source="images/website.png" alt-text="Screenshot of a website offering the passkey sign in option." lightbox="images/website.png" border="false"::: - :::column-end::: -:::row-end::: -:::row::: - :::column span="3"::: - 3. If a passkey is stored locally and protected by Windows Hello, you're prompted to use Windows Hello to sign in. If you select the option **Use another device**, you can choose one of the following options: - :::column-end::: -:::row-end::: -:::row::: - :::column span="3"::: -- **This Windows device**: use this option to use a passkey that is stored locally on your Windows device, and protected by Windows Hello -- **iPhone, iPad or Android device**: use this option if you want to sign in with a passkey stored on a phone or tablet. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device -- **Linked device**: use this option if you want to sign in with a passkey stored on a device that is in proximity of the Windows device. This option is only supported for Android devices -- **Security key**: use this option if you want to sign in with a passkey stored on a FIDO2 security key - :::column-end::: - :::column span="1"::: - :::image type="content" source="images/use-passkey.png" alt-text="Screenshot of the passkey dialog prompting the user to pick where the passkey is stored." 
lightbox="images/use-passkey.png" border="false"::: - :::column-end::: -:::row-end::: - Pick one of the following options to learn how to use a passkey, based on where you saved it. #### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows) +[!INCLUDE [use-passkey](includes/use-passkey.md)] + :::row::: :::column span="3"::: @@ -238,6 +174,8 @@ Pick one of the following options to learn how to use a passkey, based on where #### [:::image type="icon" source="images/qr-code.svg" border="false"::: **Phone or tablet**](#tab/mobile) +[!INCLUDE [use-passkey](includes/use-passkey.md)] + :::row::: :::column span="3"::: @@ -258,6 +196,8 @@ Pick one of the following options to learn how to use a passkey, based on where #### [:::image type="icon" source="images/phone.svg" border="false"::: **Linked phone or tablet**](#tab/linked) +[!INCLUDE [use-passkey](includes/use-passkey.md)] + :::row::: :::column span="3"::: @@ -280,6 +220,8 @@ Pick one of the following options to learn how to use a passkey, based on where #### [:::image type="icon" source="images/usb.svg" border="false"::: **Security key**](#tab/key) +[!INCLUDE [use-passkey](includes/use-passkey.md)] + :::row::: :::column span="3"::: From f861f450ac08232ddd08a712ab7e010b467a2eb0 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 7 Nov 2023 16:19:20 -0500 Subject: [PATCH 17/21] design update --- .../passkeys/includes/create-passkey.md | 18 ++++++------------ .../passkeys/includes/use-passkey.md | 8 ++------ 2 files changed, 8 insertions(+), 18 deletions(-) diff --git a/windows/security/identity-protection/passkeys/includes/create-passkey.md b/windows/security/identity-protection/passkeys/includes/create-passkey.md index 64e07b4dd3..cc2fd7a085 100644 --- a/windows/security/identity-protection/passkeys/includes/create-passkey.md +++ b/windows/security/identity-protection/passkeys/includes/create-passkey.md 
@@ -19,22 +19,16 @@ ms.topic: include :::column-end::: :::row-end::: -:::row::: - :::column span="4"::: - 3. Choose where to save the passkey. By default, Windows offers to save the passkey locally if you're using Windows Hello or Windows Hello for Business. If you select the option **Use another device**, you can choose to save the passkey in one of the following locations: - :::column-end::: -:::row-end::: :::row::: :::column span="3"::: - - - **This Windows device**: the passkey is saved locally on your Windows device, and protected by Windows Hello (biometrics and PIN) - - **iPhone, iPad or Android device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device - - **Linked device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires the linked device to be in proximity of the Windows device, and it's only supported for Android devices - - **Security key**: the passkey is saved to a FIDO2 security key, protected by the key's unlock mechanism (for example, biometrics or PIN) - + 3. Choose where to save the passkey. By default, Windows offers to save the passkey locally if you're using Windows Hello or Windows Hello for Business. If you select the option **Use another device**, you can choose to save the passkey in one of the following locations: + - **This Windows device**: the passkey is saved locally on your Windows device, and protected by Windows Hello (biometrics and PIN) + - **iPhone, iPad or Android device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. 
This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device + - **Linked device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires the linked device to be in proximity of the Windows device, and it's only supported for Android devices + - **Security key**: the passkey is saved to a FIDO2 security key, protected by the key's unlock mechanism (for example, biometrics or PIN) :::column-end::: :::column span="1"::: - :::image type="content" source="images/save-passkey.png" alt-text="Screenshot showing a dialog box prompting the user to pick a location to store the passkey." lightbox="images/save-passkey.png" border="false"::: + :::image type="content" source="../images/save-passkey.png" alt-text="Screenshot showing a dialog box prompting the user to pick a location to store the passkey." lightbox="../images/save-passkey.png" border="false"::: :::column-end::: :::row-end::: :::row::: diff --git a/windows/security/identity-protection/passkeys/includes/use-passkey.md b/windows/security/identity-protection/passkeys/includes/use-passkey.md index 0d40b21a54..787b267f0c 100644 --- a/windows/security/identity-protection/passkeys/includes/use-passkey.md +++ b/windows/security/identity-protection/passkeys/includes/use-passkey.md 
@@ -17,22 +17,18 @@ ms.topic: include 2. Select **Sign in with a passkey**, or a similar option :::column-end::: :::column span="1"::: - :::image type="content" source="images/website.png" alt-text="Screenshot of a website offering the passkey sign in option." lightbox="images/website.png" border="false"::: + :::image type="content" source="../images/website.png" alt-text="Screenshot of a website offering the passkey sign in option." lightbox="../images/website.png" border="false"::: :::column-end::: :::row-end::: :::row::: :::column span="3"::: 3. If a passkey is stored locally and protected by Windows Hello, you're prompted to use Windows Hello to sign in. If you select the option **Use another device**, you can choose one of the following options: - :::column-end::: -:::row-end::: -:::row::: - :::column span="3"::: - **This Windows device**: use this option to use a passkey that is stored locally on your Windows device, and protected by Windows Hello - **iPhone, iPad or Android device**: use this option if you want to sign in with a passkey stored on a phone or tablet. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device - **Linked device**: use this option if you want to sign in with a passkey stored on a device that is in proximity of the Windows device. This option is only supported for Android devices - **Security key**: use this option if you want to sign in with a passkey stored on a FIDO2 security key :::column-end::: :::column span="1"::: - :::image type="content" source="images/use-passkey.png" alt-text="Screenshot of the passkey dialog prompting the user to pick where the passkey is stored." lightbox="images/use-passkey.png" border="false"::: + :::image type="content" source="../images/use-passkey.png" alt-text="Screenshot of the passkey dialog prompting the user to pick where the passkey is stored." 
lightbox="../images/use-passkey.png" border="false"::: :::column-end::: :::row-end::: \ No newline at end of file From a45295b1d2bc68d01225d65833ebd6db8d83d731 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 7 Nov 2023 16:58:53 -0500 Subject: [PATCH 18/21] design update --- .../passkeys/includes/create-passkey.md | 11 +-- .../passkeys/includes/use-passkey.md | 6 +- .../identity-protection/passkeys/index.md | 68 ++++++++++++++++--- 3 files changed, 62 insertions(+), 23 deletions(-) diff --git a/windows/security/identity-protection/passkeys/includes/create-passkey.md b/windows/security/identity-protection/passkeys/includes/create-passkey.md index cc2fd7a085..f5ec391065 100644 --- a/windows/security/identity-protection/passkeys/includes/create-passkey.md +++ b/windows/security/identity-protection/passkeys/includes/create-passkey.md 
@@ -21,18 +21,9 @@ ms.topic: include :::row-end::: :::row::: :::column span="3"::: - 3. Choose where to save the passkey. By default, Windows offers to save the passkey locally if you're using Windows Hello or Windows Hello for Business. If you select the option **Use another device**, you can choose to save the passkey in one of the following locations: - - **This Windows device**: the passkey is saved locally on your Windows device, and protected by Windows Hello (biometrics and PIN) - - **iPhone, iPad or Android device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device - - **Linked device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires the linked device to be in proximity of the Windows device, and it's only supported for Android devices - - **Security key**: the passkey is saved to a FIDO2 security key, protected by the key's unlock mechanism (for example, biometrics or PIN) + 3. Select the option **Use another device** > **Next** :::column-end::: :::column span="1"::: :::image type="content" source="../images/save-passkey.png" alt-text="Screenshot showing a dialog box prompting the user to pick a location to store the passkey." lightbox="../images/save-passkey.png" border="false"::: :::column-end::: :::row-end::: -:::row::: - :::column span="4"::: - 4. Select **Next** - :::column-end::: -:::row-end::: diff --git a/windows/security/identity-protection/passkeys/includes/use-passkey.md b/windows/security/identity-protection/passkeys/includes/use-passkey.md index 787b267f0c..39aa37f431 100644 --- a/windows/security/identity-protection/passkeys/includes/use-passkey.md +++ b/windows/security/identity-protection/passkeys/includes/use-passkey.md 
@@ -22,11 +22,7 @@ ms.topic: include :::row-end::: :::row::: :::column span="3"::: - 3. If a passkey is stored locally and protected by Windows Hello, you're prompted to use Windows Hello to sign in. If you select the option **Use another device**, you can choose one of the following options: - - **This Windows device**: use this option to use a passkey that is stored locally on your Windows device, and protected by Windows Hello - - **iPhone, iPad or Android device**: use this option if you want to sign in with a passkey stored on a phone or tablet. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device - - **Linked device**: use this option if you want to sign in with a passkey stored on a device that is in proximity of the Windows device. This option is only supported for Android devices - - **Security key**: use this option if you want to sign in with a passkey stored on a FIDO2 security key + 3. Select the option **Use another device** > **Next** :::column-end::: :::column span="1"::: :::image type="content" source="../images/use-passkey.png" alt-text="Screenshot of the passkey dialog prompting the user to pick where the passkey is stored." lightbox="../images/use-passkey.png" border="false"::: diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 1b0736293b..db33e65363 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md 
@@ -40,12 +40,23 @@ Passkeys have several advantages over passwords, including their ease of use and ### Create a passkey +By default, Windows offers to save the passkey locally on the **Windows device**, in which case the passkey is protected by Windows Hello (biometrics and PIN). You can also chose to save the passkey in one of the following locations: + +- **iPhone, iPad or Android device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device +- **Linked device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires the linked device to be in proximity of the Windows device, and it's only supported for Android devices +- **Security key**: the passkey is saved to a FIDO2 security key, protected by the key's unlock mechanism (for example, biometrics or PIN) + Pick one of the following options to learn how to save a passkey, based on where you want to store it. #### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows) [!INCLUDE [use-passkey](includes/create-passkey.md)] +:::row::: + :::column span="4"::: + 4. Select **This Windows device** > **Next** + :::column-end::: +:::row-end::: :::row::: :::column span="3"::: @@ -71,6 +82,11 @@ Pick one of the following options to learn how to save a passkey, based on where [!INCLUDE [use-passkey](includes/create-passkey.md)] +:::row::: + :::column span="4"::: + 4. Select **iPhone, iPad or Android device** > **Next** + :::column-end::: +:::row-end::: :::row::: :::column span="3"::: 
@@ -96,6 +112,11 @@ Pick one of the following options to learn how to save a passkey, based on where [!INCLUDE [use-passkey](includes/create-passkey.md)] +:::row::: + :::column span="4"::: + 4. Select **Linked device** > **Next** + :::column-end::: +:::row-end::: :::row::: :::column span="3"::: @@ -121,6 +142,11 @@ Pick one of the following options to learn how to save a passkey, based on where [!INCLUDE [use-passkey](includes/create-passkey.md)] +:::row::: + :::column span="4"::: + 4. Select **Security key*** > **Next** + :::column-end::: +:::row-end::: :::row::: :::column span="3"::: @@ -146,16 +172,27 @@ Pick one of the following options to learn how to save a passkey, based on where ### Use a passkey +When you open a website or app that supports passkeys, if a passkey is stored locally, you're automatically prompted to use Windows Hello to sign in. You can also chose to use a passkey from one of the following locations: + +- **iPhone, iPad or Android device**: use this option if you want to sign in with a passkey stored on a phone or tablet. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device +- **Linked device**: use this option if you want to sign in with a passkey stored on a device that is in proximity of the Windows device. This option is only supported for Android devices +- **Security key**: use this option if you want to sign in with a passkey stored on a FIDO2 security key + Pick one of the following options to learn how to use a passkey, based on where you saved it. #### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows) [!INCLUDE [use-passkey](includes/use-passkey.md)] +:::row::: + :::column span="4"::: + 4. Select **This Windows device** > **Next** + :::column-end::: +:::row-end::: :::row::: :::column span="3"::: - 4. Select a Windows Hello unlock option + 5. Select a Windows Hello unlock option :::column-end::: :::column span="1"::: 
@@ -165,7 +202,7 @@ Pick one of the following options to learn how to use a passkey, based on where :::row::: :::column span="3"::: - 5. Select **OK** to continue signing in + 6. Select **OK** to continue signing in :::column-end::: :::column span="1"::: @@ -176,10 +213,15 @@ Pick one of the following options to learn how to use a passkey, based on where [!INCLUDE [use-passkey](includes/use-passkey.md)] +:::row::: + :::column span="4"::: + 4. Select **Phone or tablet** > **Next** + :::column-end::: +:::row-end::: :::row::: :::column span="3"::: - 4. Scan the QR code with your phone or tablet where you saved the passkey. Once the connection to the device is established, follow the instructions to use the passkey + 5. Scan the QR code with your phone or tablet where you saved the passkey. Once the connection to the device is established, follow the instructions to use the passkey :::column-end::: :::column span="1"::: @@ -189,7 +231,7 @@ Pick one of the following options to learn how to use a passkey, based on where :::row::: :::column span="4"::: - 5. You're signed in to the website or app + 6. You're signed in to the website or app :::column-end::: :::row-end::: @@ -198,10 +240,15 @@ Pick one of the following options to learn how to use a passkey, based on where [!INCLUDE [use-passkey](includes/use-passkey.md)] +:::row::: + :::column span="4"::: + 4. Select **Linked phone or tablet** > **Next** + :::column-end::: +:::row-end::: :::row::: :::column span="3"::: - 4. Once the connection to the linked device is established, follow the instructions on the device to use the passkey + 5. Once the connection to the linked device is established, follow the instructions on the device to use the passkey :::column-end::: :::column span="1"::: 
@@ -211,7 +258,7 @@ Pick one of the following options to learn how to use a passkey, based on where :::row::: :::column span="3"::: - 5. You're signed in to the website or app + 6. You're signed in to the website or app :::column-end::: :::column span="1"::: @@ -222,10 +269,15 @@ Pick one of the following options to learn how to use a passkey, based on where [!INCLUDE [use-passkey](includes/use-passkey.md)] +:::row::: + :::column span="4"::: + 4. Select **Security key** > **Next** + :::column-end::: +:::row-end::: :::row::: :::column span="3"::: - 4. Unlock the security key using the key's unlock mechanism + 5. Unlock the security key using the key's unlock mechanism :::column-end::: :::column span="1"::: @@ -235,7 +287,7 @@ Pick one of the following options to learn how to use a passkey, based on where :::row::: :::column span="3"::: - 5. You're signed in to the website or app + 6. You're signed in to the website or app :::column-end::: :::column span="1"::: From debc80830bb1ea43b34b922ad476d000eac7cb2c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 7 Nov 2023 17:09:57 -0500 Subject: [PATCH 19/21] design update --- windows/security/identity-protection/passkeys/index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index db33e65363..a47ca0e1fd 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -114,7 +114,7 @@ Pick one of the following options to learn how to save a passkey, based on where :::row::: :::column span="4"::: - 4. Select **Linked device** > **Next** + 4. Select your linked device name (e.g. **Pixel**) > **Next** :::column-end::: :::row-end::: :::row::: 
@@ -144,7 +144,7 @@ Pick one of the following options to learn how to save a passkey, based on where :::row::: :::column span="4"::: - 4. Select **Security key*** > **Next** + 4. Select **Security key** > **Next** :::column-end::: :::row-end::: :::row::: @@ -215,7 +215,7 @@ Pick one of the following options to learn how to use a passkey, based on where :::row::: :::column span="4"::: - 4. Select **Phone or tablet** > **Next** + 4. Select **iPhone, iPad or Android device** > **Next** :::column-end::: :::row-end::: :::row::: @@ -242,7 +242,7 @@ Pick one of the following options to learn how to use a passkey, based on where :::row::: :::column span="4"::: - 4. Select **Linked phone or tablet** > **Next** + 4. Select your linked device name (e.g. **Pixel**) > **Next** :::column-end::: :::row-end::: :::row::: From 466030edf95e7ad568c1f2c4bf0bea8521276567 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 7 Nov 2023 17:11:32 -0500 Subject: [PATCH 20/21] Date --- windows/security/identity-protection/passkeys/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index a47ca0e1fd..d77c476566 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -5,7 +5,7 @@ ms.collection: - highpri - tier1 ms.topic: overview -ms.date: 09/27/2023 +ms.date: 11/07/2023 appliesto: - ✅
Windows 11 - ✅ Windows 10 From c87650e4a11d48f603ec5cb3a8acbf0bcb356d59 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 7 Nov 2023 14:54:36 -0800 Subject: [PATCH 21/21] Fixes for Acrolinx: Correctness --- windows/security/identity-protection/passkeys/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index d77c476566..9ca4657426 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -40,7 +40,7 @@ Passkeys have several advantages over passwords, including their ease of use and ### Create a passkey -By default, Windows offers to save the passkey locally on the **Windows device**, in which case the passkey is protected by Windows Hello (biometrics and PIN). You can also chose to save the passkey in one of the following locations: +By default, Windows offers to save the passkey locally on the **Windows device**, in which case the passkey is protected by Windows Hello (biometrics and PIN). You can also choose to save the passkey in one of the following locations: - **iPhone, iPad or Android device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device - **Linked device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires the linked device to be in proximity of the Windows device, and it's only supported for Android devices 
@@ -172,7 +172,7 @@ Pick one of the following options to learn how to save a passkey, based on where ### Use a passkey -When you open a website or app that supports passkeys, if a passkey is stored locally, you're automatically prompted to use Windows Hello to sign in. You can also chose to use a passkey from one of the following locations: +When you open a website or app that supports passkeys, if a passkey is stored locally, you're automatically prompted to use Windows Hello to sign in. You can also choose to use a passkey from one of the following locations: - **iPhone, iPad or Android device**: use this option if you want to sign in with a passkey stored on a phone or tablet. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device - **Linked device**: use this option if you want to sign in with a passkey stored on a device that is in proximity of the Windows device. This option is only supported for Android devices
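Review bot: the include label doesn't match the file in the four `[!INCLUDE [use-passkey](includes/create-passkey.md)]` lines added under "Create a passkey" in PATCH 16 (index.md, hunks @@ -40,50 +40,12 @@ through @@ -153,6 +119,8 @@); the label reads use-passkey while the file pulled in is create-passkey.md. Rename them to `[!INCLUDE [create-passkey](includes/create-passkey.md)]` so the reference reads correctly and a later search-and-replace on use-passkey doesn't touch the wrong includes.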
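Review bot: the shared include and the per-tab steps disagree for the local Windows Hello path in PATCH 18. `create-passkey.md` step 3 now always reads `3. Select the option **Use another device** > **Next**` (hunk @@ -21,18 +21,9 @@), and `use-passkey.md` step 3 likewise (hunk @@ -22,11 +22,7 @@), yet the "Windows device" tabs in index.md then add `4. Select **This Windows device** > **Next**`, and the new intro paragraphs in the same patch say Windows offers to save the passkey locally by default and automatically prompts for Windows Hello when a local passkey exists. A user keeping the passkey on this device shouldn't be routed through Use another device; drop step 3 from the two includes and put it at the top of the phone, linked-device and security-key tabs only, so the Windows device tabs go straight from step 2 to the Windows Hello prompt.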
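Review bot: stray third asterisk in `4. Select **Security key*** > **Next**` in the Security key tab of index.md (PATCH 18, hunk @@ -121,6 +142,11 @@), which renders as a literal `*` after the bold label; the same patch also introduces `You can also chose to` twice in the new intro paragraphs (hunks @@ -40,12 +40,23 @@ and @@ -146,16 +172,27 @@). All three are fixed later in the series (PATCH 19 and PATCH 21), so squash those fixups into PATCH 18 rather than leaving a commit that renders incorrectly.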
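Review bot: `4. Select your linked device name (e.g. **Pixel**) > **Next**` in the two linked-device steps of PATCH 19 (index.md hunks @@ -114,7 +114,7 @@ and @@ -242,7 +242,7 @@) uses a Latin abbreviation and bolds a specific product name as if it were a fixed UI label, so readers may look for a button literally called Pixel. Prefer `Select your linked device name (for example, Pixel) > **Next**`, keeping bold only for the actual Next control.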
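Review bot: `use-passkey.md` still ends without a trailing newline after PATCH 17 (`\ No newline at end of file` at the end of hunk @@ -17,22 +17,18 @@); add the final newline so later edits to the last `:::row-end:::` don't keep carrying the no-newline marker. The `images/` to `../images/` change in the same hunk, and the matching one in `create-passkey.md` (hunk @@ -19,22 +19,16 @@), are correct now that the files live under `includes/`.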

zn0iDAIOhuUIctW0`W;iti}R$;CBjN5X(3f2IdxEMVhEfz2q*qj)inr5LXBb|8b?BI zKynsW;^imz_rek{shI$#vM;IWHuDZ%QU?_R|Gx$?u_6%v2I64x{GTR2>CD#E*UwL9 zWufNQcbS_<<0wo#P_0g$LX2CnDx>E6^~%__KdOCV8mz7AdR6n!j0xTjvYCU;_7D!-j%OWgeZRb|FYi&C z$>ug^dqW)qhjaH24b}Sl3RSu6Yca91)|$GB0scY5;Gd0TFZ*tvBxcW&3=g+rVyaa1 zP#x)>k0_c;B;BMWB8rs^!TzMBm5e$fFNZq+tA=*7vAsPQO)gwmS;=wk{txDO2MyOj zA3??jQe(UbnRtpsi2GC%_3Xvf)!`2P@BXA?SH`cl%{=E&ww_%Ck#o^L8rNBuo(7?q2soL@+-9@!H-33EN zlMaaXL!AsxwsEfnjS0xyf^#!su{>`7?R3$Lc)sh)C|NqZgysRP_ymX|^M2%{$ldjS z$cBH)JfImj*>H4PCUM^f*bfL-KBjmznZ=MTH7NOv2(e7Z*vCDlT~u$ROe?6{d?nVW zF(I_JiQf;Nj3=sV!wk{j6!t(_$3Glz)A zixv5@=lGm9d9@l=AB=GD|dx; z{sqn_eLQ-^w;o+5<~znucL(N8f0h{B5b5+sy-D2rQOkpE_h)VLbKksnTYN$JE*x#7 zJa`EDIzqU~(h$9x>kmzm0$j_V^GtR0?(w2$wl`P4cYqrzTmPZdICe&rje&cy;{LVK z@y#DcJe%@==ye(_vhTO}EBk#Px9vCU_{9=~4NT;i{)KM8LOu%NM*6qih|NHLLOI7m zum@5v&R#5=qee_Ip=jBpFTc%;mGpGv(|$#@64eQp(X2FSVQam%=*?fn{-HMZtScdU zH4jD6I}4cC;{^5%gKd4w%@Xite}Hv&r!@9$&ST}!?Fy|<4n#)^IXEZHv+=W*a-%Oy zLeO!=Jgv=v_+Qk2GDG2!5m&lk6)Hbfeu&^Dnf_{3^17Y<@Twgw}w#A+8S4IU2( zE$!G7HWfgF4}NYb_h!Ltd|vz|YvC2nSY9nul>#_L~hzV^>C^&ey!&$nuN8t=CiQ1!6(tjbzH)5ghV zX=rLH)QU2IIKD2^lrg>~mRim`0W~>rc z?LvGeK-{o2D&fy#{!)GHPfRfftWxBpj4xdRadoS-IQu4@$+MB9F8Y#s(8pOwuQ}W# zB_)MXHkzy&&ce=~93PK|fM%hdspVAsT~f7{PMjvql`d&v9aHjoZYE2OLg7H7u4xEW z%oE@35pvSLgtVzCttO8P=6{q?M>qLAJ;?x>%1Ly=7*&wbKMiymS#(gdOLr=`hw?FS zBO)VT_xJb5{k^+l{D3pDHJo9(J(6YY!N*_{A_OyNTcU^w`6TJ;d4)_mIIt0f9_QL( zhIm`SIz5eo_~Pcj?;j5W}qURPP5T|r(qd)n(gnz6J2F>eU$Rb>LHQHdT_wRt3Gs; zSVxSRGnVWx1Hykt+P%c#~2zOu7eA^9;6Zw5cKU%lvErX|8<@M$%)8n ztP@(s=ix_sfd@ih4#bG!(?;d|<1F9u>k;AL13ptZKCjKlkfUpw3FeYuFlM#AFrG8gZ0b)&qiZwyyW|DR(Z_T*x?g!gUdkiAm&B)0TwA_6)_a>dpyu zy;)5S4Mjy)13Lk#Htdm}=kA+suiY>nv-Hl>!+yCva0Q;VNMWaQ(~-71^>n&<(e$$@ zuzOvtDzx9nVS45CYZRCg16t3N2$o$Ku$C`m{k--0TAhNA|Jb&OJ2NBxct%tlER~%b(fuv$rGWWF0Z8tb(th`pI0 z43Eb#kG!=DPmEpq_Nq3XfK#E0L=;ad)?I`IO?hXHJ_=IA;w6($Jx0YY9?sipLHmyT zuEpnmI`6v0XC<+*Xx+cp^;z0mj6p5dOtC2+G*8b|W{6X@?Qll+I>4!`{Y*$j#qw%T 
z*g@3_HmQq|V6pAjSU{jR(Rt?z<%_3WM4>)vKGkuxr&4JHR-xh?)xeh;A>#MidIob(kblv_e*B6x498~B&c}WkXWxJ?R>f>BpxZ- z;znO$?3_MUwzCog)mgMa(Fvai^%~0$jytjn1KLGqKAVR0R;@U)$`Qv2(FAwd5NS^h zBRNF~CZxct)b!HQoSiS;LW)ArgGw7&#L)4aKN|mAUW@W7Be=+@U}$eM&76+?qQ{!@ zCy)xzu9QFR!gIm9q71A+L39c%4&h%7oUi+_-${uv-U?F-7Y50_sbhiE9$=5MP9POQ z(4Fz1H(*FRH7SOi_VuT*SR$}|x(T<-o6#N3%$&}=GzE*_N z>uV8KVomVt^Gmo2ed^}7D*>mSz=elm$B>EyIOu=amCk>5Olebv%I7(i7KQ`fVla#I zh5~rs{lkWqtnx!P!fApPJ1mAp@cL=?%Lruz$7+g$76zbQc9nf-tY`mNx>3t@hNzMS zzebO9o<4JNb=D-6cpaajnU@*}+>@>WYG9^ihXcx3nBVZ8MPQJGqxK!As}Zx}-QToh zQUN%Ro$-N;D-qEAK=Te`m*Y5LEPQZkLDaO)EOj@eM!126Cv(v#ov}PTjnmGpm<3pv zeRFf;>VS*&47_V3-4d>{84_ObR3iYTr^Os3qqy@=*IIhKx_pz!%=9_{$Ird|^EeNi zgH(=d2@YGkUMspa`A7e0SD6bIoP%b8TnkLygm~}+0~bG$vUANxxxA zewg3yHT+6};*yQrbf{z@^832tgshs}qFi=C_FmSFUeAw0Jc-QfseL0cSlb!-S~2oZ zRPvvu{rztyA(U005!~Lh?%)Hqxp8LIU z{7CyBOFB-ztT&R*;~wE&X*$RS{YKl7$6oRiTfs$nZ*Z(BD#RpB7$?T@BXD$~d}IJy z49J0)NJ~RulCf%;!tesOPIn@Sg5n~74Xu>!c_^m!<#xdTVOxl76n7o>NYf6s5*`r| zLRT_N23#B5Ss~9#d`2n4@xxQb^?KO?bui1hEJVY0l_jP;q;iyq8hJDpLB|c{ueJ37*Wge0yzCR1!Kb87NIFnZisw=p|TPuV)JI)f}D$c9b&D682=zJ?m2LC90 zI4)(t#84p)P2X&9P2b&xQea}ASoUmVs?zV|M~S1htsVuA;B}F&ZQ)9rFT{S~9|y~i z{4)oAkss*hMNCdqafg@hd4GLUb)W%FUwmrtEd+o!Xt{Fq>kI1 zdn#J%h}vG$5w@nj={Nzew|YF$_oLKsuw&SkSFRC+_D;K$<)hhMZSuf7u|QBeHwFhD z;Ol2!IdKRl?38A-iZEjBn%5xz+nnBKJd~tScyW;its{E8FP^kK5i4DJa-SD3d6Z`c znX`TM7$kkwf>a1a_9rlo4k#md)=iOX;!UXT6udV6byT{kJ)0p6?q6M$zA@6F29si7xb@er|{d zUVr6#+3OZ{2gA~^6R#0?l5VRA8X5jux`+tS@E6w7@_4VR?S;vli>HCx+$ix+ z3I4w7b&q-s_h@&K)^-r>50>7(9Y`5tl7yqdj`eoS1Z5NSwY~l&8I^ysq^~rIwf73- zV4Or2iux9<35Evr1P;tOPlTSTYXle(|3lQa<3#KL1B41sKY4b2zU^@KgW3|6oG;mN zV3aIVp7n1jNRd2mQ_KmoFs=V9S>u zL>F~gNrduIvi+AAWD5yp2?T_y81#p4C@=4C9p!Xf5D+lC{ym6&4uz%&2!&|!QW9T0 z4UZmCU6-{p3*PQzih@Q@_V*!>6Dw}vMQ*$Nmf`}7Vwd9PYGxJ|mKrWv?g^=on9uzn z2d42*&1{@9OKBLBH>?f50veNrwRx->2INX{GUCZlhaibVvQ}O>IyoV3EMq-KL_|>9 z+1t~2nV4)6S5#CC8S3eQ+nSr1L1t!VMjRX*Lx#G#@okNbjG%Adz8Q^;jj?E!YFBMg 
zrocD<*uyGKe$oru&JSgfGaP@g{;AUIM;4c7^OBI*P9yn~(ebT3nxtasQ-zZeMwf+OYg}5xw^DW4*_2enCOj+0;~maZfk_ z%Tu5y$E#~DV^r^ZLc*St7?Tzc$k0tH^u=&H&CLSIC2v}RV%7Oa7$y9APEav3sQIL{? z7-$l{HV7AkH2%uR-jAzn)laf|T^_xw7M=|)Bb#42C3@=yz6-FK~7fdH-?LmV0(1<#EWOUqA%wN$<39Lf?83vb0&~7|%ne zx)VI6Z<>R`0_ND-g}iov-@){s**mB4a{0#aGU7)C>+bdWLTPKAzXu)oPPAtW3kmHV z9p$#P=)Hz)wYRqeDi;wUQ?5;vTkf*X!pe!_3-9=?dJQ{*30-l>aAcjN$;ah&w%%*0 zYs^ZzeInJkD%&DR*uaZZ@HyT}MtfPAFVE6#pD|h@n4GkePd0R z=M=uxE6ug2C1;nx&~7bN`Aw$7F|gL06KZD|^3`^lNdDag&AA?Rp1q_}%*4cmq>T;B z@$oU&o_m)H(z1$FgG-i5_)aF_z%h@8*eikmE>k%b#oWWXZ&y1G>joBDPP=pifpM8vc6%=qE$SlDYJ@C8B{}T7hLio zzquTKciDy}Z)rfy#YBw9FMjfdilU8}m8Ok&f&}1%j=2V&oaKC1L0e}Q783HBgp}0E z-abiUc4me_*3H1cKsAlS<6{HfNE?Q;_yT#GJohycI}a4Bjo3JI&ef@0+W0(B;Asez ztS@`lZr$+V@c}3aON~#NmnxNe-hP$+KiWgnQjJ{^`aWaDR!bHkZv$D(9~?-t}rhz z@6^nUx{(pbkMg1-`RD_>zsH0l$H7Y{D~T`0A5sL9q8Ipym zT^t&HzSZ)V*!I7JCp^zX=@0*^8Rumt40f&m+tCm1x=8wq*lB&W<8F+!d1jiKlt#kR z#uCI9;*ZD|M>^*qYN3hb8f&3BP|NA90k^RbH4|HkOaALQkk{EQpy5Nr0ZoZ-qzzP1 zN?IBvF){IrmX`RdW=N?0E(HXCM4nvD{gX;FprOTM8*|IFL*5ab2FN1@ArflNDa$D# zZ3D1?r;|{+%S$Jk=M!k$?e24u>Dm6(A5izR!!vgg^agb!*J3w;QRTnIs2&ryR38fY zV1AMZzVXi)h9YHk$(L7)}Q*85K31siJ0*p$c;o-KU}1ZAM%lL2{IT%JBOYVxvyV zM-jFJ`ZZSJw&CdS8vO9!gNBaI#Ln*b+Esnh%)kJG(X_0b)RNAU7Y$H{4KBksa~V%$ zTXOirJjak!8oeWLc2J!C;h^y6p68#9&*xck_s>s?3QzveX-m&Hu+XO(f7R>f(^VY! 
zuD^=XEwlDxMdxPeyUq%iu2gE=OhW<<~pn4vBtZn60oCD0`)^=mg0hb%hj~x>GqG`A5uD4i=t|bA>aP| zWKut{kT1>htF~8Y!^e+`OG=WFk?F<^;Y6m}|2ict7j<=9CMKrbf&y@A>MgRfI-QoL z=Cu+X;Hol#s$ud=lMz0g0HNT2{hU}|UmrLnh4IrrU_%uw+8j^;=Hd6q$6y^1_Q;PU zh%YRQFyT0ecl0R2*Z+5j*{!`jOJfrgc{w>MLBU(%etGy-u3?gTAGo-fx#^$o+&u*5 z$$O4@fMSRl_-*n5_YYeH@#)E-jHK@=sEd6wV;7kr2bfB4{N)Ss81-_8@h=yd~nX}v49 z6yv_?50-3B=g&gXH-L#0S1E@Nr4Ni&P&E|lx*Mv!n@34B-O`NB1j_iyi+%#8M=Eul zCTuut4U~&VS%^*2L>@8)Ow}AD$=%@ zeuFB#xlS19;F#ga`tiwMlM;t6(7UpLDf5Syu`}0!br+zcpDu-|CubkV~^yuv>;vKiLD9T z{d(t$M)Bi;HLK*~jn}AAbKq|ep;s5A&h6?wB8=zYHRiz2cVzFggzukB^)_78JF0$v zK#loj+>Ejfdab!-0$^JOkr`eQ$(ap>`74>;A}elm(sz!7PailncXr=KDt3y0CW}bX z4Y?*m_wqdxtf`l1wZIQV~jQTKAMZxdb~MHv8laa1Olo0d{K98xKGH?ZgHGDkSN zDdho?PTU3awPxin(df7=9BmejMVox?w_XCy4cMrmq2bNl-3AP%>gf34B_D7G=3U+d zOsz{b6DEVf7oFyVkb6gAa%ID}j-olF-Q5Lhx@w=k7&Gh((ogZ#tLtk@TbZ%(zGIW> zE12MKzRMewa||&pK-F)$P1y-!@(xMfd%s4Ux&H|^sVKsp31%4xtm17_2QznTHPIw8 z7wk-Uiuu7sYnLat2ET-pbOw z)vxl=QSOdinw+Dhn9yqHr(UDCPIAzDwVhtvT3E_wkq?TnH7*kxXx09^JLxGF>92U5 z&d5z|qHkL{P{Op?4T!$b-#FccQk$6oU9UzyaJ93u^UV;&*HaI2vT2OcJpSsh@i+gp zk{nnyUG|87k;|j5ZR>+EA(~!St@ZmmB-7Gp(tBwMWA*% zyp&IN%U%^YnRu8YYA=H?{dzS3e>%*LB^FqEGcw=R^~%A);o;#Slk^|rPkc61=gzyl zMl4D_&kF!k;KX`=7Q=E}rah!9FrO?tU=S+6-R+Re@M&$dF%4=D7JM3y3kuu*l)bSS zhUw1AFmPGFvlWIKRA8Yd{6QuK!apv}tDP~+Q0<+zVd>AV50u^g#>&Q>&E-Rk5M&{Z zk8KKn0}c8ztRzxMhP#+X-Ut7UDXU`8d*VdZ_jG75r5>BurJq=Kd* z@{-Ygo#!$ExvuCytnO^oqMd(0dPk%0MwiCu6;;2(z#I?CHn@ zaN19lOU)4p%*xvRyRRo@=7F~dQy4fUIg6eV=)E4F`4S0~A_p3$-zS>&O?dJ1tqdN+ zRnI#B!Hrw^86$4pt21ECGY@xep0x#Da>!Rt3H|AjnF>gs;GU)Tj);q>?{c8=XfYR_2Lq zr#Lq0>wT}V`pzo$03TIeVa&*SAySsZYIb6@>F$j zltqtcVp1#tHfp*A4@ zDMwZw!#L_oWTHg=aQcR2J#L0NIwcqH#5T}PDZ*#W1zLTiEwtMU5N^C(gbS8f1%@@D zG>lSi58F{1|H!!QQ59eBY%(FMx$cr4!idRLkBrWcTCIp%a1}4N3X@YkO2!{QPKKHm zS>3!{!%Ts*R2cWH0$Q4z#lkiyV9kU8UZ4U*IoDjls`Q`BnAk*GMO$m`CU8@b5Ok|g z;>i?Hn%&RgX?q4K_+8_nJ#UBu@1Tzr_|JX*iYGD89^Ry1B2S7V={o3z^|Ec^!&2C4 z!ElIIHClfBDv4I$=YpR+ljOl-g*;m&V zdgZp6W+<>}%yPJqb*SuygMtyxmFKeC$`&YQd<*&9G(R=8#Ped_WAScC29HS(i 
zm(h88H^kyul)GgcPh~mj<+|m+-lZ~Bbcuc=rjMZQms;q=sc%C!fa81Y08(dQ`W^$6L z7@NmnwB(fC=%QgSv)sVCn8Z;WLi+bc^5^%evdw7?+?eZkS`W*mw>SN-oJkk=Q`5RN zlu7$iXiCcq*R`r;JPaB6d2Oxm7K!}-G!-DIRBg;!SXk@=)Rz2464V_A+u-Z&;#h#T zZ(j=l+oL&1_XsCDn#YxFZyk%P-Wj_n%0a!NmYz>5-ZnWS&Wg8w>h-_L>c1&@CT}2} z^?cBJ4z7K^giZjL2lmSIDT=s;Fi+S1bYZ+kN!j5`I-O~tqbeb>DEmpr8;M6-ekm^O z4Niw=FrDaH+@U0-9#u3Hc|u!^BFgnKC*brB$?I~RyO&DxE2^0QJL?`PSV(y+}g-Fr9G5NWd`Iob$m2dP9~?fE}* zSt!M0`{eR4VB-z(=nAtm`EB7ROI=zfPszx-BgnEZ{1vK;1n=+;8{eh)>Ht$Jrv!63 z>7(x9c2>Bngj#%WFRFKrint&4BiVI&AeXfb=i~QUj5vg^BhY~YX$R-~MK()Qm%l8G zrKF@z67b#Qf%*Zd@;t{)VLqn=UdGNgp%-<#U0sBYCVSHA#%Oo^_D)CPZ|8kkl%Tm` z>ea|=&88e;0>!dmf%j2NhOHiZ>~z>{+^)DR;B8^t6USl6-_(vW0 zI^RY6I;VDY;wTs|3qI_lL}yOXR~v@}pP83uHOg5&zV7ks)#s7VH9CS$aXUkukF=4N z`YnaA%G1Ep^iN_oG)SWnyY2RjY>&r#8KOf?hX>ldTex2js79f>N9>uKKgPz+g9R}C zQcZ?KegFAqmVlRt4?SFV-7i6UuU#MLXo~qG~#(oo!x1$e4 z;w&dYSTHnPv02FBm?*#ASJIDe-3%vV>#5325Mo-SQ|7O~MNd;QUPVu$`_qzC-^A7& zGLz}lEIYGhr$DY4(&K+cW4(`eC?CU!5m`p-QMUr@P1aqgzgeoPZJ!F0IC$Xt!1Kv> zD7H{rnpk>1q+3j$oITghH*t45cV`7r&A!NI!Y^96Vsc7Qe)exX*|xmdUb;5HBH^v# zJ^K!CxG#(X59e2_sFTtb+UG&pgTN+vSs3f`Cl;mf!kRLZgu83`X4IW-PU1Y1uiGr5 z2bC8o-J`1#Vo%0Tqg4ss)0j$fiLiYA_eEAN+GM{%qB)x^%3WFO2RW61uxuX()lr}j zYVIb(3_1R7|M+~S9n8T>Sg%hpE$O<&NJ;V5{&D$dxBGjkCcYGXip@V&HUhnMp__s% zS)?2-m1-}n!r5U>P7W(IOpv9bgdU?*e(i;<6Vfa-=KUP#{7e(_w{aob8#%!4@czD18@bz}iHFvB@ zdbg4#5SBfvV-5}1{y<6g_#cQlz#+}x!P50A=TA?vw=9QsPb;&9!=1)tWN5f4l>Bq) z4V9NgN8n@9u?2DS>fifq5H_2Eexy>wo{lGU+hKurQeAOOf_+tUKG*rA;X(P{>h{{` ziQ#B%jfx+5(uM^P#R5cGSGNH2E(-%L-2<1$I*%BwrITOc z5fpub$j}YvJWvKqqajz;|x-&wC{i=8C-vXh>d1BKOU@v-`|X{lsauC_Mu7mi|) z0uR~{wvRGD0e_rmm5)(n6JuKS8(OXP7-UFvd9l+3>XpNN2tvcM)NRJ+>-3;TVRD@7 z(PZy7jcE^{=5#A>P`n&BXIo$g#|?l+uEd$$$s}#<429%h1Iit&bIPkAft*fmHTRj>j6bK`!~xLDfsP5>fQX?( zD{IPl#3TdGF5b!4wYGYHt8BKT&Coqcb^pF!oi0mr3M2A6|9hUn7^C4sJHO0*$p$le zYSRpJE0#&-3@Zo6JcFy5G#}W!(Wz{zw*y<@@)rzjZn1OBtACJBN2|btO{?ephXwwN zKakg6p)?Y!Rn1-vn@~*3^_?DQ9YitcASJ^$KhqdbW?^)<)Er3%TrhqaXQ9c`jBD4) 
z5E%i2Sa<5eUWh(-pvoleg!SDnUK`fhos5>Hmh!~3Vc+@r8%6XVtQ;6&FcThrMZ2jh zqyThP_#=IQ-ZJv)*4w9nitwAOX@-*ptTj?``L7#vGUc@TTnD@HPD5blBLwz3Uv-Kz zLz15^uqPhnvZ0HH>$eNiQ<@@`0Zs`>0zDODXlw1MSx8cdOC{c@jxAZiV2bM`!|%*d zFFai%yOqe`EK;M6S`q*Cu=4^m$w)9^LcDq~E!6NmiV_{nP6$jR^7f01dd+gZmedO0 z^=L|p2o*cM(d!<}Ekk61v1~(PN6!7*?tD|ctW0?KTVgLH(|KemdK@B%q@^vIvI+Xq zJLUyK#|b^u1rWo&MqTJcsH8*qJ8Cb(VVk^PRLL9h3SRf;Pw3D$jx0!y5=@&9W6+Up z?lMhWbV4h8;P^~=HV|KTGCxMoT-gXo-+LG1s>>y)r(oc|5|o9@ebMva`albQ6RJcf zR`L6=y+ZqrL& zLs}4NZwnL}uzK$mHt4b2M7fW+Sp1rx{b~I?Le2LTjVBp?VEL2p_wPtOm`ymz8F0FI z5Yt+c^d%u(`+eUUX~s>rAGLhrowSMVao4NGJ`v}u96v{rAbM({~_3!40o2;u8M_Fn}=t zq_H?ZKkx#9oE`E6)&^r_7Ct368dKQfWBS{alZ3bFbMj9#ra}Ij3nTunwj17ZuS98z z7l~61ylLyeCHxB>yyLTzJyVy6Sd_X0s%46*rT3mMWdOIILo!@D75;kaAn#IAsCp_f zkB7~7)9vC?Bs0;}W6&7agoTdLaEXzsLO&e*G(>2u($H-I5FI%bl+}gjhd3XU6b~qj z{uXJ7Y-(c8wl+W+=42y#Dz?aN%@q+pASexe! zAE7tOw?1^eNgm4lB&E;y&Dg)wm^(~mFcA*49(@-YTF_{On6WWygW|Y4tcsY8aH8=j zg9zxdc8(hIOMGB<{@7s`>_2R{T`@6p>oKnQ05>#w=&yx5k7oz6AiB9?l#3uPB_K@D z0ON2DwLl zbxJ`MP8C(g#v{Kh4f2+kQ^{#|*a!}=*(b><$qBr@r8Wm>3`duIen+Ur|6V3~FeIG- z+70dbWNTCkM+-ogS3iS2{YmaRAg~l1Ra>Z)uvdFUX@s$pBOFyI+V3-w?!v#u4C)Of zyr)ZSsc#Cr#w36kv?XZHoC(lnsynfUGpC0t4&+vPsQlA__5Z5@jgw98^xT>Mru;`#t9Tj__|zdv-Qd3)d2 z8}93W(N}0f=zCGtl3+-2OI-OV$wHcfWl2d7lV18Jf%v-j1!{_lp={eR@Vj1XD(*)w zrZrr>+Zb`~?a4#IrOH%V9$#G1A#Jg7+ci~>h0olPD};`D5L$fv#QyDTYaaT_Wka9E zua2JIV++5ak^Jm0C#3^a#QID}{zJOy{~zh@qWIMmf>ZDayd@?D3XC-#OlFw*@x1?r z*=`xyqQ4$zvkaQrG!mc+Xyk28u8l@6id;g=Flalye%IZ{At!(hu;BLsPzVZbY!lL~ z)zht3faXPCv{ad;W}Dnos;$GKTWCB1aG{KQtC?`o;wj5aqZ! 
zCngC}q@M(nM`FFT#Hh#qY}-pXAik?IBAbF~(DCb$jtL^K6n0tb!|vTw`gnlPXyn`<($0-!I?rh; zK}y}|y~-zfA~V4gPciqep2p})6%zw=jQQXFpN&+{YOu;~M^d%@oOlwl+8qW~eU3)` zZ+{4D@j$lJlyjX$T(DGlWf~bPzMOPcBNdle7nT&!3O8W$S5R?XC`eD~N}1}@1p8k6 zGot4IZA27-feA*2Vl^DIevZ0_^K(L-!HOmueF|k${v|qbEJye}yK7YcG@MXfg*J8e|kveiHvrf4i;Qi;0Oa3o+9QZ23 z^cE%le%PNt@hkZ2Mcyrv^>lVTM}^;eM=X(?rY*hipUg?!bqwZqT}`qcjTggeWo_}~ zS4#P?<6$Hr2a#IDt5kg zUR<5)rlj8<+|x~PjEd{M?r~@+XnzH3Sk}7oyY*dMacHSHcs#%7Yg^?rn*JvR2zuOJ z3?G6m*4IM#UpI2%l(DjpqIbMx2%_-LncZ3+C+;ZMC)luXe#&@UWQZt!S+L3H(r6SFR|ZZKDdIKI=ybC zU$WGeMcOqYF030|wm0jyUkyzuLB+Vp3 zofODdHBYzV#DV%ZGP;{Z6`}Z9oRxen5cRn19{{Fsa2it{BfBVzQD#G9ZS_zIt0;Hb zjooP{>A9bo*W^n@W>VW~HUIW2#Ky#1oMy$cJ=TW2lEJY2%NC`nIj))1NL77-x>S!; z(&9OlHbqh}-R(jc#PN5boh@i*cGlH_n;`FaA{KmanRJ!r@8JKV&!FnC*Dd0tHT`H zTKyG$M-(6T;_>SrNY1`k-?{^%s8zpl@b&uav9!rLOx7r;nIR_a>B-uv+F7}{e7Cf4 zajmVBDk-G8+%{`uR6CnBAc#|+iPb2XrGkeV;q+mUlhMz1gSAWr!Uu_2M= z&&uW|sfA5hZJow(f#ya?3);}+K>{Y58m?_b90-RrJqKBgM{>9PJ#o||%?N`=Si9xn z!CI=mjKe21=yMIF%U-)Ut?)dfH_Mezhx{?3jTEW=ChY0X;2}b`+f_Uy%ZR4kFD-9h z?e4Wqih+)WPOg!mp|PiB%I&uD4udQ)5yV&;DLwSYyvNnynJ5CuPr+pu@yze^mc7+T zXQh&$!_J0dE&peFO45qPj19Vh=3h3dS-T$dg5b4q`r=l-OTJyZf}~pc?`^#0YGsR) zdd%-WtoPah!kvv9LH87SZp37d_o{DHls87lOQbB!T<#CvmP(=#r|Qsct+<`c_r($z zM`Y%qq6~bS(+yI?-W;%Kets5CE)!}C5| zaeCCTF)}JiZYBuL=SgcXH>rHp#l6eQ>g6m7?5R7p#cxaWRzn7q*M{=>2jmrr!d*wK zi1+)hTZK~DxD#Y`oE|$lBSl>HOXPQU))fm41bd|2Ua>~G2|N^h^4!Ma64Va9EhAlO z&6W8o0Vp|4AA5);fKtOyvtXU~iQDh=5SQw&k?fr-1J7g>`C3?Y>^M!@M!wf+x@e}2 z%vm;kOw5sS7_#q>Fo|U2zsm5$C9-43%P$FY)BY(!Z0Q#qdc-r#p*Liuj^TD1TKc=K z9oIvT_F;mnQYcTtxgtR~xUCM8GY&^U=QTEKyTA8nP;P>$f^NMb_?4)LNQI&r5U^ry zKJ{)4ySyk`_FD5kCwW^L$)|060wbw_rH%J=K)L5CcW{KtKb=Qp_BOAe)zNkBjmeWVvLE(ma0D^^|eiTjIytX`*$4L_~ z<)rIslK(?{NpPMX-;XZdlnn7c(Fjz_6)&lwJ%o0COs5&v*zre)BPMUf%MFG>0!i2D z%JZV{b!taEE1Mk88+1+s! 
zFa({Zqs`-<|K5}$@%NyPz5qlWp(Aavb=qXbo7ke?gYD9)*UHUY<&#O?(l=aQev}hx zHIrW&^)3=}>ElvTB>MOynr+VI6$ZabdB-jEiufA*kemGr{P9C6ta>WREIv)GyD`Hj z>L3F@o@;QMFrs`ca$>fHAg<^jT&g_`zX5Y_Qk|Z6YI>+Np(6CH-hz;h8Tk6#Ha^}Z zb?L-gko&Jxymp0^qrFWtG^F;svpMt|Dv>m*-WbZ#dGXQ!-Sl!;$CmN!qaQ@NC_~gW zva|kuo3!CHeAq(y z#J2h_kFwUd$6@e)W*{R?3@60lZUIKA;?LWBjypV~?Q732s-dsOy>R<~NQ1T4-Nb}*@5`pym^0HmE;3Ouqo_JP+Eqn9;9@KL>Z z@6XI5VAOu~;3tNE;8pqpUWbbaOM?$QirjeBgav)6S!5>mK2ko>4h5fc_gW_X0u}?4 zFO|}#zOzNWqw<0|DzeasEXtSMfJ~ckm(ep}or{FRsKXN-DDiN;>->i{B%yXp$bgbi~LGP)OGj=?g z58f=M2zg2K3+gXvI@rd>Vs}mCqkp1Ujbeq?@KJSsN$+ds|8Td}FlC-+SMcT17wpP$ zrTh{K?StMnUR}A}%76@0khu*_oA5`-2Hw%HNkw4XbVik=mrp;vI&p6+0!7cp4`U1mz;%s02$}{Ibm*phh z*1Ju%B!imbf7#r$`dqG6pZljl<6O0OHr$mB4V&k2HOTL$@T{DF;_;81VX79Cv|&G@ z!_Ma4lICyK<>46WHqEEhQ8hzX4(;_4$r%2|&m`N_!CnYg+wv9}65NPf=@)U;{Fu(qZx_@$D?(LLS z5}-A;vqPeYuBb=Iu_{HXI9y&@#l@@8Q0)KgWWukRqO;J9tqaM@&B+1(2`gKjTbRIj zEVdT{{cISj9*AU|wJ#fs4s{bEO8Y`{2y1C?2p}aQ%a;D~K4%k%AKqW)@HJuUgU5ul zgo#w%S*d1N!&Ju-KM3SqB1>`z%tgLG7vM3HA|I;V+QB}8^=zy9^}$wJl%4d%bC&H) zMf^HA{LaPBj(O(oS%X1^Z32+n3PWQ86Wy^i=&<oUBfJZiR2c8)IWQq72{)FvI|j(x>hX!sC?F$2~;UOjd~3>MSi^pO`8z5TKW4^1ziS~C9FP2f7?2Cr-Q!*L?{HJ7cB=4 z1G0x(1(x%9Lw#i>A2ReB?47svG@M&d<*H}4Cc(4gRc~`kD&C`(fipDV<^T#99-%$M z!EBFE!w1(WQ)9SBW;P7co*ba3uaBRoK}z7oG}XO7dH6hLrK|zyUzW!gFtmRS(!`r9 zN{^eVy+>`9C@$m6^7V`dzXY-L+~hytVq2LOL|7G+n|s8H2hA)W#Qn8CcBOKx2&$Nu zgk#$&`)nS{gKVQ`d`TrufT`GZ=AX`KNB!=E+4nuM_rG?mtHM67@X7_;P*aF`M{{5r z(bezoSD3kFll=g`u9Zu?*g(9)gG@_~SPt3cfbLE&H!da4%M%EQ->3aw1 z+$^T{Y8#5w3Na}+mvuBI`xEyhu;=|28C^NytK&i_yP6_f{mvR0!GMV<9xih(r}*w$ zN9Q~z=Rh)}GyaOz@0nE50Y6?-8r0K3n<3*uYOmFrntleUYp4EL|3rGwGyU+x1@?_- zS;8xWR%QK8N+{)&L>(Gy=pz$1mw!lGr#Kn}Ddve?u>D4j(v<_f?nqM-ll zxK-R9;uF)dh^L^s=kaw^D_}fh_rD6=a*k8h|e*HKpvspR;Vo z`k+GcXE&@vE*Grq4!^5P@{(h%MQ2qs<%6>CIR4v-S*dw5)r zyjc2d>ES9QRnvv6wS4laaVs02?AmH+DV+=C6`@fkr_4*$2(Xjgcigyk-;dT?h6Op*+7HVl z+H(wZcb4?^6zo9)jhn=}^yaR=d^LY~?4(ag%-OMv06j zNxOCmJtUp!mNtvcVNXlW*nZ>doBMim2oUD5gmiMZksGSJT@l`1aA%05GFVeq28r%v 
zMl!gPufD@-)LF^Rrb-X^_;QpFLTpe@5NF0Oy$WdkWgp9#zaQqP? zS!o_&vx?JxGW65p$}23`N9+5nCtXdzVExOT5PTN`vio@$r}I@W8&!O30u@HN?XoNe zHi7Gx5!@2HFd}PEEFLT>PCmYsb@+xXa0AN()Rl1%BBalDT=}7S)VJV`bC>Tank8Nl z$?cJYUrg$p?ChF0^B`L2sZ*CQE5`JZCdynqS@`m+eTh3|G+L2Lo{62-!pO9rdEW*w zyuRWw$$s$N7t>CmA3U_R0=vqZoalxApb>9q}bb3T?@I1Z?UcoYYVX+<0TF_1zX#`@~nmvOm46giBy>QD~C?&|pr{V&{n-8Pj@O;b=%c8_Fd#Se}k(c;^{bc}c}SCO44kw)^Ld%%c8X5rA}X*K{-Ra1_)Lfu_bSqA+m_X z$k~E!hlJWgMoyg91JT(`E?jqhniRUlzv$@EKlKAHr*UuZ}!G2 zH5g-5q-b4-oI_@lJE{z1Vbdnk>JxZB%9*tNZ41%Z1gtAfU_O|$Ygr3H~5Bx*0VNmX})g0zyEKRo? z`+hy5dBqpQ&FyT!{^PW|Y_!TD`^v%CrSe*`Q|mJm@M=Va4Gr2BhP{tVT1 zM#2y**p*NV3}pvWx+p3`-Z)h^rv(2xuwfWhi|9&*0b{eGPPR)nvZ;eMW;l0PkUZhb zV*{2cG}|i{WFYO11s~Bnz~unb`|%YfbU|;7SuNSa1-n}N6dc^O$mn`PHeUjoY>_Tn zBmYt8Jt#xnTCRF>BP5Ado@QfogasdGDLI`n4^z#~&h8w`v=K@Q{rkaInPU?#<4?fN zqJV%%y#E)yv|eT4kI?Y(V=MW|4apA3DW7}$Md!n|n8%^wq zZ6|G`#PF4t)0qdWjDhT5ZdL&^n|>?#jTWoO$QI0neKPe*&pT?PoKnejHBhvM%3&@81Nb#ZyoJ3Jhvpc=ckrSkxekV_GmW{SrFT;UDWI(mnU9(w-h z8{9cPmG!oa@uOz8CH!a#+dMaDhdW(v9@e&%VnEND+{hv2mKE6-Vq*HTa&dLJ#m%yhGL9}|nNYCOjz-dWrR%B!Vkn5OJ)t4eb6f;}q5gm#H0BxotD zhtthIzBh5K3Jxy(nP}X0F5D6lf>2jqKR7f5uB*$;ZDCmXV;e5RRM=6W^O`4&khw76 zt{-cpLfKdsQPlP&Jxs%UrFFzG!y1FalapUB_SMSkXYALIC;u7uApGo#tygwo4g_#x zTzX_ZA*|%i8(%HT`jf2?%3th#4Rqm$-^AVKa%x~?fxFee$^j#zQB4r#TNA%$Do<5Y zvfhyOKS$GM?R0=kK{C53Ko(Qf&DImU(3G9EHtJ;dcGMgKo)4W+bG>#%X_iUL0Xw3e z(N1r>^KJrjqvqm)F)z4;Jq*bzCIb6&d;Y0JW*mYPAadlQUeb{F+h(nRV<0ecfFHHt zE{081P*SmtH-}U}qR94Gt(=t=(>Ki76399_eq2FI@ACS#9M7d>uAzZlTU$HM2LOCw znOQDNCuck(axl&ch&rkqq-wZ06?UxFA3v6)H=IOALo=nyC$+M|6I#u>ymIazo&BJ! 
z%=&;t_mZ1!8+3$iJacB9Yw}fobwQvU%R^_SHKM49A_7Nq2cDLV?pys#a#+=w;nr~3 zUu5Ni&fE&P<41#ebcay@vsN6c3 zy(NyxRu>{gIHEG7Y@_hXF?Y;ktnqL^iY9s%{QSw5(%7O9!NT1>uoUj#H%62X#Yz>t z%Z5s>U+67dj12BCh`r8M094x4EJlwqC<+CE9Z07T+^gR;#R}M*s-u7; zUH3tV={#N7dsNQa+UUO3T$b}qzu8y6HMZ0!$}8`76%~E!LJyKxHeo6)rXqBJxg+A` zde3T|%h!*Ais}KaBBrep(@q$`-RSG}YTVWHX~dS&t;Zbm)*>?|vG!{1w>z^>;T~IG z(3Pb|!zu+cN*WnVD-+f8?{nBeIw3SYWlVTAjvv+hw1FQ+?vx6 z#Ha=dh2n=VpSWjqq*Pr7>{>r1p7lVlGCr=gFT5?`YpJ-siq+$JE52$Un8Wv;#w$l?|_Dl4rzHaBT^8;ELX6_7R_ z|F&}Z)xt9sG-ebEotcuexQwvPzocXO`J0#LlMh&X9#OqM@ni+)-NmDunr$f-UE;3ikc>2nf`SIer$o8A6$x!^9JaQ|;Zf)m%oIs;=|W4k*Va`d`CX>aB5{5s zTbOUj`plQ(DiK+3@#W5^u8PB3fg>Vmlf0DRzbKY?Pqp0v9}UNKT-DV}PJRN{g^las zDm64^ddwAn;--BrUg5r;ZJf~lg-7PEpmy!nRL>_Pxi+WrbrUE6ZwVP*H!f=G&~Pn# zRMiAc*OpWMPH7N|uJ44K)MeLMugQP1YkE(;th2F27@d)bGaFQmICowSd}~|t?cnm+p6S%fS(}YqPeG5TW$9jhXBMh1ZLA$L^G08?7gDvjpu!0 z0Y|yv4XR;IEDhR)>*5?TfR%NEWUX@jG8{KAPSMZQ`0=E#A!RIK(IbA3R#t-zZDUC1 ztGN|ksUZ=v50|jGh_do>RMlF*AF>K)s1tgIa;`v@tIwG28pJm;XMHzp zj3IMyU!RIm`nYwVAmyK+GF%!dub8MN5m_-;K!i=9LdO?KcP*Qg|IM5==XM#;70P#Z zvIcvd;0RV%j8151j^A%-+uJPY-0`?k)mQReb@lWC ze~hA(*B(Bdj|gy(rfuS`jZ9hd7YTGJbjOk+AxW^p8bqb$Xlh9L<)Rkaz;J%6l)n1n&A;O)V@WfvbPr1Z`2Y_f$1lezov@R+8e6s%OT} z0wE%d=jGRggT5Dw_na1A&T-Un7EU@A(PQG-!WmzVqF`0ZK3_Hml2^IBd9gVvG$&#h zvIGYDUDJGTrM$XJDJ{#OU#r`?yATWj!Z!#nZ3B#j$ z-wU0L(rM5u4mc&EF>U+^3gY*nulFKi~qu5fhx*6?!>K8r1Gh|2(FR z!)520id(0AIh{$^yPVY=;Pt&z{)!gWL*{x=CW3xOgqf5$(&M%yBYJl`A>HyQr}*t9 zHIqHRr4&EoSm_GK^hDVIN4`3nNTuxSSY_cN3?P$aqRThJZiyvncVOcyJ?cqEY!9_C zrdoch|B6B^>HZaQ&4;_5@n4_fxV~3!8aU=~Sy^%Qm6nly1s#gmE!3{_&gN&C@i>e%TkF z4>YvCZO^)mM;iJ_ukHhRFFP$f%cqy-@^mtw6AVtc`1`TBMv7-o&j)N0byPl^v(DK0 z-dVBo)EqY@9%K9WGlb8uj9);aZ*{f1|JPrJmsM1W$Hk~5qF&vVKO=$1A*Bggpgvtn zKpSM@^B1#W9c(KTUonwQin!K?%l79>bwh@B#55I;ghSsPuh(0wDUF`!I|!Q)b(V{~ zc?fU|1A90%e1gzT`~ylPSl1v^VpX`m`t1^Bu~InN6GGleVdIjE#;S@DY+)~)!8>Ol z?Wo3;E%Mu4XnLkgw%^Q7VMNjUAcJO{zy=HF%RE?zOIlwMwKV(ge%CmFjs+znVrG6j zuTykQM65yCA?y7p!Uxwvbtd$Wol<66G_`}R4UuLGvnruWtN~+qUZnByS(ND3EOOEo 
zn#^$5`q~C0HY_?}IQ1NA(Psqe*y2vR@OKK?LnhQ>_uAR%9 zDqo={DkMq5`MCn7c5}@7kWVd>U}!cmv;nQOM#Lv$rw*VnZiM-Xd9ya2Vl#vq{&=mA zRsYVBa8iCOW;9yqFs1R%@{!qgmRLnH+7a%g zLPa=Pa|%r0;|a&^wjg8?JTZ*h-C*g0U^JAxo=KHol2nF^5A(BePimHh+B!``%CWef z2y~xbNG}^R$u-wp^Q4L)^SfpVUo(1)I1-5=1kyDg+IF+M1>$n>lC|5xwtA+JA8A|% z7v%Lq1kngasO17ddQ4Y!S~t42h41>ZZoA%?j8^;|<3X&zYpEjmLHM)!I_BG7bDyN_ zBR;#aaOC1+DUo13+lz+*FFG5iUs47&7Tj}N&Zn@J*{}EpoeJhQ!mmfg4<}o2_KrE5 z9jYhOXwvc|d`tJ7jT|xS;z+q;yqOGO1SGDb6mgDh@e*p^#+)~f8OU*pTM8N7<6$7jE$FK9w}x_Wo! z>Y7?*S~_{io_pF`3N_>HpWaosc;bc))y!PROaD-Xcpm(MakRFUaZGpd^xWI*2}?>! zvWF^oCdx8flI75z261p0 zoQpB>6dc*H+Yi3ctyBA>dfG5#AB&ll-80hrF2M6{lCzQgmuOI0vc=Zwxk--BXG5u? zk_}4<5eINTC_Lu{@qr@t;P4Pro1xE0-8`fi;9+yXJX+KuXRs=NF2Knx4Q%~wo(Gqr znAxkR%)N{mm+ir(F5d&6PLN+*9ard-5Kf{sh*pz$tyH!G939e;#|>QqE+7_j2rNZ~ zC5wcD95viMr`1yBeOB2*@@{qdWibwx%kf~U@|)tr8~mWdGprl~BC=x{%AVig3Y*?o zr5NoGj;v``=9Rz(l%LN-OWX@RgGpjcActX@vyHz;`+^{KC`{u-;W|doXwUW+ACpb5 zS)#|&Rn&6gW>K{to+Bq_u`rAQh|=7p3yyC_M2`KVQ)u-_UMjq|MSPUe(mYe2$A=e; zW@st+F&owAT$dJ!eNXaXFQ&NxEiw{1{%O|P{&YFg36J%L52IwF+uuv+&)@b^gcwe8 zXO@Yj0}s{8uo9yzvF9yKDoM$U(cAo^a(}q+Xb|Ar2?73$qEUub&cjp7GNYy)>O>-Q z9!4{}aP@K0#HEI5fn~Ha-9{JE1u(ET6&DiC>ZN9c^)Ww&=@5)=uTc~EROrak7q#L0 z&JC@bov>^ZVGd<+&M9xK7$-**hH&3Gkq+?aNyN-qdiOQe@)(76f+)qET+|=Y6_L6U z2LsA%t$%a#p?T$apM?d)iaoqV6fC0J3I#@I*HX;RCP$+%jQ4dah?;n_{G*m>L!gPvR++%F*>r@Dy=;J~&|)?oeeE-bVcZ*i z4Cz|}IXWY(q2f-1`Yc5zzyHVfZ*=(pSbFUnEQ``UMH0NadgQ|+dd&Dy5<*F8gSUm$ zM7+_`QxTfpOc-W81OSC(xDpYfXcQTa@`@qa5s_=S{;V+CDr(>3D;Ys?u#;#Ldn!8~A}!r=rn>?;`pk5+ z2aIL(f{_!!YP;V4$j~JDYN+foRt`h7W+3(cmGJ2xkbHKl+WO|1wq?#}djr!P3B{k^Fi7jpq5Il&5!XBMzMm{&7_?Go!cm+7twqUA2@DUNq4leU zeBlmZ;MqZoLk8ADH|zM>Ln8)>HCN8-C8lHxepdo>2c>v@)#0gUs>|;z3%S~OK- zTd|To7>0@K&Xouv4j-RdS5e{^y21Qf#87))@u9l9ieSY)2s%po9Dhg2ps6pBd0gJF z$#kboZ|UioWNj?H^0IwEOp;ez6*?CyW@@0|JZh6N%?K2Pbi!vsLU+>AbS?KR({haB z*I@swY|T|Wm`FaaCD9;CuGd2MKzJ}0q%xDO32jSm3#kLkKc)vb?M=&dJqWiOJ3c%E zA_?v%F&k>X6A`G9viw5FzrLZkt<1F;92G}~WqhX#CyAuCF8|Blu+quCh6>f5@qJ52 
zUH=XwTIf?1KyqD!6?Wy<1X~QV16O0zLAk7?#SOlqKY1rja*qDUtg&*0xgc4$}eMpn8Q3B@tRef?!v6 zcCafuUv}nsdsONy4+mJ2D}Y>@%tR24c-`&rtL=XSROi_ zteu^5ORFX!H?taHJ=i6v)UVprie%SobI0cdW|09VuSttpbaR&u0YwKfGBB9{NhD<_ zk_}Kw&RfH5MfjZS$EXN7xdB!N7~h;vG)1>I-DIr0J9+wCGG50i18Mly{f~1Wend6_ zEyt8l+1Iq=`eLwx2iuCpW*au)puoaC(kWeqLcl(;7v(Cfxl1n2oD$ zJh%BcQDWiPOx_EuXltT{=t6<>tFaNe-lNH~x}YBI^mtbE5inn9W$=9A=yMIf zanz)&p{)hz<6oez%j*ix3?yr?YGh;SFcF`>_0ySUzw+Dgx*2wMcuE)jB+fXw?f1o&d>(>&hE96|9ovH(#q6S zg3wh22!xx$Vwiy3u77Ga+ClVUe2@2CbjvB|mD!4nY^$mqL-jH_RS=$yqe&T_S6D*a zjh3@M=%75SU$p!qSr#iB%1DZ|o{gQIrEN`A7_VqQSA|aY{OqifNi-u_S0J$)C+7%C z)#c)(e#3Y~i&HJ;sj`zgwWKqngLQx_cFK;P2Ao;`GcrVz#^rX0;(3abO(0+DVTQPe zKbE-LJL3n4B0iAO&_PjWMPQ&-Ff=tS&Fyp|r)587SjGug`^`P1l4Cg8%5VP^}a3>8W$0YTaj?W zJo5V1DyvaKgusBI=TP##_PSWUYqv>ETkQS(n89A?cM@o;^TCRi^f=egya)a-imbVN zAgZZKwfK!ceaQ1IMUG#TWHDg!UX?@TOe=O|^Un?bqx{DL zX(yVV>I`pTv)zDvmY?5TodVn;($AYqs#UYkyh`^k+y(yQfh1u7$!dmwFG1(cw+!QS zao&5hbAq>YGUGS5fbvU5*!+SIad4CskwmbL?DD7orVc*XI7EVJaVl#pw0YU!3NHSU zH-@>0rTD7A^)#tQBJG|)TY$P|UqOF&iY?6e?@yxtwp<{qiTkn(jOG$#TQOHQD-#gc zjI(AzCud)bk0mAn?dOm<+PM{CWeo4P0#6y5V+;=sUn93I9Z){mZYy5z$V(*|904Yl z;?4}wJ;qVyw@U&OkLRm5Ftx|rcspxHW)`@JDt?lYeo=iwp|tpIFi}IrE)u%{zM^Ff zUNJ6Lh*RpKf(r59tE%>{SsJU%eNI})WQ3q-1==$-m1*|bxb*`i_a2w!K|LF12efBs zxW~sD%5Zuc5>iSTGsT&u8#mU?v=Spt^$~S;VB>A)40mOG%vsGfSCIJ0IJ`VwU&+bK zJKjH52C&T}pqJR^L@jHU#?vRR>fhPZ{o$5DKtz;V*eOn$XY^z8WM$enCc|zRWp1Fr zW9TPn*8+r#t7Aa?8`?9W6FkEv*!}Cz)|ig5X?uM=Y!VSb%@FE`jY6096sUm%Ty%sh za?Pzxe^;KTJ@)o3bsr<)WV;prCl|u=LGwc8UzK-xHQXpm$P2AKCFME?Qu3hK@ZiU0 zbtfB-y6ELVA+gW)C}_7VU~UCYgTxYC`9vkYJt(SHmG{mnam*$Ch`nWY)VWW9&evamT{L!GqK_Y36CiGwRqgi4 z$(&OH2uHU9kI~|(g_jHOH)a3r=RR)ST7x-b3LW(i>b}-bt1U#vpdrsKk1n2Y6!R-) z9bQ_6P3UE??BAY?>|M1^TQ67)U)#q8{E{B1cHM;7ka|Cvm|;lFf8{n}5!sRQan&D{ z?-jO#CoraH0b^$@1?M_Gu3BiM}OE|_X~cE;mq{7_^o`0OXFC`6o*sbHHT^QwT_O2nY0*pqo7pU zbyx_lwG037@h4;f#_;&y)bg+5p5E1Dms^BafM;}c(Z>qbwPJmy!Mcty)AASW;7DV7{gUaBTs=YgRy(A1#+sok;|#f_FwYM%uEW;V z^sPFL-6!UBAxrT4cPqlI)t8ZKmV_g--;2mc;D*@AjIBR6`fD5;e@3|?N}2ml(7U&+ 
z24?9FiOf3w#woA2i@B)N!kL-%3J`8$PyU(GA>Ci=mOH&=Jh5!!Xm#0xmvxx3X0lUI zh*90J>&q*+D>*$d^|pEC?(Xcu1X|UXd$7b|;b7gYcpc5D& zU5ld-4cX2O2w`k?G9$>6P0!%OI9#=_h&6LL#DaWLm-TX?ECq)igrV(tF>~nQgcW#T zMqLN-l^Q2y&|%pMgx|4kj_fi561ehA>?6rL%`%(gOw}|ae?QchL^!}x?S9&`?2WnB ze*f1=^Br`UU3@+qC4#f>j3$<(;gttQsm(-EnUeUGL)o^I3a&@UR?Rh43)zbre6#jc z(C*cKojWlYjp)gPL)S`+X}R6p%p+~~G|jD^bA-iy(%#JDdu!o~F+oi&(>sRPyP?EW z8K3cRh_Xye;V91D-Pm&ZD7VjQJl>XDm;NA+BfyVyyN(LgtnV%9;x4C1VCHmD9`3-pe}|Gb*Pf3yXVr>`CU8 zy2Rz5ol;13eFqNJ4UX6>W-m>BR{Tig)i}xHQsD80w9MStp`yCJws!DJg;LcdjmfDh ze#JYIrC) zu|Cv&Tsggna|}-A4-KV7NHuGHKIFb?dn6ztG1DUDIe93HyZkdt8R#oFsU82{O)}ZS z5S1K|QkmEGSYdLH5e;aG6e7F~BI|`-3PT6$cAqlwRB}<%O8`06^czi_UL)zmI znvJb&T3|Ip(pWAip#y6DZ@CMy4w>#2#G0uy47K#n8om~oS(Q`?8UxWBeHz|RGlHmS zS}qTD4Q-M7393KtC=WQQtOx*L%WU06CUX_Rqs^SXgM!KA1$NJyJ?hZTDz`I);IHMS z$|i}CpF6Lu7mJ)M6j&{JN9l-`NPHAc+_or19=C*~(MkGPXrkN6G64m?-{^V-Qw8=p zsfWy*`@?q{R2s(gINDl*=aZL%t&+B!_iw^z#4(I6Tnh7fpU=*UR%r4EA7g) zY*ATL+V?Y|Xr+w5lwkAp<87Q-%5eSBmnhtw6e<(HRl~7)WyOrYJ6tGAHfpsm6}Kub zN#SfH5s>Dct}IdAyt4&C?Qm*`%=0TW4Kdt>N zkLkutQ^6(twN;fc&ee`d?t?SY>0X0{wVzE%)tm<2>!p(jfQuPn+P5vU-7oIBO^%e1 z(D|sB`D5FojAzT>;_(sj(*-B7+3_JA+SYUYH9k>B!t9i6{;XoGQP*f8t4L4psSQG_ z0NvL@&vZ90u1PMoLVM?gBN_cM;?CGhI3(9$&YDgWdQ;)=h0e%O8f)TAf;(|z79E59 z?=L+>5msVeH!@`eg)ED)>S3$}R{Qee7HIPxzo3l)Yqou$PU zx~9d^-us$`YN=Xd*0Yd@|5t=7Gw;M#HBs*7*el8`YTDDg#^iuYLkHGO`Sqnb-^|)$ zl;iUq{+)^ZE2vxl@o)S6uQhQJ`|qxf1L5uKWM*JzoBA|lUe3uNrYBlgyfi;h`PA93#E0{FQrm3E)Yq( zkegklH(7P1gNh$ZnC+xywWN(quC=|#>?5x3RWf^dI{&Dru4b1XjQ$5&L3-!B+@mi` zw(bWmcdEENGuJ}OG?_xS^dqQfE@Uu@xwUryUU@(*yNS)&VlACEZDb21E@vBeV|bTS zTegB|+33o((jD4NHWCcl6j>4g*D4ult{yzUVpYHa*o1sPUQd*rKCH(|*-gK{WnIfw zgK+#OPm6(bR1ZLnAzy}pfu^UpjBt()x26?^$D*~bZ1Qhy_ zt?Pt5aJ+G1V{@BO=cMm0569DSFuGb%6%#Z1RNTzn;Ta$Fry)eiAm*mU%Q&ljKFj9V zsX$G_wXsGjO754 zkGXxczsmdA`MB%EZeUzZq$eQERcDZuhU9xcas9`2SV6fE_r{o5yH{+uk$h%!ecL|sKbui*% zz*#Qq%DeGh9EH8AEwj}`*+lOX`k62dWpC!4$Q-TkQV8Y1Xvrbn#u|bLCP#hi!`gXG z^pel?XVJU$Ct))GXNqFTk5rs6_GR5L(bw1aR-$j%FExCAs56)0BYz%lF{;wTexBGy 
zq#1sHXTbR=4WTO=-#!uy-1t+7MLf@i@pT3>$FZRlIOxf{H9{c2q^X%H?1JCCVA^k) ztg4U=HRb<+8vp$3<}Ehv60@!or&;5yf}dXac;%$R+;R@5M#{UD7-&`zpV+>@Ym=0y zd*%#8!6rp4jBbiqCaG>G`)>X~poL ziz?wL!0y*N&VC*Yu($r@-)f_g!_8MotSR-N`yD*#4-v{Vl@-}tv51(@_O*A&U^bTb zMAwz<>_l?)&VD6fPL}0DmH#i8Kxm&FdIYTD*3eE&6VjN!x>YeecGznu4D>0f`X^OU zO8@JGyfDR~>v+c(D2DD-O+G~A#wJ`U-L8{x{x!U3`wIhrnGbl&g4nF=`W#6jscWK> z4j=x0jNm$KY8hSwKW8GZt{o!^S$dMEd27X&Y&(f=7f_0oSkO$DfuS;Xy&D^k=M#}_ zAmBmd=?!r0>67b1~eX}!mou*}ZP1GE+^(j>jHGzY**lihk(G_@l7$9nvm z5Y5hs3Rw`PnnB~|04dnCLT(gDET&g~u)6ggHU!@O>PJHE=d45&@39S2J z28v27E#%jC3C1tI3I_8m+ibB8Y!nKLDU!#Q%=OB*Z0Mqj+Q_3BOb+>5&lQfbdVO`j zRs|+<@{&#PzswrzOedd&Tz0BFRKorbS%rq{bCp&wDeCpmX^s0$IcW>0WF3htNwv()GC&c$QKg^tc?bz=lW?fc<$2ju)_+SKH>MiFlM z+!tdhomxpvOBI&?C8R)>V`wNU(SkA!CIHD7u1%*gX8!2a+Ruy*(J1I??!Y? z1m&aE@hlITYYSklE}}FS)^TYyXUWCq7ypL_3hjI8DP~EWZTf65OLxhQ1#jL=qVtPc zp7PlI*osRb&&!T|v zjRzz;(rj{hpm*gOXlu_lH{G)U8AF!TJ}6;EXE2y%<1l$AyD8 z$*~ah)VLgsEA$lp+YzC(d^2&SmAiK7$D`Al`219)e3|c zFn_7nxDvuWX6HAfLoe3caF6pfn&PxZHkW?fCd(Y{NY%@+?pyCkK1dR3)1X9Y;GSIL z9NjyDZ={Zatz?_|$@nIA{Dh~IaR`_hNDPN47(km~vy5{Ja^2uHeK5009X0M4oK9Zb z{ueDQ5ta>`*p*a~!tf6=99JH$g>e-J`cNg_EXuLGtcp5Aws4|X0lF)hfCZ(DyTDg{ z19gT7_SP`3FQl(+QdC-8Th%`Cl(b`RkPbw4g27bduGsP%-r~0l43URrj5Q!qdiN_% zjz6?H5jP%X+$mw-V#JD!cz-5uo6mgjllM7I5n7iu*$bAQV?^&FzS+Kh&yqcX0Bv-s zBfZ#5!FY@71OEJIX05+>3Kn53c9f`5?wN&%Xoa$mnaI8p$pAlHc6LP8o~op==6{1F z>7LV4CQqH(Nyjn04F2O&(ABq|8!x2ZnM;18M1ox$OWfd3hofr>tK* z0zvqU^04a2J{3-KU!)kc1FvZzq(1LULOx-gMJyIneq@(;p%JlJz48JPvGW&7x>^zz zg({6yRBpPwBFC;Y{Tg140*}z09Y)HimvD~Y%HK(tk|xOkuBRJU>>qx>m|T=hlDywI(4m>jrex_w*LG5N&A978l$m6d|36gVRtBnJp1x2A zAvF!nU(-i+&h08K8;VYOHMB_yb5;vIp4RlUj#;25 z!FXF6{N7NdO7qz*A)KDzbAgG=9Uy)i@NyYlBBi#d#m!Q7oMiIsWFLw2RZ^t_3T>37 zb3=>c?kJ60e#a>NW8d+!o`?u4Lpiv-5KE>nSY&f zOg(Zx(ppJZG;-H83}O!0L>|1uBYyeucibT^7e}#?FGKvEV#L&sBcnyf# z@)=bD!nqU7!4&}^+ay@T%;8)b-TA72gZ4T1> zj`DC0G*A=tRFsXTQT*$3mm2+=rL`m<`K^!e^Aw0v@(}184)VZ0!B<79OOokEzk@rE zPrY^Q?Nlndy}INWrWY^~EN;v--4nDIF*!(N(tvWbFx 
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-08-enable-certificate-template.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-08-enable-certificate-template.png deleted file mode 100644 index f060ca7e3e7db1c93225ef408b208a81a2fe1120..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 90194
zByqJuDHAeQVhXDHre2=<`ZuCkSvCKKlo9!64y|Sk#{#AohvSSL+i|*g}0zpZtFd$e753I3F)CK?BykMBi78vua zs)F7;(BBJ@KwhM=hYAF}IqKg?-wOPbVZ6pmY$40Z&gzzH?`u;M7oep`&|pO-InXkXzt`U#QuX5&s8J2Xs&5@XXj z+OTk&ogkwM3Tp7lgu0^a{Ge0iWQ#Pp^AB+uFAyzm($>9$eCawHqybtI3-r#`j*07? zp-G>o8J{it_YT0w?25+-wFb!o;;7nys~3|T+{Pq+pTb~Bco|qF!LF`(X?S7~H(4T| z9(Cgp&=W@r@)Wsav^$bBLY?<7z%9==LRxmt=tX5!Y zhSP6?#Nw@9FRs^?E?DYl1@i;OY`Hy|j(-*=1C*1M6VPc)|5a(mIKKsB90vhsbL%vc zd8vM}*tl%T`H4=PZYlLfXs49#aMJ(!ZJV;vxoD0CejbV}OtqrdC z<6z%XhSB? zG{UX>E*@p1k+!*H@;-utc{3xr5wt_6+)WXl@V~Z*CIuc=tE#BB^owW1;)3KLtccHY zgY@9Tv9St`h6>WvKtSjnkC8HRlKLCObS1cy&PaUCecJK?;=OWx~Z6nfZVj^-?d%&XQz~)ERi7hRJ~a z=6arM9WUs~%pVuT-#Yjl@7xxYcVTK8R)vCN2$1){9Z`30(-_BBt#(i#7WDH1n%FU5CV!Y_>k` zNMp1Fh#zcWq(^nk>N1Qp#?WLDFLaZe7{*?7a1V+sk(zbJwxF^Q1Luz%mOe3Jmghir z8g&vhVCSa(w{t5WN$;Mj#6~}W9o)hjV}7+o(I{~@%5hy6`NJuU^s)XP%Nir2F3HOP7F9A!@b9m+)qRx~mZ19w1;p4c$9m3@_;+=JZ@LK6(Pv&=+*UJLX~yG04Md zs<|=j>Bip(L>XFz%g_IV2HI$C;^4-$7Y$oMb|@etUW=o2?9ADZg91X6uqY7q6^tXQ zI(=wj4PjJazDxou)fjaJ1`^$mO}5b8{*Ak~n;p!sTyE)!h`R_H@4;r2{^8J36x7!M z$`@pO)XzrL(uOY2-)uo_j4uVz;Fj7IcdX>$v04-XS5&D@$GvV1;cYD$O(U^C$4W9j zr#=fPryzTHEajV;5@Lom6ib7oZs*8F!^;zqS0f08fLd5z1Qz&0A82UfQUY4|_Q+`c z$x3m-n?)?Jw2o3i<6>LpwNxM}9|BJ_snU~tZ&LEUQ!Lxs(fWQhqlPpOTI6I(n5yA} zG>kZg)0v2?5fvC>w`qujd4`J>fhE>2hgWO%&5x4+EUDszaHpp_NfHIKfunwG>zvXC zjMQ)3!bI!6)Fl8pLY z0h3$Egjadg*lklXFm<9TyV#rVeD;JZ)|kTd5%MO3NH0Uw^Zlif5~iUf9|<-F#SZ0# zAp9n@CE>~TL~B3COSDi4$o*s8u$^w@Y=+oDfkGVBpr_qdf*_uw;~Kicj=&2%{is0x zmX3z^=9`X_j8pXpeStl)eAI{uB_4@T?=(8t8X}$=xY&AKDq71B&MNqzP1tY}g|%(ssH1d1v2tZvE*fjki0C{7i@{6=m^JFBO10Z3mD2V z6m5xfsr6X+uMlP400kx3p?!R;om`3ZzhLD#U<0_QNXj|Xr*3uJE3lAhI8WCJY3oZM zN`kl-nVkkF%3*~a2x}-n9Q5?WE0sV8ATM4cL|Z!JusQlf_BCKPmcCv%eS}bz-`qtI7%zT= z`i3A!M?zVQgAkE3MuFrKeIfeqh*KvUHeszXJfenvO&W^xVsvhfCuluI?)*{eWIV^d zkhdDfEm^L3Qaq17NtDK>WX)c9UvBG4j zpciMbi;<5vf)D{Z)iqv_x*%6!AIM?3ImPqsQZJ0aIk&gV-I z_BBycdjPo7no5=?1X*{I@{YdhN_=pLd1C_C0CO#P;DW#d91xWnLX(fD+|A&PBCjAT z?BOZ+ukUWbboz6fs3H{lI$@)B^XYspmVZwlRV&EPn~X9M0*ir4%9Qjd;E!x=u<~ZZ 
zBK=mF;N^=OG0V*N#3accDI@BEU|Me6ayCB?jx^8h?f%jNrkpf4b_Hf*BgN9*KFBS1 z%#+v35b+Wx?K;$I+fJ7VyR@h#6h1w|ImMRhu25~7Yri>%&(vios4>GLrCDHjQeTcX zw969ow8BHae}ETHe+Ko8_+=S$CuJe>xCG%jXl+r0D?AIg zY^khOIctBfWRW85OG8`eL!XanqXpD{yK7A*1DM;+u#gf&D1vo~gZ-xoHPMdkQ zwKPKCa#DhnwFK0gjNrl$@7~xL?KRB&&6;^G0jVxx(J%H-ijAPF#ro{jkD~qbWdF)M*<2VHwirfgZya zbXMrNv8ydEB@fG6bQ!O(*Cr^Op1$BuWaaF-3YWUdp{Tq7)*EP8Wow(?Sq|Bgz;-8j zTj*$pnnh=0GZ$=aj~b*)T6Ug3h%*kl`L~gkE#NHJOY$HyULq-IXJy}f!rZB$UH(v? zPr89U$|CP~_^)bvBUCH#ayuTdNH!7HUu%615`-Yp#o7`Nc z?Ug-oEvjq+{PYC4HzARe=ltiUfMso}3mP4f;6bl+m47rTXLtYnsrFAYe(6dKStgxJ zzF|(mvBw}kJ&5-Gh)QV|3pGWARF4LFy#U*$qzj^BxiO66TTD0}b&I}n=NQ~8OLgzjnk$3cfr-Nnb1A!KJh@Ay2DV3 zs=o5*n%HAM+GT@57jm7*Yi9emqy9|%s(o!|zo)4N%!roIE!H!@TnGCTEOWt4VA?&+ z%NsW(W18wrtB?LPM!&>RW*3r^i%2lJ`T0v)d)-bUm7%pt(h|#IW~R1}KOdy!2OUXb zMHodDw)Ku0>T6=my28gv9`85wXgoFNq90F(8KKT}jypm{u(AeQZ~!_|sG10xtmk`* z$WRVV82<4k3i0${M$Nji7sto7{9fM!%3IoChOW8kf_-Tnj%49EX9G^Gi@@Y$>`dc7 z^-1&57onqo-+BZ?^!+J$8a>V)Y}p{N#I;Fawzt$C!*v~Xyfketu}8Mt3*9=K&_mf} zbRbrpxXrqFB-gkvsswJ^e6m^!Jeu8YFCoe~=b2=}nV2%OGoFe(IshD#=61PVa#{|9 zHR&>?q*f10XPV$E^S0@yX4X}=v!gN(xEZnQU8K=-;!6;fj#g^?$6(HK#K%Oya>xaK z_LgLaG_z>Ki|DS$$-DMgEuq817kNe({=+~`@5_67%=y;=^-1{pKYPkXe>i8Vv1`%m zIh0fl#whE>ZtkwSrcld=GM2`1&|J+!5E-4c8|qoQDyIO-8eDULE7`(?n9b{FXLfk6 z$~S5>nY-&|R=dVno6}u8p88WO^GMC4KDw=or<}8HO~IgLer_CdIhp~mk8)F>l(W2# zQ!KN*eh4Q4Nr1Ud0OJCXkA35SvH#x43+hei!^U}`b(pcc`@f@)llwAzCTq?q1B3d8 zdvGua;GYPO=j-63NtI!|4iEoL_xSbu4TTf?Mdx7d{2e?{WI$hTud22(prD(hVl+-^ zsd2>7?UWkAoP!^gQw4%#p!C(t;p;XT=ilatE{cA2gRwWCs%zfIXNZarpNT(S8zWapv-m+ z5qQ^`PqLoX_sgv<`Sh8ZXsfB=?Y+oO(gzRRwZ$?7 zuoSyuXI#tRVImR=kIvw_)>1oMY!zn?_79Q$ zcg5GE`*F)?rrh)qD&vpobRNpj@2~bspXZN9AKed3L$%V&i;2g|=_KVwEbJ^nbp^tX z4*g(nCSK;ywP2SUfx*m6hePfju$iV7QxkVuM;&e_Al?2}B+hkaTQ4=>l@*S5$aeEn zOu#?$NHZ;~ARwpCP^*7D`Iu%o6EUloKHL73_WJNu!GxQ4nLdAYh3Dn%&B(^}p25q? 
zDtT_MsHGQEkT5?BpAE`_J7%FPs`m*piazMgSobLU-HOhMnWpC8Kdagik&38lr8<_+R30(^`Kf%xe+){35n6V zrY176ky)ZpI(-aI7VWh7-TE=d<1v0X@LE_0r^O@Xr8lZW!XDDNOx4U5!lr(WLEseQ zD{CT!2yCeHK%lJkMg?%x9GOS16#2P!*gRI5(~Q&FFa^n*Sf#uJVBgU%N@nU}x+S!< z0#}cmu0hy%7iSkCCvQ>ui(@9z6Ji298F0@=0sPF4g7n@*{{RLWg$oTkQsE<@-6sBW z0!4ZJbNaVO!W$8)rm(_59FmDO$mU|b%l&(9kg+8%nuTz&W+1Xk?FzW0TIM(>;g?jQmRy_{t$Y<(e)lD*3iL9kc*ELadSWDpN1)nK_^V8roH?(s_1+6A)J&sA&z6p6A>}0&FJ^-?}6QnNPMy&)x3QH%z6){$Y zp1|p-7hBK1t}Tc;;$c$(A`h|%+*XcmT8eipA39s$r@V|Z1}&?Q4Jr>M4t$g_0g~*? zL55N~0&-u%Bm}aqB$KU*-$@ATXsnOS$N-<3nk_8qK~b&lK07ZHQ?kS_8D}%~q>Xzm z`1==4m-JGHfM$`8imqC8_X`0($GEUGV{v%r93EtuWugA^7%RX-Ivwf zqrc~P9z-^rOfDq>XD_S6O#vA_kh~q>3~qzOpdd?j^*2CcHPj-4DLQ89UT_gZYMjaA zEf#M{Wq0(mwaK8+4U{8#fN5bD%zbclj%6XBA(scIq{XE1C=QVuuvX8spflM}Yp_F% zDm{qBqgHc@UEsdB=DZ(|wfC`>C?%t~dxfPCzNEGm8K0yqY*_BQA5a~k8*Q!IYUq82Z-a%M!&BcSFV(8)@k#o+|BWHr}SIc%nQqN3(o^S0%ezTJ|3m+l6 znabR~=o9qM_akI#y@ZFuhLxLwok$IjTqYV=U&Fv&k1DqL!S?=pCUiI~pkBJ&4Na7w zD52ygTIq`Tgqdh7-w*a;#w)m>_IP^3xUmXL68aTZ)Itp>g}E#XGS}VL^Gf}!q90rf za_YM3`EzpTnm_)QJL*|T|AZD8sxsx%!qJya7t{%eJ(Q}zK<#c~SZpfEj@KnYG%ej8lFH;2!oil< z-8g|yhf3BpG#8g~@bC~(s~6HF>M&~t+z1Hh%m><<7L=jYUU=rd;}G{c@n4^yn=Jp7 zLi#CNTEk1_iDNWUP@=J#y>v-$p8JnlV{K4V+kY2eiAYP!tKOo#s5M&$0)K22_?@GFEDglXni`sp@9rhJQXS9KhZYY_?Vn*hO{;l6EqU<+F zxR!#$RA7zTSr#+D1m#wF5fu1$f1?0)rDH0HIcY#%b1^8e9+a2bOr1=hsWGj8N*}yf z_hZ=ub6}tn)=4Y-oSsH>x*$h-8(PAYem*llklTwNTt_qk!gOVx`P*?IZ&JqJl zYjn2rcMBZ7e&qAD=kI&Ro{#89t$d%{+VTHq+h;*f*VnOwg^44hqS_Aw0)W#qG8_em z&MJXs?6+z*YH>Ja3d!pplV<*wKIq(63X~J^2|!Z39v75WM(Y0?m0)yr53A-Rgk>>h zWRD$~5+=2o22tGA2Jkmb%g(Jtgyw-wMQFD2`2_X=PQmk?a@^vI7L>ELp9^iSk$bkk z@*X&%wcJ+Eal}o#md6?Oetiwb5}OV(@-d?GDPEu;$PA}FNToDuiRRwP=S17{j^BaE zASc{wY5ze0h-Wrpfh|GYO%Dzf;I{th7y0^%K}6Q#eh1^sV*VwtDvY-_# zQys2tb#WB26PlTUYIFTPFDyLhfed>V6w>BRH~ACDjK+`s#p-oF$~x_9m4Vr3or z?)eK1A{|N@?Xma8+&2z!a0X>PDU+_dRk%yZxxPCxGzH>D^{t^#Dm_W9w94)OUTiu= zZ)4zYkGjZG`Q(SovM94gIa$xo<=@Z%<04-b*bUSN@o-@PaC272!;Z*pYpM<0?0{LE zC)YMe`_{I}Jaq>juBb9Ayz6F;Tnh7&7IV*C@$llmW@?<7dwUv!+m8X&JG;W_3J`R; 
zob>daJwexw#t4^u7~@Jflz`%T{@-uXtk3dBzDdbx-3zXCTS)API{zDUBEjLmC-KqYE87{~kn!h5ny8&EIo)Igj5Q>^g5j$Mx zH!sBn^c51|A15siAMNaWObSU?5z)oBmVYqx(-3ECLG-~VE5D>>IRzpB%aqtR?lxba z){c#zmmToKSqMGJ;v)T;-JnVDSzc-`>v;Z;>r(-}cZ++rWr9%hv5R{Ru#;SwVObqq z29A<^%Y~?uASKMVZe=|Ajf7BY#(sI@hm1cad9Pa&ODODOatTms3UDTL{}KKWT-Ds5 ztc^j!C(Ls=%}t%X@zkQkNZwEUs~?~5qp+fwpdR=l^-C}}SMssV=le)Ut#q_C}`}h*@_To&j>*|e~vr1*B zryse^Hk@YU4d>+KfXN$E(N`Y@Ja&ldJ&-%l*Ye^fo~N620ldY!y1G3#Jw8(&4bAm| zogFk?-H?VQ-ut0Nj?DDa56!7Xj>M9Z5=Isl5kaq~j4A){SI%BAhX$a2o0t9;>ec1t zf|i!l!;cT{%EbIt!Als5qiizKo7WO#BVq#P^7X!=bXpf+-RE3XhIYkP>dA7691?e-( z&(V%a>y6Xctg2~_=Qv)Yxx6AqE&%o)O8s@ z-tLAbrse)|dE-3Rt(@eSIZbuh)2Mlt(ZV}MZh$Hd9i{Pi)PnP+vTqr!@wqfp8_~9> zN6N`ZW*aYeiJFPI$HDnB2}E{OR8&Ke0%a&2ufv~=VlC=8TV*qd($-eQ#zt6`b+)Ef ziTsk0SezAk`02D_3a#^ytXzmAc({DeTVk8<$uU-7(v$>6mEZorIqL0xsDH4h)3dHZ zMRh^BLm}cn6_L;BP|s-44i)_3i(ER|D$C*m`7Ohl#FbNi-Y#o*!uXF34f4S}Z82Tw z@W*O?@Xvg(!E06&l~{sPzaSY=OY+NVz)>gjR7+i#)LD(Zf+RN5#G-816@C9wrSx`Q zgxBQeH+oY+wG7~!x^mZo4ohfJ;ieC2xPrhDSj=&mj`6t+u1%l}OrhPs;Je)*6J&%M zczvF)$*~m=J{54o!Lt(kt-_U?rj*&5D`D{GV1#ZeZZnhe97L4Xrg`l7jQ4SIaYZaF zFoR69JunWI5p!YT(+TS4#N(_?ustPSbZ;A+(D`cOVkS8-vxyjZ(vVEM#B+Mk^7XPu z&&(h%m3j(}GRt_`Swj~cMwLy#1t?T3ky;?W1XkK_Cyi43k|!XAx{SyAgOPd+-GSqS7ou3cQEJ2vE&q;9a ziWTZG_prg>36ogc-5ebdCHx4ZaCE7UiVbB4S@XTJt1)n?Lo{}7_#?16%88E%7h~x9 zD(Mwl${;Z+0kyIqp%~N@7Z=u$Z*n3RnE{GR3JEvi)>;$4%E`$QOJvLkmR#j{%5H&| z+7h-;`5@N)wCw;!wMkN|;FS|#pV$qYZ6wiFR8$V##Kuujo<-i%_jLv|zKn#iA~hO2 zTi47R^3(H&)(+pm)eA`uKk4tJghqzp14lIeI?5!(a#5{4&>^do??VDuuEz(;5a_84 znEXrO)zT7cWYi=wVJWbFo}ZZ5xP5%?3x$<+4wPhPF0ef2BAiLn>_n`82a!Eif`r*w zCfu(ozT%vE7yv9D06s_3d^X-{k4018>amXW2NJ-#+#oKxKach)WX5tLwCEQg0umzL zaX=a_u(v{M-#PK9Dur|fk2~ z*KS33I1Hex7{%THTLs7V{HYl44OtjX0CzepeE7rH^&G&wfHOLua08)g%U4#OLDYUe z!4mk$_Sf@LWONOrvg46B1%jRux=p1E$UW5j%cymt2ruD8eUM%|;&G0EjOsUGzC$o{G( z65U4gqDXaswolISmi{IWm|I@*H&?{s##}!##T7EsQe;Vr*WngkC4&;7S$Jiaf@0Ln z0}_!_ZF>vLw=_asJlggWXE!LEhkV^h2@3q`j9+vO=*^--yWI{;9N;V4gdm~h!6gP3 zs#{t1@Av>s>}@s3QpbxVA(*8#j&GyT(e%$gNVP%3D;75m_zstfdc^% 
z@BLXj=Njj)Aw+-^J2NI%E84b(;?|Gv@`~&e6K!yQ1S0ckP&d33iUvJ}Kg_7aA@~fE zqfrxF%!pU6$L`^BOYBoPsicgD_`drCgXjXE?{zBYQ-&T$rf zJIsFvAPzMvZp%nFHBwqS2>4PzgZgkk>V! z80XG8b@M@&AZX6=9v+`ZA%n`(ErZGOXM|LdTrmNc)`MpcYEq5IEt<%IkiBHaFCz9~ z$+eJFH{VIFrkc!RvWd)IKouRo(0YVN=a*du`rmpvF{o-y4Uc zgq{x}fLw_=ptTP!55s@pe3Y3)(OSFKH7ECN&*K#gUyY!*Wp)-g9Uac9cpjWT0zxqc zXwLPPqmvV}8mFqMop(Bq)e_XVsr;f-Fg`xMr9F+K}nsin}FJkJ7YDH5%7-dB4Q3Yp=OC0EoO$~yK;8y2|G$5Qjf$x6$Hn^k( z#-l`AGG5P#$Kc;?ilwDpsidqA%pf8Mg-7f7s_TjdCuj7x8$xV2M}eIezeXHBk48WGCbCMzr2S3?lHn2Yg!Bkgh;e&2xUmYB*+^EIaBLT9~-x)kW>`zcAk9dLqbShLhv^myN=B@)TJ794d-_F z>L14tvv(ls3CDT08QG4SBY%` zlu|)I7w`;|>T7Ro9PEb6N=*%IXke}(Mo(!jt0^nq1^b)W@lG(g-{sc2F12q zU}6bPN-n11aTHYkE$E0uKwasSS2wTH2H)#3QOSq~b7AE&gB2NvugKISDtHK~ombjl zSNq$~5h@zb$#fQ5A;H)f$k76AAScE^*x%x>VN~)JujCVf@ca-6hMAf}BS+X4Pn8Zn z6=!InwG9~b%IlrrC`x4L%b4X@NZ%T!h&LSPqoEyoq>BLVmTx||t1I6SS}F;{5=dx? zaJuEiAWcmUD7*M(5!>8qHzJEwQf?q|7qjv{^^=g0DwpuJNkUXI>3sW7Ix~ z*KF(Gfe~S-f+XB*JiI-up;VaJg!5B~-XWZ1(X+$)9?+>JyZr>+ma1xAU(HNg$$$fq z@-NFV0ddLlrN_x9reVH^H(ENm{F1*h2MrXWpEyDpM}rF*s1>nN>Fb$6y*a4A=?R_m zii^9m_fVJHe93lfBm~VyC9hO&AW)CT9r#>Ro9#lGuOm{MCGusnF<(5Dm z_n*TyV-LV0A?L~+3rcVW`N$+S$S;&a6+!*F_Z3;1)&pGwSVgV~fK>#`j$Si23k(WE zMnMU@yK@j_jD<@2i4FIUi$h%PGq-RC%K&RR_k_o@&|47ohK3vndG2ObxPbCy%W$E` zkMUhlmvKuyW%QkP^ArEfib~Jc^n2K{_wFHF#9b1iIUFnSiOMp;WyR4#ZktxlRR=byX~B>iH+O#I>GZ{v8~qXtS~y>=Q&}C-}9+ zGKpD)Evktn6xVHMd=uifWAG>F9B7zd`0NZ2e0?e_rsX!Stt?S1*x z=>D62kwzYHJ<&arU1Aecotv5z5Xw!tOKH%AfR7I^kQpjXtHMW8S~-M*$|6wwp`avK z1@}HRBxePdwD3!ysK7Tm2hR-qDK%YPTAlUQR7B zj+Av4?(h3mzM0lJh1CuS@w}_th?wJq*FP=BA0r}hA6ClK)A z6fB&dufB0c$|76v_MAz)v^WA`{k@ouRd7yC&#J^K;_K_{rT0gbeN!u0BDRUpu6YD2 zivU`-{TU~6w0~a|H`KpGG&O-a2&{-}^>IG-$~a&Mf6iy`EK{hbXM8w(T$c*+3!@Qt z)CGSZF7ItJNb^WOr4m(~S?Z+U3@EO7O1ppL(ya=9Uh5AK8AtN)uV)AqHUr=M&fwVj zM$*G3Rp@*C^1uc+lG##L?B9Of3G~&#M9kfV>F9IureICEO_ZfR+#iIzySocW(Iu*Xxmi`^nN2`fSl@%l)4&**7e+6yrbJsm(k($9?{{lo2XEzlLJF@B zopVhjbnE_>p@m{@jyIHH&UBaR;}fVfc~T-S|Fr|SlvU047iMKk`7ea(YH~oV)WxoLJ+Fc+ 
zTb-B(dcz#ljBD7bM#|iA%AQ6bv)u$p&3c^?R#%yV;bMPUf;d`mTS5d)XR3EX^=R z-ol|x;VCcPy)$@OuDqR#hi~L%gSzGQ-QdPgotsP8zlQ<@r?|nFcQv3(5!ppnL~&y+ zFaaE=_K~z|Zmrr@iufXXYw)|8oHpSLKTl5RuXS+#K&k%o{+SV`W^BbAx))KY7c%Cl zIVWFIi2+mMD0NVN8NL*Z9s=5gxUs!)$dTuD#24T&Q9Lh$;pZKe2zig< zLe$8@1y+UiUnh@_&hhgh{u&ED?$0Yv70Xno9Z^+Ue1-$hv|gA z+TQs+@k%*@_2%l}{=O_Q!Q}d6U}9BKc?0IvamM!Z>2V&fc;dgH$_Kxxnp~rpi&m0H zirF&6zYqVO*m8@GnTFPO!cvvtI!4^7rhm=MWbo_nC6AP|ZUKiD`oOuD^l$OUd_+Bv z+UrW6uIU&WH;9$zH9}KDjv>|s)q6u@n13j)lH^bkI{0>x#0a{%`LkIG@a*vL3mFHp zuvW9wHE;%JekfUfOrujjp2G|zF?lYm+0*~8q2oI=L8qmrmJshi4-EYAk1TAB&mxuB zDH$9!TF#wG6B5zGEGWkw8=LU2Z6r(_+uJk29{+W2ag8HdC>pKTpwJog&bX=+Vy;4g zlLu?Ol1m@hk&2;$PC!zak8n>wVnMYXlD!2v_d+#vvH=$;cY8Qejr(>!yDKhutvq)< zff(8x9Ps>W!WmU@izy0)P$HQj7nPtz#N;m=WgcrXtHASb?3~-!fmJPZ_8X?L>Z{Y4 z>lc$jSvhbmtITkEOEJSLN;JFOeu>*3%H-htzfY%>6FFQ(6j)zc z2d3wMv;f76n-vL%r~9z4TE9Sn%i+BX8FETzQ>d|<0TVHpLKGIo*#Gw|<5jB6mz3sN7WQx1G2hAq_W( zK$6KiUUg8&6x_D=pU*ld24Qs>3YQxiL0wIRTY)8ssG2GHOV6P z>(|r42d43V#_*zO&H3pRy|O>{U9S>UYokb1`b5jaSO93<87)+B1^0PXEEJnB{vFe5 z=vHSOQZnT-xwv!Ad3ag&h@uwIZ))lUG`vtaJK@G)Bz5AO?{~_#aeessTvYJpO~ir% ziZJ(M6-7o__8M}6jz}Cub!KrjWy-{^ocx+Gn}M)7=a;bMZH~Le)|iCctibRl`YL(z z{=IHomv1_acQxaNS{#H>oF#J@Mz`l6#drI+{aXT3HUW5IXgUpixv&w5+x?L&_kI2K zzzY|gBuG{YC#N{jpoJ0MoBqzBC@l8!Uog-MAgdSb*;sO zg)dm@t!6PM3*Jt`=IR+K6}y5EkKl^+5i@Fof3E)pH|I3{9bROmN%_&O*OHNIS@x_Ro*(*&HJXD0r`Vn(RFtU=_%_-E}vp zO!_abWQh@K1$RE+#w!C{aQ#2 zs(id^EhY7DRi=WuJ$BqA_CmWIU^MFfk2duX!ZegnIo(KCw=oj`-o48*G7sh@?1h8| zfu!S_l$ig7CY__KWy0(W>Y2JdHWC68$g>Y`a;WClz5)M~S%mrn>9-Bn)xP49%qxQw zD1!0S{=TY8PNFOgpg_5esbO8?4DA~gM6jRW3oTC|`FU9VWL#1X39x2zxBnYOlPyZZ z`JrkULs8hW(sSp`9-{BXp(`Nb?MBd1qBft352CEB+x56Yx+X(b_ewQzVugQI-L-#f zhw%CaC~3#`ZD;{SjG;|*02}PHOAl=A;jGK|))WLm2lHqMYRY5Vc`idOd?4BHEC!eV zh!k4SPv&c;TmLV0gc*5_9!D7LTTT?&k#cD2>XP~w|%Gr6rqJzrNIzs;LqCYnARoo1;d9j z86K$4mx%#88O5PNT}ew@yL}=jFV7HAXX9sMVsya~UIhYlwuYCLjhPGI0Ep^?Q_Mmy zvL`^uHyBWr+5CzSLY^Dq)A)5E|(c&H%-i^Qq9HB1qb? 
zM%IT(QDtLzr^Mexj!8tUX?$s$;(s-Sfk*PYKc;i~$_g&=jRvJLIc!^*56aJ=tYko$JV(QEb>B*?@J2^`|g2>Cry z5u|=j>D3)6AEbWZ^MAQxsui@8{Zq~UiqhRe)+EaLy8_9R@I@ntq!Bk=uCw*Aj6bx> zUQojtcO(EZqSk+=-E&ZU{W{P;k1ciXImRFvQaMk`yWlGRhi5TC?rkHgESDZ?46E-# zlD#S$+X9$Q6B&ssq5zPAmvpk4Q&A4wisl62u}6EZgNYM1x|Z$xMN#XKY$Jye41$@S z)mb33VrmYSDaKEN^Qghfb}Xbni6?JocPDo~N+A~;%sx}sM5d6T-G<{|oj`{tiXw_u z*EWm`<>DeFz0F39*(>y4Mi@liEf?I$Txe^Z=9lWySwkj;N?LP4M@8t2Dk&-HVFuCd zsPg;V!oy%R976{RSsi0j*xUjf^mjuk*XDEGe2afPU2kTV2nn*#cRgF8mPw!|Q#_HJ5c*{Zsz}T1*FkYN;#-|3+Uv0?(l(|D($5YuT^URYuZtHaxI=IWR@~hsKymlt#ogV5yA&wy?hd866)5gd+=>@%f!_50d*;sExi6V8 zCz<5T`R={fXRkHLr5Y?QByHa~OPl1h$5o`&6cpFVOV09-FCtXhTFfk;IlVHd6;OR*3Ra>uZqI@3h=k4z8Y zVEy2gX47X9Plya9d|S zTuy)KH%-Ovp0RDVE|YLCe)smoEoeikFTH0gMbRlHVgpxqodPp)`o_`v{b+uP!Dn!} z14jE@JAzXXfKYHC>TYUXC*tnoM?55I9-@J*CEQqVvXta=WYX^eJO}I2CPRtq7I2F8 z!NXm?(AccZ_%_kE>wHwBm%PI3Pz;Un5?=RdDa}Mtikj@fiD7_F3QF`X{!ln+ny1g) zFkSuGscu1E%zrmAm?d{R4Gf7$R!5Q5(*y8k1w};;3=P4{$~I%^;^kej7uDF4A#;Vh zb#g_tFQeu}KA8P-BSP>k4!{4BMVHjV$q#^q4IOXr_nPqV@5V8cgax3-$jI7@Lm=R$ z#)(-U(!i|}fnI?zOHJx9xNz)GDUT>WW^W2b)>(Ex2gdK1eoxqA z0ss;kA0Atv?t1iRcwP4D6A4_Z9+aLpMF2qj$n|duLWVI8vG0Vv(JITc`U{B!YahQY z+?&y=7nqsRmPaOE^b*I9RyZH~IR6G`+!U$UF@ELL-@k9Y#Q+ z;%dR^vGxa25nE95ifD5)(X-x_KmlOT7TD(opBZqRHkmrXH}Ep)aeWp2R(W?Q*=hQ;jSD1A>T zW)Z?5n9e&P&LrvCez9b`!ey)fg=nC--?<+hL8DYVRm{gpUgqg|Lh=!B7SDr#o{EDJ zQ@X}dgs);wm?aRy+SMGv0&N56s1!BK_K4!bm1C#0`BEE2BsEFuU{(Gc&}eI5 zeoL>H=F zJ@|abEI`(^6sTuNCiB6E#IDD0PMp5(>i0P#5`%vBXU1{`WeIttBPd@d$`jUw@e$99 zgGT_;RpoRLQBl%Yku=Zk>`%GGneHvYvA!CA9Dos7MZM|j@Bu`q3swiFKyqd%?h=|< zLpLg;vB0J>V#}&CO+unfq-hqZ8In`=LB{MSy<~f#zv$o?KsuPr`)OH$LGcVw&F$md z!~_mzeeaK{g^thvQ%NVFn)p9q{oh~EK^YBllWJ^NPmeoB-y{V^J^*k%u&S5D!ux+y zEt>zDy)R?g1qFXgCD+#0$c_&VK-?|Z_4Q|WhWeQ~(074Ku(~P#E>3ZLdCBIRVL@iv zJer=Nz2HnaHBA7O=3|49Cp5T)_GyZznv!_FPnr8lx2GI2m&c`Pl94y(k&I2t>x3LGIg%Ben|oTJZ2W0Ba?f2Df+ur#+&Q(HotQzLI6%*|OmS36?0cz^A}Xcy z|5I=i|2Nk%W3u~}lcI%uR z4@@Fozx1z*z`jmW6AHyqxykoW#qoWvV3#M-Bd!W*T6avH=;{2WMqGr$>Ef0s=l&P_ 
zqmGz;#{uUNeMM9E>&-Z)F?ID*S}N&i{lHGz7lL@@`dybMq=zs87Go!lKvwz^ z=(R!U=Q`tw=CLnPib`|-1O~lt^s1A(qS4<2xH?pv>ls`wm0B|}2&4rH{PFpMRRrff z4Dla`mPlE8GB1PryyyU!zlY0 zKiRYWM?g5ET)5=7i2Jv9htxd}3La9AMz1uZ?|dg5{DaFI@N!FfCUUQ+=C{Zv66Qlt zMFN#Q{319kcsmIdO*T!g*yVbAFj|$u)U`H3LWxg@6BAarZ+%tXk74{45t+KcHWB@m zyW$fq5-NgUx0U>3Tvi|mLTIpG=$ILH7>Sw%j5I$=wmh+ewWgIG)76z`6X>$GQqqc& zTwx;rY-qvA{4*2wSkU`5Riz8qq@n6nCybH<;nds81N+(v+v0_cbBh%;tRfYnFTpxSW!RB&d!H*`IA7#40j6akPf3p z8A(zgu-R1@QAPd&0T{I@i@p7M7K^E-ag=|5J>GmNctdsyxV8@Xi~JXpy9i6>QVfu& zB*gmcctpCBQ&b$HD=cFS zR*_{-sn6;?} zPfGn6b1}Zk(fKdBc(6%`YjY?XV!cbuo3PMi*%xDWM$X zquI|_SlT4)j&TxqO821gZHm$L4k`w3WQyJ0&c_%cYGQVXr%F5gegl;?UcQK+Ke(61=CnpBeQ z5?iomK>q->P7Vuur8Ty0fJF}=g>z9G*&!Byps0xP^7~Uq$}$M?_=bj3MC*3oLvNft*{x!`jbpA(368wRM3K+8~k$Zf;W=EK8ng3xR2z;MX`zjpmjVGV-`ZJ!hbB zs@!PmWF^BiMc9iUK3d&QP5^POAEi2*SL5AXc(}U|UwikCDRJ0Dh9rV;&yegnVp9zQ zpNe{x2*L~z6E(iPX@d*VEhK+@W=2ZM2Dh82j4nY-);)CZ@%Y#E+;{N^RWKiy=3YuR z34$^?J9?8PktlYGB*AJ-vf2<~#Ur+qRWvKc&2|ALh?<$S%C(8H{-=boD-#Wz@s1s9 zh}vGLyngS-G?F-`06!ETT#p{9_MCG^AX3aNv6%8M9h#ZcCahV83N^dbgIp~s`M|jI zbSj{MtVO=a;{GXDDu`iK__^3)=M3CIAcGAfD44bX~`C2iR4cYp)|D5Q| zyk48|eIrNOXtnXhOlV2C@RZY!L5m6wOY1TaH4~vz{be)sKcaCJZBmcXi3n@FN+?t^ zY4o63x;4L=U%1gfG4z9%U{7f~%5xx%L_Lx~z3}~4Og4wYx;jyF`)sAlp&v6i4^pY3 z`nBt+E~=el0U}TZ?uXNVKk>Iuft&@rg|ba3sY;baI0PLcx`eJXhX z-R)fhg85RV2|^y4AopG+}xG_GB1 zi}=dkfCvF!5H)qSeVPCd4B=Td2Pbz#HJIam4zaw&XqV!%q8O^G31wcf&?F`nI++0C zed}CAWIeSQ?=dQCP%7h1H`8>(6DrWO4iOkx5<=T0v4KwPd?SPXe6WXAiP)>i zAaQ0?F(Y(6e|g+Bt}7(Ci@Y6{_NaMs>e%-sW|pLJ)nuGgcY3d&DmF|&+S7pE1g7uv zsan@B0GOiQCtwT{vCNgDIZ?tYQ5d~-8haN6fus?cg91$7vF)GbNQbbaXM{1THef+3 zVB&s#KEH_E8G^)x4V^v?7cTRLl186amLNK`2y7J$3@ogpu&frnHWrS-C8{fH;f2bo z(~p)1R8279Bb#+t15u zI5wVEEqN;zkQw!WBG9L03#Tw5TWK7Rh@bRV*5h^$Gh=E@KJ3N(YrKU1)r#o34NS%X zqd%z{gz^fEw~qeTd)?jRK#?pQfi(?BDJi&rqzDDY8+r?PY!qzq@#s{p)c1c^@Voy% z$j;hPLj!k30IBfi=7x-cwv>vAiTL3mcKn;>r?R7e@3nWTP5Zw>zu8TXPTzuwnK{P( z)Egl))2_;FWPIi!y)5Xx+#jvyp`Rr;*TV}xB4?5W^^e3QpHGKRFLklU9+~pUxcuAx 
zK5nI5=ivSK+2pGA>7dWR+gmPl^mtrVwV~WfbsgxlRknFC9&@hXG|HcHVt2IXsvi`X zwITaw&m;E!FoT^e>(!$P*4&jTlg;^SmSmPL@Jx<99Om{;X#OF9lFo&}fhwQKfy688XxvAB}Sug>3hE@*Mzgar)jLOvUkWQs@0 zQ(ifn+j?SE$o&M88XjzizVQeNZyrqw39k*Vo{03#cEGb?&Ssp)2=gCa@A_X2v0LAA ze+$ekeQkAj;pIDo^}Bs>dE|>5yraI0#K|&xJ+G8?C+|u|$P{M{Zh^;jg`@ZWy7q_U zE&o4ERcCuaudU|fjH!IG!_0%{@48-Fg}pXMuSEjpVAX33J*|wkI9~5gi!DKDqIoGl z>qMeB18b(F2|vujClYT?xS}TPNYS6ocp_iCJiH=+XuPYX9&X*->IJb9p(u+9VJRls zarqP9*9rO%f{{6!4e~!t;Nh3N)gjC|?oD7?~5Yzc?${3#ak;)p1tyCC7I zJup3pU=aIQ=&+m6ME=3|tAdA{3j%Wsf|Bw5)3TkJHML~GN7(LBT@C|c6pU16cu89D zCkE`R3wU7*-%bC*keve`k*9mrYogaxYpBNE&_+euMRMVLBQO6Btm(1mtY3B)IkNN7;bG4~buxd(OpTzGiR3rj?~wWzKvDZbpyLyKr|O^UMm@oGRG z7lQp0`Dy$6L9&)ce5(=MONoLEiT%#DsIMM!hN*85ZV{#u5s%p^K|G^1YrrG2GpM)_ zc-mEm&^ZKXQVSKC=rVCarXM5Oak4`BG6p5}OrkHBl6t;YeBNqY(U!H5L@v)5|z zTUbPn(+&+4BO8~6uL%LtulB+_@Uhi3VN;rs!sc%Q@jN@Yxru73IB;BYO~RUJ-ol1( zr9E2C&;T0`?2HWLrZN~;-u;tF*YGlF;HWK>{DD_f6OX!q;ID2N?7h`RVMlKjxqin+ zB+t9%)(J8BAYNWAb&~=~;!%SwiR0`v=q@f*wYzN}dv8`%rYIpA2_V8-9Xq537ltXr<``Smsa!0Y7V#fHfTyDqq7=SEn4-_o7Fc+XC)S-@k9PTPZA z>}5khj+oNe!aF+s`F$gv&|p73MH-$}V>3WPDw+43b^>_86q#5C4@dVgIjsX)AmE#C zAtcj!D3acgT`21eo~4Lv`^yn<-XCI%%uD#Fh~+LV?c!ud!ZhIxqA@fHet^}TH@-){ z<#0>xmr*CWdG^K5UZ?5~kXlxi8%N9NXKnu^?Dsy(W*i+-R|hNBSq96`FUKhACS~Ew zia;`Xu%=o>JxcM2aH{&pzwQH4?mQ=14FD1ogVsHfysn>3&BzN+QQpmXo+IViORAJt zjB{C>(4Q;jRHe7DhWr8YSV(UQd%Iy;b`{+mT5~hr_xiud{!CmPnun*S>j37z-mbqv z0|CPor5i<9Z$y8n;6^~TAgJ-thJ#e-5o*&;78Y8iK8h{yERZU+j>xA9;QG@cX zf4LvN#KG6=Ya~7kLdz$6rDF?hL*GItscx^H^&A9gL)*ZpSaVYg`j8lHMj}iM(mHIz zI8(>n_%N~MSZ(|m? 
zVC^CzYkplnA8C(ir=+=VU0^-HDj2YAt}P8rhx zCtP)>pvp4}IdvrfoJ9+c1w%-S35N{W0AZEQ1zXm_&lY`PCa4nFZS-4A&e{)~j4u1Y zfAZu75S~%hsNGT2jx2Q=iYar6TYuT3n8CplznALh{jq0LBgCGtZ+3Z zj`-+EPaz-7)AhfRmo{$NS3%|1_% zqtzP>T~ynngW~O8QQ2h(b>Z*;PdC|*o|LFG6O}%4QnbzyimZ zq$@Mt<%ZkMY7!v0gOKsnJ_Ny0hlvE52CNV&UtGBGt3@#pGik;FSPCv^OvS2`;fd{gB0~5^T7s|4L zPZ2{g2b0`pAsPF4IX;2x@CncY5U|0w>GA6OH`L3uJZO8U!7)%O~p6SxY**T;s zmIU26uc(X>Y#b=0#44?x%o5g=&3ubHROl$@h<*o2_{^eH*T8K=W9Zu45fgdZ#!%S4 zm;)<~tXrQ{Y>ZNCjIzVpJ1fcu6D&-G&vy^vUPY@H+jU9jmsGJAPL)C8fo%*G3|*WZ zWPFK7r@m_#Osp-KInFUHsYCs=8ZgO^QBMeQ;c*GcuBTl3f@^?U&C%!`5vj?RsA`RE zdI#ggS$ak9eI4rhvS8e4@2S>P71J0`Gg*QDTqTwsMXj+=HAC1g&sHPZ7|9ios+dC6 z6xt>y)C}ioMyDVrr0k*;D77Q~N-`QaVng`Q4R_!z+SC2u2(>*BhZXpFc2?+o96C7{ zc;Ln6o_j+V*2|rgmNBw7*9?ZJgGvU6a0m#(8XMJQWS}<0DIzUe{;oj~u!cckU|>$@ znE9>``8}Oyma(y*&(EOpM%;`;Wxdi{B(xH0js$9H z_pl>9XEyegPA;+($O>Jj{1qo5bw@iznU&*w(nGzcw0SMEs7CSZ@F?@=cModB$8^kc zl*Q>J=qqK?CP_hKD=x9VO-d3DcIeZ>!Nbn+xF=JnxJFZq33xfy{G8&eVX;TVLctI= zlBc5}v6*B3#F>s{N{6wDkT%+|0~aJ-x(r58xNvW8QbG}~UW!sy&!~l+6`>U(h8~0S zp`|CVY{}7PCIJHPTeQ&JHWWGY{-BgsbnVHjRV03@P~hp0zPpv4FKv-?Bl+&Z64?3( z^tCxnv4?vj;YFj}ya~cnggBA)4pn$`_Q!Grgrfb@H9E6esMT{BG(L>z>MP4w`SH|S z?c{L$kUV)M;n%*gCGz@g6UAL!?;OWwB+y=0rc6_xM^IGQP&zS*9JUL}LhCk)EybkT zJ-iSA?doNvf6#z`YEpA42NyFF9WzwMbR17|;L(~rTaxq2-s|a^NGe*ff~|EqX6Hi^ zL+Q{nq9#2iQBmlY7}@Pd&nBq-ng`9CiQ~E$qUBgg8X)1siZxNu&1SijwKNl-*Hy-l zyr4jrorHdd2Z6PFAuy8%^LKmw_}*^?@YpZ;R6u9<=}%HnaWfiuHteEUV1zEZyTY;` zs+lq#SyxAJ(jSN79)1AUN4)bv&W^8fAKX~hJGbsPDw!&W0gq&l_eJb*xsfJz?$~B( z&?-+3vxvPgW~T;_yX1+%(ON=$IZk*hlnFIuiJodNV@J>ZH0-s6iHT`$V{>9LHPh1k zwW~E$$(q^b^hDw!pCrIOpAF;J@IpuSL%R-#9Nv&KB6$MUxCHWg=~ygNxjbdi^G%D1 z=kLvaLC($}$W zH@CJ9GbQw-?d!62bSd8E*rC@+)y>3PNPJtW=_~8O<@N|UFZZHykn;BdFTb5imZS}> z8Dnz-cU|;guL!|ni`o=en|I1`N||@B!`3I~Fl{$do2Jj(UE!7IxU}H1lIB3NZ|v7f zNr?JC*8cd!uf{zyW!V6!{Lj0enkrVewudIxP@Bzh)s`Lw`Cy@23)a?@*2lHRHLHRz zEP>_CUJovQUeHuoZHEidz>2$HvvX2-WJ~y!SI+&5%vhhtRKq{?0`kZ%)x||gZLUqr zi0bLFx^A>)+oXn`elPT+7s$w2L<5wd0%~WkWmGDz+A0^jaM1I=Uk^#ewsswNYN}Rk 
z#GaFDK5A~R*WO|&-*It3Y8zKO%|6R%67p5`G(%VVL&O92{%+J@Jv-3QtAymY&|6jz z%^!P!b|YAdz`u)3@8VnJp)xy*i=4<8HXb7qR8RudR9#&mA0OO}ugUkG&I)(BSuIcS zpL0|l9i7JR8>vbKncs$55JnU0RUh4NGooeLQk0A*akGLQA(1zBGJ+?PyG`7KxNd4j z+%$^!6Fho2$SXVGwK>h4NnGi}0mH`k$$izgEYtm(z|f{cPJ~rq>biT`4Ji*!08x~@ zl2dJAeJ3uwdjUa{AIY`~^+~oN*wBhjXjEKIU)2UxYSJ1D=nsO|LK3!iEM#}urYtB_ zYORs=ZNOJ%Ya7+3sG<}cbe8iuF0rWFRy~2asY_k)S41%m)e)R6Lt@5=>S`v3aJR9VrBoIQLb zc9m?gcO`neU-zsVVCZF6@Z(QBQ;BDTo(i)de^_F(ZH^TVNjs3gSx$ws&@>-dT6zPC zoV!Q0H}bxZMvs*1`IjUXcOwxVfOnbRR}*Y$hDWl-a3{3dli^=E!7ioXivnjv4qZ1) z7;NUb{9w^zif-Hlbrw40n13AYKg0Aj5*83J0^5ERAyaru*nGj>rwgf%#65`vM?NdHCJk2f`&>Tey@B>f^Y*2R>xX|T= z(3Q3K`1Oe{KEML!WEaIt-HN({A6?k!)X!Iw+kvut@G6^f_4Xv`PqOdlM{`l8t zU>$mRYAjQ{?3$jip@f$u87-W4b+}NoP{U`vE2=eFEIvuZ)y)h)KkltVY(wDC>^huT zido~Lj;#4H=CZKuOT1q2DRogZ@~h)g@@m%JOhIr$!OH*)tGh{;#N zhm+rCS=2X9SeqEUonp(L--=vUCGs2Sw6wIa(-#uj?x}};{D)?;E;&6Vzpo$rBZole zw}9O9_1Ret?Or^|H_8FS7n9_*r@vB4^97s&S&6;9%}FEG#-!unb6ZK*Z^B6_>vJ#+ zvR0iC@Q{i!iWl^N6keyIvWEL?L5J<$WOrzGZ~)I;Hg=sD4{6KighNHCV+Oj6I0l_6;kF^FIuP z#3kg)f!^ZXp`>T^HuzgBT)QXtEB4#4_92Jd!N3oq6!+=ngw+Ga?bZ zGy86>T%%w7+ZpSaBi5!nu2;h>AGiPbn5I1NME4tD;0OIh+Wz8+?0q>dy>p3d(KhCS z5gQf`;i?_ky>@91H5moA(@*ZuH%7M48v~QoUA2OODP9JU4Az>F64{7W1N0gi&{2BLVp;dPL z&)kUx@|+jF?Wj%U;BcxU^z0x$wfS@^wtg}!eB+cOFx+O5y&Y zQ5X`)b~HM+)RqXv&t}yUM~qVG6_FIGXMKb7=}5G-`mveQDyOo^3gNnxN zy_jw#`E3f*tVpHvIT01L3JYY!x`RJAdU#*_zoKR)Kc8Z1N?y|1#S9JB>PYQTNowWf z9UNzAs`IMlaX+m10{A2s0t!*H}cCo1Z5+fEx zk)grKmCAALHHv-=x|Rc`^a`XgoDk{W3^#HmEiCe&t4=Sl(6;B>e9o1!3t?|29aAeH z#=Oc3IC#eCUlkfMkV7FknsNE`B%$Qn9U+F5d!Qh=0V+N?OFb8n%H7&wd4NPk@q7FT zLcWD~xp;Yn2`e)?qS)-$0B4d& z8Y`Kj+c5mL#k+e)iCJOP=*uGu!-uCD7rOzX=jcX~N0%shSE@8~%OppbJV9r%vrWbA zu{4}*e3;_?oUvVIIpO1jXwxm9@SNdPy!nT<$Maohh@@Aja^pt)1yYgibNaIl{0d{x zaztTOg^5;IS3#Z0!l6K2qE%smdD^O6;mdJANVo~>;~&}o_N`fdl$X=Dc65|9G+^D6 zUmSF`(ePU#-Fq5WHvILeU0=F1y5yFtO`%iY=4f+^Xv$zPh(g9bI}eLr7sHqNGdRHj z#OzR37vhZTW|Z6HZw>8g!|JYx!f~)i`~h`cCiI<;|AtnVmnVOFErE^Fv1?2eKQ%*R zWQxFR@1Lb7Xa4K~ukgU+5>qGbSdQuwDTr$j&G%3@R#9)5= 
zo?4>|nY0OwY^qkBS1c~G7M(WoN$T4o7O0t>^ZHJ?f_w4sX^4|4>7bdsZ`lhQab)N_ znCKmA3$T7t(n0E-Z!QG;`7kwCi)LyGEuYU^K#0Dmr3RS8)Xm}P64K^RjOp!9wY)6h zb;aTrw}4HsGR5l5C6vb=dKT!8-|FQqG|R6BuwZ52LC2(u6-i8={E$BUEO|nXJ|dgv->C0{#?E@mBfJ2Jf58N$tYXA;EcQjDHw~9c+>nWE#8Iq|Y;g;`&_= zh8Yjpk}zW^$u}1V$AxP_PREm>*O+AomqKZ0FN)Lc!W$Xo+H(j+K((o*H)hCvE%op> zjEJp9x`u4vk1QlSIIy7{@)K=qQA1A1d>y)bxIPCFB9+7fLMrW9!yC`0E?-DlKhD7E z)=3>;*y0O-0ln%KK-e#9gSF*dt1c|-h}AwMZ9$sVB(PD_Q;E(S zRwjp(69;#_^5{9+=pz_zBA3;l?qI?9NmbVyQAQ{U`@?JuelT;^D1Py*Dy3JD?}?pq zR8bTA{JycN*?!FEnbgU~>fFH$DPdxlkrQu|Q{(N+Q_Hm~=zps}`2_{;R*g`Jt|gw< zEHN$?Y!m?Gyx5vZzcVZgh-fnDe&CDDm=iQtE|> zS|?8_#hiPnaVgpQXb;h+4)uh~OtETiBk|7N&0+^TF*cQk>wI3-vhLxiKl)O89;e9n zXvcQA>I=?OmYrmbWz1HEqd5%2mC;lKTS-wT@Iw06i8G6w)dD_J>`PHCO-AtdQloVI zbSn1G@!&0i%&}PN#ojaRyb|#rl&CBwbi9^JUd6feLB5uj&EMo)UB%!`lnEG_&uAK| zC_U-uDi6iB`yx}%%@>yr1|L$0n|sRG?nmZmHE2^#HacscnQp_)clYfuWUD)h`!G^t zN!5We+r`Q-xVLe0f-`=ODA_S1S;FgdqW63A2EHFneOgJYY!fzr?MH6=9i%T)4~6&2 zn*p{A6JzelwH@hw~qVTOFgnjfJ2L<3TpSw6Pj6LnD`KD?$qkPTy0TGlEn zD%0YxDe5Utmp-+Ku)(>ElpEdyJJN3XN#Z32u|QsdX)63~P7r+N_Qc-C!9QP-DmJ5^hWX;x8V@)-+y-UrC z2^H@^B=o9_>W8^3>me7BcnNz8AY)(L)weFwdmoH73VJmyEjg_V0ltq0$*D^NhkWx| zVYSWQxADC)KJdAGY-OWq2n^ki-4z9{egP}C#Y3Hu=jP`JwcmW5oScGg*Es(n5;aAy z7ry9sQ=+fQ+^Uonamwf(31(LZ6Rn4&N)f?B&2w?b*j8CIbG-|VL;+25gx4+Mgro_3H{W8j@9^YrwhjMMI!CBq6NkQMQ} z#>S$2C!w%Hk+JW5r$j!HePD05!)yUomCTr|n0lKW_5FJ_Zcp&zZOe_kcv^nSf})VLbvpxv zdVcJ1OxuFM?gSbsT8~pYYk6&gy6v=kwWom}I)Lzo`8UL&i;r(zxB-IY+);SMDQX^U+$ml~>#nub zqN=Dcw_ZVde|d<-F2bV(h`*JlSTnaZ2AM{NU5YKzKMzgU+`7XZ^O*+}&vM-(mb|iL zN_=O;tYPNmm`yiL4o>=IC~dLC$)WvALN1tHgYGhVoFdiOS5k;FVwm;*J)@jyJr7J$ ztD`y?bxWHRIVBs-?*rAaoqj2D?oa^|D61ADD${rVIR5nI`NZK1mXt9;r{!WQ?3qk& z3#Z4Tve_wq_)D=LOTgr2W=S}k{O~)yASZK|W*(R;Ir07<2)=q<;EVNJsI?atq^Mdg zt6OV)rVo%;A|gnr&qJ(FW-DWM@7d&0P}UwMGkla}YF|&@MQ5VQvgge8zv;{`E*(b& z1wlVQl9aTXq*x6(4-W*letpA@H*}W|8dYfwG^u||kr@`Ey*r{35%X2SvHP{K3(^{J4tld^?8%s)dP4BTfo|*6nRqd`Iiu-^W^Rh^K?9%aSV8R6 
z_)c)_>5G|z8_W1Y?-2T44{sCdt%6OJzlmvQ%wzwvaF3!-eGu7Z6t6r4z(SFh$e7mH)MyA7B2ijcsZJ${5zP2tHCb zNfZ)0#0c=dbkXp=g*Q8#FR@6oCg-x?$(T4hT0Soc$zLo6zu?TQ?V<4J*!A6G=%D|5 zfWmjk=RPur7p|03tB|i}V`{osG*&f@j9!9}PY>@1}5cFPF zC7F$7I3}9NP~y8dF6`)|i=lCR*o%OTtzfa!%d^cVkuO?8+Y;KXyiNfwc#rXL6TetO z22BWX@DGumJ2G(a=|ii_x!22A=5p~Q+{__8w=JDemOiI*lXh3EaAqXRSPxL5;K~@*vTcss@ZTJ8V8{~ z$IyuI#SHGbSI(xMA~QEwhmU#V5BIC@AfTB6Q0K#nJg;CK99dodWD*(~v0T3yV&Rx1 zV^O9MuuRq6?1aKL_v9lUp1Bxj$!Sqfd_eJPnz(Mnq5hIE;V16k8DCgc4MTpc#6u+S z@=MyY^wWW~r5PAc4bJbIoEl$qWay;yiGJ7M&H(Z(As8gSfQ*C$mt|MgKgEqEYYW@> zI3r;fLJ^UFI<9&jQR0gZ&IIEegTm^{m=4mXOdTs>9iwEl2qG6EXfo(0g$kkvic%#A!UUnAZTkMDb}-&D z-A|4CGUTL3{1h5T)uj&a{#mQGj<0{67Le8~q&*_P1El8l@Eyo+Y-$USNo$=}bks-K zkpde2Hj5A~6|xP_gMzvjkqFmQl}-aglZcT<_(b_{+a9f7V`-bPAs^ctU8YCh%*4-a zYmdF@ca9Iji*uM{R`muV4h|mvBvE1a4Cv%0y@s=`8p@gNPG}qo6_cH(82vq8aWAjN zGpjO_X|7N7z9bo3Ql1)lPwpHOo?tEdsa%X2hQf6|0}YHWpd2aKJci4B-R3FdM`Y-! zAJx$Ye|~ti*A;=IwhP zgyviRYB~!cIfKTPcEtUg14L!7O0J_jX#O3#FfgWk3Nn&fwhWNfExab#5}V1TBvKK444=eR!=(!b6*rG*xKP$xxS9b3YROy4{V zQPJoIXRzBH4apf&ClvnP+=c=h8bVT;k)QxjwyS_da~TP3l`+&yO)kiiuQ|0C`?GeG z2bQJ{llZW-F}ugqg=rHrGMlTfo`C^a+6^Wiz0S;rG&=M&=m{_k4djwAXe2WF5@-uy zmH0bDL1JN4Xigu}