diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md
index 859415fe2f..eee03d598e 100644
--- a/windows/client-management/mdm/policy-csp-admx-smartcard.md
+++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md
@@ -1,880 +1,1024 @@
---
-title: Policy CSP - ADMX_Smartcard
-description: Learn about Policy CSP - ADMX_Smartcard.
+title: ADMX_Smartcard Policy CSP
+description: Learn more about the ADMX_Smartcard Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
+ms.date: 01/04/2023
ms.localizationpriority: medium
-ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 09/23/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - ADMX_Smartcard
+
> [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
+
+
-
-## ADMX_Smartcard policies
+
+## AllowCertificatesWithNoEKU
-
- -
- ADMX_Smartcard/AllowCertificatesWithNoEKU
-
- -
- ADMX_Smartcard/AllowIntegratedUnblock
-
- -
- ADMX_Smartcard/AllowSignatureOnlyKeys
-
- -
- ADMX_Smartcard/AllowTimeInvalidCertificates
-
- -
- ADMX_Smartcard/CertPropEnabledString
-
- -
- ADMX_Smartcard/CertPropRootCleanupString
-
- -
- ADMX_Smartcard/CertPropRootEnabledString
-
- -
- ADMX_Smartcard/DisallowPlaintextPin
-
- -
- ADMX_Smartcard/EnumerateECCCerts
-
- -
- ADMX_Smartcard/FilterDuplicateCerts
-
- -
- ADMX_Smartcard/ForceReadingAllCertificates
-
- -
- ADMX_Smartcard/IntegratedUnblockPromptString
-
- -
- ADMX_Smartcard/ReverseSubject
-
- -
- ADMX_Smartcard/SCPnPEnabled
-
- -
- ADMX_Smartcard/SCPnPNotification
-
- -
- ADMX_Smartcard/X509HintsNeeded
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/AllowCertificatesWithNoEKU
+```
+
-
+
+
+This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon.
-
-**ADMX_Smartcard/AllowCertificatesWithNoEKU**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for signing in.
-
-In versions of Windows, prior to Windows Vista, smart card certificates that are used for a sign-in require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.
-
-If you enable this policy setting, certificates with the following attributes can also be used to sign in on with a smart card:
+In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.
+If you enable this policy setting, certificates with the following attributes can also be used to log on with a smart card:
- Certificates with no EKU
- Certificates with an All Purpose EKU
- Certificates with a Client Authentication EKU
-If you disable or don't configure this policy setting, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card.
+If you disable or do not configure this policy setting, only certificates that contain the smart card logon object identifier can be used to log on with a smart card.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Allow certificates with no extended key usage certificate attribute*
-- GP name: *AllowCertificatesWithNoEKU*
-- GP path: *Windows Components\Smart Card*
-- GP ADMX file name: *Smartcard.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Smartcard/AllowIntegratedUnblock**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | AllowCertificatesWithNoEKU |
+| Friendly Name | Allow certificates with no extended key usage certificate attribute |
+| Location | Computer Configuration |
+| Path | Windows Components > Smart Card |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider |
+| Registry Value Name | AllowCertificatesWithNoEKU |
+| ADMX File Name | Smartcard.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## AllowIntegratedUnblock
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/AllowIntegratedUnblock
+```
+
-
-
+
+
This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI).
-In order to use the integrated unblock feature, your smart card must support this feature. Check with your hardware manufacturer to see if your smart card supports this feature.
+In order to use the integrated unblock feature your smart card must support this feature. Please check with your hardware manufacturer to see if your smart card supports this feature.
If you enable this policy setting, the integrated unblock feature will be available.
-If you disable or don't configure this policy setting then the integrated unblock feature won't be available.
+If you disable or do not configure this policy setting then the integrated unblock feature will not be available.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Allow Integrated Unblock screen to be displayed at the time of logon*
-- GP name: *AllowIntegratedUnblock*
-- GP path: *Windows Components\Smart Card*
-- GP ADMX file name: *Smartcard.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Smartcard/AllowSignatureOnlyKeys**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | AllowIntegratedUnblock |
+| Friendly Name | Allow Integrated Unblock screen to be displayed at the time of logon |
+| Location | Computer Configuration |
+| Path | Windows Components > Smart Card |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider |
+| Registry Value Name | AllowIntegratedUnblock |
+| ADMX File Name | Smartcard.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## AllowSignatureOnlyKeys
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/AllowSignatureOnlyKeys
+```
+
-
-
-This policy setting lets you allow signature key-based certificates to be enumerated and available for a sign in.
+
+
+This policy setting lets you allow signature key-based certificates to be enumerated and available for logon.
-If you enable this policy setting, then any certificates available on the smart card with a signature only key will be listed on the sign-in screen.
+If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon screen.
-If you disable or don't configure this policy setting, any available smart card signature key-based certificates won't be listed on the sign-in screen.
+If you disable or do not configure this policy setting, any available smart card signature key-based certificates will not be listed on the logon screen.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Allow signature keys valid for Logon*
-- GP name: *AllowSignatureOnlyKeys*
-- GP path: *Windows Components\Smart Card*
-- GP ADMX file name: *Smartcard.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Smartcard/AllowTimeInvalidCertificates**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | AllowSignatureOnlyKeys |
+| Friendly Name | Allow signature keys valid for Logon |
+| Location | Computer Configuration |
+| Path | Windows Components > Smart Card |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider |
+| Registry Value Name | AllowSignatureOnlyKeys |
+| ADMX File Name | Smartcard.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## AllowTimeInvalidCertificates
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/AllowTimeInvalidCertificates
+```
+
-
-
-This policy setting permits those certificates to be displayed for a sign-in, which are either expired or not yet valid.
+
+
+This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid.
-Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls displaying of the certificate on the client machine.
+Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls the displaying of the certificate on the client machine.
-If you enable this policy setting, certificates will be listed on the sign-in screen regardless of whether they have an invalid time or their time validity has expired.
+If you enable this policy setting certificates will be listed on the logon screen regardless of whether they have an invalid time or their time validity has expired.
-If you disable or don't configure this policy setting, certificates that are expired or not yet valid won't be listed on the sign-in screen.
+If you disable or do not configure this policy setting, certificates which are expired or not yet valid will not be listed on the logon screen.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Allow time invalid certificates*
-- GP name: *AllowTimeInvalidCertificates*
-- GP path: *Windows Components\Smart Card*
-- GP ADMX file name: *Smartcard.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Smartcard/CertPropEnabledString**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | AllowTimeInvalidCertificates |
+| Friendly Name | Allow time invalid certificates |
+| Location | Computer Configuration |
+| Path | Windows Components > Smart Card |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider |
+| Registry Value Name | AllowTimeInvalidCertificates |
+| ADMX File Name | Smartcard.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## CertPropEnabledString
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/CertPropEnabledString
+```
+
-
-
+
+
This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted.
-If you enable or don't configure this policy setting then certificate propagation will occur when you insert your smart card.
+If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card.
-If you disable this policy setting, certificate propagation won't occur and the certificates won't be made available to applications such as Outlook.
+If you disable this policy setting, certificate propagation will not occur and the certificates will not be made available to applications such as Outlook.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Turn on certificate propagation from smart card*
-- GP name: *CertPropEnabledString*
-- GP path: *Windows Components\Smart Card*
-- GP ADMX file name: *Smartcard.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Smartcard/CertPropRootCleanupString**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | CertPropEnabledString |
+| Friendly Name | Turn on certificate propagation from smart card |
+| Location | Computer Configuration |
+| Path | Windows Components > Smart Card |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CertProp |
+| Registry Value Name | CertPropEnabled |
+| ADMX File Name | Smartcard.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## CertPropRootCleanupString
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/CertPropRootCleanupString
+```
+
-
-
-This policy setting allows you to manage the cleanup behavior of root certificates.
+
+
+This policy setting allows you to manage the clean up behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate clean up will occur on log off.
+
-If you enable this policy setting, then root certificate cleanup will occur according to the option selected.
+
+
+
-If you disable or don't configure this setting then root certificate cleanup will occur on a sign out.
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-ADMX Info:
-- GP Friendly name: *Configure root certificate clean up*
-- GP name: *CertPropRootCleanupString*
-- GP path: *Windows Components\Smart Card*
-- GP ADMX file name: *Smartcard.admx*
+**ADMX mapping**:
-
-
-
+| Name | Value |
+|:--|:--|
+| Name | CertPropRootCleanupString |
+| Friendly Name | Configure root certificate clean up |
+| Location | Computer Configuration |
+| Path | Windows Components > Smart Card |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CertProp |
+| ADMX File Name | Smartcard.admx |
+
-
-**ADMX_Smartcard/CertPropRootEnabledString**
+
+
+
-
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+## CertPropRootEnabledString
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/CertPropRootEnabledString
+```
+
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted.
-If you enable or don't configure this policy setting then root certificate propagation will occur when you insert your smart card.
+If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card.
-> [!NOTE]
-> For this policy setting to work this policy setting must also be enabled: "Turn on certificate propagation from smart card".
+**Note**: For this policy setting to work the following policy setting must also be enabled: Turn on certificate propagation from smart card.
-If you disable this policy setting, then root certificates won't be propagated from the smart card.
+If you disable this policy setting then root certificates will not be propagated from the smart card.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Turn on root certificate propagation from smart card*
-- GP name: *CertPropRootEnabledString*
-- GP path: *Windows Components\Smart Card*
-- GP ADMX file name: *Smartcard.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Smartcard/DisallowPlaintextPin**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | CertPropRootEnabledString |
+| Friendly Name | Turn on root certificate propagation from smart card |
+| Location | Computer Configuration |
+| Path | Windows Components > Smart Card |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CertProp |
+| Registry Value Name | EnableRootCertificatePropagation |
+| ADMX File Name | Smartcard.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## DisallowPlaintextPin
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/DisallowPlaintextPin
+```
+
-
-
+
+
This policy setting prevents plaintext PINs from being returned by Credential Manager.
-If you enable this policy setting, Credential Manager doesn't return a plaintext PIN.
+If you enable this policy setting, Credential Manager does not return a plaintext PIN.
-If you disable or don't configure this policy setting, plaintext PINs can be returned by Credential Manager.
+If you disable or do not configure this policy setting, plaintext PINs can be returned by Credential Manager.
-> [!NOTE]
-> Enabling this policy setting could prevent certain smart cards from working on Windows. Please consult your smart card manufacturer to find out whether you will be affected by this policy setting.
+Note: Enabling this policy setting could prevent certain smart cards from working on Windows. Please consult your smart card manufacturer to find out whether you will be affected by this policy setting.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Prevent plaintext PINs from being returned by Credential Manager*
-- GP name: *DisallowPlaintextPin*
-- GP path: *Windows Components\Smart Card*
-- GP ADMX file name: *Smartcard.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Smartcard/EnumerateECCCerts**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | DisallowPlaintextPin |
+| Friendly Name | Prevent plaintext PINs from being returned by Credential Manager |
+| Location | Computer Configuration |
+| Path | Windows Components > Smart Card |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider |
+| Registry Value Name | DisallowPlaintextPin |
+| ADMX File Name | Smartcard.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## EnumerateECCCerts
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/EnumerateECCCerts
+```
+
-
-
-This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign-in to a domain.
+
+
+This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain.
-If you enable this policy setting, ECC certificates on a smart card can be used to sign in to a domain.
+If you enable this policy setting, ECC certificates on a smart card can be used to log on to a domain.
-If you disable or don't configure this policy setting, ECC certificates on a smart card can't be used to sign in to a domain.
+If you disable or do not configure this policy setting, ECC certificates on a smart card cannot be used to log on to a domain.
-> [!NOTE]
-> This policy setting only affects a user's ability to log on to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting.
-> If you use an ECDSA key to log on, you must also have an associated ECDH key to permit logons when you are not connected to the network.
+Note: This policy setting only affects a user's ability to log on to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting.
+Note: If you use an ECDSA key to log on, you must also have an associated ECDH key to permit logons when you are not connected to the network.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Allow ECC certificates to be used for logon and authentication*
-- GP name: *EnumerateECCCerts*
-- GP path: *Windows Components\Smart Card*
-- GP ADMX file name: *Smartcard.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Smartcard/FilterDuplicateCerts**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | EnumerateECCCerts |
+| Friendly Name | Allow ECC certificates to be used for logon and authentication |
+| Location | Computer Configuration |
+| Path | Windows Components > Smart Card |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider |
+| Registry Value Name | EnumerateECCCerts |
+| ADMX File Name | Smartcard.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## FilterDuplicateCerts
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/FilterDuplicateCerts
+```
+
-
-
-This policy setting lets you configure if all your valid logon certificates are displayed.
+
+
+This policy settings lets you configure if all your valid logon certificates are displayed.
-During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This scenario can cause confusion as to which certificate to select for a sign in. The common case for this behavior is when a certificate is renewed and the old one hasn't yet expired. Two certificates are determined to be the same if they're issued from the same template with the same major version and they're for the same user (determined by their UPN).
+During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN).
-If there are two or more of the "same" certificate on a smart card and this policy is enabled, then the certificate that is used for a sign in on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the certificate with the expiration time furthest in the future will be shown.
+If there are two or more of the "same" certificate on a smart card and this policy is enabled then the certificate that is used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the the certificate with the expiration time furthest in the future will be shown.
-> [!NOTE]
-> This setting will be applied after this policy: "Allow time invalid certificates"
+**Note**: This setting will be applied after the following policy: "Allow time invalid certificates"
-If you enable or don't configure this policy setting, filtering will take place.
+If you enable or do not configure this policy setting, filtering will take place.
If you disable this policy setting, no filtering will take place.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Filter duplicate logon certificates*
-- GP name: *FilterDuplicateCerts*
-- GP path: *Windows Components\Smart Card*
-- GP ADMX file name: *Smartcard.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Smartcard/ForceReadingAllCertificates**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | FilterDuplicateCerts |
+| Friendly Name | Filter duplicate logon certificates |
+| Location | Computer Configuration |
+| Path | Windows Components > Smart Card |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider |
+| Registry Value Name | FilterDuplicateCerts |
+| ADMX File Name | Smartcard.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## ForceReadingAllCertificates
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/ForceReadingAllCertificates
+```
+
-
-
-This policy setting allows you to manage the reading of all certificates from the smart card for a sign-in.
+
+
+This policy setting allows you to manage the reading of all certificates from the smart card for logon.
-During a sign-in, Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This setting can introduce a significant performance decrease in certain situations. Contact your smart card vendor to determine if your smart card and associated CSP supports the required behavior.
+During logon Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This can introduce a significant performance decrease in certain situations. Please contact your smart card vendor to determine if your smart card and associated CSP supports the required behavior.
If you enable this setting, then Windows will attempt to read all certificates from the smart card regardless of the feature set of the CSP.
-If you disable or don't configure this setting, Windows will only attempt to read the default certificate from those cards that don't support retrieval of all certificates in a single call. Certificates other than the default won't be available for a sign in.
+If you disable or do not configure this setting, Windows will only attempt to read the default certificate from those cards that do not support retrieval of all certificates in a single call. Certificates other than the default will not be available for logon.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Force the reading of all certificates from the smart card*
-- GP name: *ForceReadingAllCertificates*
-- GP path: *Windows Components\Smart Card*
-- GP ADMX file name: *Smartcard.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Smartcard/IntegratedUnblockPromptString**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | ForceReadingAllCertificates |
+| Friendly Name | Force the reading of all certificates from the smart card |
+| Location | Computer Configuration |
+| Path | Windows Components > Smart Card |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider |
+| Registry Value Name | ForceReadingAllCertificates |
+| ADMX File Name | Smartcard.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## IntegratedUnblockPromptString
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/IntegratedUnblockPromptString
+```
+
-
-
+
+
This policy setting allows you to manage the displayed message when a smart card is blocked.
If you enable this policy setting, the specified message will be displayed to the user when the smart card is blocked.
-> [!NOTE]
-> The following policy setting must be enabled: "Allow Integrated Unblock screen to be displayed at the time of logon".
+**Note**: The following policy setting must be enabled - Allow Integrated Unblock screen to be displayed at the time of logon.
-If you disable or don't configure this policy setting, the default message will be displayed to the user when the smart card is blocked, if the integrated unblock feature is enabled.
+If you disable or do not configure this policy setting, the default message will be displayed to the user when the smart card is blocked, if the integrated unblock feature is enabled.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Display string when smart card is blocked*
-- GP name: *IntegratedUnblockPromptString*
-- GP path: *Windows Components\Smart Card*
-- GP ADMX file name: *Smartcard.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Smartcard/ReverseSubject**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | IntegratedUnblockPromptString |
+| Friendly Name | Display string when smart card is blocked |
+| Location | Computer Configuration |
+| Path | Windows Components > Smart Card |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider |
+| ADMX File Name | Smartcard.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## ReverseSubject
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/ReverseSubject
+```
+
-
-
-This policy setting lets you reverse the subject name from how it's stored in the certificate when displaying it during a sign in.
+
+
+This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon.
-By default the User Principal Name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN isn't present, then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization.
+By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization.
-If you enable this policy setting or don't configure this setting, then the subject name will be reversed.
+If you enable this policy setting or do not configure this setting, then the subject name will be reversed.
-If you disable, the subject name will be displayed as it appears in the certificate.
+If you disable , the subject name will be displayed as it appears in the certificate.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Reverse the subject name stored in a certificate when displaying*
-- GP name: *ReverseSubject*
-- GP path: *Windows Components\Smart Card*
-- GP ADMX file name: *Smartcard.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Smartcard/SCPnPEnabled**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | ReverseSubject |
+| Friendly Name | Reverse the subject name stored in a certificate when displaying |
+| Location | Computer Configuration |
+| Path | Windows Components > Smart Card |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider |
+| Registry Value Name | ReverseSubject |
+| ADMX File Name | Smartcard.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## SCPnPEnabled
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/SCPnPEnabled
+```
+
-
-
+
+
This policy setting allows you to control whether Smart Card Plug and Play is enabled.
-If you enable or don't configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time.
+If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time.
-If you disable this policy setting, Smart Card Plug and Play will be disabled and a device driver won't be installed when a card is inserted in a Smart Card Reader.
+If you disable this policy setting, Smart Card Plug and Play will be disabled and a device driver will not be installed when a card is inserted in a Smart Card Reader.
-> [!NOTE]
-> This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process.
+Note: This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Turn on Smart Card Plug and Play service*
-- GP name: *SCPnPEnabled*
-- GP path: *Windows Components\Smart Card*
-- GP ADMX file name: *Smartcard.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Smartcard/SCPnPNotification**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | SCPnPEnabled |
+| Friendly Name | Turn on Smart Card Plug and Play service |
+| Location | Computer Configuration |
+| Path | Windows Components > Smart Card |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ScPnP |
+| Registry Value Name | EnableScPnP |
+| ADMX File Name | Smartcard.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## SCPnPNotification
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/SCPnPNotification
+```
+
-
-
+
+
This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed.
-If you enable or don't configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed.
+If you enable or do not configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed.
-If you disable this policy setting, a confirmation message won't be displayed when a smart card device driver is installed.
+If you disable this policy setting, a confirmation message will not be displayed when a smart card device driver is installed.
-> [!NOTE]
-> This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process.
+Note: This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Notify user of successful smart card driver installation*
-- GP name: *SCPnPNotification*
-- GP path: *Windows Components\Smart Card*
-- GP ADMX file name: *Smartcard.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Smartcard/X509HintsNeeded**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | SCPnPNotification |
+| Friendly Name | Notify user of successful smart card driver installation |
+| Location | Computer Configuration |
+| Path | Windows Components > Smart Card |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ScPnP |
+| Registry Value Name | ScPnPNotification |
+| ADMX File Name | Smartcard.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## X509HintsNeeded
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/X509HintsNeeded
+```
+
-
-
-This policy setting lets you determine whether an optional field will be displayed during a sign-in and elevation that allows users to enter their user name or user name and domain, thereby associating a certificate with the users.
+
+
+This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user.
-If you enable this policy setting, then an optional field that allows a user to enter their user name or user name and domain will be displayed.
+If you enable this policy setting then an optional field that allows a user to enter their user name or user name and domain will be displayed.
-If you disable or don't configure this policy setting, an optional field that allows users to enter their user name or user name and domain won't be displayed.
+If you disable or do not configure this policy setting, an optional field that allows users to enter their user name or user name and domain will not be displayed.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Allow user name hint*
-- GP name: *X509HintsNeeded*
-- GP path: *Windows Components\Smart Card*
-- GP ADMX file name: *Smartcard.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+**ADMX mapping**:
+| Name | Value |
+|:--|:--|
+| Name | X509HintsNeeded |
+| Friendly Name | Allow user name hint |
+| Location | Computer Configuration |
+| Path | Windows Components > Smart Card |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider |
+| Registry Value Name | X509HintsNeeded |
+| ADMX File Name | Smartcard.admx |
+
-
+
+
+
-## Related topics
+
-[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
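Review bot: The rewritten description text in this hunk introduces wording errors that the removed lines did not have: "This policy settings lets you" and "otherwise the the certificate" in FilterDuplicateCerts, and "If you disable , the subject name" in ReverseSubject. Please carry the corrected sentences over from the old text. The ADMX mapping table for IntegratedUnblockPromptString also has no Registry Value Name row, although every other policy table in this hunk has one; if the ADMX defines a value name, add it so that admins checking `SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider` can confirm the setting landed. Finally, the dependency notes ("Allow time invalid certificates", "Allow Integrated Unblock screen to be displayed at the time of logon", the WHQL restriction) were demoted from `[!NOTE]` callouts to inline text in three different styles ("**Note**: ... :", "**Note**: ... -", "Note:"); pick one form, preferably the callout.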
diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md
index 7d3c267de8..55d1ca2653 100644
--- a/windows/client-management/mdm/policy-csp-admx-snmp.md
+++ b/windows/client-management/mdm/policy-csp-admx-snmp.md
@@ -1,72 +1,49 @@
---
-title: Policy CSP - ADMX_Snmp
-description: Learn about Policy CSP - ADMX_Snmp.
+title: ADMX_Snmp Policy CSP
+description: Learn more about the ADMX_Snmp Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
+ms.date: 01/04/2023
ms.localizationpriority: medium
-ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 09/24/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - ADMX_Snmp
+
> [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
+
+
-
-## ADMX_Snmp policies
+
+## SNMP_Communities
-
- -
- ADMX_Snmp/SNMP_Communities
-
- -
- ADMX_Snmp/SNMP_PermittedManagers
-
- -
- ADMX_Snmp/SNMP_Traps_Public
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Snmp/SNMP_Communities
+```
+
-
-
-
-**ADMX_Snmp/SNMP_Communities**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service.
SNMP is a protocol designed to give a user the capability to remotely manage a computer network, by polling and setting terminal values and monitoring network events.
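Review bot: The two links in the top TIP change from `../understanding-admx-backed-policies.md` to `./understanding-admx-backed-policies.md`, which resolves inside `mdm/` instead of its parent directory, and this part of the diff does not show the target file moving. Confirm the file and its `#enabling-a-policy` anchor exist at the new path, or keep `../`. The opening sentence is also softened to "Some of these are ADMX-backed policies", while each of the three policy sections later in this file carries its own "This is an ADMX-backed policy" tip; keep "These are" here so a reader does not conclude that one of them takes a plain (non-SyncML-encoded) payload.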
@@ -75,57 +52,69 @@ A valid community is a community recognized by the SNMP service, while a communi
If you enable this policy setting, the SNMP agent only accepts requests from management systems within the communities it recognizes, and only SNMP Read operation is allowed for the community.
-If you disable or don't configure this policy setting, the SNMP service takes the Valid Communities configured on the local computer instead.
+If you disable or do not configure this policy setting, the SNMP service takes the Valid Communities configured on the local computer instead.
Best practice: For security purposes, it is recommended to restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\ValidCommunities key to allow only the local admin group full control.
-> [!NOTE]
-> - It is good practice to use a cryptic community name.
-> - This policy setting has no effect if the SNMP agent isn't installed on the client computer.
+Note: It is good practice to use a cryptic community name.
+
+Note: This policy setting has no effect if the SNMP agent is not installed on the client computer.
Also, see the other two SNMP settings: "Specify permitted managers" and "Specify trap configuration".
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify communities*
-- GP name: *SNMP_Communities*
-- GP path: *Network\SNMP*
-- GP ADMX file name: *Snmp.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Snmp/SNMP_PermittedManagers**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | SNMP_Communities |
+| Friendly Name | Specify communities |
+| Location | Computer Configuration |
+| Path | Network > SNMP |
+| Registry Key Name | Software\Policies\SNMP\Parameters |
+| ADMX File Name | Snmp.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## SNMP_PermittedManagers
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Snmp/SNMP_PermittedManagers
+```
+
-
-
+
+
This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer.
Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events.
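Review bot: In the new SNMP_Communities ADMX mapping table, Registry Key Name is `Software\Policies\SNMP\Parameters` and there is no Registry Value Name row, but the best-practice paragraph kept as context in this hunk tells admins to restrict `HKLM\SOFTWARE\Policies\SNMP\Parameters\ValidCommunities`. Give the full subkey in the table, or add a sentence tying the two together, so the ACL recommendation and the mapping point at the same location. The single `[!NOTE]` callout was also split into two plain "Note:" paragraphs; the "cryptic community name" line is security guidance and is easier to miss as body text, so consider keeping it as a callout.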
@@ -134,56 +123,67 @@ The manager is located on the host computer on the network. The manager's role i
If you enable this policy setting, the SNMP agent only accepts requests from the list of permitted managers that you configure using this setting.
-If you disable or don't configure this policy setting, SNMP service takes the permitted managers configured on the local computer instead.
+If you disable or do not configure this policy setting, SNMP service takes the permitted managers configured on the local computer instead.
Best practice: For security purposes, it is recommended to restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\PermittedManagers key to allow only the local admin group full control.
-> [!NOTE]
-> This policy setting has no effect if the SNMP agent isn't installed on the client computer.
+Note: This policy setting has no effect if the SNMP agent is not installed on the client computer.
Also, see the other two SNMP policy settings: "Specify trap configuration" and "Specify Community Name".
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify permitted managers*
-- GP name: *SNMP_PermittedManagers*
-- GP path: *Network\SNMP*
-- GP ADMX file name: *Snmp.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Snmp/SNMP_Traps_Public**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | SNMP_PermittedManagers |
+| Friendly Name | Specify permitted managers |
+| Location | Computer Configuration |
+| Path | Network > SNMP |
+| Registry Key Name | Software\Policies\SNMP\Parameters |
+| ADMX File Name | Snmp.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## SNMP_Traps_Public
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Snmp/SNMP_Traps_Public
+```
+
-
-
+
+
This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent.
Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events.
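Review bot: The closing cross-reference in SNMP_PermittedManagers still names the sibling settings as "Specify trap configuration" and "Specify Community Name", which do not match the Friendly Name values this change adds to the mapping tables ("Specify traps for public community" and "Specify communities"). Since the Friendly Name rows are new here, align the quoted names with them or link to the `## SNMP_Traps_Public` and `## SNMP_Communities` headings so the settings can be found in Group Policy. The mapping table in this hunk also lists Registry Key Name as `Software\Policies\SNMP\Parameters`, while the best-practice line names `HKLM\SOFTWARE\Policies\SNMP\Parameters\PermittedManagers`; the table should show the subkey the ACL advice applies to.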
@@ -192,31 +192,54 @@ This policy setting allows you to configure the name of the hosts that receive t
If you enable this policy setting, the SNMP service sends trap messages to the hosts within the "public" community.
-If you disable or don't configure this policy setting, the SNMP service takes the trap configuration configured on the local computer instead.
+If you disable or do not configure this policy setting, the SNMP service takes the trap configuration configured on the local computer instead.
-> [!NOTE]
-> This setting has no effect if the SNMP agent isn't installed on the client computer.
+Note: This setting has no effect if the SNMP agent is not installed on the client computer.
Also, see the other two SNMP settings: "Specify permitted managers" and "Specify Community Name".
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify traps for public community*
-- GP name: *SNMP_Traps_Public*
-- GP path: *Network\SNMP*
-- GP ADMX file name: *Snmp.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+**ADMX mapping**:
+| Name | Value |
+|:--|:--|
+| Name | SNMP_Traps_Public |
+| Friendly Name | Specify traps for public community |
+| Location | Computer Configuration |
+| Path | Network > SNMP |
+| Registry Key Name | Software\Policies\SNMP\Parameters |
+| ADMX File Name | Snmp.admx |
+
-
+
+
+
-## Related topics
+
-[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
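Review bot: The footer drops the link to "ADMX-backed policies in Policy CSP" (`./policies-in-policy-csp-admx-backed.md`) and replaces it with a link to the general Policy CSP page, so this page no longer points to the ADMX-backed index; keep both links under "Related articles" unless that index has been retired. In the SNMP_Traps_Public body, the `[!NOTE]` stating that the setting has no effect when the SNMP agent is not installed became a bare "Note:" line, and the new mapping table gives only `Software\Policies\SNMP\Parameters` with no Registry Value Name row, which leaves no way to tell from this page where the trap destinations are stored.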