Freshness - light review of legacy content

2025-05-12 21:37:22 +00:00 · 2023-11-06 12:11:52 -05:00 · 2023-11-06 12:11:52 -05:00 · e4d02b2871
commit e4d02b2871
parent c20d38cfdb
14 changed files with 518 additions and 698 deletions
--- a/education/index.yml
+++ b/education/index.yml
@ -8,7 +8,7 @@ metadata:
  title: Microsoft 365 Education Documentation
  description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers.
  ms.topic: hub-page
-  ms.date: 08/10/2022
+  ms.date: 11/06/2023
 productDirectory:
  title: For IT admins
--- a/education/windows/autopilot-reset.md
+++ b/education/windows/autopilot-reset.md
@ -15,7 +15,7 @@ ms.collection:
 IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Microsoft Entra ID and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state.
-To enable Autopilot Reset you must:
+To enable Autopilot Reset, you must:
 1. [Enable the policy for the feature](#enable-autopilot-reset)
 2. [Trigger a reset for each device](#trigger-autopilot-reset)
@ -62,14 +62,13 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
 **To trigger Autopilot Reset**
-1. From the Windows device lock screen, enter the keystroke: **CTRL + Windows key + R**. 
+1. From the Windows device lock screen, enter the keystroke: <kbd>CTRL</kbd> + <kbd>WIN</kbd> + <kbd>R</kbd>.
   ![Enter CTRL+Windows key+R on the Windows lockscreen.](images/autopilot-reset-lockscreen.png)
-   This keystroke will open up a custom sign-in screen for Autopilot Reset. The screen serves two purposes:
+   This keystroke opens up a custom sign-in screen for Autopilot Reset. The screen serves two purposes:
   1. Confirm/verify that the end user has the right to trigger Autopilot Reset
   2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process.
      ![Custom login screen for Autopilot Reset.](images/autopilot-reset-customlogin.png)
@ -83,32 +82,23 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
   After reset, the device:
-   - Sets the region, language, and keyboard.
+   - Sets the region, language, and keyboard
-
+   - Connects to Wi-Fi
-   - Connects to Wi-Fi.
+   - If you provided a provisioning package when Autopilot Reset is triggered, the system applies this new provisioning package. Otherwise, the system reapplies the original provisioning package on the device
   - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will reapply the original provisioning package on the device. 
   - Is returned to a known good managed state, connected to Microsoft Entra ID and MDM.
     ![Notification that provisioning is complete.](images/autopilot-reset-provisioningcomplete.png)
     Once provisioning is complete, the device is again ready for use.
 <span id="winre"/>
 ## Troubleshoot Autopilot Reset
-Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) isn't enabled on the device. You'll see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`.
+Autopilot Reset fails when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) isn't enabled on the device. The error code is: `ERROR_NOT_SUPPORTED (0x80070032)`.
 To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command:
-```console
+```cmd
-reagentc /enable
+reagentc.exe /enable
 ```
 If Autopilot Reset fails after enabling WinRE, or if you're unable to enable WinRE, kindly contact [Microsoft Support](https://support.microsoft.com) for assistance.
 ## Related articles
 [Set up Windows devices for education](set-up-windows-10.md)
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@ -1,7 +1,7 @@
 ---
 title: Set up a shared or guest Windows device
 description: Description of how to configured Shared PC mode, which is a Windows feature that optimizes devices for shared use scenarios.
-ms.date: 10/15/2022
+ms.date: 11/06/2023
 ms.prod: windows-client
 ms.technology: itpro-configure
 ms.topic: reference
--- a/windows/configuration/shared-pc-technical.md
+++ b/windows/configuration/shared-pc-technical.md
@ -1,7 +1,7 @@
 ---
 title: Shared PC technical reference
 description: List of policies and settings applied by the Shared PC options.
-ms.date: 10/15/2022
+ms.date: 11/06/2023
 ms.prod: windows-client
 ms.technology: itpro-configure
 ms.topic: reference
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@ -1,5 +1,5 @@
 ---
-ms.date: 11/22/2022
+ms.date: 11/06/2023
 title: Access Control Overview
 description: Description of the access controls in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer.
 ms.topic: overview
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@ -1,5 +1,5 @@
 ---
-ms.date: 09/24/2021
+ms.date: 11/06/2023
 title: Smart Card and Remote Desktop Services 
 description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
 ms.topic: conceptual
@ -13,9 +13,8 @@ Smart card redirection logic and **WinSCard** API are combined to support multip
 Smart card support is required to enable many Remote Desktop Services scenarios. These include:
-   Using Fast User Switching or Remote Desktop Services. A user is not able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt is not successful in Fast User Switching or from a Remote Desktop Services session.
+- Using Fast User Switching or Remote Desktop Services. A user is not able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt is not successful in Fast User Switching or from a Remote Desktop Services session
-
+- Enabling Encrypting File System (EFS) to locate the user's smart card reader from the Local Security Authority (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files
 -   Enabling Encrypting File System (EFS) to locate the user's smart card reader from the Local Security Authority (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files.
 ## Remote Desktop Services redirection
@ -23,23 +22,16 @@ In a Remote Desktop scenario, a user is using a remote server for running servic
 ![Smart card service redirects to smart card reader.](images/sc-image101.png)
-**Remote Desktop redirection**
+### Remote Desktop redirection
 Notes about the redirection model:
-1.  This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as "Client session"), the user runs **net use /smartcard**.
+1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as "Client session"), the user runs `net use /smartcard`
-
+1. Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer
-2.  Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer.
+1. The authentication is performed by the LSA in session 0
-
+1. The CryptoAPI processing is performed in the LSA (`lsass.exe`). This is possible because RDP redirector (`rdpdr.sys`) allows per-session, rather than per-process, context
-3.  The authentication is performed by the LSA in session 0.
+1. The ScHelper library is a CryptoAPI wrapper that is specific to the Kerberos protocol
-
+1. The redirection decision is made on a per smart card context basis, based on the session of the thread that performs the `SCardEstablishContext` call
 4.  The CryptoAPI processing is performed in the LSA (Lsass.exe). This is possible because RDP redirector (rdpdr.sys) allows per-session, rather than per-process, context.
 5.  The WinScard and SCRedir components, which were separate modules in operating systems earlier than Windows Vista, are now included in one module. The ScHelper library is a CryptoAPI wrapper that is specific to the Kerberos protocol.
 6.  The redirection decision is made on a per smart card context basis, based on the session of the thread that performs the SCardEstablishContext call.
 7.  Changes to WinSCard.dll implementation were made in Windows Vista to improve smart card redirection.
 ## RD Session Host server single sign-in experience
@ -57,13 +49,17 @@ In addition, Group Policy settings that are specific to Remote Desktop Services
 To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer is not in the same domain or workgroup, the following command can be used to deploy the certificate:
-**certutil -dspublish NTAuthCA** "*DSCDPContainer*"
+```cmd
 certutil.exe -dspublish NTAuthCA "DSCDPContainer"
 ```
-The *DSCDPContainer* Common Name (CN) is usually the name of the certification authority.
+The `DSCDPContainer` Common Name (CN) is usually the name of the certification authority.
 Example:
-**certutil -dspublish NTAuthCA** &lt;*CertFile*&gt; **"CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=engineering,DC=contoso,DC=com"**
+```cmd
 certutil -dspublish NTAuthCA <CertFile> "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=engineering,DC=contoso,DC=com"
 ```
 For information about this option for the command-line tool, see [-dsPublish](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_dsPublish).
@ -71,15 +67,19 @@ For information about this option for the command-line tool, see [-dsPublish](/p
 To enable remote access to resources in an enterprise, the root certificate for the domain must be provisioned on the smart card. From a computer that is joined to a domain, run the following command at the command line:
-**certutil -scroots update**
+```cmd
 certutil.exe -scroots update
 ```
 For information about this option for the command-line tool, see [-SCRoots](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_SCRoots).
 For Remote Desktop Services across domains, the KDC certificate of the RD Session Host server must also be present in the client computer's NTAUTH store. To add the store, run the following command at the command line:
-**certutil -addstore -enterprise NTAUTH** &lt;*CertFile*&gt;
+```cmd
 certutil -addstore -enterprise NTAUTH <CertFile>
 ```
-Where &lt;*CertFile*&gt; is the root certificate of the KDC certificate issuer.
+Where *CertFile* is the root certificate of the KDC certificate issuer.
 For information about this option for the command-line tool, see [-addstore](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_addstore).
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@ -3,7 +3,7 @@ title: Smart Card Architecture
 description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
 ms.reviewer: ardenw
 ms.topic: reference-architecture
-ms.date: 09/24/2021
+ms.date: 11/06/2023
 ---
 # Smart Card Architecture
@ -17,19 +17,14 @@ In a networking context, authentication is the act of proving identity to a netw
 For smart cards, Windows supports a provider architecture that meets the secure authentication requirements and is extensible so that you can include custom credential providers. This topic includes information about:
 - [Credential provider architecture](#credential-provider-architecture)
 - [Smart card subsystem architecture](#smart-card-subsystem-architecture)
 <!-- This link probably won't stay current. If it seems useful, it could be un-commented.
 For more information, see [Windows Authentication Architecture](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn751044(v=ws.11)). This topic in the Windows Authentication Technical Overview explains the basic architectural scheme for Windows authentication for past and current versions of Windows.
 -->
 ## Credential provider architecture
 The following table lists the components that are included in the interactive sign-in architecture of the Windows Server and Windows operating systems.
-| **Component**               | **Description**   |
+| Component | Description |
-|------------------------------------------------|-----|
+|--|--|
 | Winlogon | Provides an interactive sign-in infrastructure. |
 | Logon UI | Provides interactive UI rendering. |
 | Credential providers (password and smart card) | Describes credential information and serializing credentials. |
@ -42,8 +37,6 @@ After receiving the SAS, the UI then generates the sign-in tile from the informa
 ![Credential provider architecture.](images/sc-image201.gif)
 **Figure 1**&nbsp;&nbsp;**Credential provider architecture**
 Typically, a user who signs in to a computer by using a local account or a domain account must enter a user name and password. These credentials are used to verify the user's identity. For smart card sign-in, a user's credentials are contained on the smart card's security chip. A smart card reader lets the computer interact with the security chip on the smart card. When users sign in with a smart card, they enter a personal identification number (PIN) instead of a user name and password.
 Credential providers are in-process COM objects that run on the local system and are used to collect credentials. The Logon UI provides interactive UI rendering, Winlogon provides interactive sign-in infrastructure, and credential providers work with both of these components to help gather and process credentials.
@ -52,7 +45,8 @@ Winlogon instructs the Logon UI to display credential provider tiles after it re
 Combined with supporting hardware, credential providers can extend the Windows operating system to enable users to sign in by using biometrics (for example, fingerprint, retinal, or voice recognition), password, PIN, smart card certificate, or any custom authentication package. Enterprises and IT professionals can develop and deploy custom authentication mechanisms for all domain users, and they may explicitly require users to use this custom sign-in mechanism.
-> **Note**&nbsp;&nbsp;Credential providers are not enforcement mechanisms. They are used to gather and serialize credentials. The LSA and authentication packages enforce security.
+> [!NOTE]
 > Credential providers are not enforcement mechanisms. They are used to gather and serialize credentials. The LSA and authentication packages enforce security.
 Credential providers can be designed to support single sign-in (SSO). In this process, they authenticate users to a secure network access point (by using RADIUS and other technologies) for signing in to the computer. Credential providers are also designed to support application-specific credential gathering, and they can be used for authentication to network resources, joining computers to a domain, or to provide administrator consent for User Account Control (UAC).
@ -60,13 +54,14 @@ Multiple credential providers can coexist on a computer.
 Credential providers must be registered on a computer running Windows, and they are responsible for:
-   Describing the credential information that is required for authentication.
+- Describing the credential information that is required for authentication
 - Handling communication and logic with external authentication authorities
 - Packaging credentials for interactive and network sign-in
-   Handling communication and logic with external authentication authorities.
+> [!NOTE]
-
+> The Credential Provider API does not render the UI. It describes what needs to be rendered.\
-   Packaging credentials for interactive and network sign-in.
+> Only the password credential provider is available in safe mode.\
-
+> The smart card credential provider is available in safe mode during networking.
 > **Note**&nbsp;&nbsp;The Credential Provider API does not render the UI. It describes what needs to be rendered. <br>Only the password credential provider is available in safe mode.<br>The smart card credential provider is available in safe mode during networking.
 ## Smart card subsystem architecture
@ -74,19 +69,16 @@ Vendors provide smart cards and smart card readers, and in many cases the vendor
 ### Base CSP and smart card minidriver architecture
-Figure 2 illustrates the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers.
+The following graphic shows the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers.
 ![Base CSP and smart card minidriver architecture.](images/sc-image203.gif)
 **Figure 2**&nbsp;&nbsp;**Base CSP and smart card minidriver architecture**
 ### Caching with Base CSP and smart card KSP
 Smart card architecture uses caching mechanisms to assist in streamlining operations and to improve a user's access to a PIN.
-   [Data caching](#data-caching): The data cache provides for a single process to minimize smart card I/O operations.
+- [Data caching](#data-caching): The data cache provides for a single process to minimize smart card I/O operations
-
+- [PIN caching](#pin-caching): The PIN cache helps the user from having to reenter a PIN each time the smart card is unauthenticated
 -   [PIN caching](#pin-caching): The PIN cache helps the user from having to reenter a PIN each time the smart card is unauthenticated.
 #### Data caching
@ -94,13 +86,10 @@ Each CSP implements the current smart card data cache separately. The Base CSP i
 The existing global cache works as follows:
-1.  The application requests a cryptographic operation. For example, a user certificate is to be read from the smart card.
+1. The application requests a cryptographic operation. For example, a user certificate is to be read from the smart card
-
+1. The CSP checks its cache for the item
-2.  The CSP checks its cache for the item.
+1. If the item is not found in the cache, or if the item is cached but is not up-to-date, the item is read from the smart card
-
+1. After any item has been read from the smart card, it is added to the cache. Any existing out-of-date copy of that item is replaced
 3.  If the item is not found in the cache, or if the item is cached but is not up-to-date, the item is read from the smart card.
 4.  After any item has been read from the smart card, it is added to the cache. Any existing out-of-date copy of that item is replaced.
 Three types of objects or data are cached by the CSP: pins (for more information, see [PIN caching](#pin-caching)), certificates, and files. If any of the cached data changes, the corresponding object is read from the smart card in successive operations. For example, if a file is written to the smart card, the CSP cache becomes out-of-date for the files, and other processes read the smart card at least once to refresh their CSP cache.
@ -114,19 +103,13 @@ To mitigate this, the smart card enters an exclusive state when an application a
 The following example illustrates how this works. In this scenario, there are two applications: Outlook and Internet Explorer. The applications use smart cards for different purposes.
-1.  The user starts Outlook and tries to send a signed e-mail. The private key is on the smart card.
+1. The user starts Outlook and tries to send a signed e-mail. The private key is on the smart card
-
+1. Outlook prompts the user for the smart card PIN. The user enters the correct PIN
-2.  Outlook prompts the user for the smart card PIN. The user enters the correct PIN.
+1. E-mail data is sent to the smart card for the signature operation. The Outlook client formats the response and sends the e-mail
-
+1. The user opens Internet Explorer and tries to access a protected site that requires Transport Layer Security (TLS) authentication for the client
-3.  E-mail data is sent to the smart card for the signature operation. The Outlook client formats the response and sends the e-mail.
+1. Internet Explorer prompts the user for the smart card PIN. The user enters the correct PIN
-
+1. The TLS-related private key operation occurs on the smart card, and the user is authenticated and signed in
-4.  The user opens Internet Explorer and tries to access a protected site that requires Transport Layer Security (TLS) authentication for the client.
+1. The user returns to Outlook to send another signed e-mail. This time, the user is not prompted for a PIN because the PIN is cached from the previous operation. Similarly, if the user uses Internet Explorer again for another operation, Internet Explorer will not prompt the user for a PIN
 5.  Internet Explorer prompts the user for the smart card PIN. The user enters the correct PIN.
 6.  The TLS-related private key operation occurs on the smart card, and the user is authenticated and signed in.
 7.  The user returns to Outlook to send another signed e-mail. This time, the user is not prompted for a PIN because the PIN is cached from the previous operation. Similarly, if the user uses Internet Explorer again for another operation, Internet Explorer will not prompt the user for a PIN.
 The Base CSP internally maintains a per-process cache of the PIN. The PIN is encrypted and stored in memory. The functions that are used to secure the PIN are RtlEncryptMemory, RtlDecryptMemory, and RtlSecureZeroMemory, which will empty buffers that contained the PIN.
@ -135,25 +118,15 @@ The Base CSP internally maintains a per-process cache of the PIN. The PIN is enc
 The following sections in this topic describe how Windows leverages the smart card architecture to select the correct smart card reader software, provider, and credentials for a successful smart card sign-in:
 - [Container specification levels](#container-specification-levels)
 - [Container operations](#container-operations)
 - [Context flags](#context-flags)
 - [Create a new container in silent context](#create-a-new-container-in-silent-context)
 - [Smart card selection behavior](#smart-card-selection-behavior)
 - [Make a smart card reader match](#make-a-smart-card-reader-match)
 - [Make a smart card match](#make-a-smart-card-match)
 - [Open an existing default container (no reader specified)](#open-an-existing-default-container-no-reader-specified)
 - [Open an existing GUID-named container (no reader specified)](#open-an-existing-guid-named-container-no-reader-specified)
 - [Create a new container (no reader specified)](#create-a-new-container-no-reader-specified)
 - [Delete a container](#delete-a-container)
 #### Container specification levels
@ -162,13 +135,15 @@ In response to a CryptAcquireContext call in CryptoAPI, the Base CSP tries to ma
 Similarly, in response to a NCryptOpenKey call in CNG, the smart card KSP tries to match the container the same way, and it takes the same container format, as shown in the following table.
-> **Note**&nbsp;&nbsp;Before opening a key by using the smart card KSP, a call to NCryptOpenStorageProvider (MS\_SMART\_CARD\_KEY\_STORAGE\_PROVIDER) must be made.
+> **Note**&nbsp;&nbsp;
 > [!NOTE]
 > Before opening a key by using the smart card KSP, a call to NCryptOpenStorageProvider (`MS\_SMART\_CARD\_KEY\_STORAGE\_PROVIDER`) must be made.
 | **Type** | **Name** | **Format** |
 |----------|----------|------------|
-| I | Reader Name and Container Name | \\\\.\\&lt;Reader Name&gt;\\&lt;Container Name&gt; |
+| I | Reader Name and Container Name | `\\\\.\\<Reader Name>\\<Container Name>` |
-| II | Reader Name and Container Name (NULL) | \\\\.\\&lt;Reader Name&gt; |
+| II | Reader Name and Container Name (NULL) | `\\\\.\\<Reader Name>` |
-| III | Container Name Only | &lt;Container Name&gt; |
+| III | Container Name Only | `<Container Name>` |
 | IV | Default Container (NULL) Only | NULL |
 The Base CSP and smart card KSP cache smart card handle information about the calling process and about the smart cards the process has accessed. When searching for a smart card container, the Base CSP or smart card KSP first checks its cache for the process. If the cached handle is invalid or no match is found, the SCardUIDlg API is called to get the card handle.
@ -178,10 +153,8 @@ The Base CSP and smart card KSP cache smart card handle information about the ca
 The following three container operations can be requested by using CryptAcquireContext:
 1. Create a new container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT\_NEWKEYSET is NCryptCreatePersistedKey.)
-
+1. Open an existing container. (The CNG equivalent of CryptAcquireContext to open the container is NCryptOpenKey.)
-2.  Open an existing container. (The CNG equivalent of CryptAcquireContext to open the container is NCryptOpenKey.)
+1. Delete a container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT\_DELETEKEYSET is NCryptDeleteKey.)
 3.  Delete a container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT\_DELETEKEYSET is NCryptDeleteKey.)
 The heuristics that are used to associate a cryptographic handle with a particular smart card and reader are based on the container operation requested and the level of container specification used.
@ -211,23 +184,17 @@ In addition to container operations and container specifications, you must consi
 Applications can call the Base CSP with CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL, set the PIN in silent context, and then create a new container in silent context. This operation occurs as follows:
 1. Call CryptAcquireContext by passing the smart card reader name in as a type II container specification level, and specifying the CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL flag.
-
+1. Call CryptSetProvParam by specifying PP\_KEYEXCHANGE\_PIN or PP\_SIGNATURE\_PIN and a null-terminated ASCII PIN.
-2.  Call CryptSetProvParam by specifying PP\_KEYEXCHANGE\_PIN or PP\_SIGNATURE\_PIN and a null-terminated ASCII PIN.
+1. Release the context acquired in Step 1.
-
+1. Call CryptAcquireContext with CRYPT\_NEWKEYSET, and specify the type I container specification level.
-3.  Release the context acquired in Step 1.
+1. Call CryptGenKey to create the key.
 4.  Call CryptAcquireContext with CRYPT\_NEWKEYSET, and specify the type I container specification level.
 5.  Call CryptGenKey to create the key.
 #### Smart card selection behavior
-In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or click **Cancel**. If the user cancels the operation, the operation fails. The flow chart in Figure 3 shows the selection steps performed by the Windows operating system.
+In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or click **Cancel**. If the user cancels the operation, the operation fails. The flow chart shows the selection steps performed by the Windows operating system.
 ![Smart card selection process.](images/sc-image205.png)
 **Figure 3**&nbsp;&nbsp;**Smart card selection behavior**
 In general, smart card selection behavior is handled by the SCardUIDlgSelectCard API. The Base CSP interacts with this API by calling it directly. The Base CSP also sends callback functions that have the purpose of filtering and matching candidate smart cards. Callers of CryptAcquireContext provide smart card matching information. Internally, the Base CSP uses a combination of smart card serial numbers, reader names, and container names to find specific smart cards.
 Each call to SCardUI \* may result in additional information read from a candidate smart card. The Base CSP smart card selection callbacks cache this information.
@ -237,14 +204,10 @@ Each call to SCardUI \* may result in additional information read from a candida
 For type I and type II container specification levels, the smart card selection process is less complex because only the smart card in the named reader can be considered a match. The process for matching a smart card with a smart card reader is:
 1. Find the requested smart card reader. If it cannot be found, the process fails. (This requires a cache search by reader name.)
-
+1. If no smart card is in the reader, the user is prompted to insert a smart card. (This is only in non-silent mode; if the call is made in silent mode, it will fail.)
-2.  If no smart card is in the reader, the user is prompted to insert a smart card. (This is only in non-silent mode; if the call is made in silent mode, it will fail.)
+1. For container specification level II only, the name of the default container on the chosen smart card is determined.
-
+1. To open an existing container or delete an existing container, find the specified container. If the specified container cannot be found on this smart card, the user is prompted to insert a smart card.
-3.  For container specification level II only, the name of the default container on the chosen smart card is determined.
+1. If the system attempts to create a new container, if the specified container already exists on this smart card, the process fails.
 4.  To open an existing container or delete an existing container, find the specified container. If the specified container cannot be found on this smart card, the user is prompted to insert a smart card.
 5.  If the system attempts to create a new container, if the specified container already exists on this smart card, the process fails.
 #### Make a smart card match
@ -255,8 +218,7 @@ For container specification levels III and IV, a broader method is used to match
 > **Note**&nbsp;&nbsp;This operation requires that you use the smart card with the Base CSP.
 1. For each smart card that has been accessed by the Base CSP and the handle and container information are cached, the Base CSP looks for a valid default container. An operation is attempted on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the Base CSP continues to search for a new smart card.
-
+1. If a matching smart card is not found in the Base CSP cache, the Base CSP calls to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with a valid default container.
 2.  If a matching smart card is not found in the Base CSP cache, the Base CSP calls to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with a valid default container.
 #### Open an existing GUID-named container (no reader specified)
@ -264,7 +226,7 @@ For container specification levels III and IV, a broader method is used to match
 1. For each smart card that is already registered with the Base CSP, search for the requested container. Attempt an operation on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the smart card's serial number is passed to the SCardUI \* API to continue searching for this specific smart card (rather than only a general match for the container name).
-2.  If a matching smart card is not found in the Base CSP cache, a call is made to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with the requested container. Or, if a smart card serial number resulted from the search in Step 1, the callback filter attempts to match the serial number, not the container name.
+1. If a matching smart card is not found in the Base CSP cache, a call is made to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with the requested container. Or, if a smart card serial number resulted from the search in Step 1, the callback filter attempts to match the serial number, not the container name.
 #### Create a new container (no reader specified)
@ -275,40 +237,30 @@ If the PIN is not cached, no CRYPT\_SILENT is allowed for the container creation
 For other operations, the caller may be able to acquire a "verify" context against the default container (CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL) and then make a call with CryptSetProvParam to cache the user PIN for subsequent operations.
 1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks:
-
+    1. If the smart card has been removed, continue the search
-    1.  If the smart card has been removed, continue the search.
+    1. If the smart card is present, but it already has the named container, continue the search
-
+    1. If the smart card is available, but a call to CardQueryFreeSpace indicates that the smart card has insufficient storage for an additional key container, continue the search
-    2.  If the smart card is present, but it already has the named container, continue the search.
+    1. Otherwise, use the first available smart card that meets the above criteria for the container creation
-
+1. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards verifies that a candidate smart card does not already have the named container, and that CardQueryFreeSpace indicates the smart card has sufficient space for an additional container. If no suitable smart card is found, the user is prompted to insert a smart card
    3.  If the smart card is available, but a call to CardQueryFreeSpace indicates that the smart card has insufficient storage for an additional key container, continue the search.
    4.  Otherwise, use the first available smart card that meets the above criteria for the container creation.
 2.  If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards verifies that a candidate smart card does not already have the named container, and that CardQueryFreeSpace indicates the smart card has sufficient space for an additional container. If no suitable smart card is found, the user is prompted to insert a smart card.
 #### Delete a container
-1.  If the specified container name is NULL, the default container is deleted. Deleting the default container causes a new default container to be selected arbitrarily. For this reason, this operation is not recommended.
+1. If the specified container name is NULL, the default container is deleted. Deleting the default container causes a new default container to be selected arbitrarily. For this reason, this operation is not recommended
-
+1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks:
-2.  For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks:
+    1.  If the smart card does not have the named container, continue the search
-
+    1.  If the smart card has the named container, but the smart card handle is no longer valid, store the serial number of the matching smart card and pass it to SCardUI
-    1.  If the smart card does not have the named container, continue the search.
+1. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards should verify that a candidate smart card has the named container. If a serial number was povided as a result of the previous cache search, the callback should filter enumerated smart cards on serial number rather than on container matches. If the context is non-silent and no suitable smart card is found, display UI that prompts the user to insert a smart card.
    2.  If the smart card has the named container, but the smart card handle is no longer valid, store the serial number of the matching smart card and pass it to SCardUI \*.
 3.  If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards should verify that a candidate smart card has the named container. If a serial number was provided as a result of the previous cache search, the callback should filter enumerated smart cards on serial number rather than on container matches. If the context is non-silent and no suitable smart card is found, display UI that prompts the user to insert a smart card.
 ### Base CSP and KSP-based architecture in Windows
-Figure 4 shows the Cryptography architecture that is used by the Windows operating system.
+The following diagram shows the Cryptography architecture that is used by the Windows operating system.
 ![Cryptography architecture.](images/sc-image206.gif)
 **Figure 4**&nbsp;&nbsp;**Cryptography architecture**
 ### Base CSP and smart card KSP properties in Windows
-> **Note**&nbsp;&nbsp;The API definitions are located in WinCrypt.h and WinSCard.h.
+> [!NOTE]
 > The API definitions are located in WinCrypt.h and WinSCard.h.
 | **Property**          | **Description**  |
 |-----------------------|------------------|
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@ -3,7 +3,7 @@ title: Certificate Requirements and Enumeration
 description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
 ms.reviewer: ardenw
 ms.topic: concept-article
-ms.date: 09/24/2021
+ms.date: 11/06/2023
 ---
 # Certificate Requirements and Enumeration
@ -12,64 +12,38 @@ This topic for the IT professional and smart card developers describes how certi
 When a smart card is inserted, the following steps are performed.
-> **Note**&nbsp;&nbsp;Unless otherwise mentioned, all operations are performed silently (CRYPT\_SILENT is passed to CryptAcquireContext).
+> [!NOTE]
 > Unless otherwise mentioned, all operations are performed silently (CRYPT\_SILENT is passed to CryptAcquireContext).
 1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP).
-
+1. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is *\\\\.\\&lt;Reader name>\\
-2.  A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is *\\\\.\\&lt;Reader name&gt;*\\
+1. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card will be unusable for smart card sign-in.
-
+1. The name of the container is retrieved by using the PP\_CONTAINER parameter with CryptGetProvParam.
-3.  CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card will be unusable for smart card sign-in.
+1. Using the context acquired in Step 3, the CSP is queried for the PP\_USER\_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8.
-
+1. If the operation in Step 5 fails, the default container context from Step 3 is queried for the AT\_KEYEXCHANGE key.
-4.  The name of the container is retrieved by using the PP\_CONTAINER parameter with CryptGetProvParam.
+1. The certificate is then queried from the key context by using KP\_CERTIFICATE. The certificate is added to an in-memory certificate store.
-
+1. For each certificate in the certificate store from Step 5 or Step 7, the following checks are performed:
 5.  Using the context acquired in Step 3, the CSP is queried for the PP\_USER\_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8.
 6.  If the operation in Step 5 fails, the default container context from Step 3 is queried for the AT\_KEYEXCHANGE key.
 7.  The certificate is then queried from the key context by using KP\_CERTIFICATE. The certificate is added to an in-memory certificate store.
 8.  For each certificate in the certificate store from Step 5 or Step 7, the following checks are performed:
    1. The certificate must be valid, based on the computer system clock (not expired or valid with a future date).
-
+    1. The certificate must not be in the AT\_SIGNATURE part of a container.
-    2.  The certificate must not be in the AT\_SIGNATURE part of a container.
+    1. The certificate must have a valid user principal name (UPN).
-
+    1. The certificate must have the digital signature key usage.
-    3.  The certificate must have a valid user principal name (UPN).
+    1. The certificate must have the smart card logon EKU.
    4.  The certificate must have the digital signature key usage.
    5.  The certificate must have the smart card logon EKU.
    Any certificate that meets these requirements is displayed to the user with the certificate's UPN (or e-mail address or subject, depending on the presence of the certificate extensions).
-    > **Note**&nbsp;&nbsp;These requirements are the same as those in Windows Server 2003, but they are performed before the user enters the PIN. You can override many of them by using Group Policy settings.
+    > [!NOTE]
    > These requirements are the same as those in Windows Server 2003, but they are performed before the user enters the PIN. You can override many of them by using Group Policy settings.
-9.  The process then chooses a certificate, and the PIN is entered.
+1. The process then chooses a certificate, and the PIN is entered.
-
+1. LogonUI.exe packages the information and sends it to Lsass.exe to process the sign-in attempt.
-10.  LogonUI.exe packages the information and sends it to Lsass.exe to process the sign-in attempt.
+1. If successful, LogonUI.exe closes. This causes the context acquired in Step 3 to be released.
 11.  If successful, LogonUI.exe closes. This causes the context acquired in Step 3 to be released.
 ## About Certificate support for compatibility
 Although versions of Windows earlier than Windows Vista include support for smart cards, the types of certificates that smart cards can contain are limited. The limitations are:
 -   Each certificate must have a user principal name (UPN) and the smart card sign-in object identifier (also known as OID) in the extended key usage (EKU) attribute field. There is a Group Policy setting, Allow ECC certificates to be used for logon and authentication, to make the EKU optional.
 -   Each certificate must be stored in the AT\_KEYEXCHANGE portion of the default CryptoAPI container, and non-default CryptoAPI containers are not supported.
 The following table lists the certificate support in older Windows operating system versions.
 | **Operating system**                  | **Certificate support**     |
 |---------------------------------------|----------------------------------------------------------------------------------------------------------|
 | Windows Server 2008 R2 and Windows 7  | Support for smart card sign-in with ECC-based certificates. ECC smart card sign-in is enabled through Group Policy.<br><br>ECDH\_P256<br>ECDH<br>Curve P-256 from FIPS 186-2<br><br>ECDSA\_P256<br>ECDSA<br>Curve P-256 from FIPS 186-2<br><br>ECDH\_P384<br>ECDH<br>Curve P-384 from FIPS 186-2<br><br>ECDH\_P521<br>ECDH<br>Curve P-521 from FIPS 186-2<br><br>ECDSA\_P256<br>ECDH<br>Curve P-256 from FIPS 186-2<br><br>ECDSA\_P384<br>ECDSA<br>Curve P-384 from FIPS 186-2<br><br>ECDSA\_P521<br>ECDSA<br>Curve P-384 from FIPS 186-2 |
 | Windows Server 2008 and Windows Vista | Valid certificates are enumerated and displayed from all smart cards and presented to the user.<br>Keys are no longer restricted to the default container, and certificates in different containers can be chosen.<br>Elliptic curve cryptography (ECC)-based certificates are not supported for smart card sign-in                 |
 ## Smart card sign-in flow in Windows
 Most issues during authentication occur because of session behavior changes. When changes occur, the Local Security Authority (LSA) does not reacquire the session context; it relies instead on the Cryptographic Service Provider to handle the session change.
-Client certificates that do not contain a UPN in the **subjectAltName** (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card.
+Client certificates that do not contain a UPN in the `subjectAltName`` (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card.
 Support for multiple certificates on the same card is enabled by default. New certificate types must be enabled through Group Policy.
@ -79,51 +53,39 @@ The following diagram illustrates how smart card sign-in works in the supported
 ![Smart card sign-in flow.](images/sc-image402.png)
-**Smart card sign-in flow**
+### Smart card sign-in flow
 Following are the steps that are performed during a smart card sign-in:
 1. Winlogon requests the sign-in UI credential information.
-
+1. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following:
 2. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following:
    1.  Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected).
    1.  Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them.
    1.  Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal.
-   2.  Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them.
+    > [!NOTE]
    > Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior after Windows Vista, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created.
-   3.  Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal.
+    1. Notifies the sign-in UI that it has new credentials.
-   > **Note**&nbsp;&nbsp;Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior after Windows Vista, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created.
+1. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box.
-
+1. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN.
-   4. Notifies the sign-in UI that it has new credentials.
+1. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB\_CERTIFICATE\_LOGON structure. The main contents of the KERB\_CERTIFICATE\_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain is not in the same forest because it enables a certificate to be mapped to multiple user accounts.
-
+1. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI.
-3. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box.
+1. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser.
-
+1. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB\_AS\_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)).
 4. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN.
 5. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB\_CERTIFICATE\_LOGON structure. The main contents of the KERB\_CERTIFICATE\_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain is not in the same forest because it enables a certificate to be mapped to multiple user accounts.
 6. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI.
 7. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser.
 8. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB\_AS\_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)).
    If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.<br>If the authentication is performed by using a certificate that uses key encipherment, the preauthentication data consists of the user's public certificate and the certificate that is encrypted with the corresponding private key.
-9. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card subsystem is called, and the necessary operation is completed. The result is sent back to the Kerberos security support provider (SSP).
+1. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card subsystem is called, and the necessary operation is completed. The result is sent back to the Kerberos security support provider (SSP).
 1. The Kerberos SSP sends an authentication request for a ticket-granting-ticket (TGT) (per RFC 4556) to the Key Distribution Center (KDC) service that runs on a domain controller.
 1. The KDC finds the user's account object in Active Directory Domain Services (AD DS), as detailed in [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings), and uses the user's certificate to verify the signature.
 1. The KDC validates the user's certificate (time, path, and revocation status) to ensure that the certificate is from a trusted source. The KDC uses CryptoAPI to build a certification path from the user's certificate to a root certification authority (CA) certificate that resides in the root store on the domain controller. The KDC then uses CryptoAPI to verify the digital signature on the signed authenticator that was included in the preauthentication data fields. The domain controller verifies the signature and uses the public key from the user's certificate to prove that the request originated from the owner of the private key that corresponds to the public key. The KDC also verifies that the issuer is trusted and appears in the NTAUTH certificate store.
 1. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT's authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member.
 1. The domain controller returns the TGT to the client as part of the KRB\_AS\_REP response.
-10. The Kerberos SSP sends an authentication request for a ticket-granting-ticket (TGT) (per RFC 4556) to the Key Distribution Center (KDC) service that runs on a domain controller.
+    > [!NOTE]
-
+    > The KRB\_AS\_REP packet consists of:
 11. The KDC finds the user's account object in Active Directory Domain Services (AD DS), as detailed in [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings), and uses the user's certificate to verify the signature.
 12. The KDC validates the user's certificate (time, path, and revocation status) to ensure that the certificate is from a trusted source. The KDC uses CryptoAPI to build a certification path from the user's certificate to a root certification authority (CA) certificate that resides in the root store on the domain controller. The KDC then uses CryptoAPI to verify the digital signature on the signed authenticator that was included in the preauthentication data fields. The domain controller verifies the signature and uses the public key from the user's certificate to prove that the request originated from the owner of the private key that corresponds to the public key. The KDC also verifies that the issuer is trusted and appears in the NTAUTH certificate store.
 13. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT's authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member.
 14. The domain controller returns the TGT to the client as part of the KRB\_AS\_REP response.
    > **Note**&nbsp;&nbsp;The KRB\_AS\_REP packet consists of:
    >- Privilege attribute certificate (PAC)
    >- User's SID
    >- SIDs of any groups of which the user is a member
@ -132,21 +94,16 @@ Following are the steps that are performed during a smart card sign-in:
    TGT is encrypted with the master key of the KDC, and the session key is encrypted with a temporary key. This temporary key is derived based on RFC 4556. Using CryptoAPI, the temporary key is decrypted. As part of the decryption process, if the private key is on a smart card, a call is made to the smart card subsystem by using the specified CSP to extract the certificate corresponding to the user's public key. (Programmatic calls for the certificate include CryptAcquireContext, CryptSetProvParam with the PIN, CryptgetUserKey, and CryptGetKeyParam.) After the temporary key is obtained, the Kerberos SSP decrypts the session key.
-15. The client validates the reply from the KDC (time, path, and revocation status). It first verifies the KDC's signature by the construction of a certification path from the KDC's certificate to a trusted root CA, and then it uses the KDC's public key to verify the reply signature.
+1. The client validates the reply from the KDC (time, path, and revocation status). It first verifies the KDC's signature by the construction of a certification path from the KDC's certificate to a trusted root CA, and then it uses the KDC's public key to verify the reply signature.
 1. Now that a TGT has been obtained, the client obtains a service ticket, which is used to sign in to the local computer.
 1. With success, LSA stores the tickets and returns a success message to LSALogonUser. After this success message is issued, user profile for the device is selected and set, Group Policy refresh is instantiated, and other actions are performed.
 1. After the user profile is loaded, the Certification Propagation Service (CertPropSvc) detects this event, reads the certificates from the smart card (including the root certificates), and then populates them into the user's certificate store (MYSTORE)
 1. CSP to smart card resource manager communication happens on the LRPC Channel.
 1. On successful authentication, certificates are propagated to the user's store asynchronously by the Certificate Propagation Service (CertPropSvc).
 1. When the card is removed, certificates in the temporary secure cache store are removed. The Certificates are no longer available for sign-in, but they remain in the user's certificate store.
-16. Now that a TGT has been obtained, the client obtains a service ticket, which is used to sign in to the local computer.
+> [!NOTE]
-
+> A SID is created for each user or group at the time a user account or a group account is created within the local security accounts database or within AD DS. The SID never changes, even if the user or group account is renamed.
 17. With success, LSA stores the tickets and returns a success message to LSALogonUser. After this success message is issued, user profile for the device is selected and set, Group Policy refresh is instantiated, and other actions are performed.
 18. After the user profile is loaded, the Certification Propagation Service (CertPropSvc) detects this event, reads the certificates from the smart card (including the root certificates), and then populates them into the user's certificate store (MYSTORE).
 19. CSP to smart card resource manager communication happens on the LRPC Channel.
 20. On successful authentication, certificates are propagated to the user's store asynchronously by the Certificate Propagation Service (CertPropSvc).
 21. When the card is removed, certificates in the temporary secure cache store are removed. The Certificates are no longer available for sign-in, but they remain in the user's certificate store.
 > **Note**&nbsp;&nbsp;A SID is created for each user or group at the time a user account or a group account is created within the local security accounts database or within AD DS. The SID never changes, even if the user or group account is renamed.
 For more information about the Kerberos protocol, see [Microsoft Kerberos](/windows/win32/secauthn/microsoft-kerberos).
@ -157,9 +114,7 @@ By default, the KDC verifies that the client's certificate contains the smart ca
 Active Directory Certificate Services provides three kinds of certificate templates:
 - Domain controller
 - Domain controller authentication
 - Kerberos authentication
 Depending on the configuration of the domain controller, one of these types of certificates is sent as a part of the AS\_REP packet.
@ -172,57 +127,54 @@ Certificate requirements are listed by versions of the Windows operating system.
 The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider.
-
+| Component | Requirements |
-|            **Component**             |                                                                **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11**                                                                 |                                                                                                **Requirements for Windows XP**                                                                                                 |
+|--|--|
-|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| CRL distribution point location | Not required |
-|   CRL distribution point location    |                                                                                               Not required                                                                                               |             The location must be specified, online, and available, for example:<br>\[1\]CRL Distribution Point<br>Distribution Point Name:<br>Full Name:<br>URL=`<http://server1.contoso.com/CertEnroll/caname.crl>`             |
+| Key usage | Digital signature |
-|              Key usage               |                                                                                            Digital signature                                                                                             |                                                                                                       Digital signature                                                                                                        |
+| Basic constraints | Not required |
-|          Basic constraints           |                                                                                               Not required                                                                                               |                                                                              \[Subject Type=End Entity, Path Length Constraint=None\] (Optional)                                                                               |
+| extended key usage (EKU) | The smart card sign-in object identifier is not required.<br><br>**Note** If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. |
-|       extended key usage (EKU)       | The smart card sign-in object identifier is not required.<br><br>**Note**&nbsp;&nbsp;If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. |      -   Client Authentication (1.3.6.1.5.5.7.3.2)<br>The client authentication object identifier is required only if a certificate is used for SSL authentication.<br><br>- Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2)       |
+| Subject alternative name | E-mail ID is not required for smart card sign-in. |
-|       Subject alternative name       |                                                                            E-mail ID is not required for smart card sign-in.                                                                             |           Other Name: Principal Name=(UPN), for example:<br>UPN=user1@contoso.com<br>The UPN OtherName object identifier is 1.3.6.1.4.1.311.20.2.3.<br>The UPN OtherName value must be an ASN1-encoded UTF8 string.            |
+| Subject | Not required |
-|               Subject                |                                                                                               Not required                                                                                               |                                                         Distinguished name of user. This field is a mandatory extension, but the population of this field is optional.                                                         |
+| Key exchange (AT\_KEYEXCHANGE field) | Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.) |
-| Key exchange (AT\_KEYEXCHANGE field) |                               Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.)                                |                                                                                                          Not required                                                                                                          |
+| CRL | Not required |
-|                 CRL                  |                                                                                               Not required                                                                                               |                                                                                                          Not required                                                                                                          |
+| UPN | Not required |
-|                 UPN                  |                                                                                               Not required                                                                                               |                                                                                                          Not required                                                                                                          |
+| Notes | You can enable any certificate to be visible for the smart card credential provider. |
 |                Notes                 |                                                           You can enable any certificate to be visible for the smart card credential provider.                                                           | There are two predefined types of private keys. These keys are Signature Only (AT\_SIGNATURE) and Key Exchange (AT\_KEYEXCHANGE). Smart card sign-in certificates must have a Key Exchange (AT\_KEYEXCHANGE) private key type. |
 ### Client certificate mappings
 Certificate mapping is based on the UPN that is contained in the subjectAltName (SAN) field of the certificate. Client certificates that do not contain information in the SAN field are also supported.
-SSL/TLS can map certificates that do not have SAN, and the mapping is done by using the AltSecID attributes on client accounts. The X509 AltSecID, which is used by SSL/TLS client authentication is of the form "X509: &lt;I&gt;"*&lt;Issuer Name&gt;*"&lt;S&gt;"*&lt;Subject Name&gt;*. The *&lt;Issuer Name&gt;* and *&lt;Subject Name&gt;* are taken from the client certificate, with '\\r' and '\\n' replaced with ','.
+SSL/TLS can map certificates that do not have SAN, and the mapping is done by using the AltSecID attributes on client accounts. The X509 AltSecID, which is used by SSL/TLS client authentication is of the form "X509: `<Issuer Name>` `<Subject Name`. The `<Issuer Name>` and `<Subject Name>` are taken from the client certificate, with '\\r' and '\\n' replaced with ','.
-**Certificate revocation list distribution points**
+#### Certificate revocation list distribution points
 ![Certificate revocation list distribution points.](images/sc-image403.png)
-**UPN in Subject Alternative Name field**
+####  UPN in Subject Alternative Name field
 ![UPN in Subject Alternative Name field.](images/sc-image404.png)
-**Subject and Issuer fields**
+#### Subject and Issuer fields
 ![Subject and Issuer fields.](images/sc-image405.png)
 This account mapping is supported by the KDC in addition to six other mapping methods. The following figure demonstrates a flow of user account mapping logic that is used by the KDC.
-**High-level flow of certificate processing for sign-in**
+#### High-level flow of certificate processing for sign-in
 ![High-level flow of certificate processing for sign-in.](images/sc-image406.png)
 The certificate object is parsed to look for content to perform user account mapping.
-   When a user name is provided with the certificate, the user name is used to locate the account object. This operation is the fastest, because string matching occurs.
+- When a user name is provided with the certificate, the user name is used to locate the account object. This operation is the fastest, because string matching occurs
-
+- When only the certificate object is provided, a series of operations are performed to locate the user name to map the user name to an account object
-   When only the certificate object is provided, a series of operations are performed to locate the user name to map the user name to an account object.
+- When no domain information is available for authentication, the local domain is used by default. If any other domain is to be used for lookup, a domain name hint should be provided to perform the mapping and binding
 -   When no domain information is available for authentication, the local domain is used by default. If any other domain is to be used for lookup, a domain name hint should be provided to perform the mapping and binding.
 Mapping based on generic attributes is not possible because there is no generic API to retrieve attributes from a certificate. Currently, the first method that locates an account successfully stops the search. But a configuration error occurs if two methods map the same certificate to different user accounts when the client does not supply the client name through the mapping hints.
 The following figure illustrates the process of mapping user accounts for sign-in in the directory by viewing various entries in the certificate.
-**Certificate processing logic**
+#### Certificate processing logic
 ![Certificate processing logic.](images/sc-image407.png)
@ -232,21 +184,17 @@ NT\_AUTH policy is best described in the CERT\_CHAIN\_POLICY\_NT\_AUTH parameter
 A single user certificate can be mapped to multiple accounts. For example, a user might be able to sign in to a user account and also to sign in as a domain administrator. The mapping is done by using the constructed AltSecID based on attributes from client accounts. For information about how this mapping is evaluated, see [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings).
-> **Note**&nbsp;&nbsp;Because each account has a different user name, we recommend that you enable the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) to provide the optional fields that allow users to enter their user names and domain information to sign in.
+> [!NOTE]
 > Because each account has a different user name, we recommend that you enable the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) to provide the optional fields that allow users to enter their user names and domain information to sign in.
 Based on the information that is available in the certificate, the sign-in conditions are:
 1. If no UPN is present in the certificate:
-
+    1. Sign-in can occur in the local forest or in another forest if a single user with one certificate needs to sign in to different accounts
-    1.  Sign-in can occur in the local forest or in another forest if a single user with one certificate needs to sign in to different accounts.
+    1. A hint must be supplied if mapping is not unique (for example, if multiple users are mapped to the same certificate)
-
+1. If a UPN is present in the certificate:
-    2.  A hint must be supplied if mapping is not unique (for example, if multiple users are mapped to the same certificate).
+    1. The certificate cannot be mapped to multiple users in the same forest
-
+    1. The certificate can be mapped to multiple users in different forests. For a user to sign in to other forests, an X509 hint must be supplied to the user
 2.  If a UPN is present in the certificate:
    1.  The certificate cannot be mapped to multiple users in the same forest.
    2.  The certificate can be mapped to multiple users in different forests. For a user to sign in to other forests, an X509 hint must be supplied to the user.
 ## Smart card sign-in for multiple users into a single account
@ -258,9 +206,10 @@ For example, if Certificate1 has CN=CNName1, Certificate2 has CN=User1, and Cert
 ## Smart card sign-in across forests
-For account mapping to work across forests, particularly in cases where there is not enough information available on the certificate, the user might enter a hint in the form of a user name, such as *domain\\user*, or a fully qualified UPN such as <em>user@contoso.com</em>.
+For account mapping to work across forests, particularly in cases where there is not enough information available on the certificate, the user might enter a hint in the form of a user name, such as *domain\\user*, or a fully qualified UPN such as `user@contoso.com`.
-> **Note**&nbsp;&nbsp;For the hint field to appear during smart card sign-in, the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) must be enabled on the client.
+> [!NOTE]
 > For the hint field to appear during smart card sign-in, the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) must be enabled on the client.
 ## OCSP support for PKINIT
@ -274,40 +223,29 @@ Windows client computers attempt to request the OCSP responses and use them in t
 For sign-in to work in a smart card-based domain, the smart card certificate must meet the following conditions:
- The KDC root certificate on the smart card must have an HTTP CRL distribution point listed in its certificate.
+- The KDC root certificate on the smart card must have an HTTP CRL distribution point listed in its certificate
-
+- The smart card sign-in certificate must have the HTTP CRL distribution point listed in its certificate
- The smart card sign-in certificate must have the HTTP CRL distribution point listed in its certificate.
+- The CRL distribution point must have a valid CRL published and a delta CRL, if applicable, even if the CRL distribution point is empty
 - The CRL distribution point must have a valid CRL published and a delta CRL, if applicable, even if the CRL distribution point is empty.
 - The smart card certificate must contain one of the following:
-
+  - A subject field that contains the DNS domain name in the distinguished name. If it does not, resolution to an appropriate domain fails, so Remote Desktop Services and the domain sign-in with the smart card fail
-  - A subject field that contains the DNS domain name in the distinguished name. If it does not, resolution to an appropriate domain fails, so Remote Desktop Services and the domain sign-in with the smart card fail.
+  - A UPN where the domain name resolves to the actual domain. For example, if the domain name is `Engineering.Corp.Contoso`, the UPN is `username@engineering.corp.contoso.com`. If any part of the domain name is omitted, the Kerberos client cannot find the appropriate domain
  - A UPN where the domain name resolves to the actual domain. For example, if the domain name is Engineering.Corp.Contoso, the UPN is username@engineering.corp.contoso.com. If any part of the domain name is omitted, the Kerberos client cannot find the appropriate domain.
 Although the HTTP CRL distribution points are on by default in Windows Server 2008, subsequent versions of the Windows Server operating system do not include HTTP CRL distribution points. To allow smart card sign-in to a domain in these versions, do the following:
-1.  Enable HTTP CRL distribution points on the CA.
+1. Enable HTTP CRL distribution points on the CA
-
+1. Restart the CA
-2.  Restart the CA.
+1. Reissue the KDC certificate
-
+1. Issue or reissue the smart card sign-in certificate
-3.  Reissue the KDC certificate.
+1. Propagate the updated root certificate to the smart card that you want to use for the domain sign-in
 4.  Issue or reissue the smart card sign-in certificate.
 5.  Propagate the updated root certificate to the smart card that you want to use for the domain sign-in.
 The workaround is to enable the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key), which allows the user to supply a hint in the credentials user interface for domain sign-in.
-If the client computer is not joined to the domain or if it is joined to a different domain, the client computer can resolve the server domain only by looking at the distinguished name on the certificate, not the UPN. For this scenario to work, the certificate requires a full subject, including DC=*&lt;DomainControllerName&gt;*, for domain name resolution.
+If the client computer is not joined to the domain or if it is joined to a different domain, the client computer can resolve the server domain only by looking at the distinguished name on the certificate, not the UPN. For this scenario to work, the certificate requires a full subject, including `DC=<DomainControllerName>`, for domain name resolution.
 To deploy root certificates on a smart card for the currently joined domain, you can use the following command:
-**certutil -scroots update**
+```cmd
 certutil.exe -scroots update
 ```
 For more information about this option for the command-line tool, see [-SCRoots](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_SCRoots).
 ## See also
 [How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@ -6,7 +6,7 @@ ms.collection:
  - highpri
  - tier2
 ms.topic: troubleshooting
-ms.date: 09/24/2021
+ms.date: 11/06/2023
 ---
 # Smart Card Troubleshooting
@ -16,15 +16,10 @@ This article explains tools and services that smart card developers can use to h
 Debugging and tracing smart card issues requires a variety of tools and approaches. The following sections provide guidance about tools and approaches you can use.
 - [Certutil](#certutil)
 - [Debugging and tracing using Windows software trace preprocessor (WPP)](#debugging-and-tracing-using-wpp)
 - [Kerberos protocol, Key Distribution Center (KDC), and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
 - [Smart Card service](#smart-card-service)
 - [Smart card readers](#smart-card-readers)
 - [CryptoAPI 2.0 Diagnostics](#cryptoapi-20-diagnostics)
 ## Certutil
@ -44,7 +39,7 @@ Each certificate is enclosed in a container. When you delete a certificate on th
 To find the container value, type `certutil -scinfo`.
-To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider"** "&lt;*ContainerValue*&gt;".
+To delete a container, type `certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "<ContainerValue>"`.
 ## Debugging and tracing using WPP
@ -54,9 +49,10 @@ WPP simplifies tracing the operation of the trace provider. It provides a mechan
 Using WPP, use one of the following commands to enable tracing:
- **tracelog.exe -kd -rt -start** &lt;*FriendlyName*&gt; **-guid \#**&lt;*GUID*&gt; **-f .\\**&lt;*LogFileName*&gt;**.etl -flags** &lt;*flags*&gt; **-ft 1**
+```cmd
-
+tracelog.exe -kd -rt -start <FriendlyName> -guid \<GUID> -f .\\<LogFileName*>.etl -flags <flags> -ft 1
- **logman start** &lt;*FriendlyName*&gt; **-ets -p {**&lt;*GUID*&gt;**} -**&lt;*Flags*&gt; **-ft 1 -rt -o .\\**&lt;*LogFileName*&gt;<em>**.etl -mode 0x00080000</em>**
+logman start <FriendlyName> -ets -p {<GUID>} -<Flags> -ft 1 -rt -o .\\<LogFileName><em>.etl -mode 0x00080000</em>
 ```
 You can use the parameters in the following table.
@ -72,77 +68,91 @@ You can use the parameters in the following table.
 | `scfilter`          | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff    |
 | `wudfusbccid`       | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff    |
-Examples
+### Examples
 To enable tracing for the SCardSvr service:
-   **tracelog.exe -kd -rt -start scardsvr -guid \#13038e47-ffec-425d-bc69-5707708075fe -f .\\scardsvr.etl -flags 0xffff -ft 1**
+```cmd
 tracelog.exe -kd -rt -start scardsvr -guid \#13038e47-ffec-425d-bc69-5707708075fe -f .\\scardsvr.etl -flags 0xffff -ft 1
 logman start scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .\\scardsvr.etl -mode 0x00080000
 ```
-   **logman start scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .\\scardsvr.etl -mode 0x00080000**
+To enable tracing for `scfilter.sys`:
-To enable tracing for scfilter.sys:
+```cmd
-
+tracelog.exe -kd -rt -start scfilter -guid \#eed7f3c9-62ba-400e-a001-658869df9a91 -f .\\scfilter.etl -flags 0xffff -ft 1
- - **tracelog.exe -kd -rt -start scfilter -guid \#eed7f3c9-62ba-400e-a001-658869df9a91 -f .\\scfilter.etl -flags 0xffff -ft 1**
+```
 ### Stop the trace
 Using WPP, use one of the following commands to stop the tracing:
-   **tracelog.exe -stop** &lt;*FriendlyName*&gt;
+```cmd
-
+tracelog.exe -stop <*FriendlyName*>
-   **logman -stop** &lt;*FriendlyName*&gt; **-ets**
+logman -stop <*FriendlyName*> -ets
 ```
 #### Examples
 To stop a trace:
-   **tracelog.exe -stop scardsvr**
+```cmd
-
+tracelog.exe -stop scardsvr
-   **logman -stop scardsvr -ets**
+logman -stop scardsvr -ets
 ```
 ## Kerberos protocol, KDC, and NTLM debugging and tracing
 <!-- It's difficult to find any Kerberos content any more. If they reinstate some content that's more relevant and detailed than what's below, link to it instead. -->
 You can use these resources to troubleshoot these protocols and the KDC:
-   [Kerberos and LDAP Troubleshooting Tips](/previous-versions/tn-archive/bb463167(v=technet.10)).
+- [Kerberos and LDAP Troubleshooting Tips](/previous-versions/tn-archive/bb463167(v=technet.10))
 - [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit). You can use the trace log tool in this SDK to debug Kerberos authentication failures.
-   [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit).  You can use the trace log tool in this SDK to debug Kerberos authentication failures.
+To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](/windows-hardware/drivers/devtest/tracelog)
 To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](/windows-hardware/drivers/devtest/tracelog).
 ### NTLM
 To enable tracing for NTLM authentication, run the following command on the command line:
- - **tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1**
+```cmd
 tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1
 ```
 To stop tracing for NTLM authentication, run this command:
- - **tracelog -stop ntlm**
+```cmd
 tracelog -stop ntlm
 ```
 ### Kerberos authentication
 To enable tracing for Kerberos authentication, run this command:
- - **tracelog.exe -kd -rt -start kerb -guid \#6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\\kerb.etl -flags 0x43 -ft 1**
+```cmd
 tracelog.exe -kd -rt -start kerb -guid \#6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\\kerb.etl -flags 0x43 -ft 1
 ```
 To stop tracing for Kerberos authentication, run this command:
- - **tracelog.exe -stop kerb**
+```cmd
 tracelog.exe -stop kerb
 ```
 ### KDC
 To enable tracing for the KDC, run the following command on the command line:
- - **tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1**
+```cmd
 tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1
 ```
 To stop tracing for the KDC, run the following command on the command line:
- - **tracelog.exe -stop kdc**
+```cmd
 tracelog.exe -stop kdc
 ```
-To stop tracing from a remote computer, run this command: logman.exe -s *&lt;ComputerName&gt;*.
+To stop tracing from a remote computer, run this command: logman.exe -s *<ComputerName>*.
 > [!NOTE]
 > The default location for logman.exe is %systemroot%system32\\. Use the **-s** option to supply a computer name.
@ -157,15 +167,13 @@ You can also configure tracing by editing the Kerberos registry values shown in
 | Kerberos    | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos<br>Value name: LogToFile<br>Value type: DWORD<br>Value data: 00000001<br><br>HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters<br>Value name: KerbDebugLevel<br>Value type: DWORD<br>Value data: c0000043<br><br>HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters<br>Value name: LogToFile<br>Value type: DWORD<br>Value data: 00000001 |
 | KDC         | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc<br>Value name: KdcDebugLevel<br>Value type: DWORD<br>Value data: c0000803                  |
-If you used `Tracelog`, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
+If you used `Tracelog`, look for the following log file in your current directory: `kerb.etl/kdc.etl/ntlm.etl`.
 If you used the registry key settings shown in the previous table, look for the trace log files in the following locations:
 - NTLM: %systemroot%\\tracing\\msv1\_0
-
+- Kerberos: %systemroot%\\tracing\\kerberos
-   Kerberos: %systemroot%\\tracing\\kerberos 
+- KDC: %systemroot%\\tracing\\kdcsvc
 -   KDC: %systemroot%\\tracing\\kdcsvc 
 To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](/windows-hardware/drivers/devtest/tracefmt).
@ -173,25 +181,19 @@ To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` i
 The smart card resource manager service runs in the context of a local service. It's implemented as a shared service of the services host (svchost) process.
-**To check if Smart Card service is running**
+To check if Smart Card service is running:
-1.  Press CTRL+ALT+DEL, and then select **Start Task Manager**.
+1. Press CTRL+ALT+DEL, and then select **Start Task Manager**
 1. In the **Windows Task Manager** dialog box, select the **Services** tab
 1. Select the **Name** column to sort the list alphabetically, and then type **s**
 1. In the **Name** column, look for **SCardSvr**, and then look under the **Status** column to see if the service is running or stopped
-2.  In the **Windows Task Manager** dialog box, select the **Services** tab.
+To restart Smart Card service:
-3.  Select the **Name** column to sort the list alphabetically, and then type **s**.
+1. Run as administrator at the command prompt
-
+1. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**
-4.  In the **Name** column, look for **SCardSvr**, and then look under the **Status** column to see if the service is running or stopped.
+1. At the command prompt, type `net stop SCardSvr`
-
+1. At the command prompt, type `net start SCardSvr`
 **To restart Smart Card service**
 1.  Run as administrator at the command prompt.
 2.  If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
 3.  At the command prompt, type `net stop SCardSvr`.
 4.  At the command prompt, type `net start SCardSvr`.
 You can use the following command at the command prompt to check whether the service is running: `sc queryex scardsvr`.
@ -215,15 +217,12 @@ C:\>
 As with any device connected to a computer, Device Manager can be used to view properties and begin the debug process.
-**To check if smart card reader is working**
+To check if smart card reader is working:
-1.  Navigate to **Computer**.
+1. Navigate to **Computer**
-
+1. Right-click **Computer**, and then select **Properties**
-2.  Right-click **Computer**, and then select **Properties**.
+1. Under **Tasks**, select **Device Manager**
-
+1. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then select **Properties**
 3.  Under **Tasks**, select **Device Manager**.
 4.  In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then select **Properties**.
 > [!NOTE]
 > If the smart card reader is not listed in Device Manager, in the **Action** menu, select **Scan for hardware changes**.
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@ -3,7 +3,7 @@ title: Smart Card Group Policy and Registry Settings
 description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
 ms.reviewer: ardenw
 ms.topic: reference
-ms.date: 11/02/2021
+ms.date: 11/06/2023
 ---
 # Smart Card Group Policy and Registry Settings
@ -13,65 +13,44 @@ This article for IT professionals and smart card developers describes the Group
 The following sections and tables list the smart card-related Group Policy settings and registry keys that can be set on a per-computer basis. If you use domain Group Policy Objects (GPOs), you can edit and apply Group Policy settings to local or domain computers.
 - [Primary Group Policy settings for smart cards](#primary-group-policy-settings-for-smart-cards)
  - [Allow certificates with no extended key usage certificate attribute](#allow-certificates-with-no-extended-key-usage-certificate-attribute)
  - [Allow ECC certificates to be used for logon and authentication](#allow-ecc-certificates-to-be-used-for-logon-and-authentication)
  - [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon)
  - [Allow signature keys valid for Logon](#allow-signature-keys-valid-for-logon)
  - [Allow time invalid certificates](#allow-time-invalid-certificates)
  - [Allow user name hint](#allow-user-name-hint)
  - [Configure root certificate clean up](#configure-root-certificate-clean-up)
  - [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked)
  - [Filter duplicate logon certificates](#filter-duplicate-logon-certificates)
  - [Force the reading of all certificates from the smart card](#force-the-reading-of-all-certificates-from-the-smart-card)
  - [Notify user of successful smart card driver installation](#notify-user-of-successful-smart-card-driver-installation)
  - [Prevent plaintext PINs from being returned by Credential Manager](#prevent-plaintext-pins-from-being-returned-by-credential-manager)
  - [Reverse the subject name stored in a certificate when displaying](#reverse-the-subject-name-stored-in-a-certificate-when-displaying)
  - [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card)
  - [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card)
  - [Turn on Smart Card Plug and Play service](#turn-on-smart-card-plug-and-play-service)
 - [Base CSP and Smart Card KSP registry keys](#base-csp-and-smart-card-ksp-registry-keys)
 - [CRL checking registry keys](#crl-checking-registry-keys)
 - [Additional smart card Group Policy settings and registry keys](#additional-smart-card-group-policy-settings-and-registry-keys)
 ## Primary Group Policy settings for smart cards
-The following smart card Group Policy settings are in Computer Configuration\\Administrative Templates\\Windows Components\\Smart Card.
+The following smart card Group Policy settings are in Computer Configuration\Administrative Templates\Windows Components\Smart Card.
 The registry keys are in the following locations:
- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\Policies\\Microsoft\\Windows\\ScPnP\\EnableScPnP**
+- **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScPnP\EnableScPnP**
-
+- **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider**
- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SmartCardCredentialProvider**
+- **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CertProp**
 - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CertProp**
 > [!NOTE]
-> Smart card reader registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\Readers**.<br>
+> Smart card reader registry information is in **HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Calais\Readers**.\
-Smart card registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\SmartCards**.
+> Smart card registry information is in **HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Calais\SmartCards**.
 The following table lists the default values for these GPO settings. Variations are documented under the policy descriptions in this article.
-| **Server type or GPO**    | **Default value** |
+| Server type or GPO | Default value |
-|----------------------------------------------|-------------------|
+|--|--|
 | Default Domain Policy | Not configured |
 | Default Domain Controller Policy | Not configured |
 | Stand-Alone Server Default Settings | Not configured |
@ -91,19 +70,16 @@ You can use this policy setting to allow certificates without an extended key us
 When this policy setting is turned on, certificates with the following attributes can also be used to sign in with a smart card:
 - Certificates with no EKU
 - Certificates with an All Purpose EKU
 - Certificates with a Client Authentication EKU
 When this policy setting isn't turned on, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card.
-| **Item**          | **Description**                 |
+| Item | Description |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+|--|--|
 | Registry key | AllowCertificatesWithNoEKU |
 | Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
 | Notes and resources                  |              |
 ### Allow ECC certificates to be used for logon and authentication
@ -113,9 +89,9 @@ When this setting is turned on, ECC certificates on a smart card can be used to
 When this setting isn't turned on, ECC certificates on a smart card can't be used to sign in to a domain.
-| **Item**          | **Description**                   |
+| Item | Description |
-|--------------------------------------|-------------------------------|
+|--|--|
-| Registry key      | **EnumerateECCCerts**                |
+| Registry key | `EnumerateECCCerts` |
 | Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
 | Notes and resources | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, aren't affected by this policy setting. <br>If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign in when you're not connected to the network. |
@ -128,27 +104,26 @@ When this setting is turned on, the integrated unblock feature is available.
 When this setting isn't turned on, the feature is not available.
-| **Item**          | **Description**    |
+| Item | Description |
-|--------------------------------------|---------------------------------------------------------------------------------------------------------------|
+|--|--|
-| Registry key      | **AllowIntegratedUnblock**              |
+| Registry key | `AllowIntegratedUnblock` |
 | Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
 | Notes and resources | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature.<br>You can create a custom message that the user sees when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). |
 ### Allow signature keys valid for Logon
-You can use this policy setting to allow signature key–based certificates to be enumerated and available for sign-in.
+You can use this policy setting to allow signature key-based certificates to be enumerated and available for sign-in.
 When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen.
 When this setting isn't turned on, certificates available on the smart card with a signature-only key aren't listed on the sign-in screen.
-| **Item**          | **Description**                 |
+| Item | Description |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+|--|--|
-| Registry key      | **AllowSignatureOnlyKeys**|
+| Registry key | **AllowSignatureOnlyKeys** |
 | Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
 | Notes and resources                  |              |
 ### Allow time invalid certificates
@ -161,12 +136,11 @@ When this setting is turned on, certificates are listed on the sign-in screen wh
 When this policy setting isn't turned on, certificates that are expired or not yet valid aren't listed on the sign-in screen.
-| **Item**          | **Description**                 |
+| Item | Description |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+|--|--|
-| Registry key      | **AllowTimeInvalidCertificates** |
+| Registry key | `AllowTimeInvalidCertificates` |
 | Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
 | Notes and resources                  |              |
 ### Allow user name hint
@ -176,12 +150,11 @@ When this policy setting is turned on, users see an optional field where they ca
 When this policy setting isn't turned on, users don't see this optional field.
-| **Item**          | **Description**                 |
+| Item | Description |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+|--|--|
-| Registry key      | **X509HintsNeeded**|
+| Registry key | `X509HintsNeeded` |
 | Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
 | Notes and resources                  |              |
 ### Configure root certificate clean-up
@ -190,19 +163,16 @@ You can use this policy setting to manage the cleanup behavior of root certifica
 When this policy setting is turned on, you can set the following cleanup options:
 - **No cleanup**. When the user signs out or removes the smart card, the root certificates used during their session persist on the computer.
 - **Clean up certificates on smart card removal**. When the smart card is removed, the root certificates are removed.
 - **Clean up certificates on log off**. When the user signs out of Windows, the root certificates are removed.
 When this policy setting isn't turned on, root certificates are automatically removed when the user signs out of Windows.
-| **Item**          | **Description**                 |
+| Item | Description |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+|--|--|
-| Registry key      | **RootCertificateCleanupOption**|
+| Registry key | `RootCertificateCleanupOption` |
 | Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
 | Notes and resources                  |              |
 ### Display string when smart card is blocked
@ -212,12 +182,11 @@ When this policy setting is turned on, you can create and manage the displayed m
 When this policy setting isn't turned on (and the integrated unblock feature is also enabled), the user sees the system's default message when the smart card is blocked.
-| **Item**          | **Description**             |
+| Item | Description |
-|--------------------------------------|-------------------------|
+|--|--|
-| Registry key      | **IntegratedUnblockPromptString**      |
+| Registry key | `IntegratedUnblockPromptString` |
 | Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: This policy setting is only effective when the [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon) policy is enabled. |
 | Notes and resources                  |          |
 ### Filter duplicate logon certificates
@ -234,9 +203,9 @@ If this policy setting isn't turned on, all the certificates are displayed to th
 This policy setting is applied to the computer after the [Allow time invalid certificates](#allow-time-invalid-certificates) policy setting is applied.
-| **Item**          | **Description**               |
+| Item | Description |
-|--------------------------------------|--------------------------------------------------------------------------------------------------|
+|--|--|
-| Registry key      | **FilterDuplicateCerts**|
+| Registry key | `FilterDuplicateCerts` |
 | Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
 | Notes and resources | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate that is used to sign in to computers running Windows 2000, Windows XP, or Windows Server 2003 will be displayed. Otherwise, the certificate with the most distant expiration time will be displayed. |
@ -249,9 +218,9 @@ When this policy setting is turned on, Windows attempts to read all certificates
 When this policy isn't turned on, Windows attempts to read only the default certificate from smart cards that don't support retrieval of all certificates in a single call. Certificates other than the default aren't available for sign-in.
-| **Item**          | **Description**                 |
+| Item | Description |
-|--------------------------------------|----------------------------------------------------------------------------|
+|--|--|
-| Registry key      | **ForceReadingAllCertificates** |
+| Registry key | `ForceReadingAllCertificates` |
 | Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None<br><br>**Important**: Enabling this policy setting can adversely impact performance during the sign-in process in certain situations. |
 | Notes and resources | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior. |
@ -264,9 +233,9 @@ When this policy setting is turned on, the user sees a confirmation message when
 When this setting isn't turned on, the user doesn't see a smart card device driver installation message.
-| **Item**          | **Description**        |
+|--|--|
-|--------------------------------------|------------------------------------------------|
+| -------------------------------------- | ------------------------------------------------ |
-| Registry key      | **ScPnPNotification** |
+| Registry key | `ScPnPNotification` |
 | Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
 | Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
@ -282,9 +251,9 @@ When this policy setting is turned on, Credential Manager doesn't return a plain
 When this setting isn't turned on, Credential Manager can return plaintext PINs.
-| **Item**          | **Description**     |
+| Item | Description |
-|--------------------------------------|-----------------------------------------------------------------------------------|
+|--|--|
-| Registry key      | **DisallowPlaintextPin**|
+| Registry key | `DisallowPlaintextPin` |
 | Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
 | Notes and resources | If this policy setting is enabled, some smart cards might not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. |
@ -300,13 +269,11 @@ When this policy setting is turned on, the subject name during sign-in appears r
 When this policy setting isn't turned on, the subject name appears the same as it's stored in the certificate.
-
+| Item | Description |
-| **Item**          | **Description**                 |
+|--|--|
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| Registry key | `ReverseSubject` |
 | Registry key      | **ReverseSubject** |
 | Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
 | Notes and resources                  |              |
 ### Turn on certificate propagation from smart card
@ -318,12 +285,11 @@ When this policy setting is turned on, certificate propagation occurs when the u
 When this policy setting is turned off, certificate propagation doesn't occur, and the certificates aren't available to applications, like Outlook.
-| **Item**          | **Description**    |
+| Item | Description |
-|--------------------------------------|----------------|
+|--|--|
-| Registry key      | **CertPropEnabled**|
+| Registry key | `CertPropEnabled` |
 | Default values | No changes per operating system versions<br>Enabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: This policy setting must be enabled to allow the [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card) setting to work when it is enabled. |
 | Notes and resources                  | |
 ### Turn on root certificate propagation from smart card
@ -336,9 +302,9 @@ When this policy setting is turned on, root certificate propagation occurs when
 When this policy setting isn't turned on, root certificate propagation doesn't occur when the user inserts the smart card.
-| **Item**          | **Description**   |
+| Item | Description |
-|--------------------------------------|---------------------------------------------------------------------------------------------------------|
+|--|--|
-| Registry key      | **EnableRootCertificate Propagation** |
+| Registry key | `EnableRootCertificate Propagation` |
 | Default values | No changes per operating system versions<br>Enabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: For this policy setting to work, the [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card) policy setting must also be enabled. |
 | Notes and resources |  |
@ -354,9 +320,9 @@ When this policy setting is turned on, the system attempts to install a smart ca
 When this policy setting isn't turned on, a device driver isn't installed when a smart card is inserted in a smart card reader.
-| **Item**          | **Description**        |
+| Item | Description |
-|--------------------------------------|------------------------------------------------|
+|--|--|
-| Registry key      | **EnableScPnP** |
+| Registry key | `EnableScPnP` |
 | Default values | No changes per operating system versions<br>Enabled and not configured are equivalent |
 | Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
 | Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
@ -365,14 +331,14 @@ When this policy setting isn't turned on, a device driver isn't installed when a
 The following registry keys can be configured for the base cryptography service provider (CSP) and the smart card key storage provider (KSP). The following tables list the keys. All keys use the DWORD type.
-The registry keys for the Base CSP are in the registry in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider**.
+The registry keys for the Base CSP are in the registry in `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider`.
-The registry keys for the smart card KSP are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Cryptography\\Providers\\Microsoft Smart Card Key Storage Provider**.
+The registry keys for the smart card KSP are in `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\Microsoft Smart Card Key Storage Provider`.
-**Registry keys for the base CSP and smart card KSP**
+### Registry keys for the base CSP and smart card KSP
-| **Registry Key**                   | **Description**                 |
+| Registry Key | Description |
-|------------------------------------|---------------------------------------------------------------------------------|
+|--|--|
 | **AllowPrivateExchangeKeyImport** | A non-zero value allows RSA exchange (for example, encryption) private keys to be imported for use in key archival scenarios.<br>Default value: 00000000 |
 | **AllowPrivateSignatureKeyImport** | A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios.<br>Default value: 00000000 |
 | **DefaultPrivateKeyLenBits** | Defines the default length for private keys, if desired.<br>Default value: 00000400<br>Default key generation parameter: 1024-bit keys |
@ -381,8 +347,8 @@ The registry keys for the smart card KSP are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\
 **Additional registry keys for the smart card KSP**
-| **Registry Key**               | **Description**             |
+| Registry Key | Description |
-|--------------------------------|-----------------------------------------------------|
+|--|--|
 | **AllowPrivateECDHEKeyImport** | This value allows Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) private keys to be imported for use in key archival scenarios.<br>Default value: 00000000 |
 | **AllowPrivateECDSAKeyImport** | This value allows Elliptic Curve Digital Signature Algorithm (ECDSA) private keys to be imported for use in key archival scenarios.<br>Default value: 00000000 |
@ -390,52 +356,50 @@ The registry keys for the smart card KSP are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\
 The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you must configure settings for both the KDC and the client.
-**CRL checking registry keys**
+### CRL checking registry keys
-| **Registry Key**         | **Details**                 |
+| Registry Key | Details |
-|------------|-----------------------------|
+|--|--|
-| **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Services\\Kdc\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors**| Type = DWORD<br>Value = 1 |
+| `HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Kdc\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors` | Type = DWORD<br>Value = 1 |
-| **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Control\\LSA\\Kerberos\\Parameters\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors**| Type = DWORD<br>Value = 1 |
+| `HKEY_LOCAL_MACHINE\SYSTEM\CCS\Control\LSA\Kerberos\Parameters\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors` | Type = DWORD<br>Value = 1 |
 ## Additional smart card Group Policy settings and registry keys
 In a smart card deployment, additional Group Policy settings can be used to enhance ease-of-use or security. Two of these policy settings that can complement a smart card deployment are:
 - Turning off delegation for computers
 - Interactive logon: Do not require CTRL+ALT+DEL (not recommended)
-The following smart card-related Group Policy settings are in Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options.
+The following smart card-related Group Policy settings are in **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options**.
-**Local security policy settings**
+### Local security policy settings
 | Group Policy setting and registry key | Default | Description |
-|------------------------------------------|------------|---------------|
+|--|--|--|
 | Interactive logon: Require smart card<br><br>**scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.<br><br>**Enabled**  Users can sign in to the computer only by using a smart card.<br>**Disabled**  Users can sign in to the computer by using any method.<br><br>NOTE: the Windows LAPS-managed local account is exempted from this policy when Enabled. For more information see [Windows LAPS integration with smart card policy](/windows-server/identity/laps/laps-concepts#windows-laps-integration-with-smart-card-policy).<br> |
 | Interactive logon: Smart card removal behavior<br><br>**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:<br>**No Action**<br>**Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.<br>**Force Logoff**: The user is automatically signed out when the smart card is removed.<br>**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.<br><br>**Note**: In earlier versions of Windows Server, Remote Desktop Services was called Terminal Services. |
 From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers.
-The following smart card-related Group Policy settings are in Computer Configuration\\Administrative Templates\\System\\Credentials Delegation.
+The following smart card-related Group Policy settings are in **Computer Configuration\Administrative Templates\System\Credentials Delegation**.
-Registry keys are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults**.
+Registry keys are in `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Credssp\PolicyDefaults`.
 > [!NOTE]
 > In the following table, fresh credentials are those that you are prompted for when running an application.
-**Credential delegation policy settings**
+### Credential delegation policy settings
 | Group Policy setting and registry key | Default | Description |
-|----------------------------------------------------------------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|--|--|--|
 | Allow Delegating Fresh Credentials<br><br>**AllowFreshCredentials** | Not configured | This policy setting applies: <br>When server authentication was achieved through a trusted X509 certificate or Kerberos protocol.<br>To applications that use the CredSSP component (for example, Remote Desktop Services).<br><br>**Enabled**: You can specify the servers where the user's fresh credentials can be delegated. <br>**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer.<br>**Disabled**: Delegation of fresh credentials to any computer isn't permitted.<br><br>**Note**: This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example:<br>Use \*TERMSRV/\*\* for Remote Desktop Session Host (RD Session Host) running on any computer. <br>Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer.<br>Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com |
 | Allow Delegating Fresh Credentials with NTLM-only Server Authentication<br><br>**AllowFreshCredentialsWhenNTLMOnly** | Not configured | This policy setting applies:<br>When server authentication was achieved by using NTLM.<br>To applications that use the CredSSP component (for example, Remote Desktop).<br><br>**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.<br>**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*).<br>**Disabled**: Delegation of fresh credentials isn't permitted to any computer.<br><br>**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN.<br>See the **Allow Delegating Fresh Credentials** policy setting description for examples. |
 | Deny Delegating Fresh Credentials<br><br>**DenyFreshCredentials** | Not configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).<br><br>**Enabled**: You can specify the servers where the user's fresh credentials can't be delegated.<br>**Disabled** or **Not configured**: A server is not specified.<br><br>**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can't be delegated. A single wildcard character (\*) is permitted when specifying the SPN.<br>For examples, see the "Allow delegating fresh credentials" policy setting. |
-If you're using Remote Desktop Services with smart card logon, you can't delegate default and saved credentials. The registry keys in the following table, which are at **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults**, and the corresponding Group Policy settings are ignored.
+If you're using Remote Desktop Services with smart card logon, you can't delegate default and saved credentials. The registry keys in the following table, which are at `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Credssp\PolicyDefaults`, and the corresponding Group Policy settings are ignored.
-| **Registry key** | **Corresponding Group Policy setting**                 |
+| Registry Key| **Corresponding Group Policy setting** |
-|-------------------------------------|---------------------------------------------------------------------------|
+|--|--|
 | **AllowDefaultCredentials** | Allow Delegating Default Credentials |
 | **AllowDefaultCredentialsWhenNTLMOnly** | Allow Delegating Default Credentials with NTLM-only Server Authentication |
 | **AllowSavedCredentials** | Allow Delegating Saved Credentials |
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@ -3,23 +3,18 @@ title: How Smart Card Sign-in Works in Windows
 description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
 ms.reviewer: ardenw
 ms.topic: overview
-ms.date: 09/24/2021
+ms.date: 1/06/2023
 ---
 # How Smart Card Sign-in Works in Windows
 This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use:
-   [Smart Card Architecture](smart-card-architecture.md): Learn about enabling communications with smart cards and smart card readers, which can be different according to the vendor that supplies them.
+- [Smart Card Architecture](smart-card-architecture.md): Learn about enabling communications with smart cards and smart card readers, which can be different according to the vendor that supplies them
-
+- [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md): Learn about requirements for smart card certificates based on the operating system, and about the operations that are performed by the operating system when a smart card is inserted into the computer
-   [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md): Learn about requirements for smart card certificates based on the operating system, and about the operations that are performed by the operating system when a smart card is inserted into the computer.
+- [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md): Learn about using smart cards for remote desktop connections
-
+- [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md): Learn about how the Smart Cards for Windows service is implemented
-   [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md): Learn about using smart cards for remote desktop connections.
+- [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer
-
+- [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card
 -   [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md): Learn about how the Smart Cards for Windows service is implemented.
 -   [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer.
 -   [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card.
 [!INCLUDE [smart-cards-for-windows-service](../../../../includes/licensing/smart-cards-for-windows-service.md)]
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@ -3,7 +3,7 @@ title: Smart Cards for Windows Service
 description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
 ms.reviewer: ardenw
 ms.topic: concept-article
-ms.date: 09/24/2021
+ms.date: 11/06/2023
 ---
 # Smart Cards for Windows Service
@ -69,33 +69,30 @@ The Smart Cards for Windows service runs in the context of a local service, and
  </registryKeys>
 ```
-> **Note**&nbsp;&nbsp;For winscard.dll to be invoked as the proper class installer, the INF file for a smart card reader must specify the following for **Class** and **ClassGUID**:<br>
+> [!NOTE]
-`Class=SmartCardReader`<br>`ClassGuid={50DD5230-BA8A-11D1-BF5D-0000F805F530}`
+> For winscard.dll to be invoked as the proper class installer, the INF file for a smart card reader must specify the following for **Class** and **ClassGUID**:
 >
 > `Class=SmartCardReader`
 > `ClassGuid={50DD5230-BA8A-11D1-BF5D-0000F805F530}`
 By default, the service is configured for manual mode. Creators of smart card reader drivers must configure their INFs so that they start the service automatically and winscard.dll files call a predefined entry point to start the service during installation. The entry point is defined as part of the **SmartCardReader** class, and it is not called directly. If a device advertises itself as part of this class, the entry point is automatically invoked to start the service when the device is inserted. Using this method ensures that the service is enabled when it is needed, but it is also disabled for users who do not use smart cards.
 When the service is started, it performs several functions:
-1.  It registers itself for service notifications.
+1. It registers itself for service notifications
 1. It registers itself for Plug and Play (PnP) notifications related to device removal and additions
 1. It initializes its data cache and a global event that signals that the service has started
-2.  It registers itself for Plug and Play (PnP) notifications related to device removal and additions.
+> [!NOTE]
-
+> For smart card implementations, consider sending all communications in Windows operating systems with smart card readers through the Smart Cards for Windows service. This provides an interface to track, select, and communicate with all drivers that declare themselves members of the smart card reader device group.
 3.  It initializes its data cache and a global event that signals that the service has started.
 > **Note**&nbsp;&nbsp;For smart card implementations, consider sending all communications in Windows operating systems with smart card readers through the Smart Cards for Windows service. This provides an interface to track, select, and communicate with all drivers that declare themselves members of the smart card reader device group.
 The Smart Cards for Windows service categorizes each smart card reader slot as a unique reader, and each slot is also managed separately, regardless of the device's physical characteristics. The Smart Cards for Windows service handles the following high-level actions:
 - Device introduction
 - Reader initialization
 - Notifying clients of new readers
 - Serializing access to readers
 - Smart card access
 - Tunneling of reader-specific commands
 ## See also
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@ -3,7 +3,7 @@ title: Smart Card Tools and Settings
 description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
 ms.reviewer: ardenw
 ms.topic: conceptual
-ms.date: 09/24/2021
+ms.date: 11/06/2023
 ---
 # Smart Card Tools and Settings
@ -12,11 +12,9 @@ This topic for the IT professional and smart card developer links to information
 This section of the Smart Card Technical Reference contains information about the following:
-   [Smart Cards Debugging Information](smart-card-debugging-information.md): Learn about tools and services in supported versions of Windows to help identify certificate issues.
+- [Smart Cards Debugging Information](smart-card-debugging-information.md): Learn about tools and services in supported versions of Windows to help identify certificate issues
-
+- [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md): Learn about smart card-related Group Policy settings and registry keys that can be set on a per-computer basis, including how to edit and apply Group Policy settings to local or domain computers
-   [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md): Learn about smart card-related Group Policy settings and registry keys that can be set on a per-computer basis, including how to edit and apply Group Policy settings to local or domain computers.
+- [Smart Card Events](smart-card-events.md): Learn about events that can be used to manage smart cards in an organization, including how to monitor installation, use, and errors
 -   [Smart Card Events](smart-card-events.md): Learn about events that can be used to manage smart cards in an organization, including how to monitor installation, use, and errors.
 ## See also
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@ -3,7 +3,7 @@ title: Smart Card Technical Reference
 description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
 ms.reviewer: ardenw
 ms.topic: reference
-ms.date: 09/24/2021
+ms.date: 11/06/2023
 ---
 # Smart Card Technical Reference
@ -15,7 +15,6 @@ The Smart Card Technical Reference describes the Windows smart card infrastructu
 This document explains how the Windows smart card infrastructure works. To understand this information, you should have basic knowledge of public key infrastructure (PKI) and smart card concepts. This document is intended for:
 - Enterprise IT developers, managers, and staff who are planning to deploy or are using smart cards in their organization.
 - Smart card vendors who write smart card minidrivers or credential providers.
 ## What are smart cards?
@ -24,11 +23,9 @@ Smart cards are tamper-resistant portable storage devices that can enhance the s
 Smart cards provide:
-   Tamper-resistant storage for protecting private keys and other forms of personal information.
+- Tamper-resistant storage for protecting private keys and other forms of personal information
-
+- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card
-   Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card.
+- Portability of credentials and other private information between computers at work, home, or on the road
 -   Portability of credentials and other private information between computers at work, home, or on the road.
 Smart cards can be used to sign in to domain accounts only, not local accounts. When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates.
@ -38,26 +35,16 @@ Smart cards can be used to sign in to domain accounts only, not local accounts.
 ## In this technical reference
-This reference contains the following topics.
+This reference contains the following topics:
 - [How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
  - [Smart Card Architecture](smart-card-architecture.md)
  - [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md)
  - [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md)
  - [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md)
  - [Certificate Propagation Service](smart-card-certificate-propagation-service.md)
  - [Smart Card Removal Policy Service](smart-card-removal-policy-service.md)
 - [Smart Card Tools and Settings](smart-card-tools-and-settings.md)
  - [Smart Cards Debugging Information](smart-card-debugging-information.md)
  - [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md)
  - [Smart Card Events](smart-card-events.md)