This section specifies the behavior for Credential Provider. This provider is used by Microsoft standard dialogs in three different scenarios: selecting credential, selecting certificate, and enter PIN. In the scenarios of smart cards with certificates; selecting credential will be a combination of both selecting a certificate and enter PIN.
This section is used to configure the behavior for selecting credential. CredentialProvider Certificate is used to specify the behavior for certificate selection, and CredentialProvider Pin is used to specify the behavior for enter PIN.
All parameters in the CredentialProvider section can also be set using the application.
This example sets Mode=0x1121 for iid.exe application and Mode=0 for all others.
It is a requirement that the credential provider component is included in the installation and that this configuration section is present.
All entries except those used for presentation may have different values depending on Windows version. A value with version number as a postfix will only apply to that version of Windows.
<entry>_v61 → Windows 7
<entry>_v62 → Windows 8
<entry>_v63 → Windows 8.1
<entry>_v100 → Windows 10
Enable=0 Enable_v61=1 Enable_v100=1
Presentation will be based on the information from [Dialog Presentation], but if presentation should be different it will be possible to specify the same entries in this section.
This entry specifies whether Credential Provider should be enabled or not.
Credential Provider not available
Credential Provider available
Default value is 1, Credential Provider is available, will still require that the configuration section is present and the component is available.
This entry specifies a list of applications that will not use the Credential Provider. Use semicolon (
;) to separate the applications.
By default the list is empty; all applications will use Credential Provider.
This entry specifies the automatically logon behavior in situations where there is only a single credential available and the PIN already has been entered. The dialog will be shown but the PIN entry will be automatically filled and the OK button will automatically be pressed.
Will not use automatically logon
Will use automatically logon
Default value is 0; automatically logon is disabled.
This entry is used to prompt PIN for Credential Provider.
Will not prompt
Will prompt PIN for windows logon
Will prompt PIN for CredUI
Will prompt PIN for all scenarios
Default value is 3; prompt PIN for all scenarios.
This entry specifies a list of applications that should not use the automatically logon feature. Use semicolon (
;) to separate the applications. Default Windows logon applications
This entry is used to force a PIN change for Credential Provider. Used together with PinExpire in SmartCard section.
Will not force PIN change
Will force PIN change for windows logon
Will force PIN change for CredUI
Will force PIN change for all scenarios
Default value is 3; force PIN change for all scenarios.
This entry specifies the mode of operation, either pass-through provider or full provider. The pass-through provider will intercept the Microsoft standard provider and modify the behavior, but the full provider will implement all functionality itself and will not rely on anything else.
To make the full provider work as expected for all available parameters it is also necessary with some additional configurations that will not be described.
Will use pass-through provider
Will use full provider
Default value is
0; will use pass-through provider.
Full CredentialProvider Mode.
Read certificate Access mode:
The values for
Read are combined to form the complete access value.
Show certificate even if it does not contain UPN.
Show all certificates, not only first.
Show all card readers, not all unused.
Show only certificates with key usage smart card logon.
Combining Access and Other mode will give the complete Full CredentialProvider mode.
Soft token mode, currently only supported for test.
Soft token mode.
Recommended mode for Windows login with soft token (virtual smart card):
[SmartCardReader]>Detect=0 is recommended for optimal performance.
|When using Full Credential Provider, CredentialProvider Pin must be disabled, see CredentialProvider Pin — Enable.|
This entry specifies the guid for the provider that should be wrapped when used in pass-through mode.
The default value will wrap Microsoft standard providers and is depending on provider scenario and Windows version.
This entry specifies the guid which should be blocked. Default will block a possible provider that is wrapped when using pass-through, but this entry may also specify additional providers.
This entry specifies a list of issuers of user certificates that are allowed to be used in Credential Provider, no other certificates will be shown. The configuration is only valid with the full provider.
Default none; certificates from all issuers are shown.
[CredentialProvider] Mode=0x???1 AcceptIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2
This entry specifies a list of issuers that will be used when deciding which user certificate that should be considered as the default certificate in Credential Provider. Will set the certificate that is matching the most prioritized value in the list as default. The values in the list are prioritized from left to right. The configuration is only valid with the full provider.
Default none; no default certificate defined.
[CredentialProvider] Mode=0x???1 DefaultIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2
This entry specifies a list of issuers of user certificates that are not allowed to be used in Credential Provider, all other certificates will be shown. The configuration is only valid with the full provider.
Default none; certificates from all issuers are shown.
[CredentialProvider] Mode=0x???1 DenyIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2