
CredentialProvider

This section specifies the behavior of the Credential Provider. The provider is used by the Microsoft standard dialogs in three different scenarios: selecting a credential, selecting a certificate, and entering a PIN. For smart cards with certificates, selecting a credential is a combination of selecting a certificate and entering a PIN.

This section configures the behavior for selecting a credential. CredentialProvider Certificate specifies the behavior for certificate selection, and CredentialProvider Pin specifies the behavior for entering a PIN.

All parameters in the CredentialProvider section can also be set per application, by prefixing each value with the application name.

Example 1. CredentialProvider syntax
Mode=iid.exe,0x1121;*,0

This example sets Mode=0x1121 for iid.exe application and Mode=0 for all others.

It is a requirement that the credential provider component is included in the installation and that this configuration section is present.

Version

All entries except those used for presentation may have different values depending on the Windows version. A value with a version number as a postfix applies only to that version of Windows.

  • <entry>_v61 → Windows 7

  • <entry>_v62 → Windows 8

  • <entry>_v63 → Windows 8.1

  • <entry>_v100 → Windows 10

Example 2. CredentialProvider Version syntax
Enable=0
Enable_v61=1
Enable_v100=1
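The per-application syntax from Example 1 and the version postfix from Example 2 combine when a value is looked up. The following Python helper is an added example (not part of the product or its documentation) that resolves an entry for a given application and Windows version. It assumes what the page does not state: application names compare case-insensitively, `*` is the fallback entry, and a version-postfixed entry overrides the plain entry for that version. `SAMPLE_SECTION` is a constructed configuration.

```python
"""Resolve a CredentialProvider entry for an application and a Windows version.

Added example, not product code. Assumptions (not stated on the page):
application names are compared case-insensitively, '*' is the fallback
entry, and a version-postfixed entry overrides the plain entry for that
Windows version.
"""

# Windows version -> entry postfix, as listed on the page.
VERSION_POSTFIX = {"7": "_v61", "8": "_v62", "8.1": "_v63", "10": "_v100"}

# Constructed sample of a [CredentialProvider] section (INI-style text).
SAMPLE_SECTION = """
[CredentialProvider]
Enable=0
Enable_v61=1
Enable_v100=1
Mode=iid.exe,0x1121;*,0
Mode_v100=iid.exe,0x1325;*,0
"""


def parse_section(text):
    """Return {key: raw_value} for the [CredentialProvider] section only."""
    entries = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "credentialprovider"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def per_application(raw, application):
    """Apply the 'app,value;app,value;*,value' syntax (Example 1).

    A value without a comma is a plain value that applies to every
    application. (Assumption: entries whose values legitimately contain
    commas, such as full DNs, are not written in per-application form.)
    """
    if "," not in raw:
        return raw
    fallback = None
    for item in raw.split(";"):
        app, _, value = item.partition(",")
        app = app.strip()
        if app == "*":
            fallback = value.strip()
        elif app.lower() == application.lower():
            return value.strip()
    return fallback


def resolve(entries, name, application, windows_version):
    """Prefer the version-postfixed entry, fall back to the plain entry,
    then narrow the result to the calling application."""
    postfix = VERSION_POSTFIX.get(windows_version, "")
    raw = entries.get(name + postfix) if postfix else None
    if raw is None:
        raw = entries.get(name)
    if raw is None:
        return None
    return per_application(raw, application)


def as_int(value):
    """Numeric entries may be decimal or 0x-prefixed hexadecimal."""
    return int(value, 0)


if __name__ == "__main__":
    cfg = parse_section(SAMPLE_SECTION)
    for app, ver in (("iid.exe", "7"), ("iid.exe", "10"), ("other.exe", "10")):
        print(app, "Windows", ver, "Enable=", resolve(cfg, "Enable", app, ver),
              "Mode=", hex(as_int(resolve(cfg, "Mode", app, ver))))
```

With the constructed section, `iid.exe` on Windows 10 resolves to `Mode=0x1325` (from `Mode_v100`), while on Windows 8.1, which has no postfixed entry, it falls back to `Mode=0x1121`; every other application gets `0`.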

Presentation

Presentation is based on the information from [Dialog Presentation], but if the presentation should differ, the same entries can be specified in this section:

  • Image

  • Title

  • SubTitle

  • TextAbove

  • TextBelow

Enable

This entry specifies whether the Credential Provider is enabled.

  • 0 → Credential Provider not available

  • 1 → Credential Provider available

Default value is 1; the Credential Provider is available, but this still requires that the configuration section is present and the component is installed.

Disable

This entry specifies a list of applications that will not use the Credential Provider. Use semicolon (;) to separate the applications.
By default the list is empty; all applications will use Credential Provider.

AutoLogon

This entry specifies the automatic logon behavior in situations where only a single credential is available and the PIN has already been entered. The dialog is still shown, but the PIN entry is filled in automatically and the OK button is pressed automatically.

  • 0 → Will not use automatic logon

  • 1 → Will use automatic logon

Default value is 0; automatic logon is disabled.

Activate

This entry specifies in which scenarios the Credential Provider prompts for the PIN.

  • 0 → Will not prompt

  • 1 → Will prompt PIN for Windows logon

  • 2 → Will prompt PIN for CredUI

  • 3 → Will prompt PIN for all scenarios

Default value is 3; prompt PIN for all scenarios.

DisableAutoLogon

This entry specifies a list of applications that should not use the automatic logon feature. Use semicolon (;) to separate the applications. By default the list contains the Windows logon applications logonui.exe;lsass.exe.

Example 3. CredentialProvider DisableAutoLogon syntax
DisableAutoLogon=lsass.exe;logonui.exe

InitChangePin

This entry is used to force a PIN change for the Credential Provider. It is used together with PinExpire in the SmartCard section.

  • 0 → Will not force PIN change

  • 1 → Will force PIN change for Windows logon

  • 2 → Will force PIN change for CredUI

  • 3 → Will force PIN change for all scenarios

Default value is 3; force PIN change for all scenarios.

Mode

This entry specifies the mode of operation: pass-through provider or full provider. The pass-through provider intercepts the Microsoft standard provider and modifies its behavior; the full provider implements all functionality itself and does not rely on anything else.
For the full provider to work as expected with all available parameters, some additional configuration is also necessary; it is not described here.

  • 0 → Will use pass-through provider

  • 0x???1 → Will use full provider

Default value is 0; will use pass-through provider.

Full CredentialProvider Mode.

Detect insert/remove Access mode:

  • 0x01?? → via PC/SC.

  • 0x02?? → via polling.

  • 0x03?? → via PKCS#11.

Read certificate Access mode:

  • 0x00?? → using CSP.

  • 0x10?? → using PKCS#11.

The values for Detect and Read are combined to form the complete access value.

Example 4. CredentialProvider Mode syntax (Detect via PC/SC and read via CSP)
Mode=0x01??
Example 5. CredentialProvider Mode syntax (Detect via PKCS#11 and read via PKCS#11)
Mode=0x13??

Other modes:

  • 0x??1? → Show certificate even if it does not contain UPN.

  • 0x??2? → Show all certificates, not only first.

  • 0x??4? → Show all card readers, not all unused.

  • 0x??8? → Show only certificates with key usage smart card logon.

Combining Access and Other mode will give the complete Full CredentialProvider mode.

Example 6. CredentialProvider Mode syntax (Detect PCSC, read PKCS11, show all cert)
Mode=0x1121
Example 7. CredentialProvider Mode syntax (Detect PKCS11, read PKCS11, show all cert but require smart card logon)
Mode=0x13A1

Soft token mode, currently only supported for test.

  • 0x???4 → Soft token mode.

Recommended mode for Windows login with soft token (virtual smart card):

Example 8. CredentialProvider Mode syntax (Detect PKCS11, read PKCS11, show all certificates and allow soft tokens.)
Mode=0x1325

[SmartCardReader]>Detect=0 is recommended for optimal performance.

When using Full Credential Provider, CredentialProvider Pin must be disabled, see CredentialProvider Pin — Enable.
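Because Mode packs four independent settings into one hexadecimal value, a misplaced digit silently changes the detection method or the certificate filter. The following Python helper is an added example (not part of the product) that decodes a Mode value into the parts documented above and composes one from named parts; the `?` characters in the page's patterns are placeholders for the other nibbles. The helper names and the decoded dictionary form are this example's own.

```python
"""Decode and build Full CredentialProvider Mode values.

Added example, not product code. The nibble layout is the one documented on
this page; the helper names and the decoded dictionary form are this
example's own.
"""

DETECT_MODES = {0x1: "PC/SC", 0x2: "polling", 0x3: "PKCS#11"}   # 0x0?00 nibble
READ_MODES = {0x0: "CSP", 0x1: "PKCS#11"}                        # 0x?000 nibble
OTHER_FLAGS = {                                                   # 0x00?0 nibble
    0x1: "show certificate without UPN",
    0x2: "show all certificates",
    0x4: "show all card readers",
    0x8: "only smart card logon key usage",
}
FULL_PROVIDER = 0x1   # lowest nibble: 0 = pass-through, 1 = full provider
SOFT_TOKEN = 0x4      # lowest nibble: soft token mode (test only)


def decode_mode(mode):
    """Split a Mode value into its documented parts."""
    low = mode & 0xF
    if not low & FULL_PROVIDER:
        # Page: Mode=0 is the pass-through provider; the remaining nibbles
        # are only documented for the full provider.
        return {"provider": "pass-through"}
    other = (mode >> 4) & 0xF
    return {
        "provider": "full",
        "detect": DETECT_MODES.get((mode >> 8) & 0xF, "unspecified"),
        "read": READ_MODES.get((mode >> 12) & 0xF, "unspecified"),
        "flags": [name for bit, name in OTHER_FLAGS.items() if other & bit],
        "soft_token": bool(low & SOFT_TOKEN),
    }


def build_mode(detect, read, flags=(), soft_token=False):
    """Compose a full-provider Mode from named parts (inverse of decode_mode)."""
    detect_nibble = {v: k for k, v in DETECT_MODES.items()}[detect]
    read_nibble = {v: k for k, v in READ_MODES.items()}[read]
    flag_bits = {v: k for k, v in OTHER_FLAGS.items()}
    other = 0
    for name in flags:
        other |= flag_bits[name]
    low = FULL_PROVIDER | (SOFT_TOKEN if soft_token else 0)
    return (read_nibble << 12) | (detect_nibble << 8) | (other << 4) | low


def format_mode(mode):
    """Render as the page writes it, e.g. 0x13A1."""
    return "0x%04X" % mode


if __name__ == "__main__":
    # The page's own examples 6, 7 and 8.
    for value in (0x1121, 0x13A1, 0x1325):
        print(format_mode(value), decode_mode(value))
```

Decoding the page's Example 7 gives detect via PKCS#11, read via PKCS#11, the flags "show all certificates" and "only smart card logon key usage", and no soft token; building the same parts back yields `0x13A1`.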

WrappedGUID

This entry specifies the GUID of the provider that should be wrapped when used in pass-through mode.
The default value wraps the Microsoft standard providers and depends on the provider scenario and the Windows version.

BlockGUID

This entry specifies the GUID that should be blocked. By default, the provider that is wrapped in pass-through mode is blocked, but this entry may also specify additional providers.

AcceptIssuers

This entry specifies a list of issuers of user certificates that are allowed in the Credential Provider; no other certificates will be shown. The configuration is only valid with the full provider.
Default none; certificates from all issuers are shown.

[CredentialProvider]
Mode=0x???1
AcceptIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2

DefaultIssuers

This entry specifies a list of issuers used when deciding which user certificate should be considered the default certificate in the Credential Provider. The certificate matching the most prioritized value in the list is set as default. The values in the list are prioritized from left to right. The configuration is only valid with the full provider.
Default none; no default certificate defined.

[CredentialProvider]
Mode=0x???1
DefaultIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2

DenyIssuers

This entry specifies a list of issuers of user certificates that are not allowed in the Credential Provider; all other certificates will be shown. The configuration is only valid with the full provider.
Default none; certificates from all issuers are shown.

[CredentialProvider]
Mode=0x???1
DenyIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2
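AcceptIssuers, DenyIssuers and DefaultIssuers share the same `field|RDN` list syntax but apply it differently (allow-list, deny-list, and priority order). The following Python helper is an added example (not part of the product) that applies all three to a constructed set of certificates. It assumes a matching rule the page does not define: an item such as `subject|O=User Org` matches when `O=User Org` is one of the RDN components of the certificate's subject DN, and `issuer|CN=User CA v1` is checked against the issuer DN the same way. The certificate records in `CARD_CERTS` are constructed samples.

```python
"""Apply AcceptIssuers, DenyIssuers and DefaultIssuers to user certificates.

Added example, not product code. Assumed matching rule (not defined on the
page): 'subject|O=User Org' matches when 'O=User Org' is an RDN component of
the certificate's subject DN; 'issuer|...' is matched against the issuer DN.
"""

# Constructed sample: subject/issuer DNs of certificates found on a card.
CARD_CERTS = [
    {"label": "auth-old", "subject": "CN=Alice,O=User Org", "issuer": "CN=User CA v1,O=User Org"},
    {"label": "auth-new", "subject": "CN=Alice,O=User Org", "issuer": "CN=User CA v2,O=User Org"},
    {"label": "test",     "subject": "CN=Alice,O=Lab",      "issuer": "CN=Test CA,O=Lab"},
]


def parse_issuer_list(raw):
    """'subject|O=User Org;issuer|CN=User CA v1' -> [('subject', 'O=User Org'), ...]"""
    items = []
    for item in raw.split(";"):
        item = item.strip()
        if not item:
            continue
        field, sep, rdn = item.partition("|")
        if sep == "" or field not in ("subject", "issuer"):
            raise ValueError("bad issuer list item: %r" % item)
        items.append((field, rdn.strip()))
    return items


def rdn_components(dn):
    """Naive DN split; escaped commas inside attribute values are not handled."""
    return {part.strip() for part in dn.split(",")}


def matches(cert, item):
    field, rdn = item
    return rdn in rdn_components(cert[field])


def visible_certs(certs, accept=None, deny=None):
    """AcceptIssuers: only matching certificates are shown.
    DenyIssuers: matching certificates are hidden.
    Empty lists leave everything visible, as the page's defaults state."""
    accept_items = parse_issuer_list(accept) if accept else []
    deny_items = parse_issuer_list(deny) if deny else []
    shown = []
    for cert in certs:
        if accept_items and not any(matches(cert, i) for i in accept_items):
            continue
        if any(matches(cert, i) for i in deny_items):
            continue
        shown.append(cert)
    return shown


def default_cert(certs, default=None):
    """DefaultIssuers: the leftmost (highest priority) item with a match wins."""
    for item in (parse_issuer_list(default) if default else []):
        for cert in certs:
            if matches(cert, item):
                return cert
    return None


if __name__ == "__main__":
    shown = visible_certs(CARD_CERTS, accept="subject|O=User Org", deny="issuer|CN=User CA v1")
    print("shown:", [c["label"] for c in shown])
    chosen = default_cert(shown, "issuer|CN=User CA v2;issuer|CN=User CA v1")
    print("default:", chosen and chosen["label"])
```

Running the filters with `AcceptIssuers=subject|O=User Org` hides the lab certificate, `DenyIssuers=issuer|CN=User CA v1` removes the older authentication certificate, and `DefaultIssuers=issuer|CN=User CA v2;issuer|CN=User CA v1` selects the newer one because its issuer is listed first.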

RememberLastUsed

This entry is used to remember the last used credential for LogonUI and CredUI. At most 10 credentials are remembered.

  • 0 → Will not remember last used

  • 1 → Will remember last used

Default value is 0; will not remember the last used credential.