CredentialProvider
This section specifies the behavior of the Credential Provider. The provider is used by the Microsoft standard dialogs in three different scenarios: selecting a credential, selecting a certificate, and entering a PIN. For smart cards with certificates, selecting a credential is a combination of selecting a certificate and entering a PIN.
This section configures the behavior for selecting a credential. CredentialProvider Certificate specifies the behavior for certificate selection, and CredentialProvider Pin specifies the behavior for entering a PIN.
All parameters in the CredentialProvider section can also be set per application:
Mode=iid.exe,0x1121;*,0
This example sets Mode=0x1121 for the iid.exe application and Mode=0 for all others.
It is a requirement that the credential provider component is included in the installation and that this configuration section is present.
Version
All entries except those used for presentation may have different values depending on the Windows version. A value with a version number as postfix applies only to that version of Windows.
- <entry>_v61: Windows 7
- <entry>_v62: Windows 8
- <entry>_v63: Windows 8.1
- <entry>_v100: Windows 10
Example:
Enable=0
Enable_v61=1
Enable_v100=1
Presentation
Presentation is based on the information from [Dialog Presentation], but if the presentation should differ, the same entries can be specified in this section:
- Image
- Title
- SubTitle
- TextAbove
- TextBelow
Enable
This entry specifies whether the Credential Provider should be enabled or not.
- 0: Credential Provider not available
- 1: Credential Provider available
Default value is 1; the Credential Provider is available. This still requires that the configuration section is present and the component is installed.
Disable
This entry specifies a list of applications that will not use the Credential Provider. Use semicolon (;) to separate the applications.
By default the list is empty; all applications use the Credential Provider.
AutoLogon
This entry specifies the automatic logon behavior when only a single credential is available and the PIN has already been entered. The dialog is still shown, but the PIN entry is filled in automatically and the OK button is pressed automatically.
- 0: Will not use automatic logon
- 1: Will use automatic logon
Default value is 0; automatic logon is disabled.
Activate
This entry specifies when the Credential Provider prompts for the PIN.
- 0: Will not prompt
- 1: Will prompt for PIN for Windows logon
- 2: Will prompt for PIN for CredUI
- 3: Will prompt for PIN for all scenarios
Default value is 3; prompt for PIN in all scenarios.
DisableAutoLogon
This entry specifies a list of applications that should not use the automatic logon feature. Use semicolon (;) to separate the applications. The default is the Windows logon applications logonui.exe;lsass.exe:
DisableAutoLogon=lsass.exe;logonui.exe
InitChangePin
This entry is used to force a PIN change in the Credential Provider. It is used together with PinExpire in the SmartCard section.
- 0: Will not force PIN change
- 1: Will force PIN change for Windows logon
- 2: Will force PIN change for CredUI
- 3: Will force PIN change for all scenarios
Default value is 3; force PIN change in all scenarios.
Mode
This entry specifies the mode of operation: pass-through provider or full provider. The pass-through provider wraps the Microsoft standard provider and modifies its behavior; the full provider implements all functionality itself and does not rely on anything else.
For the full provider to work as expected with all available parameters, some additional configuration is also necessary; it is not described here.
- 0: Will use pass-through provider
- 0x???1: Will use full provider
Default value is 0; will use pass-through provider.
Full CredentialProvider Mode
Read certificate access mode:
- 0x00??: using CSP.
- 0x10??: using PKCS#11.
The values for Detect and Read are combined to form the complete access value, for example:
Mode=0x01??
Mode=0x13??
Other modes:
- 0x??1?: Show certificate even if it does not contain a UPN.
- 0x??2?: Show all certificates, not only the first.
- 0x??4?: Show all card readers, including unused ones.
- 0x??8?: Show only certificates with key usage smart card logon.
Combining the access value and the other mode value gives the complete Full CredentialProvider mode, for example:
Mode=0x1121
Mode=0x13A1
Soft token mode, currently only supported for test:
- 0x???4: Soft token mode.
Recommended mode for Windows logon with a soft token (virtual smart card):
Mode=0x1325
Detect=0 in the [SmartCardReader] section is recommended for optimal performance.
When using the Full Credential Provider, CredentialProvider Pin must be disabled; see CredentialProvider Pin, Enable.
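The following is an added example, not code from the product or its documentation. It resolves the per-application syntax shown at the top of this page (`Mode=iid.exe,0x1121;*,0`) and splits a full-provider Mode value into the fields documented above. The Detect nibble (0x?X??) is reported as a raw number because its values are not listed on this page, and treating any value without the 0x???1 bit as pass-through is an assumption.

```python
# Added example (not the product's own code): interpret the Mode entry as
# documented on this page. The Detect nibble is passed through unchanged,
# since its values are not listed here.

FULL_PROVIDER = 0x0001   # 0x???1 full provider, otherwise pass-through
SOFT_TOKEN = 0x0004      # 0x???4 soft token mode (test only)
READ_PKCS11 = 0x1000     # 0x10?? read via PKCS#11, 0x00?? via CSP
OTHER_FLAGS = {          # second nibble, 0x??X?
    0x0010: "show certificate even if it has no UPN",
    0x0020: "show all certificates, not only the first",
    0x0040: "show all card readers, including unused ones",
    0x0080: "show only certificates with smart card logon key usage",
}


def value_for_app(entry: str, exe: str) -> str:
    """Resolve 'Key=app,value;*,value' for one executable ('*' is the default)."""
    if "=" in entry:
        entry = entry.partition("=")[2]
    default = None
    for item in entry.split(";"):
        app, _, value = item.partition(",")
        app, value = app.strip(), value.strip()
        if app.lower() == exe.lower():
            return value
        if app == "*":
            default = value
    if default is None:
        raise KeyError(f"no value for {exe} and no '*' default")
    return default


def decode_mode(mode: int) -> dict:
    """Split a Mode value into the fields documented for the full provider."""
    if not 0 <= mode <= 0xFFFF:
        raise ValueError("Mode must be a 16-bit value")
    if not mode & FULL_PROVIDER:
        # Assumption: without the 0x???1 bit the pass-through provider is used.
        return {"provider": "pass-through"}
    return {
        "provider": "full",
        "soft_token": bool(mode & SOFT_TOKEN),
        "read": "PKCS#11" if mode & READ_PKCS11 else "CSP",
        "detect": (mode >> 8) & 0xF,          # raw Detect nibble
        "flags": [name for bit, name in OTHER_FLAGS.items() if mode & bit],
    }


def mode_for_app(entry: str, exe: str) -> dict:
    """Combine both steps: pick the value for an executable, then decode it."""
    return decode_mode(int(value_for_app(entry, exe), 0))
```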
WrappedGUID
This entry specifies the GUID of the provider that should be wrapped when used in pass-through mode.
The default value wraps the Microsoft standard providers and depends on the provider scenario and the Windows version.
BlockGUID
This entry specifies the GUID that should be blocked. By default, the provider that is wrapped in pass-through mode is blocked, but this entry may also specify additional providers.
AcceptIssuers
This entry specifies a list of issuers of user certificates that are allowed to be used in the Credential Provider; no other certificates are shown. The configuration is only valid with the full provider.
Default none; certificates from all issuers are shown.
[CredentialProvider]
Mode=0x???1
AcceptIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2
DefaultIssuers
This entry specifies a list of issuers used when deciding which user certificate should be considered the default certificate in the Credential Provider. The certificate matching the most prioritized value in the list is set as default; the values in the list are prioritized from left to right. The configuration is only valid with the full provider.
Default none; no default certificate is defined.
[CredentialProvider]
Mode=0x???1
DefaultIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2
DenyIssuers
This entry specifies a list of issuers of user certificates that are not allowed to be used in the Credential Provider; all other certificates are shown. The configuration is only valid with the full provider.
Default none; certificates from all issuers are shown.
[CredentialProvider]
Mode=0x???1
DenyIssuers=subject|O=User Org;issuer|CN=User CA v1;issuer|CN=User CA v2