Additional Features - GPO settings

1. Force SmartCard at Logon

Using Group Policy, users can be forced to log on with a smart card. To configure this, create a new group policy that only allows smart card logon. Users or groups can then be assigned to the policy as required, or temporarily removed from it to allow password logon if the smart card has been forgotten at home.

To create the “Smart Card Only Logon” group policy:

Start the Group Policy Manager

Browse to Group Policy Management → Forest: <your-domainname> → Domains → <your-domainname> → Group Policy Objects

Right Click the right side of the window → Click “New”

In the “New GPO” window set the Name to “GlobalIDSmartLogon” and Source Starter GPO to “(none)”, then click “OK”

Right Click the new GlobalIDSmartLogon in the list and click “Edit”

Browse to: Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options

Select “Interactive logon: Require Windows Hello for Business or smart card”

Enable the setting

Based on your security requirements, configure the “Interactive Logon: Smart Card Removal Option”. When the smart card is removed from the reader, the options are:

  • “No Action”

  • “Lock Workstation”

  • “Force logoff”

  • “Disconnect if a remote ‘Remote Desktop Services’ Session”.

The recommendation is the “Lock Workstation” option.
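The same GPO can be created without the console. The script below is an added example, not part of the original page or of Liga Software's own tooling: it assumes the GroupPolicy RSAT module on a domain-joined admin workstation and the well-known registry values that these two Security Options write (scforceoption under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System for the smart card requirement, and ScRemoveOption under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon for the removal behaviour). The GPO name, the optional OU link target and the function name are the example's own choices.

```powershell
# Added example (not from the original page): create the GlobalIDSmartLogon GPO
# and set the two Security Options from section 1 without the GUI.
# Assumed registry mappings (what the Security Options node itself writes):
#   Require smart card -> ...\Policies\System\scforceoption (DWORD, 1 = enabled)
#   Removal behaviour  -> ...\Winlogon\ScRemoveOption (REG_SZ)
#                         "0" No Action, "1" Lock Workstation,
#                         "2" Force Logoff, "3" Disconnect RDS session

Import-Module GroupPolicy

$removalOptions = @{ NoAction = '0'; LockWorkstation = '1'; ForceLogoff = '2'; DisconnectRds = '3' }

function New-SmartCardLogonGpo {
    param(
        [string] $Name = 'GlobalIDSmartLogon',
        [ValidateSet('NoAction', 'LockWorkstation', 'ForceLogoff', 'DisconnectRds')]
        [string] $OnRemoval = 'LockWorkstation',   # the page's recommendation
        [string] $LinkTarget                        # optional OU DN, e.g. 'OU=Workstations,DC=example,DC=com' (placeholder)
    )

    # Reuse the GPO if it already exists; "source = (none)" means no starter GPO
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'Smart card only logon' }

    # Interactive logon: Require Windows Hello for Business or smart card = Enabled
    Set-GPRegistryValue -Name $Name `
        -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -ValueName 'scforceoption' -Type DWord -Value 1 | Out-Null

    # Interactive logon: Smart card removal behaviour
    Set-GPRegistryValue -Name $Name `
        -Key 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -ValueName 'ScRemoveOption' -Type String -Value $removalOptions[$OnRemoval] | Out-Null

    # Link to an OU only when asked to; an unlinked GPO applies nowhere
    if ($LinkTarget) { New-GPLink -Name $Name -Target $LinkTarget -LinkEnabled Yes | Out-Null }

    Get-GPO -Name $Name
}

New-SmartCardLogonGpo -OnRemoval LockWorkstation
```

Values written with Set-GPRegistryValue land in the GPO's registry policy (shown in GPMC as "Extra Registry Settings" under Administrative Templates) rather than under the Security Options node; clients apply the same registry values either way, but keep to one method per setting so the two do not drift apart. Run `Get-GPOReport -Name GlobalIDSmartLogon -ReportType Html -Path report.html` to confirm what the GPO contains before linking it.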

2. Force the Smart Card Removal Service to run on clients

Start the Group Policy Manager Editor

Browse to Computer Configuration → Policies → Windows Settings → Security Settings → System Services

Set the startup mode of the “Smart Card Removal Policy” service to Automatic and click “OK” to save

3. Windows 10 Smart Card login by default at login screen

On the Windows 10 sign-in screen there are two sign-in options available to the user. If you look closely at this screen, you will see that the PIN sign-in icon is selected by default once you have clicked the Sign-in options link.

This is because the PIN sign-in provider is the default credential provider here.
You may need to sign in as administrator to follow these steps.
Assign default Credential Provider in Windows 10

  • Press Windows Key + R combination, type regedit in Run dialog box and hit Enter to open the Registry Editor.

  • Navigate here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers

The list of registered credential providers and their GUIDs can be found here.

  • In the Registry Editor, expand the Credential Providers key and you will see a number of long-named sub-keys. Each sub-key is named after a CLSID and corresponds to a specific credential provider. Select the sub-keys one by one and, in the right pane, check the Data of the (Default) string value; this tells you which CLSID belongs to which provider. Pick the CLSID of the credential provider you want as the default and note it down.

  • Now press Windows Key + R combination, type gpedit.msc in Run dialog box and hit Enter to open the Local Group Policy Editor.

  • In the Local Group Policy Editor window, go to:

Computer Configuration -> Administrative Templates -> System -> Logon

  • In the right pane of the Logon node, look for the policy setting named Assign a default credential provider. The policy is Not Configured by default. Double-click it to open the policy window, which describes the setting as follows:

  This policy setting allows the administrator to assign a specified credential provider as the default credential provider. If you enable this policy setting, the specified credential provider is selected on other user tile. If you disable or do not configure this policy setting, the system picks the default credential provider on other user tile.

  • Finally, set the policy to Enabled and, in the Assign the following credential provider as the default credential provider input box, type the CLSID noted down in step 3.

Click Apply followed by OK. You can close the Group Policy Editor and reboot to make changes effective.
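Reading the CLSIDs out of the registry by hand is error-prone, so here is an added example (not from the original page) that lists the registered providers with their names and then writes the local "Assign a default credential provider" policy for the provider whose name matches a pattern. It assumes an elevated session and that this policy maps to the REG_SZ value DefaultCredentialProvider under HKLM\SOFTWARE\Policies\Microsoft\Windows\System (the value the Local Group Policy Editor writes); the provider name pattern and the function names are the example's own.

```powershell
# Added example (not from the original page): enumerate credential providers by
# CLSID and set the local "Assign a default credential provider" policy.
# Assumption: the policy writes DefaultCredentialProvider (REG_SZ) under the
# Policies\Microsoft\Windows\System key.

$providersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-CredentialProvider {
    # Each sub-key name is a CLSID; its (Default) string is the provider's display name
    Get-ChildItem -Path $providersKey | ForEach-Object {
        $name = $_.GetValue('')
        [pscustomobject]@{
            CLSID = $_.PSChildName
            Name  = if ($name) { $name } else { '(no name)' }
        }
    }
}

function Set-DefaultCredentialProvider {
    param(
        [Parameter(Mandatory)] [string] $NamePattern   # substring of the provider's display name
    )
    # Refuse to guess: exactly one provider must match the pattern
    $hits = @(Get-CredentialProvider | Where-Object { $_.Name -like "*$NamePattern*" })
    if ($hits.Count -ne 1) {
        throw "Expected exactly one provider matching '$NamePattern', found $($hits.Count): $($hits.Name -join ', ')"
    }
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'DefaultCredentialProvider' -Value $hits[0].CLSID -Type String
    $hits[0]
}

# Review what is registered before choosing
Get-CredentialProvider | Sort-Object Name | Format-Table -AutoSize

# The display name below is an assumption; confirm it against the list printed above
Set-DefaultCredentialProvider -NamePattern 'Smartcard Credential Provider'
```

The policy takes effect at the next sign-in screen, so reboot or sign out after running it, as the page says. If the default provider is later removed or renamed by an update, the sign-in screen silently falls back to its own default, which is why the function refuses an ambiguous or empty match instead of writing a stale CLSID.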

4. Disable password login at PC or Server

This setting, if enabled, disables password logon on the specific Windows machine or group of machines.

  • Start the Group Policy Manager Editor

  • Browse to Computer Configuration → Policies → Windows Settings → Security Settings
    → Local Policies → Security Options

  • Open the setting “Interactive logon: Require Windows Hello for Business or smart card”

  • Click “Define this policy setting”

  • Select “Enable”

  • Click “OK” to save
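Once the GPO has applied to a client (after `gpupdate /force` or the next refresh), the settings from sections 1, 2 and 4 can be verified on the machine itself. The following audit script is an added example, not part of the original page: it assumes an elevated session on the target machine, the same registry mappings as above (scforceoption as a DWORD, ScRemoveOption as a string, DefaultCredentialProvider under the Policies key) and that the "Smart Card Removal Policy" service's short name is SCPolicySvc. The removal service is what enforces ScRemoveOption, so a "Lock Workstation" value with the service disabled does nothing, which is why both are checked together.

```powershell
# Added example (not from the original page): audit a client for the smart card
# logon settings from sections 1, 2 and 4.
# Assumptions: elevated session; registry mappings as in the Security Options
# (scforceoption DWORD, ScRemoveOption REG_SZ); removal service is SCPolicySvc.

function Test-SmartCardLogonPolicy {
    $system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

    # Missing values come back as $null rather than throwing
    $force   = (Get-ItemProperty -Path $system   -Name scforceoption  -ErrorAction SilentlyContinue).scforceoption
    $removal = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
    $defProv = (Get-ItemProperty -Path $policy   -Name DefaultCredentialProvider -ErrorAction SilentlyContinue).DefaultCredentialProvider
    $svc     = Get-CimInstance -ClassName Win32_Service -Filter "Name='SCPolicySvc'"

    $removalText = @{ '0' = 'No Action'; '1' = 'Lock Workstation'; '2' = 'Force Logoff'; '3' = 'Disconnect RDS session' }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        SmartCardRequired         = ($force -eq 1)
        RemovalBehaviour          = if ($null -ne $removal) { $removalText[[string]$removal] } else { 'not configured' }
        RemovalServiceStartMode   = $svc.StartMode      # expect 'Auto' when section 2 is applied
        RemovalServiceState       = $svc.State
        DefaultCredentialProvider = if ($defProv) { $defProv } else { 'not configured' }
        # Compliant = section 1/4 enforced, removal locks the workstation, and the service that enforces it starts automatically
        Compliant                 = ($force -eq 1) -and ($removal -eq '1') -and ($svc.StartMode -eq 'Auto')
    }
}

Test-SmartCardLogonPolicy | Format-List
```

Run it with `Invoke-Command -ComputerName <host> -ScriptBlock ${function:Test-SmartCardLogonPolicy}` to collect the same object from several machines and spot any that still accept password logon.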

© All rights reserved Liga Software ApS 2014 - 2022