1

I have created a EFI Pre-Boot Application were in I enter the user credentials which are passed to windows to logon (Single Sign On) using my credential provider.

I have a Group policy "Interactive logon: Smart card removal behavior" set to "Lock Workstation: The workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session."

So if I reboot the machine and use login using my credential provider, then the Group policy is not enforced when I remove the Smart Card. But if I lock and unlock the machine and then remove the smart card, Group policy works and machine gets locked.

As per this article https://blogs.technet.microsoft.com/instan/2010/03/08/deconstructing-the-smartcard-removal-policy-service/ I can see that registry entry is NOT created under \HKLM\Software\Microsoft\Windows NT\CurrentVersion\Removal Policy when I logon using smartcard SSO (my custom credential provider).

So my question was, am I missing something in my credential provider ? Do I have to call any API from my credential provider to make GPO work or do I have to implement the corresponding logic in my credential provider so that GPO is enforced by Smartcard Removal Service ?

Alex
  • 11
  • 2

1 Answers1

1

Before starting service you must prepare registry values for it.

  1. Parameter in the registry path SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Removal Policy
  2. It's name must be logon session id (text '0', '1' etc.)
  3. Value is binary combination of SmartCard Reader Name and it's status (as noted in article).

In my case it is look like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Removal Policy] "1"=hex:41,00,4b,00,53,00,20,00,69,00,66,00,64,00,68,00,20,00,30,00,00,00,00,00,1f,00

It is decoded as Unicode string "AKS ifdh 0" with NULL terminator and DWORD value 0x00190000, where 0x0019 is insertion and removal count of smart-card into reader since boot.

Alexander
  • 1,232
  • 1
  • 15
  • 24
  • Appreciate your reply. So do I have to set this registry from my credential provider ? – Alex Oct 31 '18 at 18:44
  • Yea. In my case I do it aftrer packing credentials and before returning control from `GetSerialization` method. – Alexander Oct 31 '18 at 20:31