
When you get a certificate drop-down selection prompt in Edge or Chrome, how do you prevent it from showing certificates belonging to previous users?

Screenshot: Certificate issue

Background - I'm in charge of an unusual project to create a kiosk mode Windows 10 account for a multi-user government computer. Most of the users rely on their government issued "PIV" cards for authentication to log into various websites. Even though this is a multi-user computer, the users are handling sensitive HR forms and privacy is important. I've configured the kiosk mode as such. But the certificate prompt they see, where they see former users' cards and names, is a disaster and a privacy violation.

Right now I have a script running in the task scheduler that clears the certificate cache every 24 hours. But it's not a solution, just a workaround. Any ideas?

  • "I've configured the kiosk mode as such." - Edge or any browser on Windows will use the certificate store. I am very familiar with PIV certificates.
    – Ramhound
    Commented Jul 5, 2023 at 15:38
  • This would clear Smart Card certificates. You could automate this to be performed automatically. You might have to modify the my values as it appears they don't actually match for government PIV certificates. I can't provide the correct number for obvious reasons.
    – Ramhound
    Commented Jul 5, 2023 at 15:56
  • Thank you sir. When you link that page as a solution, are you specifically referring to the custom program mentioned in the main answer as a solution? If so, that's tough since I'm no programmer. I can write basic batch and PowerShell scripts but that's it. So there's no policy I can set right? Can you help out and clarify?
    – Rets86
    Commented Jul 6, 2023 at 10:27
  • I can’t publish my knowledge on this domain, but wiping certificates the way that answer suggests, using the correct value would be the best solution. You’ll have to get closer to a solution for me to help you.
    – Ramhound
    Commented Jul 6, 2023 at 11:25
  • That's fine, I know this stuff can be sensitive. Unfortunately I can't download anything external to fix this, it has to be native to Windows. Looks like that's not an option. For now I'll just keep my PowerShell script in the Task Scheduler that clears the cache every 24 hours.
    – Rets86
    Commented Jul 7, 2023 at 4:56

1 Answer


Ok, so as noted in the comments I found the solution. It's super easy and convenient, hard to believe I didn't see it first.

Open the Registry with admin rights and navigate to/create:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\HID Global\ActivClient\CertificateRegistration

Add the following DWORD value and set it to 1:

AutoUnRegOnRemove

Now when users pull out their smart card it will always clear the certificate cache immediately.

Source: https://admx.help/?Category=ActivClient&Policy=HIDGlobal.Policies.HIDGlobal.ActivClient::AutoUnRegOnRemove
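As an added example (not from the question or answer authors), the PowerShell below applies the ActivClient policy value from the answer, reads it back to confirm it landed, and audits the current user's personal certificate store for leftover smart card certificates of the kind the browser prompt shows. The registry path and value name are the ones the answer gives; the store path and the Smart Card Logon EKU filter are my assumptions about what the kiosk browser is offering.

```powershell
# Added example: apply the AutoUnRegOnRemove policy from the answer and
# audit CurrentUser\My for certificates propagated from smart cards.
# Registry path/value come from the answer; the EKU filter is an assumption
# (Microsoft Smart Card Logon OID), chosen because PIV auth certs carry it.
$PolicyKey         = 'HKLM:\SOFTWARE\Policies\HID Global\ActivClient\CertificateRegistration'
$ValueName         = 'AutoUnRegOnRemove'
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

function Set-AutoUnRegOnRemove {
    # Create the policy key if it does not exist, then set the DWORD to 1.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    # Read the value back so the caller can verify the setting actually applied.
    return (Get-ItemProperty -Path $PolicyKey -Name $ValueName).$ValueName
}

function Get-LeftoverSmartCardCerts {
    # Certificates in CurrentUser\My with the Smart Card Logon EKU are the
    # ones the browser offers in its selection prompt. Anything still here
    # after the card is pulled would be shown to the next kiosk user.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonOid } |
        Select-Object Subject, Thumbprint, NotAfter
}

function Remove-LeftoverSmartCardCerts {
    # Fallback cleanup matching the scheduled task the question describes:
    # removes exactly the certificates the audit above reports.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonOid } |
        Remove-Item
}

# Usage (run elevated for the registry write):
$applied = Set-AutoUnRegOnRemove
Write-Host "AutoUnRegOnRemove = $applied"
$leftovers = @(Get-LeftoverSmartCardCerts)
Write-Host "Smart Card Logon certificates still in CurrentUser\My: $($leftovers.Count)"
$leftovers | Format-Table -AutoSize
```

Run the audit after a test card is removed to confirm the policy clears the store; if certificates remain, Remove-LeftoverSmartCardCerts is the native-Windows cleanup to schedule in the meantime.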
