
When you get a certificate drop-down selection prompt in Edge or Chrome, how do you prevent it from showing certificates belonging to previous users?

[Screenshot: Certificate issue]

Background - I'm in charge of an unusual project to create a kiosk mode Windows 10 account for a multi-user government computer. Most of the users rely on their government issued "PIV" cards for authentication to log into various websites. Even though this is a multi-user computer, the users are handling sensitive HR forms and privacy is important. I've configured the kiosk mode as such. But the certificate prompt they see, where they see former users' cards and names, is a disaster and a privacy violation.

Right now I have a script running in the task scheduler that clears the certificate cache every 24 hours. But it's not a solution, just a workaround. Any ideas?

Rets86
  • "I've configured the kiosk mode as such." - Edge or any browser on Windows will use the certificate store. **I am very familiar with PIV certificates.** – Ramhound Jul 05 '23 at 15:38
  • [This](https://superuser.com/questions/651175/automatically-remove-certificate-from-certificate-store) would clear Smart Card certificates. You could automate this to be performed automatically. You might have to modify the `my` values as it appears they don't actually match for government PIV certificates. **I can't provide the correct number for obvious reasons.** – Ramhound Jul 05 '23 at 15:56
  • Thank you sir. When you link that page as a solution, are you specifically referring to the custom program mentioned in the main answer as a solution? If so, that's tough since I'm no programmer. I can write basic batch and PowerShell scripts but that's it. So there's no policy I can set right? Can you help out and clarify? – Rets86 Jul 06 '23 at 10:27
  • I can’t publish my knowledge on this domain, but wiping certificates the way that answer suggests, using the correct value would be the best solution. You’ll have to get closer to a solution for me to help you. – Ramhound Jul 06 '23 at 11:25
  • That's fine, I know this stuff can be sensitive. Unfortunately I can't download anything external to fix this, it has to be native to Windows. Looks like that's not an option. For now I'll just keep my PowerShell script in the Task Scheduler that clears the cache every 24 hours. – Rets86 Jul 07 '23 at 04:56
  • Hmm so look what I found - https://admx.help/?Category=ActivClient&Policy=HIDGlobal.Policies.HIDGlobal.ActivClient::AutoUnRegOnRemove This looks extremely promising and exactly what I was looking for - with no programming needed! I'll test and report back. – Rets86 Jul 08 '23 at 13:11
  • You would want to enable the group policy that removes the certificate when the card is removed and when the user logs out of their account. This way, the certificates for previous users are guaranteed to be deleted. – Ramhound Jul 08 '23 at 13:32
  • Ah thanks I did notice that policy as well. However there's a problem with it - the kiosk account doesn't actually log out when a user stops using it. It just locks, though the browser refreshes of course. I learned this after testing on a non-domain computer with user switching enabled, because Task Manager still showed the kiosk account as logged on...just disconnected. – Rets86 Jul 09 '23 at 00:24

1 Answer

Ok, so as noted in the comments I found the solution. It's super easy and convenient, hard to believe I didn't see it first.

Open the Registry with admin rights and navigate to/create:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\HID Global\ActivClient\CertificateRegistration

Add the following DWORD and set it to 1:

AutoUnRegOnRemove

Now when users pull out their smart card it will always clear the certificate cache immediately.

Source: https://admx.help/?Category=ActivClient&Policy=HIDGlobal.Policies.HIDGlobal.ActivClient::AutoUnRegOnRemove

Rets86
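The registry change from the accepted answer, scripted so it can be applied and verified on each kiosk machine from an elevated PowerShell session. This is an added example, not code from the original post; the registry path and value name are the ones the answer gives, and the assumption that ActivClient registers PIV certificates into the user's personal store (`Cert:\CurrentUser\My`) is used only for the leftover-certificate audit.

```powershell
# Added example (not from the original post): enable and verify the ActivClient
# AutoUnRegOnRemove policy, then audit the personal store for certificates left behind.
# Run from an elevated PowerShell prompt on a machine with ActivClient installed.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\HID Global\ActivClient\CertificateRegistration'
$ValueName  = 'AutoUnRegOnRemove'

function Set-AutoUnRegOnRemove {
    # Create the policy key if it is missing, then write the DWORD with value 1 (enabled).
    # -Force makes both operations idempotent, so the script is safe to rerun.
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-AutoUnRegOnRemove {
    # Returns $true only when the key exists and the value is exactly 1.
    if (-not (Test-Path -Path $PolicyPath)) { return $false }
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$ValueName -eq 1)
}

function Get-LeftoverPersonalCerts {
    # Assumption: PIV certificates are registered into the user's personal store.
    # After a card is pulled, this list should be empty (or contain only non-PIV certs).
    Get-ChildItem -Path 'Cert:\CurrentUser\My' | Select-Object Subject, Issuer, NotAfter
}

Set-AutoUnRegOnRemove
if (Test-AutoUnRegOnRemove) {
    Write-Output "$ValueName is enabled: certificates are unregistered when the card is removed."
} else {
    Write-Error "$ValueName could not be verified under $PolicyPath."
}

# Audit: run this after removing a card to confirm the previous user's certificates are gone.
Get-LeftoverPersonalCerts
```

Because the kiosk account only locks rather than logging out (as noted in the comments), the card-removal trigger is the one that matters here; the audit function is a quick way to confirm that no earlier user's certificate is still present before the next user sits down.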