none
UAC behavior with smart card on Windows 10 1607 RRS feed

  • Question

  • Hi! Yesterday we started to test Windows 10 1607 in our environment. The first thing I noticed is the new strange behavior of the UAC used with smart card login. If I have to start an application as administrator on Windows 10 1511 the UAC prompt opens to enter the credentials. On Windows 10 1607 the new windows opens reading the smart card information and ends up with the prompt for the PIN. However, we never want to enter the PIN for the user who is logged on because I want to enter admin credentials. Now we have to click on More Options > Use another user account to enter creds. First we have to wait until the smart card is ready and then two additional clicks to enter admin creds.

    This is very annoying! Is there any way to change this behavior back to the good "old" UAC prompt? Every help is appreciated. Thanks... Dietmar

    Friday, August 19, 2016 7:32 AM

Answers

  • Hallo!

    With 1703 this problem is solved. The new UAC Windows opens with username / password. After a short while the information of the smart card is available and appears as additional option as it was before 1607. Now we have to wait until 1703 gets CBB.

    Wow, thanks to Microsoft to change this behaviour!

    Cheers... Dietmar

      

    • Marked as answer by -Dietmar- Monday, April 3, 2017 11:30 AM
    Monday, April 3, 2017 11:30 AM

All replies

  • You may be able to change this behavior through Group Policy or by disable PIN, but if you are not able to do this or it is not very user friendly, open start and search for Feedback and open Feedback App and report this issue.
    Friday, August 19, 2016 10:52 AM
  • Hi -Dietmar-,

    " the new windows opens reading the smart card information and ends up with the prompt for the PIN."
    According to the symptom, it seems that Credential Manager didn`t read the smart card correctly and it prompted for PIN instead.
    There is a gpo could be used to disable this behavior. Please note some smart cards may not work in Windows after deploying this gpo.
    Computer Configuration\Administrative Templates\Windows Components\Smart Card\Prevent plaintext PINs from being returned by Credential Manager

    Please check the Event Viewer for any related error or warning messages to troubleshoot this issue.
    Windows Logs\Application, System Applications and Services\Microsoft\Windows\Smartcard

    Best regards


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, August 22, 2016 7:31 AM
    Moderator
  • Hi thanks for answer. The smart card works as expected. The UAC windows now select the smart card as first credential provider and -of course- ask for PIN. However, I am logged on as user with smart card and want to enter admin creds ...with this two extra clicks.

    I hope you know what I mean.

    • Edited by -Dietmar- Monday, August 22, 2016 11:50 AM
    Monday, August 22, 2016 11:47 AM
  • Hi -Dietmar-,

    Have you tried the gpo I have posted before? Are there any errors or warnings reocrded in the event viewer?

    After a deep research, I found the following link. I hope it will be useful. Please run "rsop" to ensure all the gpo has been applied to the machine correctly.

    How to assign default Credential Provider in Windows 10

    http://www.thewindowsclub.com/assign-default-credential-provider-windows-10

    NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.

    Best regards


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com



    Tuesday, August 23, 2016 9:26 AM
    Moderator
  • Hi! Yes, of course I tried everything you posted! However, nothing works. No errors in event viewer. The settings in the second link I tried a views days ago. This behavior of the UAC is a big step back for us because it worked from Windows Vista until Windows 10 1511 but now it's unusable.

    If I am logged on with username / password it works normal but if I am logged on with smart card this strange behavior happens.

    I really hope when 1607 gets CBB Microsoft release an update to change this back. 

    Thanks... Dietmar

    BTW: I checked to get a message if someone answers but this also do not work.

    Tuesday, August 23, 2016 11:03 AM
  • Hi -Dietmar-,

    I feel like this issue is related to a registry key`s configuration. I have an idea to troubleshoot it.
    We could use Process monitor tool to capture the process. Then search the key word "Credential Providers". Compare the configuration with a normal machine.

    Due to the limited working environment, it is not available for me to test this. You could submit the issue with the built-in "Feedback" tool.
    Process Monitor v3.3
    https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx?f=255&MSPPError=-2147217396

    Best regards


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, August 24, 2016 7:32 AM
    Moderator
  • Hi! Tons of entries. No chance for me to compare. Too much information. Sorry.

    I hope there is someone out there who is able to fix this. I am not. I already sent this problem with Feedback-Hub but I do not believe in this "service".

    Thanks for help.

    Thursday, August 25, 2016 7:56 AM
  • No more ideas? What should I do now?
    Monday, September 12, 2016 12:43 PM
  • I also have this same issue and it is driving me crazy.  Our users log in with a smart card and often times I need to perform some administrative function while sitting at their computer with the user logged in. Because a smart card is in the smart card reader, the UAC prompt automatically chooses the smart card as the default credential and the cursor is set to the PIN entry field for the smart card. I have to click "More Choices" then choose "Use a Different Account. What's more is that if the smart card is slow to load in the UAC window and I quickly click "More Choices" and "Use a Different Account" and start typing in my credentials and then the smartcard finally loads, the UAC window will automatically switch back to the smart card and the cursor automatically goes to the PIN entry field even while I am still typing the credentials for my admin account. If I'm not paying attention I can end up locking out the user's smart card because of this. Isn't there some way of telling the UAC prompt to default to username and password instead of smart card?
    Tuesday, December 20, 2016 1:20 PM
  • Dietmar,

    I just found this article that describes how to get the old style UAC back:
    http://winaero.com/blog/enable-windows-7-like-uac-prompt-in-windows-10-anniversary-update/

    Essentially you change the following registry key to 0 to disable to new UAC and revert to the old style:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\TestHooks\XamlCredUIAvailable

    I added this registry key to our group policy under Computer Configuration->Preferences->Windows Settings->Registry and it work great.

    Hope this helps

    
    • Proposed as answer by ldavis17 Tuesday, December 20, 2016 1:36 PM
    • Unproposed as answer by -Dietmar- Thursday, December 22, 2016 4:15 PM
    Tuesday, December 20, 2016 1:35 PM
  • This is not a solution because this "fallback" also switch from username / password to PIN after reading the smart card. This behaviour is new in 1607. 1511 did work "normal".

    We need a solution which does not switch from username / password to PIN because this is useless.

    Please Microsoft read this and create a regkey to let us use more options > another account as standard without reading smart card and switch!

    THANKS!

    Thursday, December 22, 2016 4:21 PM
  • Bump, was anyone able to figure out a solution?

    This has become a bit of a headache for our CAC users due to locking out Pins.  Changing the UI does not allow you to change the order and defaults to the smart card/pin

    Wednesday, February 1, 2017 10:24 PM
  • Sorry, I am still searching for a solution. I posted a view times in Feedback Hub, too. It seems there are too less companies out there using smart cards.
    Thursday, March 16, 2017 2:49 PM
  • Hi All, we see the same problem with UAC when doing adminstrative tasks and have setting Interactive Logon : Smartcard Required.

    To solve this now: create two separete users and certificates on smartcard, one normal user account and one administrativ user with certificate.

    When using several user certificates on same smartcards its imporent which order certificates are placed, normal user certificate should be placed first.

    Whould be grate if there will be a sloution for the UAC handling.


    Roger Persson System technician MSB Sweden

    Monday, March 20, 2017 9:57 AM
  • Hallo!

    With 1703 this problem is solved. The new UAC Windows opens with username / password. After a short while the information of the smart card is available and appears as additional option as it was before 1607. Now we have to wait until 1703 gets CBB.

    Wow, thanks to Microsoft to change this behaviour!

    Cheers... Dietmar

      

    • Marked as answer by -Dietmar- Monday, April 3, 2017 11:30 AM
    Monday, April 3, 2017 11:30 AM
  • I'm on version 10.0.14393 and facing exactly the same annoying behaviour of the UAC dialog.
    Wednesday, April 5, 2017 10:48 AM
  • Hello Dietmar,

    We are seeing this same behaviour on 1709. You?

    Best regards, MSMS_MSMS

    Thursday, June 7, 2018 6:38 PM
  • It defaults to user/pass on 1909 and I can't figure out a way to change it back to default to PIN.

    Do you have any news on that?

    Friday, February 14, 2020 11:44 AM