How to change, in interactive logon local policy, the actions related to smart card removal?

    Question

  • Hello,

    We are using smart card authentication for some web apps. We would like the smart card removal policy to close the browser instead of locking the session altogether.

    In the registry, the actions following the SC removal are set in the following path:

    Ordinateur\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values\MACHINE/Software/Microsoft/Windows NT/CurrentVersion/Winlogon/ScRemoveOption

    The choices are 0, 1, 2 or 3, related to a DLL: wsecedit.dll

    0|@wsecedit.dll,-59035
    1|@wsecedit.dll,-59036
    2|@wsecedit.dll,-59037
    3|@wsecedit.dll,-59038

    How can I change the behavior behind choosing one of the options?

    I tried 0|calc.exe just to test it out but it didn't work. I'm afraid of messing with my computer config, so I thought I'd ask you guys if this is even possible.

    Thank you so much for your kind feedback

    May 31, 2018, 10:58

Answer

All replies

  • The policy has four options, but none of them is to close the browser.

    No action

    Lock workstation

    Force logoff

    Disconnect if a remote desktop session

    These options correspond to the registry entry, so I am afraid the policy can't achieve your purpose.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    June 1, 2018, 6:35
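
The four options listed in the reply above are stored as the `ScRemoveOption` string value under the Winlogon key named in the question. As an added example (not part of the thread and not Microsoft's code), this PowerShell check reports the effective setting and flags the case where a removal action is configured but the Smart Card Removal Policy service (`SCPolicySvc`) is not running, in which case the action does not take effect. The function name `Get-ScRemovalBehavior` is hypothetical.

```powershell
# Added example: report the effective smart card removal behavior on this machine.
# Key path and value name come from the thread; labels mirror the four policy options.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$OptionLabel = @{
    '0' = 'No action'
    '1' = 'Lock workstation'
    '2' = 'Force logoff'
    '3' = 'Disconnect if a remote desktop session'
}

function Get-ScRemovalBehavior {
    # ScRemoveOption is a string value; when it is absent the default is "No action".
    $prop = Get-ItemProperty -Path $WinlogonKey -Name ScRemoveOption -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $prop) { "$($prop.ScRemoveOption)".Trim() } else { '0' }

    # Options 1-3 are only enforced while the Smart Card Removal Policy service runs.
    $svc       = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue
    $svcStatus = if ($null -ne $svc) { [string]$svc.Status } else { 'NotInstalled' }

    $finding =
        if (-not $OptionLabel.ContainsKey($raw)) {
            'Unexpected value: not one of 0, 1, 2, 3'
        }
        elseif ($raw -ne '0' -and $svcStatus -ne 'Running') {
            'Removal action configured, but SCPolicySvc is not running'
        }
        else {
            'OK'
        }

    $label = if ($OptionLabel.ContainsKey($raw)) { $OptionLabel[$raw] } else { 'Unknown' }

    [pscustomobject]@{
        ScRemoveOption = $raw
        Behavior       = $label
        ServiceStatus  = $svcStatus
        Finding        = $finding
    }
}

Get-ScRemovalBehavior | Format-List
```
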
  • Hello,

    Yes, thank you, the four options are normally that. But in the registry it just translates to actions per option, as displayed in the DisplayChoices value:

    0|@wsecedit.dll,-59035
    1|@wsecedit.dll,-59036
    2|@wsecedit.dll,-59037
    3|@wsecedit.dll,-59038

    But since there is something in the DLL file that translates into those actions, can't I change the value in the registry? Example:

    DisplayChoices would have the value:

    0|"launch calc.exe"
    1|"launch cmd.exe"
    2|"launch notepad.exe"
    3|"launch firefox.exe"

    I just need the right syntax for it, so that even if the policy editor shows "force logoff", SC removal would do some other action I set in the registry.

    Or does it not work like that? Is the behavior behind the smart card removal coded elsewhere in the OS?

    June 1, 2018, 9:39
  • I believe that the registry entry needs to match the GP option. If you change the registry, the policy will not be applied correctly.

    It is by design; we do not recommend changing them.

    Thanks for your understanding.




    June 4, 2018, 7:32
  • Haven't heard from you for a long time, any updates?

    It is appreciated that you can mark the helpful suggestions as an answer to help us close the thread.



    June 5, 2018, 7:29
  • Sorry, I did not receive a notification.

    Thank you, vivian_zhou.

    As the smart card has two certificates for two different applications accessed via different computers, it is hard to switch back and forth between the two to authenticate.

    Any other proposition would be helpful though, thanks.

    June 5, 2018, 13:27