2.4 Minidriver-based smart cards

All cards that use minidrivers require some additional setup.

2.4.1 Archive keys

To allow certificates with archive keys to be used, you must set the following registry settings each client:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]

"AllowPrivateSignatureKeyImport"=dword:00000001

"AllowPrivateExchangeKeyImport"=dword:00000001

2.4.2 Windows integrated unblock

If you want to use the card unblocking feature that is built into Windows for your minidriver-based smart cards, on Windows 7, 8, 8.1, and 10, you must enable the feature according to Microsoft's documentation. The Group Policy AllowIntegratedUnblock must be enabled in Computer Configuration\Administrative Templates\Windows Components\Smart Card.

The registry key is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]

"AllowIntegratedUnblock"=dword:00000001

This key can be pushed to clients by a global policy.

To unblock a card using this method, the cardholder uses the Windows unblock feature to generate a code. Once the cardholder has generated this code, they can call the helpdesk, who will use the Unlock Credential workflow within MyID to generate an unlocking code that you can use to unblock your smart card.

See the Unlocking a credential remotely section in the Operator's Guide for details of using the Unlock Credential workflow.

2.4.3 Certificate propagation

For card issuance workstations, you must ensure that the Certificate Propagation service is not running on the client PC when using minidriver-based cards; if this service is running, the certificates are registered in the current user's certificate store.

For self-service clients, you can retain the Certificate Propagation service.