Registry keys for smart card PIN caching options are no longer available in Windows 10

Applies to: Windows 10

Symptoms


In Windows 10, you find that the following registry settings no longer work:

  • HKEY_LOCAL_MACHINE\SOFTWARE\GSC\Policies\PIN\Authentication\Allow
  • HKEY_LOCAL_MACHINE\SOFTWARE\GSC\Policies\PIN\Authentication\Minutes

Note These settings are described in more detail in KB 2589130.

Status


This behavior is by design.

More information


Smart card PIN caching behavior depends on the minidriver of the smart card reader. The minidriver should implement the  PIN_CACHE_POLICY policy. At the time of PIN operation, the behavior of Smart Card BaseCSP is based on the cache policy parameters that are passed to it by the smart card minidriver.

Smart card minidriver vendors can control this behavior in their respective Smart Card Cryptographic Service Provider (CSP) or Key Storage Provider (KSP) products.

For more information, see PIN_CACHE_POLICY_TYPE and PIN_CACHE_POLICY.

If the smart card implements a Personal Identity Verification (PIV) card, a third-party minidriver is not required. This is because the minidriver for PIV is included in Windows.

We have a fixed PIN caching policy for the default minidriver for a PIV card. This policy is defined as follows:

  • If the container is the digital signature container (according to the PIV specification), we forcibly assign a no–pin-caching policy.
  • For any other container, we forcibly assign the standard PIN policy (PIN caching is enabled).

The registry locations that are mentioned in the "Symptoms" section are relevant only to the third-party minidriver that's affected by the issue that's described in KB 2589130. These registry locations are not used for all PIV cards. The affected PIV minidriver was used in 2011. Therefore, these registry settings aren't provided by Microsoft.