Policy
Filter duplicate logon certificates
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista
This policy settings lets you configure if all your valid logon certificates are displayed. During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN). If there are two or more of the "same" certificate on a smart card and this policy is enabled then the certificate that is used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the the certificate with the expiration time furthest in the future will be shown. Note: This setting will be applied after the following policy: "Allow time invalid certificates" If you enable or do not configure this policy setting, filtering will take place. If you disable this policy setting, no filtering will take place.
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider\FilterDuplicateCerts | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
This policy has no additional user input fields.
Other policies in this category
Explore related policies at the same level.
- ComputerAllow certificates with no extended key usage certificate attributeAt least Windows Vista
- ComputerAllow ECC certificates to be used for logon and authenticationAt least Windows Server 2008 R2 or Windows 7
- ComputerAllow Integrated Unblock screen to be displayed at the time of logonAt least Windows Vista
- ComputerAllow signature keys valid for LogonAt least Windows Vista
- ComputerAllow time invalid certificatesAt least Windows Vista
- ComputerAllow user name hintAt least Windows Vista
- ComputerConfigure root certificate clean upAt least Windows Vista
- ComputerDisplay string when smart card is blockedAt least Windows Vista
- ComputerForce the reading of all certificates from the smart cardAt least Windows Vista
- ComputerNotify user of successful smart card driver installationAt least Windows Server 2008 R2 or Windows 7
- ComputerPrevent plaintext PINs from being returned by Credential ManagerAt least Windows Vista Service Pack 1
- ComputerReverse the subject name stored in a certificate when displayingAt least Windows Vista