Use Windows Hello for Business certificates as smart card certificates

Supported OS tags: Windows10, Windows10RT

If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. This policy setting is incompatible with Windows Hello for Business credentials provisioned when the "Turn off smart card emulation" is enabled. Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in.

This policy has no additional user input fields.

• Computer
  Allow enumeration of emulated smart card for all users

  At least Windows 10
• Computer
  Configure device unlock factors

  At least Windows 10
• Computer
  Configure dynamic lock factors

  At least Windows 10
• Computer
  Enable ESS with Supported Peripherals

  At least Windows 11 Version 22H2
• Computer
  Turn off smart card emulation

  At least Windows 10
• Computer
  Use a hardware security device

  At least Windows 10
• Computer
  Use biometrics

  At least Windows 10
• Computer
  Use certificate for on-premises authentication

  At least Windows 10
• User
  Use certificate for on-premises authentication

  At least Windows 10
• Computer
  Use cloud trust for on-premises authentication

  At least Windows 10
• Computer
  Use PIN Recovery

  At least Windows 10
• User
  Use Windows Hello for Business

  At least Windows 10