Hello, We have a PKI and we don't want to purchase external devices to store certificate securely. However we would like the user to use 2 factors authentication with a certificate . By putting a a certificate we issued in the OS certificate store (that will be stored in the registry), therefore the certificate is stored on the machine. I was wondering if it was possible for a user to authentication at logon with the AD password and the certificate on the machine? In summary is the GINA able to check the certificate in the registry at logon? Cheers M.

No, I’m afraid that’s impossible. When you logon, you can use PKI logon or admin password logon. But you cannot use both at the same time. Seven

so for windows logon, I can put in place the below to access the workstation User ID certificate password even if the OS is not completely started and the certificate is in the certificate store (i.e. somewhere in the registry)?