Crayonic Credential Provider

Overview

Crayonic Credential Provider is a Windows login add-on that replaces the native smart-card and password login UI with a cleaner, passkey-style experience. It supports all three credential types used by Crayonic wallets:

  • X.509 certificates via PIV
  • FIDO2 passkeys
  • Legacy passwords

It removes the PIN dialog from the Windows login screen for X.509 certificates, making the experience close to FIDO2 passkey sign-in. The provider is a standalone component that can replace or supplement the default Microsoft credential provider on Windows 7 and later.

When to Use It

  • You want uniform, modern login visuals across a mixed fleet still using smart-card PIV authentication.
  • You want to remove the native PIN prompt on the lock screen for PIV users.
  • You need a base for domain-less / local-account authentication (see the demo variant below).

Variants

Domain Credential Provider

Standard Credential Provider intended for Windows machines that are joined to an AD domain or are Entra-joined. Distribute centrally through Group Policy or SCCM, or install locally with the bundled .bat.

Local-User Demo Credential Provider

A reference implementation for local accounts only. It is the basis for domain-less authentication and, in a production scenario, would be paired with a backend service that manages those local accounts.

System Requirements

  • Windows 7 or later
  • Administrator privileges for install
  • For PIV login: a Crayonic device or smart card enrolled with a valid X.509 certificate issued by a trusted CA
  • For FIDO2 login: a passkey registered in Entra ID or Active Directory (hybrid / cloud-only tenants supported)

Installation

  1. Download the appropriate variant from the Downloads page.
  2. Extract the archive on each target Windows workstation (or on a shared AD-distributed folder).
  3. Run the included .bat as an administrator. The script installs the provider and registers it with Windows.
  4. Reboot (or log out and back in) to apply.
  5. On the next Windows sign-in screen the Crayonic tile appears alongside standard tiles. Select it to continue.
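
To check what step 3 registered, the following added example (not part of the Crayonic package or its documentation) lists every credential provider registered on the machine, together with the DLL each one loads and that DLL's Authenticode status. It uses the standard Windows registry location for credential providers; this page does not give the Crayonic provider's CLSID or DLL name, so the script lists all providers instead of filtering for one, and the function name is hypothetical.

```powershell
# Added example: inventory of registered credential providers. Run from an elevated prompt.
$cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-RegisteredCredentialProvider {
    foreach ($key in Get-ChildItem -Path $cpRoot) {
        $clsid = $key.PSChildName

        # The COM server DLL loaded at the sign-in screen is registered under the provider's CLSID.
        $dll = $null
        $inproc = Get-Item -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($inproc) { $dll = $inproc.GetValue('') }

        # Built-in providers often register a bare file name; resolve it against System32.
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }

        # Check the publisher signature of the DLL, if the file is present.
        $sig = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
        }

        New-Object PSObject -Property @{
            Name            = $key.GetValue('')                      # friendly name (default value)
            Clsid           = $clsid
            # A DWORD named Disabled set to 1 hides the provider from the sign-in screen.
            Disabled        = [bool]$key.GetValue('Disabled', 0)
            Dll             = $dll
            SignatureStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

Get-RegisteredCredentialProvider |
    Sort-Object Name |
    Format-Table Name, Disabled, SignatureStatus, Signer, Dll, Clsid -AutoSize -Wrap
```

Comparing this output before and after installation shows exactly which entry the installer added. A status other than Valid is a reason to look closer, not a verdict, since older PowerShell versions can report catalog-signed Windows DLLs as NotSigned.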

Deployment at Scale

  • Place the extracted folder on a shared network path accessible by workstations.
  • Push via Group Policy or SCCM (Intune supported for managed Windows 10/11 endpoints).
  • Use AD policy for silent installation without user interaction.

Login Flow

Passkey

Insert or approach the Crayonic device → the provider prompts for user verification (fingerprint or PIN on-device) → Windows signs in.

X.509 / PIV

Insert or approach the Crayonic device → the provider verifies the certificate and signs a login nonce → Windows signs in. No separate PIN dialog appears on the lock screen.

Password

Enter credentials in the Crayonic tile. The UI mirrors the other two flows but still performs a legacy Windows password sign-in.

Download

See the Downloads page for both variants.