KB40667 - Pulse Secure Desktop client with credential provider enabled uses smart card as the logon method if a smart card reader is present

This article describes an issue where Pulse Secure Desktop client with credential provider will default to smart card logon when a smart card reader is present.  This may not be a desired result if end user would like to use username and password to authenticate to the Pulse Connect Secure device.

If a computer has a smart card reader and drivers installed but the user uses username and password credentials to log on to Windows, if Pulse is installed with credential provider enabled then Windows makes the smart card reader the default credential provider and users are unable to log on without a smart card.

This issue will occur will all conditions are met:

• Windows machine with Pulse Secure Desktop client installed
• Credential Provider is enabled 
• Smart card reader is installed

If Pulse Secure Deskopt client is installed and credential provider authentication is enabled, the Pulse client will hide the standard Windows password and smart card login methods (credential providers) and wraps them with the Pulse password and smart card providers with different IDs (GUIDs) in order to intercept the user credentials and perform network authentication before the Windows log on. When Windows displays the login screen after Pulse is installed, it will choose the Pulse smart card as the default method over the password one.

If the Pulse smart card method will never be used it can be explicitly disabled/removed then Windows will display the Pulse password method as default, this can be achieved by deleting the registry key:
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\
{EAB1A79F-DFAA-4faf-A7B9-A6652E97EE16}]
@="Pulse Secure SSO Smartcard Credential Provider"

In Windows 10 a Group Policy for ​"Assign a default credential provider"  (Computer Configuration > Policies > Administrative Templates > System > Logon > Exclude credential providers in policy editor) can be used to change the default provider as mentioned in a Microsoft Technet post, the relevant GUIDs are:
 

Pulse Secure smart card credential provider GUID:

{EAB1A79F-DFAA-4faf-A7B9-A6652E97EE16}

Pulse Secure password credential provider GUID:

{4EFD0F35-BFBA-44eb-8F25-2B3530203C1D}