How to Change the Certificate Store Used for Lync Client Certificates

Update 3/12/18 - Clarified the options for the registry setting (HKLM or HKCU).

I've gotten this question from time to time from customers about the certificate that Lync issues to users and it showing up in the certificate picker for users.  The Lync server issues a certificate to the clients with the Client Authentication Enhanced Key Usage (EKU), so the certificate can sometimes show up in the certificate picker in Windows.  This can cause confusion for users on which certificate they should pick.  Since the certificate from Lync isn't issued from the corporate PKI environment, it's not trusted by anything other than the Lync server, so choosing it can really cause some issues:

If you open up the certificates MMC for the user and take a look at the Personal certificate store, you'll see both certificates that were shown in the certificate picker:

You can actually change the certificate store that the Lync certificate is kept in.  In order to make the change, you will need to sign out of Lync and select "Delete my sign-in info":

You can create this registry entry either under HKCU or HKLM. If you use HKCU, you will need to completely exit the client and re-open it for the change to go into effect. If you use HKLM, you will need to reboot the machine for the change to go into effect. Open the Registry Editor and navigate to:

For Lync 2013/Skype for Business 2015:

HKLM\Software\Policies\Microsoft\Office\15.0\Lync

or

HKCU\Software\Policies\Microsoft\Office\15.0\Lync

For Skype for Business 2016:

HKLM\Software\Policies\Microsoft\Office\16.0\Lync

or

HKCU\Software\Policies\Microsoft\Office\16.0\Lync

Create a new DWORD named UseLyncCertStore with a value of 1:

Sign back into the Lync client and if you now look in the Personal certificate store, you'll notice that the certificate issued by the Lync server isn't shown:

That's because there's now a new certificate store called LyncCertStore that contains the certificate:

Now when the user gets the certificate picker, only their user certificate is shown:

 

This should help to alleviate some confusion from user's on which certificate to choose.