DeviceLoginScreenPromptOnMultipleMatchingCertificates

This policy controls whether the user is prompted to select a client certificate on the sign-in screen in the frame hosting the SAML flow when more than one certificate matches DeviceLoginScreenAutoSelectCertificateForUrls. If this policy is set to Enabled, the user is asked to select the client certificate whenever the auto-selection policy matches multiple certificates. If this policy is set to Disabled or not set, the user is never prompted to select a client certificate on the sign-in screen. Note: This policy is in general not recommended, since it imposes potential privacy risks (in case device-wide TPM-backed certificates are used) and presents poor user experience.