
Interactive logon: Require Windows Hello for Business or smart card

Even after enrolling users with smart cards for interactive logon, Windows will, by default, still allow users to log on with their password and without their smart card. That of course obviates any security benefit of the smart card, since intruders can still gain access by simply guessing the user’s password. You can create a smart card requirement on either the user’s account or on specific computers. Normally you would configure the accounts of smart-card-enrolled users to require the smart card; this is a check box on the Account tab of the user’s properties dialog in Active Directory Users and Computers. The user account level smart card requirement follows the user no matter what computer they attempt to log on to.

However, this workstation level setting also allows you to configure certain computers to require smart cards for interactive logon no matter who the user is. I have not yet researched how this impacts your ability to log on to the computer with a local account or how it affects logging on via the recovery console.

Note: Like all “Interactive logon:” policies, this policy is a workstation level policy. It needs to be defined in a GPO that gets applied to workstations, such as the Default Domain Policy. If you only configure this policy on the domain controllers, such as with the Default Domain Controllers Policy, you will only affect users logging on at the console of the domain controller. You should also configure this policy on Terminal Servers accessible to end users.
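An added audit example (not from this page) that reports both enforcement levels described above: whether each listed computer has the workstation-level policy enabled, and which enabled AD accounts do or do not carry the account-level "Smart card is required for interactive logon" flag. It assumes the ActiveDirectory module, PowerShell remoting to the target computers, and that the workstation-level policy is stored as the `scforceoption` DWORD under the Policies\System key (the registry location is not stated on the page).

```powershell
# Added example, not part of the WinSecWiki page.
# Assumes: ActiveDirectory module installed, WinRM enabled on targets, and the
# workstation-level policy stored at the registry location below.
function Get-SmartCardRequirementStatus {
    [CmdletBinding()]
    param(
        # Computers whose workstation-level policy should be checked (constructed default)
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # 1. Workstation-level setting:
    #    "Interactive logon: Require Windows Hello for Business or smart card"
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $workstation = foreach ($c in $ComputerName) {
        $value = Invoke-Command -ComputerName $c -ScriptBlock {
            (Get-ItemProperty -Path $using:regPath -Name 'scforceoption' `
                -ErrorAction SilentlyContinue).scforceoption
        }
        [pscustomobject]@{
            Computer = $c
            # A missing value or 0 means the policy is not enabled on that host
            RequireSmartCardForAllUsers = ($value -eq 1)
        }
    }

    # 2. Account-level setting: the check box on the Account tab in ADUC, exposed by
    #    the AD module as SmartcardLogonRequired (userAccountControl bit 0x40000).
    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties SmartcardLogonRequired |
        Select-Object SamAccountName, SmartcardLogonRequired

    [pscustomobject]@{
        WorkstationPolicy                = $workstation
        UsersRequiringSmartCard          = $users | Where-Object {  $_.SmartcardLogonRequired }
        # Enabled accounts that can still log on with a password alone
        UsersWithoutSmartCardRequirement = $users | Where-Object { -not $_.SmartcardLogonRequired }
    }
}

# Usage:
# Get-SmartCardRequirementStatus -ComputerName 'WS01', 'WS02'
```

Accounts listed under UsersWithoutSmartCardRequirement are the ones where a guessed password still grants interactive logon regardless of enrollment, which is the gap the text describes.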

Bottom line

Enabling this setting would be very unusual. Normally security requirements are met more closely by using the user account level setting to require a smart card.
