Interactive logon: Smart card removal behavior

After logging on to a computer with a smart card, this policy determines what happens when the user removes the smart card. 

  • No Action

The computer does nothing special when the smart card is removed.

  • Lock Workstation

The computer immediately locks the console, similar to the behavior of a password-protected screen saver.

  • Force Logoff

The computer immediately initiates a mandatory logoff.

  • Disconnect if a remote Terminal Services session

This only applies to remote desktop sessions to a Terminal Server. If the smart card is removed from the user’s local workstation, the session is disconnected. Remember that a disconnected session and all the user’s programs remain active for later reconnection. I have not tested whether this setting must be configured on the user’s local workstation or on the Terminal Server. I suspect it’s the local workstation, since the Terminal Server would not be able to detect smart card removal from the workstation unless such notification is a feature of the Remote Desktop Protocol.

Although “Lock Workstation” seems at first blush a nice idea, consider the implications. With that setting you are essentially telling users to leave their smart card inserted for the duration of their logon session, and it is foreseeable that users will leave the card in the computer when they step away, making it easy for someone to steal both the computer and the smart card. Of course the intruder would not be able to use the smart card without the smart card’s PIN.

Note: Like all “Interactive logon:” policies, this policy is a workstation-level policy. It needs to be defined in a GPO that gets applied to workstations, such as Default Domain Policy. If you only configure this policy on the domain controllers, such as with Default Domain Controllers Policy, you will only affect users logging on at the console of a domain controller. You should also configure this policy on Terminal Servers accessible to end users.
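Because the policy only matters where it actually lands on the workstation, it helps to verify the effective value on a machine rather than trusting the GPO link. The following PowerShell audit script is an added example, not part of the original page; it assumes the setting is backed by the REG_SZ value ScRemoveOption under the Winlogon registry key and enforced by the Smart Card Removal Policy service (SCPolicySvc), neither of which the page itself names.

```powershell
# Added audit script (not from the original page). Reads the value behind
# "Interactive logon: Smart card removal behavior" on the local machine and
# checks that the service which enforces it is running.
# Assumptions: the policy is stored as REG_SZ ScRemoveOption under the Winlogon
# key and acted on by the Smart Card Removal Policy service (SCPolicySvc).

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Value-to-option mapping as the options appear in the policy editor.
$options = @{
    '0' = 'No Action'
    '1' = 'Lock Workstation'
    '2' = 'Force Logoff'
    '3' = 'Disconnect if a remote Terminal Services session'
}

$value = (Get-ItemProperty -Path $winlogon -Name 'ScRemoveOption' `
          -ErrorAction SilentlyContinue).ScRemoveOption

if ($null -eq $value -or $value -eq '') {
    Write-Output "ScRemoveOption is not defined: policy is 'Not Defined', default (No Action) applies."
} elseif ($options.ContainsKey([string]$value)) {
    Write-Output ("ScRemoveOption = {0} -> {1}" -f $value, $options[[string]$value])
} else {
    Write-Warning "ScRemoveOption has an unexpected value: $value"
}

# The configured behaviour is only carried out while SCPolicySvc is running.
# A machine set to Lock Workstation or Force Logoff with the service stopped
# does nothing when the card is pulled, so flag that combination.
$svc = Get-Service -Name 'SCPolicySvc' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning 'Smart Card Removal Policy service (SCPolicySvc) not found on this system.'
} elseif ($svc.Status -ne 'Running' -and ([string]$value) -in @('1', '2', '3')) {
    Write-Warning ("Policy is '{0}' but SCPolicySvc is {1}; removal behaviour is not enforced." `
                   -f $options[[string]$value], $svc.Status)
} else {
    Write-Output ("SCPolicySvc is {0} (StartType: {1})" -f $svc.Status, $svc.StartType)
}
```

Run it on a sample workstation and on a Terminal Server after Group Policy refresh to confirm the GPO reached the machines the note above says it must.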

Bottom line

Configure this setting in accordance with the way you intend users to use the smart card. If you want it to remain on their person at all times, you will probably go with “No Action”, unless you can trust them to remove it every time they leave their computer.

