WinSecWiki > Security Settings > Local Policies > Security Options > Interactive Logon > Smart card removal behavior

Interactive logon: Smart card removal behavior

After logging on to a computer with a smart card, this policy determines what happens when the user removes the smart card.

No Action

The computer does nothing special when the smart card is removed

Lock Workstation

The computer immediately locks the console similar to the behavior of a password protected screen saver.

Force Logoff

The computer immediately initiates a mandatory logoff.

Disconnect if a remote Terminal Services session

This only applies to remote desktop sessions to a Terminal Server. If the smart card is removed from the user’s local workstation, the session is disconnected. Remember that a disconnected session and all the user’s programs remain active for later reconnection. I have not tested whether this setting must be configured on the user’s local workstation or on the Terminal Server. I suspect it’s the local workstation since the Terminal Server would not be able to detect smart card removal from the workstation unless such notification is a feature of Remote Desktop Protocol

Although “Lock Workstation” seems at first blush a nice idea consider the implications. With that setting you are basically telling users to leave their smart card inserted throughout the duration of their logon session and it’s foreseeable users would leave the card with the computer unattended making it easy for someone to steal both the computer and the smart card. Of course the intruder would not be able to use the smart card without the smart card’s PIN.

Note: Like all “Interactive logon:” policies, this policy is a workstation level policy. This policy needs to be defined in a GPO that gets applied to workstations such as Default Domain Policy. If you only configure this policy on the domain controllers, such as with Default Domain Controllers Policy, you will only impact users logging on at the console of the domain controller. You should also configure this policy on Terminal Servers accessible to end-users.

Bottom line

Configure this setting in accordance with the way you intend users to use the smart card. If you want it to remain on their person at all times you will probably go with “No Action” unless you can trust them to remove it every time they leave their computer.

Upcoming Webinars

Additional Resources

Interactive Logon

•	Display user information when the session is locked
•	Do not require CTRL+ALT+DEL
•	Don't display last signed-in
•	Message text for users attempting to log on
•	Message title for users attempting to log on
•	Number of previous logons to cache
•	Prompt the user to change password before expiration
•	Require Domain Controller authentication to unlock workstation
•	Require Windows Hello for Business or smart card
•	Smart card removal behavior

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.