GPO settings not being enforced correctly over domain controller (Interactive logon: Smart card removal behavior)

    Question

  • We're trying to set our domain (running on Windows 2008 R2) up with smart cards to avoid username/password reset woes, but we need to be able to have the users remove their card after authentication.

    We've set the GPO setting "Interactive logon: Smart card removal behavior" to "No action". RSoP and our test machines joined to the domain show the policy in effect after applying the updates, but will still be logged off when we remove the smart card.

    We tested to make sure that the GPO settings pushed via the domain controller were actually taking effect by enforcing the "Forced Logoff" setting, which did in fact work fine.

    Anyone have any ideas of a potential hangup we're not seeing?

    Wednesday, October 28, 2015 9:33 PM

Answers

  • By default, the behavior of smart card removal is "No Action". The policy configures the following registry:
     
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SCRemoveOption
     
    Please check whether the value of SCRemoveOption is 0 after applying the policy setting (1 for Lock Workstation, 2 for Force Logoff, and 3 for Disconnect if a remote Terminal Services session).
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Thursday, October 29, 2015 9:45 AM
    Moderator
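The registry check the answer describes, as an added PowerShell example that is not part of the original thread. It reads the effective SCRemoveOption value on a domain-joined test machine after a policy refresh and compares it with the value the GPO should have written (0 for "No action", the setting in the question); the function name and the default `-Expected` parameter are this example's own.

```powershell
# Added example: verify the effective "Smart card removal behavior" value
# on a test machine after gpupdate. Mapping of values follows the answer above.
function Test-SmartCardRemovalBehavior {
    param(
        # Value the GPO is supposed to set; '0' = No action (as in the question)
        [string]$Expected = '0'
    )
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $meaning = @{
        '0' = 'No action'
        '1' = 'Lock Workstation'
        '2' = 'Force Logoff'
        '3' = 'Disconnect if a remote Terminal Services session'
    }

    # SCRemoveOption is normally stored as a string (REG_SZ); compare as text
    # regardless of the type so a DWORD written by hand is handled the same way.
    $item = Get-ItemProperty -Path $key -Name 'SCRemoveOption' -ErrorAction SilentlyContinue
    $actual = if ($null -eq $item) { '<not set>' } else { [string]$item.SCRemoveOption }

    $behavior = if ($meaning.ContainsKey($actual)) { $meaning[$actual] }
                elseif ($actual -eq '<not set>') { 'Default (No action)' }
                else { 'Unknown value' }

    [pscustomobject]@{
        Path     = "$key\SCRemoveOption"
        Actual   = $actual
        Behavior = $behavior
        Expected = $Expected
        Matches  = ($actual -eq $Expected)
    }
}

# Usage: run after 'gpupdate /force' on a machine that shows the policy in RSoP
Test-SmartCardRemovalBehavior -Expected '0' | Format-List
```

If `Matches` is `True` yet users are still logged off on card removal, the policy has reached the registry and the cause lies elsewhere on the client; if it is `False`, the GPO is not writing the value the client reads.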