
Thursday, July 14, 2011

Configuring Smart Card Removal Behaviour

Companies deploying Smart Cards for smart card logon (SCLO) want to control what happens when a user removes their Smart Card or token from the computer.  You have four options:
  1. Do nothing (default)
  2. Lock workstation
  3. Force Log-off
  4. Disconnect if it is a Remote Desktop Services connection.
All companies I work with want the workstation to Lock.  Here is how to configure it.

Microsoft changed the way it handles Smart Card removal in Windows 7.  They introduced a "Smart Card Removal Policy" service that must be running for this to work.  By default this service is configured to start manually.  To test this locally, open the Services console (services.msc), find the "Smart Card Removal Policy" service, change the startup type to "Automatic", and start the service.


Next, modify the Local Group Policy for your computer.
  • Open gpedit.msc
  • Expand Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options.
  • Edit the "Interactive logon: Smart card removal behavior" policy to perform the desired action.

That is all there is to it!  Of course you will need to configure the Domain Policy to push these changes out to all of your users!
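To confirm that a workstation actually ended up in the state described above, the following PowerShell check reads the service configuration and the policy value, and applies them locally when run with -Fix. It is an added example, not part of the original post; it assumes the service's short name is SCPolicySvc and that the "Interactive logon: Smart card removal behavior" policy is stored as the REG_SZ value ScRemoveOption under the Winlogon key.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Assumed names: service SCPolicySvc; REG_SZ value ScRemoveOption under Winlogon.
param(
    [ValidateSet('0','1','2','3')]   # 0 = do nothing, 1 = lock, 2 = force log-off, 3 = disconnect RDS session
    [string]$Desired = '1',
    [switch]$Fix                     # without -Fix the script only reports
)

$svcName = 'SCPolicySvc'
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$regName = 'ScRemoveOption'

function Get-RemovalState {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled), also on PowerShell 2.0
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
    $val = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
    New-Object PSObject -Property @{
        StartMode     = $svc.StartMode
        State         = $svc.State
        RemovalOption = $val
    }
}

function Test-RemovalState($s) {
    # Compliant only if the service starts automatically, is running, and the action matches
    ($s.StartMode -eq 'Auto') -and ($s.State -eq 'Running') -and ($s.RemovalOption -eq $Desired)
}

$state = Get-RemovalState
if (-not (Test-RemovalState $state) -and $Fix) {
    Set-Service -Name $svcName -StartupType Automatic
    Start-Service -Name $svcName
    Set-ItemProperty -Path $regPath -Name $regName -Value $Desired -Type String
    $state = Get-RemovalState
}

$state | Format-List StartMode, State, RemovalOption
if (Test-RemovalState $state) {
    Write-Output "OK: card removal action '$Desired' is configured and the service is running."
} else {
    Write-Output "NOT COMPLIANT: re-run with -Fix, or check whether a domain GPO overrides the local value."
    exit 1
}
```

On domain-joined machines a value written locally is replaced at the next policy refresh if a domain GPO defines the same setting, so use the report mode to verify the GPO result rather than to substitute for it.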
