Interactive logon: Smart card removal behavior

This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.

The options are:

  • No Action
  • Lock Workstation
  • Force Logoff
  • Disconnect if a Remote Desktop Services session

If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.

If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed.

If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.

Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.

Policy path: 

Computer Configuration\Windows Settings\Local Policies\Security Options

Comments: 

Only LogOff is required for W2K, XP and W2K3 computers. In Vista, start/restart the scpolicysvc will work or LogOff

Default: 

This policy is not defined, which means that the system treats it as No action.

Supported on: 

At least Windows XP SP2, Windows Server 2003

Registry settings: 

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption

Reboot required: 

No

Related content