This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. Countermeasure: Configure the Smart card removal behavior setting to Lock Workstation. If you select Lock Workstation in the Properties dialog box for this policy setting, the workstation locks when the smart card is removed. Users can leave the area, take their smart card with them, and still maintain a protected session. If you select Force Logoff in the Properties dialog box for this policy setting, the user is automatically logged off when the smart card is removed. Potential Impact: If you select Force Logoff, users will have to re-insert their smart cards and re-enter their PINs when they return to their workstations. Enforcing this setting on computers used by people who must log onto multiple computers in order to perform their duties could be frustrating and lower productivity. For example, if network administrators are limited to a single account but need to log into several computers simultaneously in order to effectively manage the network enforcing this setting will limit them to logging onto one computer at a time. For these reasons Microsoft recommends that this setting only be enforced on workstations used for purposes commonly associated with typical users such as document creation and email.

[no action/Lock Workstation/force logoff/Disconnect if a Remote Desktop Services session]

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior (2) REG: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon!scremoveoption