amendala

Is it possible to force the use of a Smart Card to unlock a session if the initial logon was with a Smart Card?

Folks -

Is it possible to force Windows to require a user to use a Smart Card to unlock a session (e.g. unlocking a screen saver or returning from sleep mode) if the initial logon they performed was with a Smart Card?

My organization will be leveraging Authentication Mechanism Assurance and I don't want a user able to initially log on with a Smart Card, and then have someone else step in with a username/password combo for the same account and operate the session as if they had the smart card. Admittedly, an unlikely scenario, but one I need to have answers for.

I'd like to make it so that if a user initially authenticated with a Smart Card, they cannot unlock their session without it.

Is this possible?

Thanks in advance.
David Johnson, CD
Explore Group Policy:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Interactive logon: Require smart card = Enabled
Interactive logon: Smart card removal behavior = Lock Workstation

https://technet.microsoft.com/en-us/library/ff404287%28v=ws.10%29.aspx
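
To confirm on an endpoint that the two Security Options named in the answer above have actually applied, the following PowerShell audit can be run locally. It is an added example, not part of the original answer; it assumes the standard registry values that back these policies (`scforceoption`, `ScRemoveOption`) and the Smart Card Removal Policy service (`SCPolicySvc`), which must be running for the removal behavior to take effect.

```powershell
# Added example: audit the two smart card Security Options on the local machine.
# Assumption: registry locations below are the standard backing values for these policies.
$checks = @(
    @{ Policy = 'Interactive logon: Require smart card'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name   = 'scforceoption'
       Want   = '1'
       Map    = @{ '0' = 'Disabled'; '1' = 'Enabled' } },
    @{ Policy = 'Interactive logon: Smart card removal behavior'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name   = 'ScRemoveOption'
       Want   = '1'
       Map    = @{ '0' = 'No Action'; '1' = 'Lock Workstation'
                   '2' = 'Force Logoff'; '3' = 'Disconnect if a Remote Desktop Services session' } }
)

$results = foreach ($c in $checks) {
    # A missing value means the policy is not configured (the default applies).
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $val  = if ($item) { [string]$item.($c.Name) } else { $null }

    [pscustomobject]@{
        Policy    = $c.Policy
        Raw       = if ($null -eq $val) { '<not set>' } else { $val }
        Meaning   = if ($null -eq $val) { 'Not configured' }
                    elseif ($c.Map.ContainsKey($val)) { $c.Map[$val] }
                    else { 'Unknown value' }
        Compliant = ($val -eq $c.Want)
    }
}

# The removal behavior is only enforced while the Smart Card Removal Policy service runs.
$svc = Get-Service -Name 'SCPolicySvc' -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Policy    = 'Service: Smart Card Removal Policy (SCPolicySvc)'
    Raw       = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { '<not found>' }
    Meaning   = if ($svc) { 'Must be Running for removal behavior to apply' } else { 'Service missing' }
    Compliant = ($svc -and $svc.Status -eq 'Running')
}

$results | Format-Table -AutoSize -Wrap

# Non-zero exit code lets a management tool flag the machine as non-compliant.
if ($results.Compliant -contains $false) { exit 1 } else { exit 0 }
```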
ASKER CERTIFIED SOLUTION
amendala

amendala

ASKER

Microsoft support case feedback indicates there is no way to configure this behavior.