The automatic lock of the workstation upon smart card removal is controlled by Windows system policies. The lock is performed by the "Smart Card Removal Policy" service (service name SCPolicySvc), which watches the reader for the card that was used to log on; it only reacts for sessions that were opened with a smart card, and it only reacts if the service is actually running.
Generally, in an enterprise environment, these policies are managed by an administrator within the domain group policies. These group policies are normally mandatory for every workstation within the domain, and a group policy refresh overwrites any conflicting local setting. It is also possible to set the required policies only for a local workstation. Setting the local policies is useful for demo or testing cases and for standalone, non-domain computers. For an auto-lock upon smart card removal it is necessary to enable the two Windows policy features described below: the "Smart card removal behavior" security option and the "Smart Card Removal Policy" service.
Setting Group Policies
- run "Group Policy Management Editor"
- navigate to: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options (German: Computerkonfiguration\Richtlinien\Windows-Einstellungen\Sicherheitseinstellungen\Lokale Richtlinien\Sicherheitsoptionen)
- set "Interactive logon: Smart card removal behavior" (German: Interaktive Anmeldung: Verhalten bei Entfernen von Smartcards) to "Lock Workstation" (German: Arbeitsstation sperren)
- navigate to: Computer Configuration\Policies\Windows Settings\Security Settings\System Services (German: Computerkonfiguration\Richtlinien\Windows-Einstellungen\Sicherheitseinstellungen\Systemdienste)
- select "Smart Card Removal Policy" (German: Richtlinie zum Entfernen der Smartcard); From the menu click on Action > Properties
- tick "Define this policy setting"
- set "Startup mode" to "Automatic"
Setting Local Policies
- run "gpedit.msc" as an administrator
- navigate to: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options (German: Computerkonfiguration\Windows-Einstellungen\Sicherheitseinstellungen\Lokale Richtlinien\Sicherheitsoptionen)
- set "Interactive logon: Smart card removal behavior" (German: Interaktive Anmeldung: Verhalten bei Entfernen von Smartcards) to "Lock Workstation" (German: Arbeitsstation sperren)
- run "services.msc" as an administrator
- right click on "Smart Card Removal Policy" (German: Richtlinie zum Entfernen der Smartcard), and click "Properties"
- set "Startup type" to "Automatic (Delayed Start)" (or "Automatic", as in the group policy step; the service must start at boot so that it is running when the card is removed), then click "Start" if the service is not already running
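The same two local steps can be applied and verified from an elevated PowerShell session. This is an added example, not part of the original page: the security option "Interactive logon: Smart card removal behavior" is backed by the REG_SZ value ScRemoveOption under the Winlogon key ("1" = Lock Workstation), and "Smart Card Removal Policy" is the service SCPolicySvc. The helper name Get-SmartCardRemovalState is an assumed, local name; on a domain-joined machine the next group policy refresh will overwrite the registry value.

```powershell
# Added example (not from the original page): configure and verify the
# smart-card-removal lock on a standalone or non-domain workstation.
# Run in an elevated PowerShell session (Run as administrator).
#Requires -RunAsAdministrator

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'ScRemoveOption'   # backs "Interactive logon: Smart card removal behavior"
$ServiceName = 'SCPolicySvc'      # display name "Smart Card Removal Policy"

# Meaning of ScRemoveOption, as listed in the policy editor.
$RemoveOptions = @{
    '0' = 'No Action'
    '1' = 'Lock Workstation'
    '2' = 'Force Logoff'
    '3' = 'Disconnect remote Remote Desktop Services session'
}

# Assumed helper name: reads the current state of both halves of the configuration.
function Get-SmartCardRemovalState {
    $current = (Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $svc = Get-Service -Name $ServiceName
    [pscustomobject]@{
        RemoveOption     = if ($null -eq $current) { '<not set, behaves as No Action>' }
                           else { "$current ($($RemoveOptions[[string]$current]))" }
        ServiceStatus    = $svc.Status
        ServiceStartType = $svc.StartType
    }
}

'Before:'
Get-SmartCardRemovalState | Format-List

# 1. Security option: lock the workstation on card removal (REG_SZ "1").
Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value '1' -Type String

# 2. Service: must start at boot and be running, otherwise the option has no effect.
Set-Service -Name $ServiceName -StartupType Automatic
Start-Service -Name $ServiceName

'After:'
$state = Get-SmartCardRemovalState
$state | Format-List

# Fail loudly if either half is not in the intended state.
if (-not $state.RemoveOption.StartsWith('1') -or $state.ServiceStatus -ne 'Running') {
    throw 'Smart card removal lock is not fully configured.'
}
```

To test the result, log on with the smart card (a password logon is not monitored), remove the card and confirm that the lock screen appears. On a domain member, compare the value shown above with the effective group policy (for example with gpresult /h report.html) before concluding that a local change will stick.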