Document Windows LAPS integration with smart-card-only policy.

Jay Simmons 2023-10-26 11:09:42 -07:00
parent 2419eac930
commit f1907b7f59


@ -411,7 +411,7 @@ The following smart card-related Group Policy settings are in Computer Configura
| Group Policy setting and registry key | Default | Description |
|------------------------------------------|------------|---------------|
| Interactive logon: Require smart card<br><br>**scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.<br><br>**Enabled** Users can sign in to the computer only by using a smart card.<br>**Disabled** Users can sign in to the computer by using any method. |
| Interactive logon: Require smart card<br><br>**scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.<br><br>**Enabled** Users can sign in to the computer only by using a smart card.<br>**Disabled** Users can sign in to the computer by using any method.<br><br>NOTE: the Windows LAPS-managed local account is exempted from this policy when Enabled. For more information see [Windows LAPS integration with smart card policy](/windows-server/identity/laps/laps-concepts#windows-laps-integration-with-smart-card-policy).<br> |
| Interactive logon: Smart card removal behavior<br><br>**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:<br>**No Action**<br>**Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.<br>**Force Logoff**: The user is automatically signed out when the smart card is removed.<br>**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.<br><br>**Note**: In earlier versions of Windows Server, Remote Desktop Services was called Terminal Services. |
From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers.
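
Review bot: The note added to the **scforceoption** row is written as plain `NOTE:` while the neighbouring **scremoveoption** row uses `**Note**:`, and the cell now ends with a trailing `<br>` just before the closing pipe; match the existing style and drop the extra break. The phrase "exempted from this policy when Enabled" leaves it unclear what is enabled; "When this policy is **Enabled**, the Windows LAPS-managed local account is exempt from it" reads unambiguously. Because the exemption means one local account can still sign in without a smart card on a machine that otherwise requires one, consider saying that in a clause here rather than leaving it entirely to the linked LAPS page.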