Smart Card Removal Policy Service

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

The smart card removal policy is applicable when a user has logged on with a smart card and subsequently removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by using Group Policy. For information about smart card Group Policy settings, see Smart Card Group Policy and Registry Settings.

  1. In Windows Server 2008 R2, Windows Server 2008, Windows 7, and Windows Vista, Winlogon is no longer directly involved in monitoring for smart card removal events. The removal policy sequence begins with the smart card credential provider in the logon UI process. When a user successfully logs on with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry along with the identifier of the session where the logon was initiated.

  2. The smart card resource manager notifies the smart card removal policy service (ScPolicySvc) that a logon has occurred.

  3. ScPolicySvc retrieves from the registry the smart card information that the smart card credential provider stored. This call is redirected if the user is in a remote session. If the smart card is removed, ScPolicySvc is notified.

  4. ScPolicySvc calls Remote Desktop Services to take the appropriate action if the request is to log the user off or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, then ScPolicySvc sends a message to Winlogon to lock the computer.
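
The following check audits the two pieces the sequence above depends on: the configured removal action and the state of the removal policy service. It is an added example, not part of the original article. It assumes Windows PowerShell, that the Group Policy setting is stored as the `ScRemoveOption` value under the Winlogon registry key, and that the service is registered as `SCPolicySvc`; the function name is hypothetical.

```powershell
# Added example: report the smart card removal action and whether the
# Smart Card Removal Policy service is able to enforce it.
function Get-ScRemovalPolicyState {
    # Assumption: the removal behavior set by Group Policy is stored here.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $actions = @{
        '0' = 'No action'
        '1' = 'Lock workstation'
        '2' = 'Force logoff'
        '3' = 'Disconnect if a Remote Desktop Services session'
    }

    # A missing value is treated the same as 0 (no action).
    $item = Get-ItemProperty -Path $key -Name ScRemoveOption -ErrorAction SilentlyContinue
    $option = if ($item) { [string]$item.ScRemoveOption } else { '0' }
    $action = if ($actions.ContainsKey($option)) { $actions[$option] } else { "Unknown ($option)" }

    # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='SCPolicySvc'"

    $finding = 'OK'
    if ($option -eq '0') {
        $finding = 'No removal action is configured.'
    } elseif (-not $svc) {
        $finding = 'A removal action is configured but SCPolicySvc was not found.'
    } elseif ($svc.StartMode -eq 'Disabled') {
        $finding = 'A removal action is configured but SCPolicySvc is disabled.'
    } elseif ($svc.State -ne 'Running') {
        $finding = 'A removal action is configured but SCPolicySvc is not running.'
    }

    New-Object PSObject -Property @{
        ScRemoveOption = $option
        Action         = $action
        ServiceStart   = if ($svc) { $svc.StartMode } else { $null }
        ServiceState   = if ($svc) { $svc.State } else { $null }
        Finding        = $finding
    }
}

Get-ScRemovalPolicyState | Format-List
```

Any finding other than `OK` means the configured lock, logoff, or disconnect action may not be carried out when the card is removed.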