Hello, we have a problem with the workstation not locking when I remove the smart card.
Here is how it looks. When I turn on the computer, the first step is the McAfee preboot screen, where I need to type the PIN with the smart card (PKI) inserted. The next step is Windows loading, followed by automatic SSO login. This looks great. But... when I remove the card from the reader, nothing happens and I'm still signed in. We have the value "Lock Workstation" in the GPO, and when I turn off SSO in the ePO DE policy it works correctly. Does anybody know where the problem could be, please?
Thank you very much
PS: It's on Windows 10 b1903
Hi @VitezslavKu ,
Thank you for writing in here.
When are you removing the card? After login to the Windows Desktop screen or after authentication at the MDE PBA screen?
Hi, when I remove the card after PBA, the OS signs in automatically. And when I remove the card after logon in Windows, the system is still signed in. And that's what I don't want.
Thank you
Hi @VitezslavKu ,
Thank you for the information.
The credentials which you enter in the MDE login screen are usually replayed to the Windows login UI screen, and that is how the SSO mechanism works.
If your GPO policies are defined for credential providers, then when SSO is enabled MDE controls the automatic login functionality for Windows; however, MDE does not know to lock down the machine when the card is removed. That is why your GPO rules work when you disable SSO.
I do not have an answer; however, support can help you with this if you raise a support ticket, and support can check with dev to look at your requirement in depth. Kindly share the GPO rule configurations in the support ticket.
Thank you.