Windows 10: Smart Card Authentication and Cached Logons

Discussion in 'AntiVirus, Firewalls and System Security' started by Gene Strickland, May 25, 2021.

  1. Smart Card Authentication and Cached Logons


    Hello,

    Scenario:

    • Windows 10 laptops are PIV Enforced
    • Smart cards are required to log on to the OS
    • User has been remote for over a year (COVID)
    • VPN is split tunnel
    • Many users are overseas with low bandwidth connection
    • Most work can be done without direct access to on-prem resources, Email, O365, SharePoint Online, etc.
    • User has a normal Domain

     
    Gene Strickland, May 25, 2021
    #1

  2. Windows 10 Smart Card Authentication Only Logon Option for 2 minutes during logon

    Good Day,

    I have a difficult problem that has cropped up intermittently after imaging some of our enterprise Windows 10 Systems. We are using the Windows 10 release just prior to Anniversary edition, whatever that number is.

    After a completed image using DISM and WDS, 99% of our Windows 10 systems work normally. Recently though, we have had a few Dell Latitude E5470's with internal smart-card readers come up with this issue:

    When logon appears, it's only smart card logon that is available. You don't get the ability to pick the little key icon or the little smart card icon at all. It's totally missing from the screen. Also, we have a policy-based lock screen background that normally shows at logon, but instead all you see is the Windows translucent blue flag background. If you do not touch the mouse or keyboard, at about 2 minutes the screen will switch to the lock screen and give you the options you should normally see.

    So here are the things we have tried to resolve the issue:

    • We have seen this once before, and when it happened before if the user waited for the screen change, and then logged on successfully w/out using a smart card, after reboot the system would work normally. But, the latest occurrence of this (2 systems now) have continued to act the same after successful logons.
    • We thought maybe if we disabled the smart card reader, it would force it to use normal logon. Nope! Disabling the smart card reader left us with NO Logon options until after the 2 minute wait period. Just the pretty blue Windows flag.
    • We tried using wired ethernet and/or wireless and no difference.
    • There didn't appear to be any failures that seemed related in the event logs.

    The only thing that seems to fix the issue is completely re-imaging it. It doesn't make sense that this would work because we have not changed the image or drivers at all for this model.

    So brainiacs out there - anyone else seen this? Had success resolving it? (Without having to re-image of course)

    By the way - I know you're probably saying to yourself ... 2 minutes. What's the big deal. Well, we have demanding customers and they seem to think it's the end of the world. So we are not able to just let it go and see if it eventually fixes itself with system updates or something.
     
    TheOneAndOnlyBryan, May 25, 2021
    #2
  3. Junaid_A Win User
    Disable PIN caching for Virtual Smart Cards

    Hi,

    Thank you for writing to Microsoft Community forum.

    Pass-through authentication with smart cards works on domain environments. You may want to go through "Use Virtual Smart Cards" to know more about the same. As this requires expertise in an environment which has a direct two-way trust relationship, I suggest you post your query in the TechNet forums.



    Regards,
     
    Junaid_A, May 25, 2021
    #3
  4. Tyler789 Win User

    Group Policy Interactive Logon smart card enforced with admin username and password enabled?

    Hello,

    I have a GPO set up to enforce interactive logon: smart card authentication on some of the computers in my domain. That works as it should. Group policy is applied to my group of computers and users are forced to insert their card and log on with their PIN. No problem there.

    Here is my question: Is it possible to leave that intact but allow a subset of admin accounts to be used normally (username/password) on those computers? Essentially I want to enforce smart cards but allow our admins to still elevate privileges normally without having to create them admin smart cards.

    Thank you.
     
    Tyler789, May 25, 2021
    #4