We're trying to set our domain (running on Windows 2008 R2) up with smart cards to avoid username/password reset woes, but we need to be able to have the users remove their card after authentication.
We've set the GPO setting "Interactive logon: Smart card removal behavior" to "No action". RSoP and our test machines joined to the domain show the policy in effect after applying the updates, but will still be logged off when we remove the smart card.
We tested to make sure that the GPO settings pushed via the domain controller were actually taking effect by enforcing the "Forced Logoff" setting, which did in fact work fine.
Anyone have any ideas of a potential hangup we're not seeing?