Windows allows a user to log on with a smart card whenever a smart card reader is identified and a smart card logon certificate is available at logon. However, by default, Windows does not require a smart card for logon even when one is available. The following Group Policy security setting can be changed to force the use of a smart card.
Before setting this policy, make sure there is an emergency access process in place for users who lose their smart card or whose smart card is blocked. Users such as traveling employees can have a second card or token. Alternatively, a different logon process can be set up, such as one based on a one-time password (OTP). For smaller deployments, another option is to leave password-based logon enabled but randomize the passwords for all users, so that no user knows their own password. When a user needs emergency access, the administrator can reset the password and allow the user to use it until the smart card is replaced with a new one or the current card is unblocked.
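The password randomization approach for smaller deployments could be scripted as follows. This is an added example, not part of the original text or any vendor tooling; it assumes an Active Directory domain with the ActiveDirectory PowerShell module, and the function names and OU path are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Function names and the OU path below are hypothetical.

function New-RandomSecurePassword {
    param([ValidateRange(16, 120)][int]$Length = 32)

    # 64 symbols, so (byte -band 63) selects each one with equal probability.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes  = New-Object byte[] $Length
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $secure = New-Object System.Security.SecureString
    try {
        $rng.GetBytes($bytes)
        foreach ($b in $bytes) { $secure.AppendChar($alphabet[$b -band 63]) }
        # Fixed suffix only guarantees that domain complexity rules are met;
        # the secrecy comes from the random characters before it.
        foreach ($c in 'Aa1-'.ToCharArray()) { $secure.AppendChar($c) }
    }
    finally {
        $rng.Dispose()
        [Array]::Clear($bytes, 0, $bytes.Length)   # wipe the raw random bytes
    }
    return $secure
}

function Set-RandomPasswordForCardUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SearchBase)

    # Every enabled account under the OU gets its own password that nobody knows.
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Reset password to a random value')) {
            $password = New-RandomSecurePassword
            try {
                Set-ADAccountPassword -Identity $_ -Reset -NewPassword $password
            }
            finally {
                $password.Dispose()   # the value is never displayed, logged, or stored
            }
        }
    }
}

# Preview first; remove -WhatIf to apply. The OU is a constructed placeholder.
# Set-RandomPasswordForCardUsers -SearchBase 'OU=SmartCardUsers,DC=example,DC=com' -WhatIf
```

After an emergency reset has served its purpose, running the same function again returns the account to an unknown password.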
This security policy setting requires users to log on to a computer by using a smart card.

Enabled: Users can only log on to the computer by using a smart card.
Disabled: Users can log on to the computer by using any method.