We're logging on with smartcards to our laptops but we've recently discovered that you're also able to perform cached logons on to the laptops using a username/password combination even if you've only ever logged on using smartcards!

This is by design, smartcard logons generate a secondary logon that creates an additional lscache entry that contains NTLM credentials....*UNLESS* the 'Smartcard is required' tickbox is ticked in which case no secondary NTLM entry is created.

In fact, ticking the 'Smartcard is required' box and logging on to a laptop where username/password credentials were previously stored will clear that entry out.

Further details:
Cached User logon fails when LSASRV event 45058 indicates FIFO deletion of cached credential

Cached Logons and CachedLogonsCount