We're logging on with smartcards to our laptops but we've recently discovered that you're also able to perform cached logons on to the laptops using a username/password combination even if you've only ever logged on using smartcards!
This is by design: smartcard logons generate a secondary logon that creates an additional lscache entry that contains NTLM credentials, *UNLESS* the 'Smartcard is required' tickbox is ticked, in which case no secondary NTLM entry is created. In fact, ticking the 'Smartcard is required' box and logging on to a laptop where username/password credentials were previously stored will clear that entry out.
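To find the accounts that still leave a password-usable cached entry behind, you can audit which enabled users do not have 'Smartcard is required' set. The following is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is available, and the OU in `$SearchBase` is a hypothetical placeholder.

```powershell
# Read-only audit: list enabled accounts WITHOUT 'Smartcard is required'.
# These are the accounts for which a smartcard logon still creates the
# secondary cached entry described above.
Import-Module ActiveDirectory

# The 'Smartcard is required' tickbox is the SMARTCARD_REQUIRED bit
# (0x40000) of the userAccountControl attribute.
$SMARTCARD_REQUIRED = 0x40000

# Assumption: hypothetical OU holding the laptop users; replace with your own.
$SearchBase = 'OU=LaptopUsers,DC=example,DC=com'

$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
    -Properties userAccountControl, LastLogonDate

$report = foreach ($u in $users) {
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        SmartcardRequired = (($u.userAccountControl -band $SMARTCARD_REQUIRED) -ne 0)
        LastLogonDate     = $u.LastLogonDate
    }
}

# Accounts that can still log on with a cached username/password.
$report |
    Where-Object { -not $_.SmartcardRequired } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize

# On a laptop itself: how many logons are cached locally (CachedLogonsCount).
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -Name CachedLogonsCount |
    Select-Object CachedLogonsCount
```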
Further details:
Cached User logon fails when LSASRV event 45058 indicates FIFO deletion of cached credential
http://support.microsoft.com/kb/2555663
Cached Logons and CachedLogonsCount
http://blogs.technet.com/b/instan/archive/2011/12/06/cached-logons-and-cachedlogonscount.aspx