My customer is planning to introduce a new policy regarding smart card removal in their Windows environment, most probably session break since it's a Citrix environment. Microsoft documentation on the policy
I've provided them with a third party PKI and a smart card management system where end users have access to the portal in which they can check the status of their credentials, change PIN and renew their card when needed.
Users are using smart cards to authenticate in the system.
When an end user goes through the renewal process, his smart card is formatted (completely zeroized) before it is re-encoded and the new/recovered certificates are placed on it. Hence my question: is this renewal going to trigger the card removal policy? Or does that only happen when the card is physically removed from the reader?
Yes, it will work. During the authentication process, MS reads the subject alternative name to verify that the user matches one in AD and also verifies that the certificate is not revoked, but once the user is logged in with the certificate the removal policy will always apply when the smart card is removed, no matter whether the certificate changes over time. We had an authentication system with third-party certificates and used a (manual) but otherwise identical process for installing new certs on the token/smart card: we zeroized them, and all works nominally.
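The behaviour discussed above is driven by the "Interactive logon: Smart card removal behavior" security option, which Windows stores as the `SCRemoveOption` string value under the Winlogon key and enforces through the Smart Card Removal Policy service (`SCPolicySvc`). The script below is an added example, not code from the question or the answer: it reads the configured option on a host, maps it to its documented meaning (0 = No Action, 1 = Lock Workstation, 2 = Force Logoff, 3 = Disconnect if a Remote Desktop Services session, the one relevant to a Citrix session break), and flags the common misconfiguration where the option is set but the enforcing service is not running.

```powershell
# Added example: audit the smart card removal policy and its enforcing service.
# Registry path and value name are the documented locations for this security option.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$meaning = @{
    '0' = 'No Action'
    '1' = 'Lock Workstation'
    '2' = 'Force Logoff'
    '3' = 'Disconnect if a Remote Desktop Services session'
}

function Get-SmartCardRemovalPolicy {
    # SCRemoveOption is a REG_SZ; an absent value means the default (No Action).
    $value = (Get-ItemProperty -Path $winlogon -Name 'SCRemoveOption' -ErrorAction SilentlyContinue).SCRemoveOption
    if ([string]::IsNullOrEmpty($value)) { $value = '0' }

    # The option only has effect while the Smart Card Removal Policy service runs.
    $svc = Get-Service -Name 'SCPolicySvc' -ErrorAction SilentlyContinue
    $status    = 'NotInstalled'
    $startType = 'n/a'
    if ($svc) {
        $status    = $svc.Status
        $startType = $svc.StartType
    }

    [pscustomobject]@{
        SCRemoveOption = $value
        Behavior       = $meaning["$value"]
        ServiceStatus  = $status
        StartType      = $startType
    }
}

$policy = Get-SmartCardRemovalPolicy
$policy | Format-List

if ($policy.SCRemoveOption -ne '0' -and $policy.ServiceStatus -ne 'Running') {
    Write-Warning 'Removal behavior is configured but SCPolicySvc is not running; the policy will not fire.'
}
```

Running this on a session host before and after the renewal workflow is a quick way to confirm the configuration is what the customer expects; the removal event itself is raised by the reader when the card leaves it, which is why a certificate re-encode alone does not trigger it.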