The ScPolicySvc service works by monitoring a specific registry key (See Deconstructing the Smartcard Removal Policy Service).
The VPN client (Connection Manager aka CM) on the other hand doesn’t use the Credential Provider architecture, it uses its own code for picking which certificate from the smartcard will be used for logon.
The VPN component not using CredUI or LogonUI has two side-effects:
- The Smartcard Removal Policy Service doesn’t monitor logons made with the VPN client as the registry key isn’t touched when the VPN logon occurs
- The user logging on doesn’t get to pick which smartcard certificate will be used for the VPN connection – the VPN components does a simple certificate selection and picks the smartcard logon certificate in the default container (usually the last certificate enrolled for).
How to Support Smart Card Logon for Remote Access VPN Connections
Deconstructing the Smartcard Removal Policy Service:
Where Is “Logon Using Dial-Up Connections” in Windows Vista?