We’re logging on with smartcards to our laptops but we’ve recently discovered that you’re also able to perform cached logons on to the laptops using a username/password combination even if you’ve only ever logged on using smartcards!
This is by design: smartcard logons generate a secondary logon that creates an additional LSA cache entry containing NTLM credentials, *UNLESS* the ‘Smartcard is required’ tickbox is ticked, in which case no secondary NTLM entry is created.
In fact, ticking the ‘Smartcard is required’ box and then logging on to a laptop where username/password credentials were previously cached will clear that entry out.
Cached User logon fails when LSASRV event 45058 indicates FIFO deletion of cached credential
Cached Logons and CachedLogonsCount
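As an added example that is not part of the original post, the following PowerShell audit script (assuming the RSAT ActiveDirectory module, a domain-joined machine and local admin rights) lists enabled accounts that lack the ‘Smart card is required for interactive logon’ flag, so that their smartcard logons still leave a cached NTLM entry behind, then reads the local CachedLogonsCount and looks for the LSASRV event 45058 named in the related article.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT), read access to user objects, and local admin rights.
Import-Module ActiveDirectory

# ADS_UF_SMARTCARD_REQUIRED bit of userAccountControl, i.e. the
# "Smart card is required for interactive logon" tickbox.
$SmartcardRequiredBit = 0x40000

$users = Get-ADUser -Filter 'Enabled -eq $true' `
                    -Properties userAccountControl, SmartcardLogonRequired

$report = foreach ($u in $users) {
    $bitSet = [bool]($u.userAccountControl -band $SmartcardRequiredBit)
    [PSCustomObject]@{
        SamAccountName    = $u.SamAccountName
        SmartcardRequired = $bitSet
        # Cross-check the raw bit against the module's friendlier attribute
        AttributeAgrees   = ($bitSet -eq [bool]$u.SmartcardLogonRequired)
    }
}

"Enabled users WITHOUT 'Smart card is required for interactive logon'"
"(their smartcard logons still create a cached NTLM entry):"
$report | Where-Object { -not $_.SmartcardRequired } | Format-Table -AutoSize

# Local machine: how many domain logons Windows caches for offline use.
# Default is 10 when the value is absent; 0 disables cached logons entirely.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$count = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $count) { $count = 10 }
"CachedLogonsCount on $env:COMPUTERNAME = $count"

# LSASRV event 45058 = a cached credential was evicted FIFO because the
# cache was full (the symptom the related KB article describes).
# Assumption: the event is logged to the System log under source LSASRV.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'LSASRV'; Id = 45058 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Accounts reported as `SmartcardRequired = False` are the ones where a password logon will still succeed offline from the cache, which is exactly the behaviour described above.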