Troubleshooting the Smart Card Removal Policy

If you have set the “Interactive logon: Smart card removal behavior” Group Policy to lock the workstation but the workstation does not lock when the YubiKey is removed, this usually indicates the Smart Card Removal Policy service on the workstation is not running. You can confirm this with the Services MMC. To resolve this, start the service and set it to Auto (Delayed) start. 

If the service is running and the workstation still does not lock, then the GPO is not applying to the workstation. Use gpresult, gpupdate, and regedit to troubleshoot why the GPO is not applying.