Many people ask me about this feature and how it works. Let me first give an example scenario:
Let's say you have a user named Mark, this user is a member of the department Section5. Section5 deals with classified development. In the classical Windows way, you would create a group, let's name it "S5-Classified" (stupid name but it is just an example) and add the users within the department Section5 to it.
Let's say you have a file server with a share with top secret material, and you want only the members of the group S5-Classified to have access to it. You obviously grant the S5-Classified group the needed access, right?
This is all good, except that you now want them only to be able to access the files when they logon with a certifiacate-based logon. I.e. they should not be able to access it without the smart-card.
So this is what it is all about, granting access based on the logon method. With certificate-based logon you will get a certain access, without a smart-card - you get less access.
What happens behind the GUI:
First, it is not enabled by default in Windows Server 2008 R2 and it requires DFL Windows Server 2008 R2. What happens when you enable it is that authentication mechanism assurance adds a universal group (which you as an admin designate) to the user's access token when the user logon with a certificate-based method.
So if access is granted based on the designated universal group, the user Mark have only access if using a certificate-based logon. If using another logon method the universal group will not be present in the access token, and thus no access.