Configure smart card redirection over the Remote Desktop Protocol
Tip
This article is shared for services and products that use the Remote Desktop Protocol (RDP) to provide remote access to Windows desktops and apps.
Select a product using the buttons at the top of this article to show the relevant content.
You can configure the redirection behavior of smart card devices from a local device to a remote session over the Remote Desktop Protocol (RDP).
For Azure Virtual Desktop, we recommend you enable smart card redirection on your session hosts using Microsoft Intune or Group Policy, then control redirection using the host pool RDP properties.
For Windows 365, you can configure your Cloud PCs using Microsoft Intune or Group Policy.
For Microsoft Dev Box, you can configure your dev boxes using Microsoft Intune or Group Policy.
This article provides information about the supported redirection methods and how to configure the redirection behavior for smart card devices. To learn more about how redirection works, see Redirection over the Remote Desktop Protocol.
Prerequisites
Before you can configure smart card redirection, you need:
An existing host pool with session hosts.
A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool Contributor built-in role-based access control (RBAC) roles on the host pool as a minimum.
- An existing Cloud PC.
- An existing dev box.
A smart card device available on your local device.
To configure Microsoft Intune, you need:
- Microsoft Entra ID account that is assigned the Policy and Profile manager built-in RBAC role.
- A group containing the devices you want to configure.
To configure Group Policy, you need:
- A domain account that has permission to create or edit Group Policy objects.
- A security group or organizational unit (OU) containing the devices you want to configure.
You need to connect to a remote session from a supported app and platform. To view redirection support in Windows App and the Remote Desktop app, see Compare Windows App features across platforms and devices and Compare Remote Desktop app features across platforms and devices.
Smart card redirection
Configuration of a session host using Microsoft Intune or Group Policy, or setting an RDP property on a host pool governs the ability to redirect smart card devices from a local device to a remote session, which is subject to a priority order.
The default configuration is:
- Windows operating system: Smart card redirection isn't blocked.
- Azure Virtual Desktop host pool RDP properties: Smart card devices are redirected from the local device to the remote session.
- Resultant default behavior: Smart card devices are redirected from the local device to the remote session.
Important
Take care when configuring redirection settings as the most restrictive setting is the resultant behavior. For example, if you disable smart card redirection on a session host with Microsoft Intune or Group Policy, but enable it with the host pool RDP property, redirection is disabled.
Configuration of a Cloud PC governs the ability to redirect smart card devices from a local device to a remote session, and is set using Microsoft Intune or Group Policy.
The default configuration is:
- Windows operating system: Smart card redirection isn't blocked.
- Windows 365: Smart card redirection is enabled.
- Resultant default behavior: Smart card devices are redirected from the local device to the remote session.
Configuration of a dev box governs the ability to redirect smart card devices from a local device to a remote session, and is set using Microsoft Intune or Group Policy.
The default configuration is:
- Windows operating system: Smart card redirection isn't blocked.
- Microsoft Dev Box: Smart card redirection is enabled.
- Resultant default behavior: Smart card devices are redirected from the local device to the remote session.
Configure smart card device redirection using host pool RDP properties
The Azure Virtual Desktop host pool setting smart card redirection controls whether to redirect smart card from a local device to a remote session. The corresponding RDP property is redirectsmartcards:i:<value>
. For more information, see Supported RDP properties.
To configure smart card redirection using host pool RDP properties:
Sign in to the Azure portal.
In the search bar, type Azure Virtual Desktop and select the matching service entry.
Select Host pools, then select the host pool you want to configure.
Select RDP Properties, then select Device redirection.
For Smart card redirection, select the drop-down list, then select one of the following options:
- The smart card device on the local computer is not available in remote session
- The smart card device on the local computer is available in remote session (default)
- Not configured
Select Save.
To test the configuration, connect to a remote session, then use an application or website that requires your smart card. Verify that the smart card is available and works as expected.
Configure smart card device redirection using Microsoft Intune or Group Policy
Configure smart card device redirection using Microsoft Intune or Group Policy
Select the relevant tab for your scenario.
To allow or disable smart card device redirection using Microsoft Intune:
Sign in to the Microsoft Intune admin center.
Create or edit a configuration profile for Windows 10 and later devices, with the Settings catalog profile type.
In the settings picker, browse to Administrative templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection.
Check the box for Do not allow smart card device redirection, then close the settings picker.
Expand the Administrative templates category, then toggle the switch for Do not allow smart card device redirection, depending on your requirements:
To allow smart card device redirection, toggle the switch to Disabled.
To disable smart card device redirection, toggle the switch to Enabled.
Select Next.
Optional: On the Scope tags tab, select a scope tag to filter the profile. For more information about scope tags, see Use role-based access control (RBAC) and scope tags for distributed IT.
On the Assignments tab, select the group containing the computers providing a remote session you want to configure, then select Next.
On the Review + create tab, review the settings, then select Create.
Once the policy applies to the computers providing a remote session, restart them for the settings to take effect.
Test smart card redirection
To test smart card redirection:
Connect to a remote session using Window App or the Remote Desktop app on a platform that supports smart card redirection. For more information, see Compare Windows App features across platforms and devices and Compare Remote Desktop app features across platforms and devices.
Check your smart cards are available in the remote session. Run the following command in the remote session in Command Prompt or from a PowerShell prompt.
certutil -scinfo
If smart card redirection is working, the output starts similar to the following output:
The Microsoft Smart Card Resource Manager is running. Current reader/card status: Readers: 2 0: Windows Hello for Business 1 1: Yubico YubiKey OTP+FIDO+CCID 0 --- Reader: Windows Hello for Business 1 --- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE --- Status: The card is being shared by a process. --- Card: Identity Device (Microsoft Generic Profile) --- ATR: aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 ;.........AB12.. ab . --- Reader: Yubico YubiKey OTP+FIDO+CCID 0 --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED --- Status: The card is available for use. --- Card: Identity Device (NIST SP 800-73 [PIV]) --- ATR: aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 ;.........34yz.. ab . [continued...]
Open and use an application or website that requires your smart card. Verify that the smart card is available and works as expected.