Configure smart card redirection over the Remote Desktop Protocol
Tip
This article is shared for services and products that use the Remote Desktop Protocol (RDP) to provide remote access to Windows desktops and apps.
Select a product using the buttons at the top of this article to show the relevant content.
You can configure the redirection behavior of smart card devices from a local device to a remote session over the Remote Desktop Protocol (RDP).
For Azure Virtual Desktop, we recommend you enable smart card redirection on your session hosts using Group Policy, then control redirection using the host pool RDP properties.
For Windows 365, you can configure your Cloud PCs using Group Policy.
For Microsoft Dev Box, you can configure your dev boxes using Group Policy.
This article provides information about the supported redirection methods and how to configure the redirection behavior for smart card devices. To learn more about how redirection works, see Redirection over the Remote Desktop Protocol.
Prerequisites
Before you can configure smart card redirection, you need:
An existing host pool with session hosts.
A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool Contributor built-in role-based access control (RBAC) roles on the host pool as a minimum.
- An existing Cloud PC.
- An existing dev box.
A smart card device available on your local device.
To configure Group Policy, you need:
- A domain account that has permission to create or edit Group Policy objects.
- A security group or organizational unit (OU) containing the devices you want to configure.
You need to connect to a remote session from a supported app and platform. To view redirection support in Windows App and the Remote Desktop app, see Compare Windows App features across platforms and devices and Compare Remote Desktop app features across platforms and devices.
Smart card redirection
Configuration of a session host using Group Policy, or setting an RDP property on a host pool governs the ability to redirect smart card devices from a local device to a remote session, which is subject to a priority order.
The default configuration is:
- Windows operating system: Smart card redirection isn't blocked.
- Azure Virtual Desktop host pool RDP properties: Smart card devices are redirected from the local device to the remote session.
- Resultant default behavior: Smart card devices are redirected from the local device to the remote session.
Important
Take care when configuring redirection settings as the most restrictive setting is the resultant behavior. For example, if you disable smart card redirection on a session host with Group Policy, but enable it with the host pool RDP property, redirection is disabled.
Configuration of a Cloud PC governs the ability to redirect smart card devices from a local device to a remote session, and is set using Group Policy.
The default configuration is:
- Windows operating system: Smart card redirection isn't blocked.
- Windows 365: Smart card redirection is enabled.
- Resultant default behavior: Smart card devices are redirected from the local device to the remote session.
Configuration of a dev box governs the ability to redirect smart card devices from a local device to a remote session, and is set using Group Policy.
The default configuration is:
- Windows operating system: Smart card redirection isn't blocked.
- Microsoft Dev Box: Smart card redirection is enabled.
- Resultant default behavior: Smart card devices are redirected from the local device to the remote session.
Configure smart card device redirection using host pool RDP properties
The Azure Virtual Desktop host pool setting smart card redirection controls whether to redirect smart card from a local device to a remote session. The corresponding RDP property is redirectsmartcards:i:<value>
. For more information, see Supported RDP properties.
To configure smart card redirection using host pool RDP properties:
Sign in to the Azure portal.
In the search bar, type Azure Virtual Desktop and select the matching service entry.
Select Host pools, then select the host pool you want to configure.
Select RDP Properties, then select Device redirection.
For Smart card redirection, select the drop-down list, then select one of the following options:
- The smart card device on the local computer is not available in remote session
- The smart card device on the local computer is available in remote session (default)
- Not configured
Select Save.
To test the configuration, connect to a remote session, then use an application or website that requires your smart card. Verify that the smart card is available and works as expected.
Configure smart card device redirection using Group Policy
Configure smart card device redirection using Group Policy
Select the relevant tab for your scenario.
To allow or disable smart card device redirection using Group Policy:
Open the Group Policy Management console on device you use to manage the Active Directory domain.
Create or edit a policy that targets the computers providing a remote session you want to configure.
Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection.
Double-click the policy setting Do not allow smart card device redirection to open it.
To allow smart card device redirection, select Disabled or Not configured, then select OK.
To disable smart card device redirection, select Enabled, then select OK.
Ensure the policy is applied to the computers providing a remote session, then restart them for the settings to take effect.
Test smart card redirection
To test smart card redirection:
Connect to a remote session using Window App or the Remote Desktop app on a platform that supports smart card redirection. For more information, see Compare Windows App features across platforms and devices and Compare Remote Desktop app features across platforms and devices.
Check your smart cards are available in the remote session. Run the following command in the remote session in Command Prompt or from a PowerShell prompt.
certutil -scinfo
If smart card redirection is working, the output starts similar to the following output:
The Microsoft Smart Card Resource Manager is running. Current reader/card status: Readers: 2 0: Windows Hello for Business 1 1: Yubico YubiKey OTP+FIDO+CCID 0 --- Reader: Windows Hello for Business 1 --- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE --- Status: The card is being shared by a process. --- Card: Identity Device (Microsoft Generic Profile) --- ATR: aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 ;.........AB12.. ab . --- Reader: Yubico YubiKey OTP+FIDO+CCID 0 --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED --- Status: The card is available for use. --- Card: Identity Device (NIST SP 800-73 [PIV]) --- ATR: aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 ;.........34yz.. ab . [continued...]
Open and use an application or website that requires your smart card. Verify that the smart card is available and works as expected.