I always hated Smart Cards and called them legacy tech. But recently, I stumbled upon a very good use case. Have you ever tried typing in your password or using your FIDO2 key with gloves on?
Yep, not that funny.
So, I gave Smart Cards another shot. Turns out, they work natively on Windows devices, but configuring Interactive Logon Smart Card Removal Behavior requires additional settings. Today, I set up Smart Cards in Intune and ensured automatic locking when a user removes the card. To achieve this, I used a Settings Catalog profile in Intune.
Configure Smart Card Removal Behavior in Intune
- Open Microsoft Intune and navigate to Devices > Configuration Profiles.
- Click + Create profile, choose Windows 10 and later, then select Settings Catalog.
- Click Add Settings and search for Smart Card.
- Select the following settings and configure them:
  - Administrative Templates > Windows Components > Smart Card > Turn on Smart Card Plug and Play service: Enabled
  - Local Policies Security Options > Interactive Logon Smart Card Removal Behavior: Lock Workstation
- Assign the policy to the appropriate group and click Create.
This ensures the device locks immediately when the Smart Card is removed.
Ensure the Smart Card Service is Running
To enable Smart Card authentication, the Smart Card service (SCardSvr) must be running. Intune does not provide a direct setting for this, so I deployed a PowerShell script.
Create the PowerShell Script
$ScriptName = "WIN-S-D-ServiceAutostart_SmartCardRemovalPolicy"
Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\$ScriptName.log" -Force

# Define service name (Smart Card Removal Policy service)
$ServiceName = "SCPolicySvc"

# Check if the service exists before modifying it
$Service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($Service) {
    try {
        Set-Service -Name $ServiceName -StartupType Automatic -ErrorAction Stop
        Write-Output "Successfully set $ServiceName to Automatic startup."

        # Start service if not running (refresh first, the object above is a snapshot)
        $Service.Refresh()
        if ($Service.Status -ne 'Running') {
            Start-Service -Name $ServiceName -ErrorAction Stop
            Write-Output "Successfully started $ServiceName."
        } else {
            Write-Output "$ServiceName is already running."
        }
    } catch {
        Write-Error "Error while configuring $ServiceName : $_"
    }
} else {
    Write-Warning "Service $ServiceName not found."
}

# Stop transcript
Stop-Transcript
This script checks if the Smart Card Policy Service (SCPolicySvc) is present. If found, it sets the startup type to Automatic and ensures the service is running. All actions and potential errors are logged locally in the Intune log directory at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs (the transcript file is named after $ScriptName, so WIN-S-D-ServiceAutostart_SmartCardRemovalPolicy.log).
Deploy the Script via Intune
- Open Microsoft Intune and go to Devices > Scripts.
- Click + Add, select Windows 10 and later, then choose PowerShell.
- Upload the script and set the following options:
- Run script as user: No
- Enforce script signature check: No
- Run script in 64-bit PowerShell: Yes
- Assign it to the appropriate device group and click Create.
Verify the Deployment
After deploying both configurations, check if everything is working:
- Sign in to a test device.
- Insert a Smart Card and ensure authentication works.
- Remove the Smart Card and verify that the device locks automatically.
- Open Services.msc and confirm that Smart Card (SCardSvr) is running.
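The manual checks above can be scripted so the result is repeatable on every test device. The following is an added example (not part of the original post or its Intune script) that reads the registry values Windows uses for the two policy settings and checks both smart card services; it assumes an elevated PowerShell session on the target device.

```powershell
# Added example: verify that the smart card removal policy actually landed on a device.
$Checks = @()

# "Interactive logon: Smart card removal behavior" is stored as ScRemoveOption (REG_SZ):
# 0 = no action, 1 = lock workstation, 2 = force logoff, 3 = disconnect remote desktop session
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ScRemove = (Get-ItemProperty -Path $Winlogon -Name 'ScRemoveOption' -ErrorAction SilentlyContinue).ScRemoveOption
$Checks += [pscustomobject]@{
    Check  = 'ScRemoveOption = 1 (Lock Workstation)'
    Actual = if ($null -eq $ScRemove) { '<not set>' } else { $ScRemove }
    Pass   = ($ScRemove -eq '1')
}

# "Turn on Smart Card Plug and Play service" is policy-managed: DWORD EnableScPnP under ScPnP
$ScPnP = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScPnP'
$PnP = (Get-ItemProperty -Path $ScPnP -Name 'EnableScPnP' -ErrorAction SilentlyContinue).EnableScPnP
$Checks += [pscustomobject]@{
    Check  = 'EnableScPnP = 1'
    Actual = if ($null -eq $PnP) { '<not set>' } else { $PnP }
    Pass   = ($PnP -eq 1)
}

# SCardSvr talks to the reader; SCPolicySvc (Smart Card Removal Policy) performs the lock.
# Both must be running for removal to lock the session.
foreach ($Name in 'SCardSvr', 'SCPolicySvc') {
    $Svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $Checks += [pscustomobject]@{
        Check  = "$Name running"
        Actual = if ($Svc) { "$($Svc.Status) / startup $($Svc.StartType)" } else { '<missing>' }
        Pass   = [bool]($Svc -and $Svc.Status -eq 'Running')
    }
}

$Checks | Format-Table -AutoSize

# Non-zero exit when any check fails, so the script can double as a detection script.
if ($Checks.Pass -contains $false) { exit 1 } else { exit 0 }
```

The exit code follows the Intune remediation convention (1 = non-compliant), so the same script can be used as a detection script if you later want to remediate drift automatically.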
Conclusion
By configuring Smart Card authentication in Intune, I enhanced security and ensured a seamless user experience. The Settings Catalog made it easy to enforce automatic locking, and the PowerShell script ensured the required service runs correctly.
Deploying Smart Card authentication via Intune strengthens device security and reduces risks associated with credential-based logins. If you're implementing this, let me know in the comments how it worked for you!