Microsoft released Windows 11 Insider Preview Build 26220.8754 to the Beta Channel on June 26, 2026, introducing a critical security enforcement for enterprise cloud desktops. The update mandates that when a smart card used for authentication is removed from the local machine, the connected Azure Virtual Desktop (AVD) or Windows 365 Cloud PC session instantly locks. This change specifically targets sessions authenticated via Microsoft Entra ID (formerly Azure Active Directory), aiming to prevent unauthorized access if a user steps away without disconnecting.

The new behavior closes a long-standing security gap where removing a smart card did not automatically lock the remote desktop session, potentially leaving sensitive corporate data exposed. In many high-security environments, smart card removal triggers an automatic workstation lock on physical devices. However, for virtual desktop infrastructure (VDI) and Cloud PC sessions running under Microsoft’s modern identity provider, this lock behavior hadn’t been enforced—until now.

How Smart Card Authentication Works in Windows

Smart cards provide two-factor authentication by requiring something the user has (the physical card) and something they know (a PIN). When inserted, the card’s cryptographic chip exchanges certificates with the domain controller or identity provider to verify the user’s identity. Windows natively supports smart card logon for both on-premises Active Directory and cloud-based Microsoft Entra ID. In traditional setups, removing the card triggers a policy-based response: the workstation can lock, do nothing, or even log off the user, depending on Group Policy settings.

In the context of Azure Virtual Desktop and Windows 365, the session runs remotely on a virtual machine. Authentication happens via the local client, but the session itself typically remains active even if the smart card is removed. This disconnect between the physical token and the virtual session state created a potential vulnerability: an attacker with physical access could use the unlocked remote session if the user walked away without locking it manually.

The Evolution of Smart Card Security in Windows

Windows has supported smart card logon since Windows 2000, but its integration with cloud identity is a more recent evolution. With the shift to hybrid work, Microsoft has been extending on-premises security paradigms to the cloud. The smart card removal policy, traditionally configured through a Group Policy Object (GPO) under “Interactive logon: Smart card removal behavior,” offered options like “Lock Workstation,” “Force Logoff,” or “Disconnect if a Remote Desktop Services session.” However, these settings only applied to Active Directory domain-joined machines and relied on the classic Winlogon process. For Entra ID-joined devices and modern authentication flows, the same enforcement was missing. Build 26220.8754 bridges that gap by integrating smart card removal events with Microsoft Entra’s authentication broker.

What’s New in Build 26220.8754

The crux of this Insider build is the enforcement of smart card removal behavior for Entra-authenticated sessions. When a user connects to an AVD or Cloud PC using a Microsoft Entra ID account with a smart card, removing that card now immediately locks the remote desktop. The lock happens regardless of any Group Policy settings configured for the local machine, as the enforcement is driven by the session host and the Entra authentication mechanism.

According to the excerpt, this feature is specifically for “Microsoft Entra-authenticated Azure Virtual Desktop and Cloud PCs.” This means it likely applies to the modern authentication stack using Entra ID joined session hosts or hybrid-joined hosts that rely on Entra ID for primary authentication. For legacy Active Directory authentication, smart card removal behavior remains governed by traditional Group Policy.

The build number—26220.8754—suggests a minor servicing update on top of a recent development branch. Beta Channel builds around this period often test enterprise features before wider rollout. While Microsoft hasn’t published full release notes yet (the excerpt is truncated), early reports indicate the change is seamless for end users and requires no additional configuration for Entra-joined virtual machines.

Technical Underpinnings: CertPropSvc and Credential Isolation

Behind the scenes, the smart card enforcement leverages the Certificate Propagation service (CertPropSvc) and Windows credential isolation. When a smart card is inserted, CertPropSvc loads the certificate into the user’s session. For remote desktop connections, the Remote Desktop Client proxies the smart card redirection, allowing the remote VM to see the local card reader. On removal, the service receives a removal event. Previously, for Entra-joined remote sessions, the removal event did not trigger a session lock because the credential validation was not continuously tied to the session state. Build 26220.8754 introduces a listener that monitors Entra ID’s authentication context and forces a lock on the remote session when the smart card event fires.

This mechanism is distinct from the older “Smart Card Removal Policy” GPO, which only worked for domain-joined machines using Kerberos authentication. The new enforcement is cloud-native, relying on the Windows notification framework and Entra ID signal integration. It works even if the remote machine isn’t domain-joined, as long as Entra ID join is in place.

Why This Matters for Zero Trust Security

This feature aligns tightly with Microsoft’s Zero Trust architecture, where continuous verification of trust is paramount. In Zero Trust, identity is the new perimeter. Smart cards represent a strong possession-based factor, and tying the session’s active state to the physical presence of that factor prevents session hijacking when the user isn’t present. By automatically locking the virtual desktop, organizations reduce the risk of data leakage from unattended machines, a common vector in shared or open-office environments.

For regulated industries—finance, healthcare, government—this enforcement can aid compliance with standards like PCI DSS, HIPAA, and FedRAMP, which mandate automatic session termination or locking upon token removal. Previously, achieving this on cloud desktops required third-party solutions or complex scripts; now it’s built into the OS.

Deployment and Compatibility

Beta Channel testers on build 26220.8754 will experience this behavior automatically if they use Entra ID authentication with a smart card to connect to AVD or Cloud PC. No Group Policy or registry tweak is needed for Entra-joined sessions. However, for hybrid environments where on-premises AD is still used, administrators may continue to rely on the classic “Interactive logon: Smart card removal behavior” policy (path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options).
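For the hybrid case, the classic policy only takes effect if two things line up: the GPO has written its value to the Winlogon registry key, and the Smart Card Removal Policy service is running on the session host. The following audit script is an added example (not from the build notes or any Microsoft tooling) that reports both on a domain-joined session host; the value-to-label mapping is the documented meaning of the policy’s options, and the script does not inspect the new Entra-driven enforcement, which exposes no setting as of this build.

```powershell
# Added example: audit the classic "Interactive logon: Smart card removal
# behavior" policy on a domain-joined session host. The policy stores its
# choice in the ScRemoveOption value under the Winlogon key; the Smart Card
# Removal Policy service (SCPolicySvc) must be running for the chosen action
# to actually fire, which is a common reason a configured lock never happens.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$meaning = @{
    '0' = 'No action'
    '1' = 'Lock Workstation'
    '2' = 'Force Logoff'
    '3' = 'Disconnect if a Remote Desktop Services session'
}

$value = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
if ($null -eq $value) {
    Write-Output 'ScRemoveOption is not set: no removal policy is configured (behaves as No action).'
} else {
    $key   = [string]$value
    $label = if ($meaning.ContainsKey($key)) { $meaning[$key] } else { "unknown value '$key'" }
    Write-Output "ScRemoveOption = $key ($label)"
}

# SCPolicySvc enforces the removal action; CertPropSvc (mentioned in the article)
# propagates the card's certificate into the session and is reported for context.
foreach ($name in 'SCPolicySvc', 'CertPropSvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Output "$name : service not present on this host"
        continue
    }
    Write-Output "$name ($($svc.DisplayName)) : $($svc.Status), start type $($svc.StartType)"
    if ($name -eq 'SCPolicySvc' -and $svc.Status -ne 'Running' -and (@('1', '2', '3') -contains [string]$value)) {
        Write-Warning 'A removal action is configured but SCPolicySvc is not running; the action will not fire.'
    }
}
```

Run it elevated on each session host whose behavior you expect the GPO to govern; a configured action with SCPolicySvc stopped is the first thing to fix before suspecting the new build.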

It’s important to note that this build’s enforcement might not apply to all remote desktop scenarios. For example, if a user connects to a traditional RDSH server using Active Directory credentials with a smart card, the behavior may still depend on local policy. The excerpt specifically mentions Microsoft Entra-authenticated AVD and Cloud PCs, suggesting the feature is tightly integrated with Entra’s authentication broker.

What Else Is in the Build?

While the excerpt focuses on the smart card change, Insider builds often bundle multiple improvements. Based on the build number and channel, earlier builds in the 262xx series likely brought general fixes, updated Windows Kernel, and improvements to the Windows Shell. Typically, Beta Channel builds include features that are ready for broader testing but may not appear in the next Feature Update until further validation. The .8754 cumulative update likely contains quality improvements, possibly addressing feedback from earlier Beta builds regarding Virtualization-Based Security or graphics driver issues.

However, without full release notes, we advise users to visit the Windows Insider Blog for a comprehensive list. Beta testers can also use the Feedback Hub to report issues specific to the new smart card enforcement, such as unexpected lockouts or conflicts with other credential providers.

Known Issues and Caveats

New security enforcement can sometimes introduce unexpected behaviour. Potential concerns include:

  • Delayed lock response: Network latency between the client and the virtual machine might cause a brief window where the session remains unlocked after card removal.
  • USB redirection conflicts: If smart card readers are redirected via RemoteFX USB redirection instead of standard smart card redirection, the removal event might not propagate correctly. Administrators should ensure proper RDP property configuration.
  • Multiple sessions: If a user launches multiple AVD sessions with the same smart card, removing the card might lock all sessions or only the one in focus. The build’s behaviour likely locks the session where the card was actively used, but testing is needed.
  • Hybrid scenarios: Users with both Entra ID and AD accounts might see inconsistent behaviour if they authenticate with one identity but the session host trusts the other.
  • Third-party smart card drivers: Some driver stacks may not fire removal events in a way Windows expects, requiring updates.

Beta testers are encouraged to test extensively in their deployment scenarios and report anomalies via the Feedback Hub under “Enterprise Management” > “Smart Card”.

Administrator Controls and Policy Options

Despite the automatic enforcement, administrators retain control through Entra ID Conditional Access policies and session host configurations. For instance, if an organization desires a different behavior—such as a delay before locking or a complete logoff—they can potentially override the default through custom PowerShell scripts or third-party credential providers that hook into the smart card removal event, though Microsoft likely recommends the default. The existing “Smart card removal behavior” GPO will continue to work for domain-joined session hosts, and administrators can set it to “No action” if they prefer to handle lock manually for on-premises scenarios.

Additionally, with the move to cloud-native management, Microsoft Endpoint Manager may eventually expose a setting to toggle or tune this enforcement for Entra-joined devices. As of build 26220.8754, no such setting appears in the Settings app, but it could arrive in a future build.

Testing Scenarios for Enterprise IT

IT professionals should craft specific test cases to validate the new behavior:
- Basic removal: Connect to an Entra-joined AVD session with a smart card, then remove the card. The session should lock within seconds.
- Reinsertion: Lock the session by card removal, then reinsert the card and type the PIN. The session should unlock normally.
- Concurrent sessions: Open multiple AVD sessions from the same client using the same card. Remove the card and verify all sessions lock.
- Rapid removal/insertion: Simulate accidental quick removal and reinsertion to ensure stability.
- Driver compatibility testing: Use a variety of smart card readers and drivers (e.g., Gemalto, YubiKey in smart card mode) to confirm consistent behavior.
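To put a number on the “basic removal” case (and on the delayed-lock concern from the caveats above), the tester needs something more precise than a stopwatch. The script below is an added helper, not part of the build or the Feedback Hub, to be run inside the session under test on the session host: it records a start time, waits for the tester to pull the card, and reports how long it took for Security event 4800 (“The workstation was locked”) to appear for that account. It assumes the new enforcement surfaces as a standard session lock, that “Audit Other Logon/Logoff Events” is enabled for Success on the host (otherwise 4800 is never written), and that the script runs elevated so it can read the Security log.

```powershell
# Added test helper: measure time from card removal to session lock on the
# session host. Assumes Success auditing for "Other Logon/Logoff Events" is on
# and the script runs elevated in the session being tested.
param(
    [int]$TimeoutSeconds = 15,          # longest delay the test tolerates
    [string]$User = $env:USERNAME       # account whose session should lock
)

$start = Get-Date
Write-Output "Remove the smart card now. Waiting up to $TimeoutSeconds s for lock event 4800 for '$User'..."

$locked = $null
while (-not $locked -and ((Get-Date) - $start).TotalSeconds -lt $TimeoutSeconds) {
    Start-Sleep -Milliseconds 500
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4800; StartTime = $start } `
                           -ErrorAction SilentlyContinue
    # Event 4800's data fields are TargetUserSid, TargetUserName, TargetDomainName,
    # TargetLogonId, SessionId; index 1 is therefore the locked account's name.
    $locked = $events | Where-Object { $_.Properties[1].Value -eq $User } | Select-Object -First 1
}

if ($locked) {
    $elapsed = ($locked.TimeCreated - $start).TotalSeconds
    Write-Output ("PASS: session locked {0:N1} s after the test started (event 4800 at {1})." -f $elapsed, $locked.TimeCreated)
} else {
    Write-Output "FAIL: no lock event for '$User' within $TimeoutSeconds s. Confirm auditing is enabled and that the removal reached the session host."
}
```

The elapsed figure includes the tester’s reaction time, so start the script and pull the card immediately; the PASS/FAIL line survives the lock and can be pasted into the Feedback Hub report alongside the event log export.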

Feedback Hub submissions should include network traces and event logs from the client and session host to help Microsoft’s engineering team diagnose issues.

The Bigger Picture: Securing the Modern Workplace

This Insider build underscores Microsoft’s commitment to making its cloud desktop platforms secure by default. Azure Virtual Desktop and Windows 365 have seen rapid adoption as organizations embrace hybrid work. Security features like screen capture protection, watermarking, and now smart card enforcement make these solutions more palatable for security-conscious enterprises.

Microsoft’s recent focus on identity protection—phasing out passwords, pushing for FIDO2, enforcing MFA—complements this hardware token integration. Smart cards, though older technology, remain widespread in government and defense. By closing the gap between physical token removal and virtual session state, Microsoft eliminates a nagging inconsistency.

How to Get the Build

Windows Insiders in the Beta Channel can download Build 26220.8754 via Windows Update. Ensure you’re enrolled at Settings > Windows Update > Windows Insider Program. The build will be offered automatically. If you’re testing AVD or Cloud PC sessions, set up a test environment with Entra ID join and smart card authentication to validate the new behaviour.

What’s Next?

If this Beta build receives positive feedback, we can expect the smart card enforcement to land in a future General Availability Channel release, likely as part of a moment update or the next annual Feature Update. The timeline might align with Microsoft’s typical release cadence, where Beta features stabilize for a couple of months before going mainstream. Enterprise admins should start planning for this change now—updating their security documentation, training help desks, and communicating the new lock behaviour to end users.

Community Reaction

Early Twitter and Reddit chatter among IT pros indicates cautious optimism. “Finally, a sensible default for Entra-based virtual desktops,” wrote one admin on a tech forum. Others worry about the occasional need to remove a smart card while actively working—for example, to insert a different card for a different system—and whether that would cause productivity disruptions. Microsoft will need to strike a balance: perhaps allowing a grace period or a user-controlled timeout. Feedback Hub voting will determine the final shape.

Summary

Windows 11 Insider Preview Build 26220.8754 delivers a long-awaited security boost by locking Azure Virtual Desktop and Windows 365 sessions upon smart card removal when Entra ID authentication is used. This zero-touch enforcement simplifies compliance and strengthens Zero Trust posture for cloud desktops. Beta testers should evaluate it in their environments and provide feedback before the feature rolls out broadly.

For up-to-date information, keep an eye on the Windows Insider Blog and Microsoft’s Learn docs for Azure Virtual Desktop and Windows 365.