DisableCapioverrideForRSA
The registry value DisableCapioverrideForRSA (typically found under HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Provider\...) acts as a toggle for this redirection:
In October 2025, Microsoft released security updates (such as and KB5066782) aimed at addressing vulnerabilities like CVE-2024-30098. These updates changed how Windows handles RSA-based smart card certificates.
Some older Hardware Security Modules (HSMs) or smart cards rely on specific CAPI behaviors that are lost during CNG translation.
In environments utilizing smart cards or RSA SecurID tokens for two-factor authentication, the VMware Horizon Client and the Connection Server interact to verify user identity. By default, certain versions of the Horizon software attempt to optimize the authentication flow by handling Input/Output (I/O) operations for the smart card reader locally on the client side, rather than redirecting the entire smart card device to the virtual desktop.
While modernizing cryptography is usually a priority, administrators might set DisableCapioverrideForRSA to 1 for specific reasons:
Enabling this setting may have a slight impact on the user experience. Because the setting forces USB redirection, the login process might take longer than the optimized I/O capture method. Additionally, the smart card reader becomes "locked" to the remote session, meaning it may not be accessible for other local applications on the endpoint while the VDI session is active.
DisableCapIOOverrideForRSA is a technical switch for VMware Horizon administrators. It serves as a critical fallback mechanism for resolving authentication failures related to smart card middleware conflicts, ensuring users can successfully log in using two-factor authentication when standard optimization protocols fail.