Offline unlocking is performed by the system operator using a challenge-response authentication mechanism.

Unlocking a card (Smart card, USB token) on the Windows login screen is not supported when connected remotely via Remote Desktop.

When the allowed number of PIN entry attempts is exceeded, the user sees a message that the card is locked, together with a unique 16-character request code. The user must contact the system administrator (by phone, for instance), confirm their identity by answering the security questions, and read out the request code.

The figure shows an example of the smart card offline unlocking window in the Windows 11 interface.

The system administrator opens the user's card and selects Unlock from the list of actions. Before generating the response code, the administrator must ask the security question (or several questions, depending on the policy settings) and enter the user's answers in the form.

Offline unlocking can be disabled in the Workflow section of the smart card usage policy. In this case the Unlock button is inactive in the user's card.

Whether security questions must be answered during offline unlocking is controlled by the Validate answers to security questions option.

If all the answers are correct, the operator enters the request code obtained from the user and the system generates the response code, which the operator reads out to the user.

The user enters the response code and sets a new PIN for the smart card.

If unlocking succeeds, a corresponding message is displayed.
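A constructed model of the challenge-response exchange described above, added here as an illustration and not the product's own code: the card issues a single-use 16-character request code, the operator releases a response only after the security-question check, and the card verifies the response before accepting a new PIN. The HMAC-based response derivation, the per-card unlock key, the attempt limit and all function names are assumptions; the page does not specify the product's algorithm.

```python
import hashlib
import hmac
import secrets

MAX_PIN_ATTEMPTS = 3  # constructed value; the real limit comes from the usage policy

def compute_response(unlock_key, request_code):
    # Assumed scheme: HMAC-SHA256 over the request code, truncated to 16 hex characters
    mac = hmac.new(unlock_key, request_code.encode(), hashlib.sha256).hexdigest()
    return mac[:16].upper()

class SmartCard:
    def __init__(self, pin, unlock_key):
        self._pin = pin
        self._unlock_key = unlock_key  # per-card secret provisioned at enrollment (assumption)
        self.failed_attempts = 0
        self._pending_request = None

    def locked(self):
        return self.failed_attempts >= MAX_PIN_ATTEMPTS

    def verify_pin(self, pin):
        if self.locked():
            return False  # a locked card does not evaluate PINs at all
        if hmac.compare_digest(pin, self._pin):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False

    def request_code(self):
        # Fresh 16-character code for every unlock attempt, so a response cannot be replayed
        self._pending_request = secrets.token_hex(8).upper()
        return self._pending_request

    def unlock(self, response, new_pin):
        request, self._pending_request = self._pending_request, None  # single use
        if request is None or not hmac.compare_digest(
                response, compute_response(self._unlock_key, request)):
            return False
        self._pin, self.failed_attempts = new_pin, 0
        return True

def operator_issue_response(unlock_key, request_code, answers_correct, validate_answers=True):
    # Operator side: release a response only after the user's identity has been checked
    if validate_answers and not answers_correct:
        raise PermissionError("security questions not verified")
    return compute_response(unlock_key, request_code)
```

A wrong response consumes the pending request code, so the user has to obtain a fresh code and go through the operator again.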
