Because SystoLOCK relies heavily on the smart card infrastructure during RDP logins, and because an RDP server does not talk to the card itself but uses the reader of the connecting client through smart card redirection, it is very important that this infrastructure is configured properly on both the target RDP servers and the clients that initiate the login.
To eliminate most problems you need two Group Policy settings, placed in a GPO linked to the root of your domain or to any other container from which the computers in question can read it.
In the GPO, navigate to the following path:
Computer Configuration > Policies > Windows Settings > Security Settings > System Services
Under that path, find the Smart Card service (SCardSvr) and set its startup mode to Automatic. On current Windows versions the service is trigger-started on demand by default, which is not always sufficient for an RDP logon.
Then navigate to the following path to allow smart card redirection on the session hosts:
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
Set the policy
Do not allow smart card device redirection to Disabled.
Although the double negative is counterintuitive, this setting is often the crux of otherwise mysterious smart card problems: if it is Enabled, the session host never sees the client's card reader and the smart card logon cannot complete.
For smart cards to work over RDP, the clients must not block them from being redirected. The smart card redirection option is found in the Local Resources tab of the Remote Desktop Connection client (mstsc). It is on by default, but it is sometimes found switched off, and a saved .rdp file carries its own copy of the setting that overrides the client default.
The setting can also be corrected centrally via a Group Policy Preferences registry item that sets the following value:
Key: HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
Value Name: redirectsmartcards (REG_DWORD)
Value: 1 (smart cards are redirected); 0 blocks redirection
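The following PowerShell script is an added example, not SystoLOCK code and not part of this page: it audits the settings described above on the local machine and, with -Fix, corrects them. It assumes (this is not stated on the page) that the policy "Do not allow smart card device redirection" is stored as HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fEnableSmartCard (policy Disabled = 1, Enabled = 0, absent = Not Configured), that the per-listener default lives under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, and that saved connection files use the line redirectsmartcards:i:1. The $RdpFile parameter and the Default.rdp location are assumptions as well.

```powershell
<#
  Added example (not SystoLOCK code): audit, and optionally fix, the smart card
  settings an RDP server and client need for smart card logon.
  Run as administrator for -Fix. GPO remains the preferred way to apply the
  server-side values; -Fix is for a lab host or a quick local test.
#>
[CmdletBinding()]
param(
    [switch]$Fix,   # set the values locally instead of only reporting them
    # Assumed location of the RDP client's saved default connection file.
    [string]$RdpFile = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp')
)

# Assumed registry mappings (see lead-in); the policy key overrides the listener key.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$clientKey   = 'HKCU:\Software\Microsoft\Terminal Server Client\Default'

function Get-RegDword([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. the setting is Not Configured.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Set-RegDword([string]$Key, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$findings = @()

# 1. The Smart Card service (SCardSvr) must start automatically.
$svc   = Get-CimInstance Win32_Service -Filter "Name='SCardSvr'"
$svcOk = ($null -ne $svc) -and ($svc.StartMode -eq 'Auto')
$findings += [pscustomobject]@{ Check = 'SCardSvr start mode'; Value = $svc.StartMode; OK = $svcOk }
if ($Fix -and -not $svcOk) {
    Set-Service -Name SCardSvr -StartupType Automatic
    Start-Service -Name SCardSvr
}

# 2. Server side: "Do not allow smart card device redirection" must be Disabled.
#    fEnableSmartCard = 1 means redirection allowed, 0 means blocked. If the policy
#    value is absent (Not Configured) the listener's own value decides.
$policy    = Get-RegDword $policyKey   'fEnableSmartCard'
$listener  = Get-RegDword $listenerKey 'fEnableSmartCard'
$effective = if ($null -ne $policy) { $policy } else { $listener }
$srvOk     = ($effective -eq 1)
$findings += [pscustomobject]@{ Check = 'fEnableSmartCard (policy / listener)'; Value = "$policy / $listener"; OK = $srvOk }
if ($Fix -and -not $srvOk) { Set-RegDword $policyKey 'fEnableSmartCard' 1 }

# 3. Client side: the RDP client default must keep redirecting smart cards.
#    An absent value is the built-in default, which is "on".
$client = Get-RegDword $clientKey 'redirectsmartcards'
$cliOk  = ($null -eq $client) -or ($client -eq 1)
$findings += [pscustomobject]@{ Check = 'redirectsmartcards (HKCU)'; Value = $client; OK = $cliOk }
if ($Fix -and -not $cliOk) { Set-RegDword $clientKey 'redirectsmartcards' 1 }

# 4. A saved .rdp file overrides the client default with its own line, so check it too.
if (Test-Path $RdpFile) {
    $hit     = Select-String -Path $RdpFile -Pattern '^redirectsmartcards:i:(\d)' | Select-Object -First 1
    $fileVal = if ($hit) { [int]$hit.Matches[0].Groups[1].Value } else { $null }
    $fileOk  = ($null -eq $fileVal) -or ($fileVal -eq 1)
    $findings += [pscustomobject]@{ Check = "redirectsmartcards in $RdpFile"; Value = $fileVal; OK = $fileOk }
    if ($Fix -and -not $fileOk) {
        (Get-Content -Path $RdpFile) -replace '^redirectsmartcards:i:\d', 'redirectsmartcards:i:1' |
            Set-Content -Path $RdpFile
    }
}

$findings | Format-Table -AutoSize
# Non-zero exit code lets the script double as a pre-flight check in a deployment pipeline.
if ($findings | Where-Object { -not $_.OK }) { exit 1 } else { exit 0 }
```

Run it without -Fix on a session host and on a client to see which of the four values is off before touching Group Policy; the policy key written by -Fix is the same one the GPO setting would write, so a later GPO refresh leaves it unchanged.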