CAC Reader Not Working on Windows 11 — Fix
If a CAC reader not working on Windows 11 is the reason you’re here at 0600 trying to get into a system before a brief, I’ve been exactly there. Deployed to a unit where the IT shop didn’t open until 0800, sitting in front of a government laptop with a Thursby or HID Omnikey 3121 plugged into a USB hub, getting nothing. No certificate prompt. No PIN dialog. Just silence from the machine. I’ve spent more hours than I care to count working through this exact problem, and what follows is the cleanest, most direct set of fixes I’ve found — organized in the order that actually resolves the issue for most people.
Windows 11 introduced enough under-the-hood changes to smart card handling that fixes which worked reliably on Windows 10 sometimes just don’t apply anymore. The service architecture changed slightly. Driver signing requirements tightened. And a specific February 2025 cumulative update broke CAC authentication for a non-trivial number of users. We’ll cover all of it.
Restart Smart Card Service
Start here. Seriously — probably should have opened with this section, honestly, because this one step fixes the problem roughly 40% of the time and takes about 45 seconds.
Windows 11 runs a background process called the Smart Card service. It’s supposed to detect your reader and handle communication with the chip on your CAC. Sometimes it hangs, especially after a sleep cycle, a failed authentication attempt, or a Windows update that restarted services in a bad order. Restarting it manually kicks it back into a working state without requiring a full system reboot.
How to Restart the Smart Card Service
- Press Windows + R to open the Run dialog.
- Type services.msc and press Enter.
- In the Services window, scroll down to Smart Card. The list is alphabetical — it’s about two-thirds of the way down.
- Right-click Smart Card and select Restart. If the option is grayed out, click Start instead.
- While you’re in there, also check Smart Card Device Enumeration Service and Smart Card Removal Policy — both should be set to Automatic startup type and running.
- Click OK and close the Services window.
After restarting, unplug your CAC reader completely. Wait ten seconds — not two, actually ten. Plug it back in. Then insert your CAC card and wait for the PIN prompt. On most systems this takes five to eight seconds.
If you want to do this faster via command line, open an elevated Command Prompt (search for cmd, right-click, Run as administrator) and run these two commands in sequence:
net stop SCardSvr
net start SCardSvr
Same result, fewer clicks. If the service restarts and your system still doesn’t recognize the card, move to the next section.
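The same check and restart as a PowerShell script, added here as an example and not part of the original article. It assumes an elevated PowerShell session; ScDeviceEnum and SCPolicySvc are the short service names for the two services the steps above list by display name.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
# SCardSvr is the name used on the page; ScDeviceEnum and SCPolicySvc are the
# short names for the two services the page lists by display name.
$serviceNames = 'SCardSvr', 'ScDeviceEnum', 'SCPolicySvc'

function Get-SmartCardServiceState {
    foreach ($name in $serviceNames) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            Write-Warning "$name is not installed on this machine."
            continue
        }
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            State       = $svc.State       # Running / Stopped
            StartMode   = $svc.StartMode   # Auto / Manual / Disabled
        }
    }
}

$before = @(Get-SmartCardServiceState)
$before | Format-Table -AutoSize

# Flag any disabled service, and the two services the page wants on Automatic.
foreach ($svc in $before) {
    $pageWantsAuto = $svc.Name -ne 'SCardSvr'
    if ($svc.StartMode -eq 'Disabled' -or ($pageWantsAuto -and $svc.StartMode -ne 'Auto')) {
        Write-Warning "$($svc.DisplayName) start type is $($svc.StartMode)."
    }
}

# Same effect as "net stop SCardSvr" followed by "net start SCardSvr".
try {
    if ((Get-Service -Name SCardSvr).Status -eq 'Running') {
        Restart-Service -Name SCardSvr -Force -ErrorAction Stop
    } else {
        Start-Service -Name SCardSvr -ErrorAction Stop
    }
    # Block until the service reports Running, or give up after 15 seconds.
    (Get-Service -Name SCardSvr).WaitForStatus('Running', [TimeSpan]::FromSeconds(15))
} catch {
    Write-Warning "Smart Card service did not reach Running: $($_.Exception.Message)"
}

Get-SmartCardServiceState | Format-Table -AutoSize
```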
Update CAC Reader Drivers
Frustrated by a week of failed logins and a ticket that IT just kept marking “under review,” I eventually fixed my own machine by pulling the correct driver directly from the manufacturer’s site and doing a clean install through Device Manager. It took about twelve minutes and I felt like an idiot for not doing it sooner.
Windows 11 sometimes installs a generic USB smart card driver that technically works but causes intermittent failures — particularly with older readers like the SCR3310 v2.0 or the Identiv uTrust 3700 F. The generic driver doesn’t always handle the USB polling correctly, which means the OS sees the reader hardware but fails to enumerate the smart card chip inside your CAC.
Finding the Right Driver
Common CAC readers and their driver sources:
- HID Omnikey 3121 — HID Global’s support site, look for “OMNIKEY 3121 Windows Driver”
- SCR3310 v2.0 — Identiv’s driver downloads page
- Thursby PKard — Thursby Software, though this one is Mac-primary and less common on Windows
- Cherry ST-1144UB — Cherry’s official site under business solutions
- Identiv uTrust 3700 F — Identiv driver portal
Download the Windows 11 compatible driver package. Most are under 10MB. Save it somewhere you’ll remember — desktop is fine for now.
Installing Through Device Manager
- Right-click the Start button and select Device Manager.
- Expand the Smart card readers category. If your reader shows up here with a yellow warning triangle, that’s your problem identified.
- If you don’t see it under Smart card readers, expand Universal Serial Bus controllers and look for an unknown device or something that appeared when you plugged in the reader.
- Right-click the reader entry and select Update driver.
- Choose Browse my computer for drivers.
- Navigate to where you saved the downloaded driver package and select that folder. Make sure Include subfolders is checked.
- Click Next and let Windows install it.
- When it finishes, right-click the device again and select Uninstall device. Check the box that says Delete the driver software for this device if it appears.
- Unplug the reader, wait ten seconds, plug it back in. Windows will reinstall using the driver you just added to its cache — this time cleanly.
That uninstall-and-replug step is the part most guides skip. It ensures the driver initializes fresh rather than layering on top of whatever corrupted state existed before. Small detail. Matters a lot.
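To see which driver Windows actually bound to the reader before and after the reinstall, the following added example (not from the original article) lists every device in the Smart card readers class with its driver provider, version and INF file. Treating a provider of "Microsoft" as the generic driver is an assumption of this example.

```powershell
# Added example, not from the original article.
# Lists smart card readers and the driver package bound to each one.
$readers = @(Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DeviceClass -eq 'SMARTCARDREADER' })

if ($readers.Count -eq 0) {
    # Matches the Device Manager step: the reader may be sitting elsewhere
    # as an unknown or failed device.
    Write-Warning 'No device found in the Smart card readers class.'
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.Status -ne 'OK' } |
        Select-Object Status, Class, FriendlyName, InstanceId |
        Format-Table -AutoSize
}

$report = foreach ($r in $readers) {
    # Device status as Device Manager sees it (OK, Error, Degraded, Unknown).
    $pnp = Get-PnpDevice -InstanceId $r.DeviceID -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Reader   = $r.DeviceName
        Status   = $pnp.Status
        Provider = $r.DriverProviderName
        Version  = $r.DriverVersion
        Date     = $r.DriverDate
        Inf      = $r.InfName
        # Assumption: a Microsoft-provided driver is the generic one,
        # a vendor name here means the manufacturer package is in use.
        Generic  = ($r.DriverProviderName -eq 'Microsoft')
    }
}

$report | Format-Table -AutoSize

foreach ($row in $report | Where-Object { $_.Generic -or $_.Status -ne 'OK' }) {
    Write-Warning "$($row.Reader): provider '$($row.Provider)', status '$($row.Status)'. Compare with the manufacturer's package."
}
```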
Clear Old Certificates
This one trips up a lot of people who’ve had their CAC replaced — after a PCS, a name change, a rank change, or just a routine reissuance. The old certificates from the previous card are still sitting in Windows’ certificate store, and sometimes the system tries to authenticate using those instead of the new ones on your current card. It fails. Then it fails again. You assume the reader is broken when the reader is fine.
The fix is clearing out the stale certificates from Internet Options — which sounds like a weird place to manage this, but that’s where Windows has kept certificate management for smart cards going back to IE days, and it still applies in Windows 11.
Removing Old CAC Certificates
- Open the Control Panel. The fastest way in Windows 11 is to search “Control Panel” from the Start menu — don’t try to find it through Settings, it’s not there.
- Go to Network and Internet, then Internet Options.
- Click the Content tab.
- Click Certificates.
- In the Certificates window, click the Personal tab. You’ll see a list of certificates. If you see multiple entries with your name, or entries with expired dates, those are the problem certificates.
- Select each expired or duplicate certificate and click Remove. You’ll get a confirmation prompt — click Yes.
- Also check the Other People tab and the Intermediate Certification Authorities tab for anything expired.
- Click Close, then OK.
After clearing those out, insert your CAC and open a browser. The system should now read the certificates from the physical card rather than reaching for ghost credentials that no longer match anything.
One thing I learned the hard way — don’t delete the DoD root certificates from the Trusted Root Certification Authorities tab. Those are required for the whole chain to validate. Only remove personal and expired entries.
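Before removing anything by hand, a read-only report of what is expired or superseded helps pick the right entries. This is an added example, not from the original article; it only reads the current user's stores behind the Personal, Other People and Intermediate Certification Authorities tabs and never touches the trusted roots.

```powershell
# Added example, not from the original article. Read-only: nothing is deleted.
# Store paths behind the three tabs named in the steps above.
$stores = [ordered]@{
    'Personal'                               = 'Cert:\CurrentUser\My'
    'Other People'                           = 'Cert:\CurrentUser\AddressBook'
    'Intermediate Certification Authorities' = 'Cert:\CurrentUser\CA'
}
$now = Get-Date

$report = foreach ($tab in $stores.Keys) {
    $certs = @(Get-ChildItem -Path $stores[$tab])
    foreach ($c in $certs) {
        # A current CAC carries more than one certificate under the same name,
        # so a duplicate is only flagged when a newer certificate with the
        # same subject and the same key usages exists in the store.
        $eku = ($c.EnhancedKeyUsageList.ObjectId | Sort-Object) -join ','
        $newer = @($certs | Where-Object {
            $_.Subject -eq $c.Subject -and
            (($_.EnhancedKeyUsageList.ObjectId | Sort-Object) -join ',') -eq $eku -and
            $_.NotBefore -gt $c.NotBefore
        })
        [pscustomobject]@{
            Tab        = $tab
            Subject    = $c.GetNameInfo('SimpleName', $false)
            Issuer     = $c.GetNameInfo('SimpleName', $true)
            NotAfter   = $c.NotAfter
            Expired    = $c.NotAfter -lt $now
            Superseded = ($tab -eq 'Personal' -and $newer.Count -gt 0)
            Thumbprint = $c.Thumbprint
        }
    }
}

# Candidates for manual removal in the Certificates dialog.
$report |
    Where-Object { $_.Expired -or $_.Superseded } |
    Sort-Object Tab, Subject, NotAfter |
    Format-Table -AutoSize
```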
If you haven’t already installed the DoD certificate bundles, go to the DoD Cyber Exchange Public site and download the current InstallRoot package. As of early 2025 that’s InstallRoot 5.6. Run it as administrator and let it install all the root and intermediate certificates automatically. Takes about two minutes.
Windows 11 Update Issues
In February 2025, Microsoft pushed cumulative update KB5051987 for Windows 11 24H2, and a separate update under KB5051989 for Windows 11 23H2. Both caused smart card authentication failures on domain-joined machines — which covers almost every government and military workstation in existence. The failure mode was specific: the PIN prompt would appear, you’d enter your PIN correctly, and then authentication would fail with a generic “the credentials supplied were not sufficient” error or just spin indefinitely.
This wasn’t a driver issue. It wasn’t a certificate issue. It was the update itself changing how Windows handled Kerberos smart card authentication in a way that broke compatibility with certain PKI configurations common in DoD environments.
Checking if This Update Is the Cause
- Press Windows + I to open Settings.
- Go to Windows Update, then Update history.
- Look for KB5051987 or KB5051989 in the list. Also check for any cumulative update installed in February or March 2025 if you’re reading this later — the issue was later patched by KB5053656, released in March 2025.
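The same check from PowerShell, as an added example that is not part of the original article. It uses only the KB numbers named above and also lists any other update installed in February or March 2025.

```powershell
# Added example, not from the original article. KB numbers are the ones named above.
$problemKbs = 'KB5051987', 'KB5051989'   # February 2025 updates
$fixKb      = 'KB5053656'                # March 2025 patch

function Get-CacUpdateVerdict {
    param([object[]]$HotFixes)

    $problem = @($HotFixes | Where-Object { $_.HotFixID -in $problemKbs })
    $fix     = @($HotFixes | Where-Object { $_.HotFixID -eq $fixKb })
    # Any other update installed in the February to March 2025 window.
    $window  = @($HotFixes | Where-Object {
        $_.InstalledOn -ge [datetime]'2025-02-01' -and
        $_.InstalledOn -lt [datetime]'2025-04-01' -and
        $_.HotFixID -notin ($problemKbs + $fixKb)
    })

    if ($fix) {
        return "$fixKb is installed; the article says this patch addresses the issue."
    }
    if ($problem) {
        return "$($problem.HotFixID -join ', ') is installed without $fixKb; matches the failure described."
    }
    if ($window) {
        return "No listed KB found, but review these updates: $($window.HotFixID -join ', ')"
    }
    return 'None of the listed updates are installed.'
}

# Get-HotFix reads the installed updates that Windows reports through WMI.
$hotfixes = @(Get-HotFix | Select-Object HotFixID, Description, InstalledOn)
$os = Get-CimInstance -ClassName Win32_OperatingSystem

"Windows build: $($os.Version)"
Get-CacUpdateVerdict -HotFixes $hotfixes

# Most recent updates, newest first, for the ticket or for manual review.
$hotfixes |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 10 |
    Format-Table -AutoSize
```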
Rolling Back the Problematic Update
- Open an elevated Command Prompt (Run as administrator).
- Type the following and press Enter to uninstall the specific update:
wusa /uninstall /kb:5051987 /quiet /norestart
Replace 5051987 with 5051989 if that’s the one installed on your machine.
- Restart your computer when prompted.
- After restarting, temporarily pause Windows Updates for 7 days so the update doesn’t immediately reinstall. Go to Settings, Windows Update, and click Pause for 1 week.
- Test your CAC authentication.
If the March 2025 patch (KB5053656) is available in your update queue, install that one specifically rather than the February update — Microsoft’s patch addresses the Kerberos issue. You can install it manually from the Microsoft Update Catalog by searching the KB number directly.
If You’re on a Managed Government Device
Rollbacks on domain-joined machines sometimes require admin rights you don’t have. In that case, submit a ticket with the specific KB number and describe the failure mode — PIN accepted, authentication fails. That gives your IT shop enough to work with without you having to explain the whole thing from scratch. Most enterprise IT teams had already flagged this issue internally by late February 2025, so the right tech will know exactly what you’re talking about.
When None of This Works
If you’ve worked through all four sections and the CAC reader still isn’t functioning, the next things to check — in order — are: whether ActivClient or a similar middleware package needs to be updated (current version as of early 2025 is 7.2.2, available through your organization’s software distribution if you’re in a managed environment), whether the physical card itself is damaged (a card reader at your local CAC office can test this in about thirty seconds), and whether the USB port itself is the problem — test on a different port, preferably a rear USB-A port rather than a front panel or hub.
Front panel USB ports on desktops and USB hubs on laptops often deliver inconsistent power or have intermittent connections. A CAC reader rated at 5V/100mA like most CCID-class readers will usually work fine on a direct rear port even when a hub or front panel connector fails it.
The overwhelming majority of CAC authentication problems on Windows 11 come down to the four issues covered here — and usually the first two. Start with the Smart Card service restart, check the drivers, clear old certificates, and verify your update history. Most people are back up and running inside thirty minutes.