CAC Reader Not Working on Windows 11 — Fix
CAC authentication has gotten complicated with all the Windows 11 updates flying around — and if you’re here at 0600 trying to get into a system before a brief, I’ve been exactly there. Deployed to a unit where the IT shop didn’t open until 0800, sitting in front of a government laptop with a Thursby or HID Omnikey 3121 jammed into a USB hub, getting nothing. No certificate prompt. No PIN dialog. Just silence. I’ve spent more hours than I care to count working through this exact problem. What follows is the cleanest set of fixes I’ve found — organized in the order that actually resolves things for most people.
Windows 11 introduced enough under-the-hood changes to smart card handling that fixes which worked reliably on Windows 10 sometimes just don’t apply anymore. The service architecture shifted. Driver signing requirements tightened. And a specific February 2025 cumulative update broke CAC authentication for a non-trivial number of users on domain-joined machines. We’ll cover all of it.
Restart Smart Card Service
Probably should have opened with this section, honestly — because this one step fixes the problem roughly 40% of the time and takes about 45 seconds.
Windows 11 runs a background process called the Smart Card service. It’s supposed to detect your reader and handle communication with the chip on your CAC. Sometimes it hangs — after a sleep cycle, a failed authentication attempt, or a Windows update that restarted services in a bad order. Restarting it manually kicks it back into a working state without requiring a full system reboot.
How to Restart the Smart Card Service
- Press Windows + R to open the Run dialog.
- Type services.msc and press Enter.
- In the Services window, scroll down to Smart Card. The list is alphabetical — it’s about two-thirds of the way down.
- Right-click Smart Card and select Restart. If the option is grayed out, click Start instead.
- While you’re in there, also check Smart Card Device Enumeration Service and Smart Card Removal Policy — both should show Automatic as the startup type and display as running.
- Click OK and close the window.
After restarting, unplug your CAC reader completely. Wait ten seconds — not two, actually ten. Plug it back in. Insert the card and wait for the PIN prompt. On most systems that takes five to eight seconds.
Faster method: open an elevated Command Prompt (search cmd, right-click, Run as administrator) and run these two commands back to back:
net stop SCardSvr
net start SCardSvr
Same result, fewer clicks. If the service restarts and your system still doesn’t recognize the card, move on.
Update CAC Reader Drivers
Frustrated by a week of failed logins and a ticket IT kept marking “under review,” I eventually fixed my own machine by pulling the correct driver directly from the manufacturer’s site and doing a clean install through Device Manager. Twelve minutes. I felt like an idiot for not doing it sooner.
Windows 11 sometimes installs a generic USB smart card driver that technically functions but causes intermittent failures — particularly with older readers like the SCR3310 v2.0 or the Identiv uTrust 3700 F. The generic driver doesn’t always handle USB polling correctly, so the OS sees the reader hardware but fails to enumerate the smart card chip inside the CAC. That’s what makes a correct driver installation worth doing: it’s boring, unglamorous, and it works.
Finding the Right Driver
Common CAC readers and their driver sources:
- HID Omnikey 3121 — HID Global’s support site, search “OMNIKEY 3121 Windows Driver”
- SCR3310 v2.0 — Identiv’s driver downloads page
- Thursby PKard — Thursby Software, though this one is Mac-primary and less common on Windows
- Cherry ST-1144UB — Cherry’s official site under business solutions
- Identiv uTrust 3700 F — Identiv driver portal
Download the Windows 11 compatible package. Most are under 10MB. Save it somewhere obvious — the desktop is fine for now.
Installing Through Device Manager
- Right-click the Start button and select Device Manager.
- Expand Smart card readers. If your reader shows up here with a yellow warning triangle, that’s your problem identified right there.
- If you don’t see it under Smart card readers, expand Universal Serial Bus controllers and look for an unknown device that appeared when you plugged in the reader.
- Right-click the reader entry and select Update driver.
- Choose Browse my computer for drivers.
- Navigate to the downloaded driver package folder. Make sure Include subfolders is checked.
- Click Next and let Windows install it.
- When it finishes, right-click the device again and select Uninstall device. Check the box that says Delete the driver software for this device if it appears.
- Unplug the reader, wait ten seconds, plug it back in. Windows will reinstall using the driver you just cached — this time cleanly.
Don’t make my mistake and skip that uninstall-and-replug step. It’s the part most guides leave out. It ensures the driver initializes fresh rather than layering on top of whatever corrupted state existed before. Small detail. Matters a lot.
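A read-only way to confirm the state the two sections above describe, from an elevated or normal PowerShell window. This is an added example, not part of the original guide; it assumes the standard Windows service names (SCardSvr, ScDeviceEnum, SCPolicySvc) and changes nothing on the machine.

```powershell
# Added example: read-only inventory of smart card services and reader drivers.
$serviceNames = 'SCardSvr', 'ScDeviceEnum', 'SCPolicySvc'

# State and startup type of the three services named in the restart steps.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $serviceNames -contains $_.Name } |
    Select-Object Name, DisplayName, State, StartMode |
    Format-Table -AutoSize

# Readers Windows currently enumerates in the SmartCardReader device class.
$readers = @(Get-PnpDevice -Class SmartCardReader -PresentOnly -ErrorAction SilentlyContinue)
if ($readers.Count -eq 0) {
    Write-Warning 'No reader in the SmartCardReader class. Look for an unknown USB device in Device Manager.'
}

# Driver actually bound to each reader. A provider of "Microsoft" means the
# in-box generic driver is in use rather than the manufacturer package.
$drivers = @(Get-CimInstance -ClassName Win32_PnPSignedDriver -Filter "DeviceClass = 'SMARTCARDREADER'")

$readers | ForEach-Object {
    $reader = $_
    $driver = $drivers |
        Where-Object { $_.DeviceID -eq $reader.InstanceId } |
        Select-Object -First 1
    [pscustomobject]@{
        Reader         = $reader.FriendlyName
        Status         = $reader.Status
        ErrorCode      = $reader.ConfigManagerErrorCode   # 0 = device working properly
        DriverProvider = $driver.DriverProviderName
        DriverVersion  = $driver.DriverVersion
        DriverDate     = $driver.DriverDate
        Inf            = $driver.InfName
    }
} | Format-List
```

A non-zero ErrorCode corresponds to the yellow warning triangle in Device Manager; the provider and version fields make it easy to confirm that the replug step actually bound the manufacturer driver.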
Clear Old Certificates
This one trips up a lot of people who’ve had their CAC replaced — after a PCS, a name change, a rank change, or routine reissuance. The old certificates from the previous card are still sitting in Windows’ certificate store. Sometimes the system tries to authenticate with those instead of the new ones on your current card. It fails. You assume the reader is broken. The reader is fine.
But what is the certificate store? In essence, it’s a local database Windows uses to cache and validate digital credentials. But it’s much more than that — it’s also where stale credentials from old CACs pile up and quietly cause authentication failures that look like hardware problems.
The fix is clearing out stale certificates from Internet Options — which sounds like a weird place to manage this, but that’s where Windows has handled smart card certificate management going back to IE days, and it still applies in Windows 11.
Removing Old CAC Certificates
- Open Control Panel. Fastest method in Windows 11: search “Control Panel” from the Start menu — don’t go hunting through Settings, it’s not there.
- Go to Network and Internet, then Internet Options.
- Click the Content tab.
- Click Certificates.
- In the Certificates window, click the Personal tab. If you see multiple entries with your name or entries with expired dates, those are the problem certificates.
- Select each expired or duplicate entry and click Remove. Confirm each prompt.
- Also check the Other People tab and Intermediate Certification Authorities tab for anything expired.
- Click Close, then OK.
After clearing those out, insert your CAC and open a browser. The system should now read certificates directly from the physical card rather than reaching for ghost credentials that no longer match anything.
One thing I learned the hard way — don’t delete the DoD root certificates from the Trusted Root Certification Authorities tab. Those are required for the whole chain to validate. Only remove personal and expired entries. Everything else, leave alone.
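Before removing anything in the Certificates dialog, the Personal store can be audited from PowerShell. This is an added example, not part of the original guide; it only reads Cert:\CurrentUser\My, and its "Superseded" flag is a review heuristic introduced here (same subject and same enhanced key usages, but an earlier expiry than another entry), not a deletion list.

```powershell
# Added example: read-only audit of the current user's Personal certificate store.
$now = Get-Date
# Client Authentication and Smart Card Logon enhanced key usage OIDs.
$logonOids = '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2'

$report = Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId } | Sort-Object)
    [pscustomobject]@{
        Subject      = $_.Subject
        Issuer       = $_.Issuer
        NotAfter     = $_.NotAfter
        Expired      = $_.NotAfter -lt $now
        LogonCapable = [bool]($ekus | Where-Object { $logonOids -contains $_ })
        EkuKey       = $ekus -join ','
        Thumbprint   = $_.Thumbprint
    }
}

# A current CAC legitimately contributes several certificates with the same
# subject (identity, signing, encryption). Only flag an entry as superseded
# when another entry with the same subject and the same EKU set expires later,
# which is the pattern a replaced card leaves behind.
$audited = $report | Group-Object -Property Subject, EkuKey | ForEach-Object {
    $latest = ($_.Group | Measure-Object -Property NotAfter -Maximum).Maximum
    foreach ($cert in $_.Group) {
        $cert | Add-Member -NotePropertyName Superseded `
                           -NotePropertyValue ($cert.NotAfter -lt $latest) -PassThru
    }
}

$audited |
    Sort-Object Subject, NotAfter |
    Select-Object Subject, NotAfter, Expired, Superseded, LogonCapable, Thumbprint |
    Format-Table -AutoSize -Wrap
```

Entries marked Expired or Superseded are the candidates to review in the Personal tab; the script never touches the Trusted Root Certification Authorities store.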
If you haven’t already installed the DoD certificate bundles, go to the DoD Cyber Exchange Public site and download the current InstallRoot package — as of early 2025, that’s InstallRoot 5.6. Run it as administrator. It installs all root and intermediate certificates automatically. Takes about two minutes.
Windows 11 Update Issues
In February 2025, Microsoft pushed cumulative update KB5051987 for Windows 11 24H2 and a separate update under KB5051989 for Windows 11 23H2. Both caused smart card authentication failures on domain-joined machines — which covers almost every government and military workstation in existence. The failure mode was specific: the PIN prompt would appear, you’d enter your PIN correctly, and then authentication would fail with a generic “the credentials supplied were not sufficient” error or just spin indefinitely.
This wasn’t a driver issue. It wasn’t a certificate issue. The update itself changed how Windows handled Kerberos smart card authentication in a way that broke compatibility with PKI configurations common in DoD environments. Apparently Microsoft’s internal testing didn’t catch this one before it went out.
Checking if This Update Is the Cause
- Press Windows + I to open Settings.
- Go to Windows Update, then Update history.
- Look for KB5051987 or KB5051989 in the list. Also check for any cumulative update installed in February or March 2025 — the issue was later patched by KB5053656, released in March 2025.
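The same check from PowerShell, useful when the Settings page is restricted or when you need the details for a ticket. This is an added example, not part of the original guide; the KB numbers are the ones given above, and the wording of the three verdicts is this example's own.

```powershell
# Added example: check for the February 2025 updates and the March 2025 fix.
$breaking = 'KB5051987', 'KB5051989'   # updates the guide ties to the CAC failures
$fix      = 'KB5053656'                # update the guide says patched the issue

# Get-HotFix reports a non-terminating error for each ID that is not installed,
# so suppress those and keep only the entries that were found.
$found = @(Get-HotFix -Id ($breaking + $fix) -ErrorAction SilentlyContinue)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
"OS: $($os.Caption) build $($os.BuildNumber)"
$found | Select-Object HotFixID, InstalledOn, InstalledBy | Format-Table -AutoSize

$hasBreaking = [bool]($found | Where-Object { $breaking -contains $_.HotFixID })
$hasFix      = [bool]($found | Where-Object { $_.HotFixID -eq $fix })

if ($hasFix) {
    'KB5053656 is installed. The update issue described here should not be the cause.'
}
elseif ($hasBreaking) {
    'A February 2025 update is installed without KB5053656. Quote the KB number and the failure mode in the ticket.'
}
else {
    # Later cumulative updates can replace earlier ones in this list, so an
    # empty result does not prove the machine never had the February update.
    'None of the three KBs are listed. Check Update history for a newer cumulative update.'
}
```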
Rolling Back the Problematic Update
- Open an elevated Command Prompt (Run as administrator).
- Type the following and press Enter:
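wusa /uninstall /kb:5051987 /quiet /norestart
Replace 5051987 with 5051989 if that’s the one installed on your machine.
- Restart the machine yourself once the command finishes; with /quiet and /norestart, Windows neither prompts nor reboots on its own.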
- After restarting, temporarily pause Windows Updates for 7 days so the update doesn’t immediately reinstall. Go to Settings, Windows Update, and click Pause for 1 week.
- Test your CAC authentication.
If the March 2025 patch (KB5053656) is available in your update queue, install that one specifically — it addresses the Kerberos issue directly. You can grab it manually from the Microsoft Update Catalog by searching the KB number.
If You’re on a Managed Government Device
Rollbacks on domain-joined machines sometimes require admin rights you don’t have. In that case, submit a ticket with the specific KB number and describe the failure mode — PIN accepted, authentication fails. That gives your IT shop enough to act on without you having to explain the whole situation from scratch. Most enterprise IT teams had already flagged this issue internally by late February 2025, so the right tech will know exactly what you’re talking about.
When None of This Works
If you’ve worked through all four sections and the reader still isn’t functioning, the next things to check — in order — are: whether ActivClient or similar middleware needs to be updated (current version as of early 2025 is 7.2.2, available through your organization’s software distribution if you’re in a managed environment), whether the physical card itself is damaged (a card reader at your local CAC office can test this in about thirty seconds), and whether the USB port itself is the problem.
A rear USB-A port might be the best option, as CAC authentication requires stable, consistent power delivery. Front panel USB ports on desktops and hubs on laptops often deliver inconsistent power or have intermittent connections — a CAC reader rated at 5V/100mA will usually work fine on a direct rear port even when a hub or front panel connector fails it.
First, you should rule out the port — at least if you haven’t already tried plugging directly into the back of the machine. It sounds too simple. It fixes things more often than it should.
The overwhelming majority of CAC authentication problems on Windows 11 come down to the four issues covered here — and usually the first two. Start with the Smart Card service restart, check the drivers, clear old certificates, verify your update history. Most people are back up and running inside thirty minutes.