Before You Begin Troubleshooting

Applies To: Windows 7, Windows Server 2008 R2

Before you begin troubleshooting, ensure that you can provide administrative credentials. You should also understand which smart card solutions are not compatible with Plug and Play and how smart cards work with Remote Desktop connections. In addition, you should know when you can use Safe Mode to help troubleshoot smart card-related issues.

Administrative credentials

You must be a member of the local Administrators group on the Windows 7–based computer on which you are troubleshooting smart card issues or know the user name and password of a local administrator account. If you are not logged on with an administrator account, you must provide administrator credentials to perform many of the tasks in this guide.

Smart card solutions that are not compatible with Plug and Play

Smart card Plug and Play only supports smart cards that require drivers to function. Not all smart card solutions require drivers for integrating with Windows. These solutions do not use the Windows Smart Card Framework and must be installed on the computer before using the smart card for the first time.

The following solutions are not compatible with smart card Plug and Play:

  • Custom cryptographic service provider (CSP)-based solutions.

  • Custom key storage provider (KSP)-based solutions.

  • Public Key Cryptography Standard #11 (PKCS #11)-based solutions.

  • Smart card driver packages without complete INF files or with incorrect device identifications.

  • Some multislot smart card readers that create only one device for all available slots in the smart card reader.

Each time a smart card is inserted in the computer, Windows attempts to download and install the smart card driver if it is not already available on the computer. You may see a Plug and Play error when you insert a non-Plug and Play smart card on the computer. This does not necessarily mean that there is a problem with the smart card.

If your deployment uses only non-Plug and Play smart card solutions, smart card Plug and Play can be disabled by a local administrator on a client computer. Disabling smart card Plug and Play prevents smart card drivers, also known as smart card mini-drivers, from downloading and prevents smart card Plug and Play prompts.

To disable smart card Plug and Play in local Group Policy

  1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

  2. In the console tree under Computer Configuration, click Administrative Templates.

  3. In the details pane, double-click Windows Components, and then double-click Smart Card.

  4. Right-click Turn on Smart Card Plug and Play service, and then click Edit.

  5. Click Disabled, and then click OK.

For enterprise deployments, smart card Plug and Play can be disabled by using Group Policy. For information about administrative templates in Group Policy, see Administrative templates overview for GPMC (https://go.microsoft.com/fwlink/?LinkId=152390).

Important

For commercial deployments that target end-users (such as online banking) and environments that include both Plug and Play and non-Plug and Play smart cards, using Group Policy to disable Plug and Play for smart cards is strongly discouraged because it will affect all the smart cards in your environment.

Remote Desktop connections and smart cards

Smart card Plug and Play works only for local sessions on a computer. The smart card driver must be installed on the local computer before attempting to use smart cards with Remote Desktop connections. The driver can be installed by inserting a Plug and Play–compatible smart card in a smart card reader on the local computer or by manually installing the driver. For information about manually installing drivers, see Manually Install a Smart Card Driver in this guide.

Using Safe Mode with smart cards

Safe Mode is typically used to identify and resolve problems with hardware devices, drivers, and applications running in Windows. The following table identifies scenarios for using a smart card to log on in Safe Mode with Networking and whether they are supported by the Smart Card Framework. The scenarios that are not supported in Safe Mode with Networking may work, but they are not officially supported.

Note

The Smart Card Framework is not supported when Windows is running in any other Safe Mode.

| Scenario | Supported in Safe Mode with Networking |
|---|---|
| Domain logon using smart cards | Yes |
| Cached logon using smart cards | No |
| Remote Desktop Services logon when the host is running in Safe Mode | No |
| Remote Desktop Services logon when the remote computer is running in Safe Mode | No |
| Unlock a workstation by using smart card | Yes |
| Smart card PIN management (change/unblock) | Yes |
| External PIN entry for unlocking smart cards | No |
| Authenticate to a network resource by using credentials on a smart card (CredUI) | No |
| Secure Socket Layer (SSL) client authentication | No |
| Certificate propagation | No |
| Smart card device management and Plug and Play | No |
| User Account Control management | No |
| Certutil -scinfo command | Yes |
| S/MIME | No |
| Smart card enrollment | No |
| Join a domain by using smart card | No |
| Secure PIN channel | No |
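
The prerequisites this page describes (administrative credentials, local versus Remote Desktop session, and boot mode) can be checked in one pass before troubleshooting starts. The following PowerShell is an added example, not part of the original guide; the function name Get-SmartCardTroubleshootingPreflight is hypothetical, and the script uses only built-in .NET and WMI calls available on Windows 7.

```powershell
# Added example; the function name is hypothetical, not part of Windows.
function Get-SmartCardTroubleshootingPreflight {
    # Administrative credentials: IsInRole is true only when this process
    # holds an elevated Administrators token (UAC filters it otherwise).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Boot mode: Win32_ComputerSystem.BootupState is 'Normal boot',
    # 'Fail-safe boot' (Safe Mode) or 'Fail-safe with network boot'.
    $boot = (Get-WmiObject -Class Win32_ComputerSystem).BootupState
    $frameworkSupported = ($boot -eq 'Normal boot') -or
                          ($boot -eq 'Fail-safe with network boot')

    # Session type: smart card Plug and Play works only for local sessions.
    Add-Type -AssemblyName System.Windows.Forms
    $remote = [System.Windows.Forms.SystemInformation]::TerminalServerSession

    # Collect the findings a troubleshooter has to act on.
    $notes = @()
    if (-not $isAdmin) {
        $notes += 'Not elevated: provide administrator credentials.'
    }
    if (-not $frameworkSupported) {
        $notes += 'Smart Card Framework is not supported in this Safe Mode.'
    }
    elseif ($boot -ne 'Normal boot') {
        $notes += 'Safe Mode with Networking: only some scenarios are supported.'
    }
    if ($remote) {
        $notes += 'Remote Desktop session: install the driver on the local computer first.'
    }

    New-Object PSObject -Property @{
        IsElevatedAdministrator = $isAdmin
        BootupState             = $boot
        FrameworkSupported      = $frameworkSupported
        IsRemoteDesktopSession  = $remote
        Notes                   = $notes
    }
}

Get-SmartCardTroubleshootingPreflight | Format-List
```

An empty Notes property means none of the three prerequisites blocks troubleshooting on this computer.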