Windows 10: Problems with authentication on domain using smart card logon

Discussion in 'Windows 10 Installation and Upgrade' started by Dragan Mišukić, Nov 24, 2020.

  1. Problems with authentication on domain using smart card logon


    Dear MS Support,



    we're using Smart Card logon as second method of our users to sign into domain based PCs.

    After latest Servicing Stack update KB4586863 and Cumulative update KB4586786, logon with smart card stopped working with this message: "This smart card could not be used. Additional detail may be available in the system log. Please report this error to your administrator".

    We've done several things:


    1. Deleted current Smart card driver and reinstalled it - Alcor Micro USB Smart Card reader - didn't help

    2. Tried to uninstall specified updates using wusa.exe script in Command Prompt in elevated mode and in PowerShell and got reply: "Security Update for Microsoft Windows KB4586863 is required by your computer and cannot be uninstalled".

    3. Tried to modify it using Local Group Policy Editor:

    gpedit.msc Run As Admin / Computer Configuration / Administrative Templates / Windows Components / Smart Card

    and enable feature: Turn on certificate propagation from smart card


    Despite this troubleshooting, we haven't found any Microsoft-related TechNet or similar link or blog where Event ID 5, which we found after searching Event Viewer, was described, or a resolution for this kind of error.


    Endpoints which experienced this kind of issue are Windows 10 PRO OS, versions 1909, 2004 and 20H2, latest builds.

    Domain controllers are on Windows Server 2019 Standard OS version.


    We have several PCs that haven't yet got those latest updates, and logon is working just fine on those PCs.

    Please help us and advise what else we can troubleshoot further, since we're out of ideas.

    Is the solution for this case to reset PC installing clean OS version or is there anything else we can do about this issue?


    Thank you in advance for the provided help.


    BR,

    Dragan

    :)
     
    Dragan Mišukić, Nov 24, 2020
    #1
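
An added example, not part of the original post: a PowerShell snapshot of the state the post describes (the two updates, the smart card services, the certificate propagation policy and Event ID 5 entries), meant to be run elevated on a failing PC and on one that still works so the two JSON files can be compared. Looking for Event ID 5 in the System log and the 7-day window are assumptions based on the error message quoted in the post; the output file name is hypothetical.

```powershell
# Added example: snapshot of smart card logon state on one PC.
# Run elevated on a failing PC and on a working one, then diff the JSON files.
$kbs = 'KB4586863', 'KB4586786'   # update IDs taken from the post

$snapshot = [ordered]@{
    Computer = $env:COMPUTERNAME
    OSBuild  = (Get-CimInstance -ClassName Win32_OperatingSystem).Version

    # Which of the two updates are actually installed on this machine
    Hotfixes = @(Get-HotFix -Id $kbs -ErrorAction SilentlyContinue |
                 Select-Object HotFixID, InstalledOn)

    # Smart Card (SCardSvr) and Certificate Propagation (CertPropSvc) services
    Services = @(Get-Service -Name SCardSvr, CertPropSvc -ErrorAction SilentlyContinue |
                 Select-Object Name, Status, StartType)

    # Registry value behind "Turn on certificate propagation from smart card";
    # $null means the policy is not configured
    CertPropPolicy = (Get-ItemProperty `
        -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CertProp' `
        -Name CertPropEnabled -ErrorAction SilentlyContinue).CertPropEnabled

    # Event ID 5 entries from the System log (log name and window are assumptions);
    # ProviderName shows which component raised each event
    Events = @(Get-WinEvent -FilterHashtable @{
                   LogName   = 'System'
                   Id        = 5
                   StartTime = (Get-Date).AddDays(-7)
               } -ErrorAction SilentlyContinue |
               Select-Object TimeCreated, ProviderName, Message)
}

# Hypothetical output location; one file per computer
$out = Join-Path $env:TEMP "sc-logon-$($env:COMPUTERNAME).json"
$snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $out -Encoding UTF8
Write-Host "Snapshot written to $out"
```
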

  2. Smart card is required for interactive logon and windows mobile

    No.... I am not developing an application...

    It is a general question about connecting windows mobile clients remotely (over a secure reverse proxy etc.), when the domain feature (Smartcard is required for interactive logon) on a user base is active...

    What do you do then?

    It is not possible to insert a separate smart card into the mobile which contains the certificates used for the domain authentication? Or is it?

    Thanks for an answer
     
    Captain Future, Nov 24, 2020
    #2
  3. Tyler789 Win User
    Group Policy Interactive Logon smart card enforced with admin username and password enabled?

    Hello,

    I have a gpo setup to enforce interactive logon: smart card authentication on some of the computers in my domain. That works as it should. Group policy is applied to my group of computers and users are forced to insert their card and logon with their pin.
    No problem there.

    Here is my question: Is it possible to leave that intact but allow a subset of admin accounts to be used normally (username/password) on those computers? Essentially I want to enforce smart cards but allow our admins to still elevate privileges normally without having to create them admin smart cards.

    Thank you.
     
    Tyler789, Nov 24, 2020
    #3
  4. Problems with authentication on domain using smart card logon

    Windows 10 Smart Card Authentication Only Logon Option for 2 minutes during logon

    Good Day,

    I have a difficult problem that has cropped up intermittently after imaging some of our enterprise Windows 10 Systems. We are using the Windows 10 release just prior to Anniversary edition, whatever that number is.

    After a completed image using DISM and WDS, 99% of our Windows 10 systems work normally. Recently though, we have had a few Dell Latitude E5470's with internal smart-card readers come up with this issue:

    When logon appears, it's only smart card logon that is available. You don't get the ability to pick the little key icon or the little smart card icon at all. It's totally missing from the screen. Also, we have a policy-based lock screen background that normally shows at logon, but instead all you see is the Windows translucent blue flag background. If you do not touch the mouse or keyboard, at about 2 minutes the screen will switch to the lock screen and give you the options you should normally see.

    So here are the things we have tried to resolve the issue:

    • We have seen this once before, and when it happened before if the user waited for the screen change, and then logged on successfully w/out using a smart card, after reboot the system would work normally. But, the latest occurrence of this (2 systems now) have continued to act the same after successful logons.
    • We thought maybe if we disabled the smart card reader, it would force it to use normal logon. Nope! Disabling the smart card reader left us with NO Logon options until after the 2 minute wait period. Just the pretty blue Windows flag.
    • We tried using wired ethernet and/or wireless and no difference.
    • There didn't appear to be any failures that seemed related in the event logs.

    The only thing that seems to fix the issue is completely re-imaging it. It doesn't make sense that this would work because we have not changed the image or drivers at all for this model.

    So brainiacs out there - anyone else seen this? Had success resolving it? (Without having to re-image of course)

    By the way - I know you're probably saying to yourself ... 2 minutes. What's the big deal. Well, we have demanding customers and they seem to think it's the end of the world. So we are not able to just let it go and see if it eventually fixes itself with system updates or something.
     
    TheOneAndOnlyBryan, Nov 24, 2020
    #4