Windows 10: Windows 11 24H2 Smart Card PIV with ECC Certificates

Discussion in 'Windows 10 Software and Apps' started by Kevin Hester, Nov 22, 2024.

  1. Windows 11 24H2 Smart Card PIV with ECC Certificates


    My company utilizes Yubikey smart cards with ECC Certificates from AD CS. Pre-24H2, we had no issues with signing in on/off-net, SSO, etc. for two years Win 10 or 11. Post W11 24H2, smart card users cannot log into their devices off-net. Even while On-Net, the user's token for MFA is non-existent. A user is prompted via MFA for every Microsoft Application when first run after logging in. A reboot forces MFA again. This affects four different manufacturers with Intel 13th Gen+ No AMD W11 24H2. I have done the following:

    - All drivers / firmware / BIOS updated
    - Cleared / reset TPM
    - Refreshed P

    Kevin Hester, Nov 22, 2024
    #1

  2. PIV Smart Card Reader

    Hi All,

    I am running Windows 10 Pro 64bit 1909 and 2004.
    I am tasked with trying to figure out how to use a PIV Reader on my physical PC and then VPN\remote into another network PC, and have that PIV Card reader be functional on the remote session.

    I have gone into remote desktop connection and checked smart cards, also ports, and it doesn't work.
    I need the PIV reader to show up, so I can insert the PIV card and gain access to a resource on another network.
    I can do it if I go to the remote PC physically, but it is not in the plans to go there every day.

    Any ideas?
    Most articles I read I have not found anything relevant.

    I found this, do you all think this would work?
    Share USB smart card reader over Ethernet

    Or do you think this is not possible, and a security issue, therefore Microsoft does not allow it?
     
    jasieltego, Nov 22, 2024
    #2
  3. Certificate based smart card logon to Windows 10/11 with FIPS certified smart card

    Hi Zhou,

    Thank you very much for your response.

    I have already migrated my Root CA and smart card certificate to use SHA256, and my Windows 10/11 are the latest version. But the Kerberos/PKINIT still uses SHA1 instead of SHA2.

    From version 8 to version 16 of [MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol we can find that SHA1 can be used with ECC and RSA, but SHA2 can only be used with ECC. Does that mean we should use an ECC certificate?

    Best Regards,

    Geoffrey
     
    Geoffrey150, Nov 22, 2024
    #3
  4. Smart Card Certificates in Win10AU

    I frequently access work sites that require me to use a CAC/PIV card. Some sites require my encryption certificate but OWA requires my email certificate. Prior to the Win10AU update both my certs displayed, but now I have to click show more to see all my certs. It's a minor but annoying change with Win10AU. Microsoft, if you read this, please change it.
     
    bfunke, Nov 22, 2024
    #4