This article describes how to resolve a problem where users can't sign in to Windows until the incorrect driver is removed.
Applies to: Windows 10, version 2004, Windows 10, version 1909, Windows 10, version 1903
Original KB number: 4563240
If you use a Personal Identity Verification (PIV) smart card or any multifunction device that uses PIV smart cards that rely on the Windows Inbox Smart Card Minidriver, you may have received an incorrect driver update. When you try to use a smart card to authenticate to Windows, you might receive error messages such as "This smart card cannot be used" or "The operation requires a different smart card."
The incorrect update contains the "FEITIAN - SmartCard - 1.0.0.3" provider app that installs the Feitian xPass Smart Card driver. This is a legitimate, signed update that was published by a verified partner. However, it was inadvertently targeted to a broader set of devices than it was originally intended for.
The driver has been pulled from the Windows Update publishing system. To mitigate any adverse effects, any user who received the update has to manually roll back to the Windows inbox driver. For more information, see the "Resolution" section.
You observe one or more of the following symptoms:
The following example shows the results of the certutil -scinfo command when it is run on an affected computer. The certificates were generated as part of a Microsoft AD CS enrollment. However, they're no longer able to interface with the YubiKey PIV device after the xPass Smart Card driver is installed.
[Screenshot: output of the certutil -scinfo command, which indicates there is a PIV Smart Card driver problem.]
The Feitian xPass Smart Card driver version 1.0.0.3 specifies SCFILTER\CID_2777BE07-6993-4513-BD80-C184FCB0AB2D as a compatible identifier in the .inf file of its driver package. However, the Windows inbox smart card minidriver for PIV smart cards (Identity Device (NIST SP 800-73 [PIV])) uses the same compatible identifier. If you connect a non-Feitian device that uses the inbox driver to your computer, Windows recognizes the Feitian driver as compatible. Windows downloads, installs, and loads the Feitian driver.
For more information about how Windows selects drivers for a device, see Overview of the Driver Selection Process and How Windows selects a driver for a device.
If the Feitian xPass Smart Card driver has been installed on your computer, you have to remove it to revert to the inbox Identity Device (NIST SP 800-73 [PIV]) driver. After you remove the xPass Smart Card driver, Windows automatically loads the inbox driver for the device.
To do this, you can manually delete the driver, or create and run a script to delete it.
In Settings, select Updates & Security > View update history. You should be able to identify the driver update in the list.
To manually remove the driver, follow these steps:
To automate the driver removal, create a script that can run in a batch file. The script identifies the driver .inf file name and uses PnPUtil.exe to delete the driver. The script can delete the driver even if a smart card or smart card device isn't connected to the computer. To create and use such a script, follow these steps:
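@echo off
rem Find every staged copy of the Feitian driver .inf in the driver store
for /r %windir%\System32\DriverStore\FileRepository %%i in (*eps_piv_csp11.inf*) do (
    @echo %%i
    rem Uninstall it from devices that use it and delete the package
    pnputil /delete-driver %%i /uninstall /force
)
pause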
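To check a computer before or after the removal, the following PowerShell audit reports whether the package is staged in the driver store and which .inf each connected smart card is bound to. It is an added example, not part of the original article or Microsoft's script. It assumes an elevated session, and the function name Find-StagedDriver is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's script). Find-StagedDriver is a hypothetical name.
$TargetInf = 'eps_piv_csp11.inf'   # .inf name taken from the removal script on this page

function Find-StagedDriver {
    # Return driver-store packages whose original .inf file name matches $InfName.
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Drivers,
        [string]$InfName = $TargetInf
    )
    $Drivers |
        Where-Object { (Split-Path -Path $_.OriginalFileName -Leaf) -ieq $InfName } |
        Select-Object @{ n = 'PublishedName'; e = { $_.Driver } },
                      ProviderName, ClassName, Version, OriginalFileName
}

# 1. Is the package staged in the driver store? (Get-WindowsDriver lists
#    third-party packages only unless -All is given.)
$staged = @(Find-StagedDriver -Drivers @(Get-WindowsDriver -Online))
if ($staged.Count -gt 0) {
    Write-Warning "$TargetInf is staged in the driver store:"
    $staged | Format-List
} else {
    Write-Output "$TargetInf is not staged in the driver store."
}

# 2. Which .inf is each connected smart card actually bound to?
#    A card is affected when its bound oem#.inf is the staged package.
Get-PnpDevice -Class SmartCard -PresentOnly -ErrorAction SilentlyContinue |
    ForEach-Object {
        $id  = $_.InstanceId
        $inf = (Get-PnpDeviceProperty -InstanceId $id -KeyName 'DEVPKEY_Device_DriverInfPath').Data
        [pscustomobject]@{
            Device   = $_.FriendlyName
            BoundInf = $inf
            Provider = (Get-PnpDeviceProperty -InstanceId $id -KeyName 'DEVPKEY_Device_DriverProvider').Data
            Version  = (Get-PnpDeviceProperty -InstanceId $id -KeyName 'DEVPKEY_Device_DriverVersion').Data
            Affected = ($staged.PublishedName -contains $inf)
        }
    } | Format-Table -AutoSize
```

Step 2 lists only cards that are inserted at the time; step 1 works with no card or reader connected.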
If you've followed the steps in the "Resolution" section but you need additional help, go to the Microsoft Support website.