Symptom fingerprint
The exact strings, error codes, and UI surfaces that map to this issue:
| UI message | Surface | Code |
|---|---|---|
| No smart card reader was found on this system | Windows credential dialog / DocuSign signing modal | — |
| Smart card reader is not ready | Event Viewer → Windows Logs → System (source 'Microsoft-Windows-SmartCard') | SCARD_E_READER_UNAVAILABLE |
| Yellow caution on 'Microsoft Usbccid Smartcard Reader (WUDF)' | Device Manager → Smart card readers | — |
Why Windows fails to enumerate the token
Windows ships generic Microsoft Usbccid support that handles CCID-compliant readers (most modern tokens), but the certificate inside the token is only readable by software once the vendor middleware loads its CSP/KSP or PKCS#11 module and the Smart Card service has propagated the certificate into the user's MY store.
'Not detected' has three meaningful states: (1) Windows does not see the USB device at all, (2) Windows sees the device but no middleware claims it, (3) middleware loaded but certificate propagation failed.
Windows vs macOS — what differs
Windows 10 / 11
- Smart Card service (SCardSvr) and Certificate Propagation service must both be Running and set to Automatic — recently observed to default to Manual after Windows 11 23H2.
- Group Policy 'Allow certificates with no extended key usage' can suppress otherwise-valid smartcard logon certificates.
- USB power: front-panel USB hubs frequently underpower tokens — diagnose by moving to a rear USB 2.0 port.
macOS Sonoma / Sequoia
- Not the same stack — see our DocuSign macOS notes. CryptoTokenKit replaces SCardSvr; vendor .tokend or PKCS#11 .dylib replaces CSP/KSP.
- Use 'sc_auth identities' to list visible smartcard identities, not certmgr.msc-style tools.
Browser-specific behaviour
Chrome
Reads CAPI; if the cert appears in certmgr but not in Chrome, restart the browser fully (chrome://restart) to force re-enumeration.
Edge
Same CAPI path; IE Mode for legacy banking portals may bypass enumeration entirely — disable for the affected site.
Firefox
Independent NSS store; must load the vendor PKCS#11 module under Settings → Privacy & Security → Certificates → Security Devices.
Diagnostic sequence
Run each step in order. Stop at the first failing expectation — that's where the root cause lives.
1. Confirm USB enumeration
Get-PnpDevice -Class SmartCardReader (PowerShell)
Expected: Status = OK for at least one device.
2. Confirm Smart Card service
Get-Service SCardSvr, CertPropSvc | Select Name,Status,StartType
Expected: Both Running, both Automatic.
3. List CAPI personal certificates
Get-ChildItem Cert:\CurrentUser\My
Expected: Certificate from your token appears with HasPrivateKey = True.
4. Test PKCS#11 module directly
pkcs11-tool --module <vendor>.dll --list-slots
Expected: Slot 0 contains token; 'token initialized' = yes.
5. Check event log for SCardSvr errors
Get-WinEvent -LogName System | Where ProviderName -eq 'Microsoft-Windows-SmartCard' | Select -First 10
Expected: No 'SCARD_E_*' errors in the last hour.
Frequently asked questions
Why did my token stop working after a Windows 11 feature update?
Feature updates (23H2, 24H2) routinely reset the Smart Card and Certificate Propagation services to Manual and occasionally remove third-party CSPs from the registry. Run the diagnostic flow above; if services are Manual, set Automatic and reinstall the vendor middleware.
Is a USB hub safe for signing tokens?
Passive front-panel hubs and bus-powered hubs cause intermittent detection on most tokens. Use a powered hub or a rear motherboard port for production signing.
Does Windows 11 in S Mode support signing tokens?
No — S Mode blocks installation of vendor middleware. Switch out of S Mode (one-way) before deploying tokens to a fleet.
Can two middleware stacks coexist?
Rarely. SafeNet Authentication Client and Gemalto's Classic Client both register CSPs and can race for the same reader. Uninstall the unused one fully and reboot before reinstalling the active one.
Related services
Explore the consulting hub for this issue, or review session pricing.
Still seeing this error?
If these steps don't isolate the root cause inside your environment, an independent consultant can run a structured PKI diagnostic with you over a screen-shared session and deliver a written report identifying root cause, remediation, and — where relevant — the next responsible party (CA, internal IT, or software vendor).
Book a $49 Zoom diagnostic →Includes a written diagnostic summary. Independent consulting engagement — not affiliated with DocuSign, Adobe, or Microsoft.