Troubleshooting "The smart card is read-only"


If you are attempting to enroll the YubiKey and receive a Windows Security prompt showing the error “The smart card is read-only”, the YubiKey Smart Card Minidriver is either not installed or not being detected correctly. This article describes the troubleshooting steps for enrolling on a local computer and for enrolling over RDP.

Local Enrollment

  1. Download and install the latest version of the YubiKey Smart Card Minidriver.
  2. Remove and reinsert the YubiKey.
  3. Open Command Prompt.
  4. Run: certutil -scinfo
  5. Verify that the Card value near the beginning of the output shows Yubikey Smart Card.

If the card is still detected incorrectly, this indicates other issues with the device or driver installation. Some common troubleshooting steps for device installation issues are listed below.

  • Uninstall and reinstall the minidriver.
  • In Device Manager, show hidden devices and then remove all Smart Card objects. This forces a device reinstallation the next time you insert the YubiKey.
  • Using a third-party driver manager such as DriverStoreExplorer, force uninstall the minidriver and then reinstall it.

Remote Enrollment Over RDP

First, follow the steps in the Local Enrollment section above to ensure that your local computer is using the YubiKey Smart Card Minidriver. If you still see the read-only error, proceed to the steps below.

  1. RDP to the remote server.
  2. Open the Services MMC and ensure that the Plug and Play service is running and set to automatically start after reboots.
  3. Log out of the RDP session.
  4. RDP to the remote server again.
  5. Open Command Prompt.
  6. Run: certutil -scinfo
  7. Verify that the Card value near the beginning of the output shows Yubikey Smart Card.

If the issue persists, you can manually trigger Windows to use the minidriver with the steps below.

  1. On the remote server, open Device Manager.
  2. Click Action > Add legacy hardware.
  3. Click Next.
  4. Select Install the hardware that I manually select from a list and click Next.
  5. Select Smart cards and click Next.
  6. Select Yubico in the Manufacturer section, select Yubikey Smart Card in the Model section, and click Next.
  7. Click Next to confirm the installation.
  8. Click Finish to exit the wizard.
  9. Open Command Prompt.
  10. Run: certutil -scinfo
  11. Verify that the Card value near the beginning of the output shows Yubikey Smart Card.

Note: You may want to use a GPO to set the Plug and Play service to start automatically on every server you will RDP to. Having this set ahead of time helps to avoid the need to manually trigger the driver with the Add Hardware wizard.
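
The verification steps above (the Card value in the certutil -scinfo output, and the Plug and Play service state on the remote server) can be scripted. The following PowerShell is an added example, not part of the original article and not Yubico's code; the function names are hypothetical and the sample lines are constructed for illustration.

```powershell
function Get-ScInfoCard {
    # Extract the value of each "Card:" line from certutil -scinfo output.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^[\s-]*Card:\s*(.*\S)') { $Matches[1] }
    }
}

function Test-YubiKeyMinidriver {
    # True only if at least one card is listed and every listed card reports
    # the name the article expects (-notlike compares case-insensitively).
    param([string[]]$Lines)
    $cards = @(Get-ScInfoCard -Lines $Lines)
    $wrong = @($cards | Where-Object { $_ -notlike 'YubiKey Smart Card*' })
    return ($cards.Count -gt 0 -and $wrong.Count -eq 0)
}

function Test-PlugAndPlayService {
    # RDP section, step 2: the service must be running and start automatically.
    $svc = Get-Service -Name PlugPlay
    return ($svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic')
}

# Constructed sample lines (not captured from a real system).
$detected = @(
    '--- Reader: Example Reader 0',
    '--- Status: The card is available for use.',
    '---   Card: YubiKey Smart Card'
)
$notDetected = @(
    '--- Reader: Example Reader 0',
    '---   Card: Some Other Card Name'
)
Test-YubiKeyMinidriver -Lines $detected
Test-YubiKeyMinidriver -Lines $notDetected

# Live check on the machine where enrollment fails (local PC or RDP session).
if (Get-Command certutil -ErrorAction SilentlyContinue) {
    if (-not (Test-PlugAndPlayService)) {
        Write-Warning 'Plug and Play is not running or not set to Automatic.'
    }
    if (-not (Test-YubiKeyMinidriver -Lines (certutil -scinfo))) {
        Write-Warning 'Card is not detected as YubiKey Smart Card.'
    }
}
```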


