
Microsoft says the October 2025 Windows security updates are causing smart card authentication and certificate issues due to a change designed to strengthen the Windows Cryptographic Services.

This known issue impacts all Windows 10, Windows 11, and Windows Server releases, including the latest versions designated for broad deployment.

Affected users may observe various symptoms, from the inability to sign documents and failures in applications that use certificate-based authentication to smart cards not being recognized as CSP providers (Cryptographic Service Provider) in 32-bit apps.


They can also see "invalid provider type specified" and "CryptAcquireCertificatePrivateKey error" error messages.

"This issue is linked to a recent Windows security improvement to use KSP (Key Storage Provider) instead of CSP (Cryptographic Service Provider) for RSA-based smart card certificates to improve cryptography," Microsoft said.

"You can detect if your smart card will be affected by this issue if you observe the presence of Event ID 624 in the System event logs for the Smart Card Service prior to installing the October 2025 Windows security update."

As the company explained, this known issue occurs because this month's security updates automatically enable by default a security fix designed to address a security feature bypass vulnerability (CVE-2024-30098) in the Windows Cryptographic Services, a built-in Windows service that handles security-related and cryptographic operations.

This fix is enabled by setting the DisableCapiOverrideForRSA registry key value to 1 to isolate cryptographic operations from the Smart Card implementation and block attackers from creating a SHA1 hash collision to bypass digital signatures on vulnerable systems.

Those who are experiencing authentication problems can temporarily resolve them by disabling the DisableCapiOverrideForRSA registry key using the following procedure:

  1. Open Registry Editor. Press Win + R, type regedit, and press Enter. If prompted by User Account Control, click Yes.
  2. Navigate to the subkey. Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais.
  3. Edit the key and set the value. Inside Calais, check if the key DisableCapiOverrideForRSA exists. Double-click DisableCapiOverrideForRSA. In Value data, enter: 0.
  4. Close and restart. Close Registry Editor. Restart the computer for changes to take effect.

However, you should back up the registry before editing it, because any errors could lead to system issues.
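For administrators who prefer a scripted check over Registry Editor, the following PowerShell is an added example (not from Microsoft or the original article) that reports Event ID 624 in the System log and the current DisableCapiOverrideForRSA value, and only changes anything when asked to. The `-ApplyWorkaround` switch and the backup file location are assumptions made for this example; run it from an elevated prompt.

```powershell
# Added example: audit a host, then optionally apply the temporary workaround.
# Read-only unless -ApplyWorkaround is passed; -WhatIf previews the change.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$ApplyWorkaround,                                        # hypothetical switch name
    [string]$BackupPath = (Join-Path $env:TEMP 'Calais-backup.reg')  # assumed backup location
)

$regKey    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais'
$valueName = 'DisableCapiOverrideForRSA'

# Event ID 624 in the System log is the indicator Microsoft describes.
# The query filters on the ID only; check Event624Sources in the output to
# confirm the events come from the Smart Card Service.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 624 } `
                         -MaxEvents 20 -ErrorAction SilentlyContinue)

# Read the current value; $null means the value is not present under Calais.
$current = (Get-ItemProperty -Path $regKey -Name $valueName `
                             -ErrorAction SilentlyContinue).$valueName

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Event624Count   = $events.Count
    Event624Sources = ($events.ProviderName | Sort-Object -Unique) -join ', '
    LastEvent624    = ($events | Select-Object -First 1).TimeCreated
    RegistryValue   = if ($null -eq $current) { 'not present' } else { $current }
}

if ($ApplyWorkaround) {
    # Mirrors step 3 above: only edit the value if it already exists.
    if ($null -eq $current) {
        Write-Warning "$valueName not found under $regKey; nothing changed."
        return
    }
    if ($PSCmdlet.ShouldProcess("$regKey\$valueName", 'Back up key and set value to 0')) {
        # Back up the Calais key before editing, as the article advises.
        & reg.exe export 'HKLM\SOFTWARE\Microsoft\Cryptography\Calais' $BackupPath /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Registry backup to $BackupPath failed." }
        Set-ItemProperty -Path $regKey -Name $valueName -Value 0
        Write-Output "Set $valueName to 0. Backup: $BackupPath. Restart required."
    }
}
```

Because the registry key is due to be removed in April 2026, recording which hosts log Event ID 624 also gives a list of applications to raise with their vendors.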

While this will mitigate the issue, the DisableCapiOverrideForRSA registry key will be removed in April 2026, and Microsoft advised affected users to work with their application vendors to resolve the underlying problem.

"For a permanent resolution, developers should update their authenticating app to perform Key Storage Retrieval using Key Storage API documented at Key Storage and Retrieval," Microsoft added.

Redmond fixed a similar issue that caused smartcard authentication failures on Windows 10 systems when connecting via Remote Desktop.

On Thursday, Microsoft fixed another known issue breaking IIS websites and HTTP/2 localhost (127.0.0.1) connections after installing recent Windows security updates.

The same day, the company also removed two compatibility holds preventing users from upgrading their systems to Windows 11 24H2 via Windows Update.
