search cancel

Troubleshooting smart card registration failures in Symantec Endpoint Encryption Drive Encryption version 11.0.0 or later

book

Article ID: 161836

calendar_today

Updated On:

Products

Endpoint Encryption

Issue/Introduction

User registration with Symantec Endpoint Encryption Drive Encryption clients fails for smart card users.

Cause

User registration with a smart card might fail for one or more of the following reasons:

  • The smart card is not supported by Symantec Endpoint Encryption Drive Encryption.
     
  • The smart card does not contain a certificate with the “Smart card logon” enhanced key usage flag.
     
  • Either the smart card itself, or the smart card logon certificate within, is expired or revoked.
     
  • The smart card minidriver is corrupt or missing from the system.
     

Resolution

To identify the cause of the registration failure, perform the following checks:

  • Make sure that the Symantec Endpoint Encryption Drive Encryption client supports the smart card, and that neither the card nor the smart card logon certificate are expired or revoked.

    For more information about supported smart cards, see http://www.symantec.com/docs/TECH222272.
     
  • Make sure that the smart card is listed as a recognized device in the Device Manager. Ensure that the required minidriver is installed on the system, or that the minidriver is not corrupt or outdated.
     

If you think that a corrupt or missing minidriver is the cause of the issue, attempts one the following fixes:

Update the minidriver

Use the Device Manager to locate the smart card and update the minidriver.

Reinstall the minidriver

Use the Device Manager to locate the smart card and uninstall the minidriver. The next time you insert the smart card, Windows should prompt you to install the minidriver again.

If you require assistance with installing or uninstalling the minidriver manually, contact your system administrator.

Note: While uninstalling the minidriver, make sure that you check the option for deleting the minidriver file from the system.

Install the latest smart card management client software

The management client software is provided by the smart card vendor for the card that you want to register with Symantec Endpoint Encryption Drive Encryption. The software usually contains updated versions of the required minidrivers.

Manually enforce the ‘inbox’ driver in the Windows Registry

This fix is intended specifically for Personal Identity Verification (PIV) smart cards.

Warning: Before attempting this fix, make sure to back up the Windows Registry.

To apply the fix, launch the Registry Editor and delete the smart card key that is located under \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards.


Applies To

This issue applies to smart card users who are trying to register with Symantec Endpoint Encryption Drive Encryption version 11.0.0 or later on Microsoft Windows systems.