Microsoft says the October 2025 Windows security updates are causing smart card authentication and certificate issues due to a change designed to strengthen the Windows Cryptographic Services.
This known issue impacts all Windows 10, Windows 11, and Windows Server releases, including the latest versions designated for broad deployment.
Affected users may observe various symptoms, from the inability to sign documents and failures in applications that use certificate-based authentication to smart cards not being recognized as CSP providers (Cryptographic Service Provider) in 32-bit apps.
They can also see “invalid provider type specified” and “CryptAcquireCertificatePrivateKey error.” error messages.
“This issue is linked to a recent Windows security improvement to use KSP (Key Storage Provider) instead of CSP (Cryptographic Service Provider) for RSA-based smart card certificates to improve cryptography,” Microsoft said.
“You can detect if your smart card will be affected by this issue if you observe the presence of Event ID 624 in the System event logs for the Smart Card Service prior to installing the October 2025 Windows security update.”
As the company explained, this known issues occurs because this month’s security updates are automatically enabling by default a security fix designed to address a security feature bypass vulnerability (CVE-2024-30098) in the Windows Cryptographic Services, built-in Windows service that handles security-related and cryptographic operations.
This fix is enabled by setting the DisableCapiOverrideForRSA registry key value to 1 to isolate cryptographic operations from the Smart Card implementation and block attackers from creating a SHA1 hash collision to bypass digital signatures on vulnerable systems.
Those who are experiencing authentication problems can manually resolve it by disabling the DisableCapiOverrideForRSA registry key using the following procedure:
- Open Registry Editor. Press Win + R, type regedit, and press Enter. If prompted by User Account Control, click Yes.
- Navigate to the subkey. Go to: HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyCalais.
- Edit the key and set the value. Inside Calais, check if key DisableCapiOverrideForRSA exists. Double-click DisableCapiOverrideForRSA. In Value date, enter: 0.
- Close and restart. Close Registry Editor. Restart the computer for changes to take effect.
However, it’s important to note that you should first back up the registry before editing the Windows registry because any errors could lead to system issues.
While this will mitigate the issue, the DisableCapiOverrideForRSA registry key will be removed in April 2026, and Microsoft advised affected users to work with their application vendors to resolve the underlying problem.
Redmond fixed a similar issue that caused smartcard authentication failures on Windows 10 systems when connecting via Remote Desktop.
On Thursday, Microsoft fixed another known issue breaking IIS websites and HTTP/2 localhost (127.0.0.1) connections after installing recent Windows security updates.
The same day, the company also removed two compatibility holds preventing users from upgrading their systems to Windows 11 24H2 via Windows Update.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
