Windows 11 CAC Setup Guide (2025)

Getting your CAC working on Windows 11 has gotten complicated with all the changes Microsoft made to smart card handling. As someone who’s been upgrading government and personal workstations to Windows 11 and fixing the CAC issues that follow, I learned everything there is to know about making this work without tearing your hair out. Today, I will share it all with you.

What Windows 11 Changed

Windows 11 reworked a lot of the security stack, and smart card handling got caught up in those changes. If you upgraded from Windows 10 and your CAC suddenly stopped working, you’re not alone — this is one of the most common issues I troubleshoot. The driver architecture changed, some services default to different settings, and new security features like Enhanced Sign-in Security can interfere with CAC authentication.

Before You Start the Setup

Probably should have led with this section, honestly. Gather everything first: a working CAC with valid certificates (check your expiration dates), a USB reader with a USB-C adapter if your laptop only has USB-C ports, admin access on your computer, and a decent internet connection for downloading certificates. If you’re missing any of these, stop and sort it out before proceeding.

Step 1: Connect Your Reader

Plug the reader into a USB port. Windows 11 typically auto-detects common readers like the SCR3310 and Identiv models immediately. Open Device Manager (right-click Start, Device Manager) and check under “Smart card readers” to confirm.

One thing I’ve noticed on Windows 11 specifically: USB 2.0 ports (the ones with black plastic inside the connector) work more reliably with older readers than USB 3.0 ports (blue plastic). If your reader isn’t being detected, try a different port type before assuming the reader is bad.

Step 2: Install DoD Certificates

Download the latest certificate bundle from public.cyber.mil/pki-pke/. Run the InstallRoot installer with administrator privileges. It adds all the DoD root and intermediate certificates that your browser needs to trust military websites. Restart your browser after installation.

That’s what makes getting the certificates right endearing to us support folks — it’s the one step that fixes about half the problems people call about, and most people skip it.

Step 3: Configure Smart Card Services

This is where Windows 11 gets tricky. Open services.msc (Windows + R, type services.msc, Enter). Find “Smart Card” in the list. Windows 11 sometimes sets this to Manual or even Disabled by default. Change it to Automatic and start the service. Do the same for “Smart Card Device Enumeration Service” and “Certificate Propagation.” All three need to be running.

Step 4: Browser Configuration

Edge and Chrome pull from the Windows certificate store directly, so once your DoD certs are installed and your reader is working, these browsers need no extra setup. This is why Edge is my default recommendation for CAC-authenticated sites on Windows 11.

Firefox needs manual configuration. Open Settings, search for “certificates” or “security devices,” and enable “Query PKCS#11 devices” or manually load the PKCS#11 module. Firefox uses its own certificate store, which is why it needs extra steps.

Step 5: Test

Insert your CAC and navigate to a site like MyPay or MilConnect. You should get a certificate selection prompt. Pick your certificate, enter your PIN, and you should be in. If the site loads and authenticates you, the setup is complete.

Windows 11-Specific Gotchas

Enhanced Sign-in Security: This is a new Windows 11 feature that can conflict with CAC readers. If you’re getting random disconnections or the reader keeps dropping, go to Settings, Accounts, Sign-in options, and disable Enhanced Sign-in Security. This has fixed the problem for at least a dozen people I’ve helped.

Windows Hello conflicts: Windows Hello and CAC authentication sometimes fight each other. If you’re seeing certificate selection problems, try temporarily disabling Windows Hello in the same Sign-in options page. You can usually re-enable it after the initial CAC setup is done.

Reader works but no certificates appear: Reinstall the DoD certificates and restart your browser. Windows 11 updates occasionally wipe the certificate store. If this keeps happening after every update, create a post-update script that reinstalls the certs automatically.

PIN prompt never shows: The Smart Card service crashed or was stopped. Restart it in services.msc. If it keeps stopping, check Event Viewer for error details — there might be a driver conflict causing the service to crash.