SCARD_E_NO_KEY_CONTAINER (0x80100030) Fix
Smart card can’t find the private key container. Usually a cert mismatch or card re-initialization. We’ll rebuild the container or re-enroll the cert.
Quick Answer
Run certutil -scinfo -silent in an admin command prompt. If the card shows no keys or a corrupted container, reset the card PIN and re-enroll the certificate using your CA or certreq -new. If that fails, the card is likely dead — replace it.
Why This Happens
This error pops up when Windows tries to access a private key container on a smart card (physical or virtual) and it can’t find it. The card stores public/private key pairs in named containers (like “Key Container 1”, “Key Container 2”). Something wiped or corrupted that container — common scenarios include:
- A failed certificate enrollment (the cert loaded but the private key didn’t stick).
- The card was reset or used with a different middleware (e.g., ActivClient vs Microsoft Minidriver).
- A PIN reset that cleared key material (some older cards do this).
- The card itself is physically worn out — contact pads dirty or chip degraded.
I’ve seen this most often when someone swaps a YubiKey or CAC between machines and the drivers don’t match. The card’s alive, but the container index is gone.
Fix Steps
Step 1: Inspect the card
Open an admin command prompt and run:
certutil -scinfo -silent
This dumps every container and cert on the card. If you see “No containers present” or an error about missing key, go to Step 2. If you see a container but it’s empty (no private key), the card’s certificate was enrolled but the key didn’t persist. Head to Step 3.
Step 2: Reset and re-initialize (if card supports it)
Some smart card middleware lets you reset the card’s file system. For generic Microsoft minidriver cards, use:
certutil -scAdminReset -silent
This wipes all containers and PUK/PIN. You’ll be prompted to set a new PIN. After that, you’ll need to re-enroll certificates (next step). If the command fails, your card doesn’t support admin reset — move to Step 3.
Step 3: Re-enroll the certificate
If the card still has a container but no usable private key, you need a fresh cert. On a domain-joined machine, request a new smart card logon cert:
certreq -new -q -cert SmartCardLogon request.inf output.cer
If you’re not on a domain, generate a self-signed cert (not recommended for production, but works for testing):
certreq -new -q -cert Machine request.inf output.cer
Use the smart card certificate enrollment wizard from the certs MMC snap-in — point it to your CA URL. The wizard will create a new key container and write the cert.
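The commands in this step pass a request.inf to certreq without showing one. The sketch below is an added example, not taken from the original page; the subject, the template name SmartcardLogon and the choice of the Microsoft Smart Card Key Storage Provider are assumptions to adjust for your CA and card.

```ini
; request.inf - constructed example; every value below is an assumption
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Placeholder subject; a domain CA may build the subject from Active Directory instead
Subject = "CN=PLACEHOLDER-USER"
; Generate the key pair through the smart card KSP so the new key
; container is created on the card rather than in the software store
ProviderName = "Microsoft Smart Card Key Storage Provider"
KeyAlgorithm = RSA
KeyLength = 2048
; Card-resident private keys are not exportable
Exportable = FALSE
; User context, not the machine key store
MachineKeySet = FALSE
RequestType = PKCS10
; 0x80 digital signature + 0x20 key encipherment
KeyUsage = 0xa0

[RequestAttributes]
; Assumed template name; use the template your CA publishes for smart card logon
CertificateTemplate = "SmartcardLogon"
```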
Step 4: Verify the container
After enrollment, run certutil -scinfo -silent again. You should see a container with a valid key pair. Try logging into Windows — if the PIN prompt works, you’re done.
Alternative Fixes
- Update smart card minidriver. Go to Device Manager, find “Smart card readers”, right-click your reader, update driver. Use Windows Update. Some older minidrivers (pre-2018) have a known bug that corrupts containers on PIN change. Updating to the latest Microsoft minidriver version 10.0.22621.1 or higher fixes this.
- Switch middleware. If you’re using ActivClient or Gemalto, uninstall it and let Windows use its built-in minidriver. ActivClient is notorious for leaving orphaned containers.
- Test the card on another machine. Plug the card into a different PC. If it works there, your original machine has a driver conflict. If it fails everywhere, the card is physically bad — replace it.
- Use PIV tool (for YubiKey/CAC). If you’re using a YubiKey, install the YubiKey Manager and check the PIV application. Run
ykman piv info
to see if the key container is present. You may need to delete and regenerate the PIV slot.
Prevention Tips
- Always eject the smart card safely — use the “Safely Remove Hardware” icon. Yanking it out mid-operation can corrupt the file system.
- Don’t share cards between different middleware stacks. If you switch from ActivClient to Microsoft minidriver, wipe the card and start fresh.
- Regularly back up your certificates and private keys (if exportable) to a secure file. Most smart card keys aren’t exportable, but some government-issued cards allow backup through vendor tools.
- Keep your smart card reader firmware updated. Some older readers (like the Gemalto .NET) have firmware bugs that cause container loss on power loss.