Fix 0xC0000386: Smart Card Keyset Missing on Windows

When This Error Hits

You're logging into a domain-joined Windows 10 or 11 machine with a smart card. You plug it in, enter the PIN, and instead of a desktop you get a dialog: "The requested keyset does not exist" with code 0xC0000386. This usually happens after a user profile migration, a Windows reinstall, or when you've mapped a roaming profile to a new machine. The smart card certificate is on the card, but Windows can't find the private key container it expects in the local certificate store.

Root Cause

What's actually happening here is a mismatch between the certificate store and the cryptographic service provider (CSP). Windows stores metadata about smart card certificates in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Keys or in the user profile's \AppData\Roaming\Microsoft\Crypto\RSA folder. When those entries are missing, stale, or pointing to a non-existent key container, the CryptAcquireContext call fails with STATUS_SMARTCARD_NO_KEYSET. The card itself is fine—the problem is Windows' bookkeeping.

Fix Steps

Step 1: Verify the Certificate Is Present

Open certmgr.msc (Current User). Expand Personal → Certificates. Look for your smart card certificate—it should show the smart card reader name under the Issued By column. If it's missing, you need to re-enroll or import it. But 9 times out of 10 it's there, just disconnected from its keys.

Step 2: Delete the Stale Key Container

This is the part people skip. Open regedit and go to:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cryptography\Keys

You'll see entries like {GUID}. Each corresponds to a certificate's key container. Look at the Certificate Hash value—match it to your smart card cert's thumbprint (double-click the cert in certmgr.msc, go to Details tab, scroll to Thumbprint). Delete the key container entry for your smart card cert. Don't worry—it will be recreated when you next use the card.

Step 3: Clear the Certificate's Key Provider Link

Still in certmgr.msc, right-click your smart card cert → All Tasks → Manage Private Keys.... If this option is grayed out, close certmgr.msc and reopen it as Administrator. Click Add and add Everyone with Read permissions, then remove it again. This forces Windows to re-resolve the key provider. It sounds hacky, but it works because it forces a refresh of the ACL on the key container.



Step 4: Re-Import the Certificate with Key
If steps 2–3 fail, export the card certificate (without private key—you can't export it from the card) and re-import it. Open certmgr.msc, right-click the cert → All Tasks → Export. Choose Base-64 encoded X.509 (.CER). Save the file. Delete the original certificate from the Personal store. Go to Action → All Tasks → Import and browse to the exported .cer file. Place it back in Personal. This re-registers the certificate with the CSP.

If It Still Fails
Check three things:

Smart card driver version. Go to Device Manager, expand Smart card readers, right-click your reader → Properties → Driver tab. Use the latest driver from the manufacturer. Windows Update often delivers stale ones. I've seen Broadcom and Gemalto readers especially prone to this.
Group Policy. If you're on a domain, your admin may have set Smart Card Removal Policy to Lock Workstation or changed the Certificate Services Client – Auto-Enrollment settings. Ask them to push a gpupdate /force.
Corrupted user profile. If the error persists only for one user, create a test user, log in with the smart card, and see if it works. If yes, the original user's profile is corrupted. Back up data and rebuild the profile via Settings → Accounts → Family & other users → Add someone else to this PC.

One more thing: if you're running Windows 10 22H2 or Windows 11 23H2, Microsoft shipped a known bug where certmgr.msc doesn't properly display the Manage Private Keys option for smart card certs. The registry delete in Step 2 is your actual fix there. Don't waste time reinstalling drivers or re-enrolling certificates—the key container is just stale.