Symptom fingerprint
The exact strings, error codes, and UI surfaces that map to this issue:
| UI message | Surface | Code |
|---|---|---|
| Digital signature could not be applied | Acrobat / DocuSign / Office signing UI | — |
| Smart card service not running | services.msc after 23H2/24H2 upgrade | SCardSvr Manual |
| Certificate appears in certmgr but not in DocuSign | CurrentUser\My present, signing app blind | — |
Why feature updates break signing
Windows 11 feature updates (23H2 in late 2023, 24H2 in 2024) reset several PKI-relevant settings: Smart Card and Certificate Propagation services return to Manual, third-party CSPs occasionally lose their registry registration, and the WUDF driver host is reinstalled which can re-claim USB CCID devices from vendor middleware.
Windows vs macOS — what differs
Windows 10 / 11
- Run the SCardSvr / CertPropSvc check first — it resolves 30%+ of post-update cases.
- Re-run the vendor middleware installer 'Repair' option — fastest way to re-register CSP/KSP after an update.
- Check for stuck WUDF instances: Device Manager → View → Devices by connection → look for duplicate Usbccid entries.
macOS Sonoma / Sequoia
- Sonoma 14.4 and Sequoia introduced stricter SmartCard pairing — first insertion after update prompts for pairing approval that must not be dismissed.
- Run 'sc_auth list' to confirm pairings; re-pair with 'sc_auth pair' if missing.
Browser-specific behaviour
Chrome
After Windows feature update, restart Chrome fully (chrome://restart) before concluding the token is broken — Chrome caches the CAPI enumeration.
Edge
Same — Edge caches as well. Restart fully, not just close-and-reopen the tab.
Firefox
Windows update can remove the previously-loaded PKCS#11 module from Firefox's Security Devices list. Re-load manually.
Diagnostic sequence
Run each step in order. Stop at the first failing expectation — that's where the root cause lives.
1. Confirm services
Get-Service SCardSvr,CertPropSvc | Format-Table Name,Status,StartType
Expected: Both Running, both Automatic.
2. Confirm middleware tray
Expected: Vendor middleware (SAC, IDPrime, ePass) shows token as Inserted / Logged In.
3. Confirm CAPI enumeration
certutil -scinfo
Expected: Reader, token serial, and certificate(s) listed.
4. Confirm app-layer visibility
Expected: Open DocuSign signing panel or Acrobat → Sign with Certificate → certificate appears in the chooser.
5. If app blind but CAPI sees it — restart the browser/app fully
Expected: Re-enumeration triggers on next launch.
6. Confirm clock
w32tm /query /status
Expected: Last successful sync within last 24h, offset < 5s.
Frequently asked questions
Should I roll back the Windows 11 feature update?
Almost never necessary. The service + middleware repair flow above resolves the vast majority of post-update signing regressions in under 15 minutes.
Does Windows 11 Pro vs Home matter for signing?
Functionally no for signing itself; Pro adds Group Policy controls that can either help (deploying root CAs fleet-wide) or hurt (blocking the DocuSign extension via Managed Extensions).
Why does my coworker's identical setup work?
Usually one of: their middleware was reinstalled after the feature update and yours wasn't, their CurrentUser\My has the certificate and your install put it in Local Machine, or their browser was restarted post-update and yours wasn't.
Is there a single command that 'fixes' Windows 11 signing?
No. There are 6–8 independent layers (USB → service → middleware → CSP → CAPI store → app enumeration → browser cache → clock); a real diagnostic walks each. Anyone offering a one-line registry fix should be treated with suspicion.
Related services
Explore the consulting hub for this issue, or review session pricing.
Still seeing this error?
If these steps don't isolate the root cause inside your environment, an independent consultant can run a structured PKI diagnostic with you over a screen-shared session and deliver a written report identifying root cause, remediation, and — where relevant — the next responsible party (CA, internal IT, or software vendor).
Book a $49 Zoom diagnostic →Includes a written diagnostic summary. Independent consulting engagement — not affiliated with DocuSign, Adobe, or Microsoft.