This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 4%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
Latest FIPS 140-2 Level 3 and FIPS 140-3 have limited HASH algorithm to SHA256/384/512 and SHA-1 can not be used for security reasons. If I use a FIPS certified smart card to do certificate based smart card logon to Windows 10 and Windows 11 (Windows 10/11 has been on-prem Domain joined and has smart card logon certificate provisioned), the logon process will fail because the kerberos/PKINIT always uses SHA-1, even though I changed CSP/Minidriver to report only SHA256/384/512 algorithm support list to Windows, and I changed according to https://www.anoopcnair.com/configure-hash-algorithms-for-certificate-logon/ to disable SHA-1. I logged the process of lsass.exe calling CSP/Minidriver, it will create SHA-1 hash and then sign the SHA-1 digest later.
So how to use FIPS certified smart card (without SHA-1) to logon to windows 10/11?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 31%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
The latest security baseline for Windows Clients in Intune disables SHA1 for certificate-based authentication, as does the latest security baseline for Windows Server 2025. Even though our CA cert and the issued smartcard certificates use SHA256 hashing algorithm, login fails to the servers when SHA1 is disabled. This is the only post I'm finding where someone seems to be facing a similar issue.