Fix for SecureToken / SmartCard devices not mounting correctly on first try (Windows)

Submitted by 9081160 on #1

I want to share a solution that finally fixed my issue with SecureToken / Avtor smart card devices not mounting correctly on Windows via VirtualHere.

Problem:

  • VirtualHere successfully mounted the USB devices
  • But Windows sometimes failed to initialize the smart card/token drivers
  • Tokens were not detected on the first mount attempt
  • Replug/remount sometimes helped, sometimes not

After debugging, I found that Windows was leaving broken PnP/SmartCard devices in a bad state. Especially devices like:

  • SCFILTER
  • SCDEVICEENUM
  • SecureToken
  • Avtor devices

These failed devices remained in Device Manager with non-OK status and interfered with the next mount attempt.

I solved it by automatically removing all failed token-related devices before the next mount operation.

Сode:

 ps = r"""

$devices = Get-PnpDevice |

Where-Object {

    (

        $_.InstanceId -like "USB\VID_15CF&PID_0019*" -or

        $_.InstanceId -like "*SCFILTER*" -or

        $_.InstanceId -like "SWD\SCDEVICEENUM*" -or

        $_.FriendlyName -like "*Avtor*" -or

        $_.FriendlyName -like "*SecureToken*" -or

        $_.FriendlyName -like "*Microsoft Usbccid Smartcard Reader*"

    ) -and (

        $_.Status -ne "OK" -or

        $_.Present -eq $false -or

        $_.Problem -ne 0 -or

        $_.ConfigManagerErrorCode -ne 0

    )

}

 

$count = 0

foreach ($dev in $devices) {

    pnputil /remove-device "$($dev.InstanceId)" | Out-Null

    $count++

}

Write-Output $count

"""

After adding this cleanup step:

  • Tokens mount successfully much more often on the first try
  • Windows no longer keeps corrupted SmartCard device states
  • Remount logic became stable
  • No more random “device exists but token unavailable” situations

Maybe this helps someone else working with smart cards over VirtualHere on Windows Server / Windows 11.

 

    Additionally, I started using PowerShell device enumeration before and after VirtualHere mount operations to diagnose what Windows was actually doing with the smart card devices.

This helped a lot because VirtualHere may report the USB device as mounted successfully, while Windows still fails to initialize the SmartCard subsystem correctly.

Сode:

ps = """ Get-PnpDevice -PresentOnly |

Select-Object FriendlyName,InstanceId,Class,Status |

ConvertTo-Json -Depth 3 """

This allows my application to:

  • detect whether SecureToken devices really appeared in Windows
  • monitor SmartCard-related device states
  • identify failed or ghost devices
  • compare device states before/after remount
  • automatically trigger cleanup/remount logic if required

In my case, this was much more reliable than checking only VirtualHere client output.

Especially useful for:

  • smart card middleware
  • SecureToken 
  • unstable SmartCard driver initialization after remote USB attach

Maybe useful for anyone building automation around VirtualHere and smart card devices.

Submitted by Michael on Thu, 2026/05/07 - 06:38

#2

Thanks!