How to unblock the smart card PIN ?

Windows Vista / 7 / 10 / 11 — Server 2008 to 2022
Step 1 — Enable the integrated unblock screen

The integrated unblock screen is disabled by default. Enable it via Group Policy:

Computer Configuration → Administrative Templates → Windows Components → Smart Card → Allow Integrated Unblock screen to be displayed at the time of logon

Reference: TechNet — Smart Card Group Policy Settings

Integrated unblock screen Group Policy setting
Enabling the integrated unblock screen via GPO
Step 2 — Navigate to the unblock screen
1

Press Ctrl+Alt+Del on an active session → click Change a password

Ctrl+Alt+Del screen
2

Click Other Credentials

Other Credentials
3

Select the smart card reader

Select smart card reader
4

Check Unblock smart card. If this checkbox is not shown, the integrated unblock screen is not active — verify step 1.

Unblock smart card checkbox
5

Note the challenge displayed on screen (e.g. 1603 EBDF 1C8A 2E72)

Challenge displayed
Step 3 — Compute the response

Download the Response Calculator from Gemalto (compatible with all minidrivers). Enter the challenge and the admin PIN:

Response Calculator
Gemalto Response Calculator
Step 4 — Enter the response and new PIN
Enter response and new PIN
PIN unblock confirmed
Windows XP / Windows Server 2003

Windows XP does not support minidrivers by default. Install the Base CSP component first, otherwise your card may use a legacy CSP and this procedure may not apply.

Press Win+R and type pintool, then switch to the Unblock tab and follow the same challenge/response steps as above.

Pintool on Windows XP
PIN tool unblock tab on Windows XP

Knowledge Base articles

← Security Expertise