Virtual smart cards provide the benefits of physical smart cards without extra costs or hardware. They are based on a Trusted Platform Module (TPM) and authenticate users with a certificate against Active Directory, like a physical smart card.

Two-factor authentication is an important measure for organizations to ensure that business-critical data is safe. Physical smart cards have long been used as a way to increase logon security in the enterprise. Virtual smart cards (VSC) are a Microsoft solution that provide many of the same benefits with lower costs to organizations.

After provisioning virtual smart cards, users only have to enter a PIN to sign in. So, you might ask yourself how this can be two-factor authentication if users only provide this password equivalent as the "know" factor. The "have" factor seems to be missing.

Microsoft argues that using a virtual smart card to access the system proves to the domain that the user requesting authentication owns the personal computer to which the card has been provisioned. Because this request could not have originated from a different system, the PC serves as the "have" factor. Unlike the AD password, the PIN is valid only on this device.

Virtual smart cards appear in Windows as smart cards that are always inserted. The operating system presents a virtual smart card reader and virtual smart card to applications with the same interface as physical smart cards, but messages to and from the virtual smart card are translated into TPM commands.

How to use virtual smart cards in Windows 10 ^

Virtual smart cards can be used in domain-joined Windows 10 devices equipped with a TPM (version 1.2 or version 2.0). In addition, they require an accessible PKI infrastructure in the environment, such as Microsoft Certificate Services. The basic process of using virtual smart cards involves three steps:

  • Create the certificate template needed for virtual smart card enrollment.
  • Create the virtual smart card powered by the TPM.
  • Enroll for the TPM virtual smart card certificate
  • To verify that you have a TPM installed, run tpm.msc. Note the following information:
Verify you have a TPM installed in your computer

Verify you have a TPM installed in your computer

Create the certificate template ^

I will be using Microsoft Certificate Services as the PKI infrastructure in the Windows domain in this lab. So, the first thing we need to do is create a certificate template to enroll the TPM-backed virtual smart card. To get to the certificate template management console quickly, you can type certtmpl.msc at a run or search menu.

Duplicate the Smartcard logon template

Duplicate the Smartcard logon template

Customize the name and validity period of the certificate template.

Set the name and validity period

Set the name and validity period

Set the purpose of the new certificate template to Signature and smartcard logon. Select Prompt user during enrollment.

Setting the template purpose and user enrollment

Setting the template purpose and user enrollment

Make sure the key size is set to 2048 bits. Select Requests must use one of the following providers and then select Microsoft Base Smart Card Crypto Provider.

Smart card cryptography settings

Smart card cryptography settings

On the Security tab, define who is allowed to enroll. If you want everyone to have this capability, select Authenticated users, and then select Enroll.

Configure the user group to be enrolled

Configure the user group to be enrolled

The new virtual smart card logon certificate template is created successfully.

The new virtual smart card template is created successfully

The new virtual smart card template is created successfully

Now, open the Certification Authority console, right-click Certificate Templates, and select New > Certificate Template to issue.

Issue the certificate template

Issue the certificate template

Select the name of the certificate template you created earlier and click OK.

Select the virtual smart card template created

Select the virtual smart card template created

The Certificate Template was issued successfully. Now, make sure you stop and start certificate services on your CA before moving on.

The Certificate template is issued successfully

The Certificate template is issued successfully

Create the virtual smart card powered by the TPM ^

To create the virtual smart card, run the following command on the Windows 10 client:

tpmvscmgr.exe create /name VSCtest /pin prompt /adminkey random /generate`

Using the prompt switch prompts you for the PIN to enter. If you use the generate switch, it will generate the PIN.

Running the tpmvscmgr command

Running the tpmvscmgr command

After running the command, you will be prompted for your PIN. Enter and confirm the PIN. The virtual smart card is then generated successfully.

The virtual smart card is generated successfully

The virtual smart card is generated successfully

Enroll for the TPM Virtual Smart Card certificate ^

After creating the virtual smart card on the Windows 10 client, we can enroll for the certificate needed to complete the process. First, on the Windows 10 client, open the certificate manager for the user's personal store with certmgr.msc. Next, right-click the Personal folder and select All Tasks > Request New Certificate.

Requesting a new certificate for the virtual smart card

Requesting a new certificate for the virtual smart card

This starts the Certificate Enrollment wizard. Click Next.

Starting enrollment

Starting enrollment

Click Next on the Select Certificate Enrollment Policy screen.

Select the certificate enrollment policy

Select the certificate enrollment policy

Now, select the name of the certificate template you created, and then click Enroll.

Select your Virtual Smart Card Logon policy

Select your Virtual Smart Card Logon policy

Enter the PIN you used to create the virtual smart card.

Enter your Virtual Smart Card PIN

Enter your Virtual Smart Card PIN

Enrollment is successful.

Enrollment for the virtual smart card certificate is successful

Enrollment for the virtual smart card certificate is successful

Now, sign out, and you will have a new option to sign in with the security device, the virtual smart card. Enter the PIN you used to create the virtual smart card to sign in.

New option for security device sign in

New option for security device sign in

Conclusion ^

Virtual smart cards with Windows 10 are a great way to increase sign-in security without additional costs and extra hardware attached to end user PCs. If you have a TPM installed and your machine is encrypted, it simply involves creating the certificate template, creating the virtual smart card, and then issuing the VSC template to the end user. After a VSC is issued, you will see the new option for a security device when signing in that uses the PIN code configured when creating the virtual smart card.

Subscribe to 4sysops newsletter!

Provisioning virtual smart cards in large environments requires additional tools to avoid personalization of smart cards on an individual basis when creating them with the Tpmvscmgr. In addition, third-party management solutions might be needed to renew or revoke the certificates. If a virtual smart card is compromised and the admin wants to revoke the associated credentials, this requires a record of which credentials match which user and computer. This functionality isn't present in Windows.

+3
0 Comments

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account