Two-factor authentication is an important measure for organizations to ensure that business-critical data is safe. Physical smart cards have long been used as a way to increase logon security in the enterprise. Virtual smart cards (VSC) are a Microsoft solution that provide many of the same benefits with lower costs to organizations.
After provisioning virtual smart cards, users only have to enter a PIN to sign in. So, you might ask yourself how this can be two-factor authentication if users only provide this password equivalent as the "know" factor. The "have" factor seems to be missing.
Microsoft argues that using a virtual smart card to access the system proves to the domain that the user requesting authentication owns the personal computer to which the card has been provisioned. Because this request could not have originated from a different system, the PC serves as the "have" factor. Unlike the AD password, the PIN is valid only on this device.
Virtual smart cards appear in Windows as smart cards that are always inserted. The operating system presents a virtual smart card reader and virtual smart card to applications with the same interface as physical smart cards, but messages to and from the virtual smart card are translated into TPM commands.
How to use virtual smart cards in Windows 10
Virtual smart cards can be used in domain-joined Windows 10 devices equipped with a TPM (version 1.2 or version 2.0). In addition, they require an accessible PKI infrastructure in the environment, such as Microsoft Certificate Services. The basic process of using virtual smart cards involves three steps:
- Create the certificate template needed for virtual smart card enrollment.
- Create the virtual smart card powered by the TPM.
- Enroll for the TPM virtual smart card certificate.
To verify that you have a TPM installed, run tpm.msc and note the TPM status and specification version it reports.
Create the certificate template
I will be using Microsoft Certificate Services as the PKI infrastructure in the Windows domain in this lab. So, the first thing we need to do is create a certificate template to enroll the TPM-backed virtual smart card. To get to the certificate template management console quickly, you can type certtmpl.msc at a run or search menu.
Customize the name and validity period of the certificate template.
Set the purpose of the new certificate template to Signature and smartcard logon. Select Prompt user during enrollment.
Make sure the key size is set to 2048 bits. Select Requests must use one of the following providers and then select Microsoft Base Smart Card Crypto Provider.
On the Security tab, define who is allowed to enroll. If you want everyone to have this capability, select Authenticated users, and then select Enroll.
The new virtual smart card logon certificate template is created successfully.
Now, open the Certification Authority console, right-click Certificate Templates, and select New > Certificate Template to issue.
Select the name of the certificate template you created earlier and click OK.
The Certificate Template was issued successfully. Now, make sure you stop and start certificate services on your CA before moving on.
Create the virtual smart card powered by the TPM
To create the virtual smart card, run the following command on the Windows 10 client:
tpmvscmgr.exe create /name VSCtest /pin prompt /adminkey random /generate
The prompt value of the /pin switch makes the tool ask you for the PIN interactively. If you use the generate switch instead, the PIN is generated for you.
After running the command, you will be prompted for your PIN. Enter and confirm the PIN. The virtual smart card is then generated successfully.
Enroll for the TPM Virtual Smart Card certificate
After creating the virtual smart card on the Windows 10 client, we can enroll for the certificate needed to complete the process. First, on the Windows 10 client, open the certificate manager for the user's personal store with certmgr.msc. Next, right-click the Personal folder and select All Tasks > Request New Certificate.
This starts the Certificate Enrollment wizard. Click Next.
Click Next on the Select Certificate Enrollment Policy screen.
Now, select the name of the certificate template you created, and then click Enroll.
Enter the PIN you used to create the virtual smart card.
Enrollment is successful.
Now, sign out, and you will have a new option to sign in with the security device, the virtual smart card. Enter the PIN you used to create the virtual smart card to sign in.
Virtual smart cards with Windows 10 are a great way to increase sign-in security without additional costs and extra hardware attached to end user PCs. If you have a TPM installed and your machine is encrypted, it simply involves creating the certificate template, creating the virtual smart card, and then issuing the VSC template to the end user. After a VSC is issued, you will see the new option for a security device when signing in that uses the PIN code configured when creating the virtual smart card.
Provisioning virtual smart cards in large environments requires additional tools to avoid personalization of smart cards on an individual basis when creating them with the Tpmvscmgr. In addition, third-party management solutions might be needed to renew or revoke the certificates. If a virtual smart card is compromised and the admin wants to revoke the associated credentials, this requires a record of which credentials match which user and computer. This functionality isn't present in Windows.
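The three steps above (TPM check, card creation, enrollment) together with the record-keeping gap just described, as an added PowerShell example that is not code from the article. It assumes a certificate template named VSCLogon, an elevated session belonging to the user being provisioned, and an inventory CSV path that exists; all three are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article: provision a TPM virtual smart card,
# enroll the logon certificate, and record it for later revocation.
# Assumptions: the template created in certtmpl.msc is named "VSCLogon", the
# elevated session belongs to the end user being provisioned, and the CSV path exists.
param(
    [string]$TemplateName = 'VSCLogon',                        # assumed template name
    [string]$CardName     = 'VSCtest',                         # same name as the article
    [string]$Inventory    = '\\fileserver\vsc\inventory.csv'   # placeholder record location
)
$ErrorActionPreference = 'Stop'

# 1. Same check the article performs with tpm.msc, scripted with Get-Tpm.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable: Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
}

# 2. Create the TPM-backed card with the article's command. /pin prompt asks for
#    the PIN interactively; /adminkey random means nobody retains the admin key.
& tpmvscmgr.exe create /name $CardName /pin prompt /adminkey random /generate
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr.exe failed with exit code $LASTEXITCODE" }

# 3. Enroll for the template (the certmgr.msc wizard equivalent). The smart card
#    provider prompts for the PIN chosen above.
$result = Get-Certificate -Template $TemplateName -CertStoreLocation Cert:\CurrentUser\My
if ($result.Status -ne 'Issued') { throw "Enrollment not completed: status $($result.Status)" }
$cert = $result.Certificate

# 4. Confirm the issued certificate carries the Smart Card Logon EKU
#    (OID 1.3.6.1.4.1.311.20.2.2); without it the sign-in option never appears.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ('1.3.6.1.4.1.311.20.2.2' -notin $ekuOids) { throw 'Certificate lacks the Smart Card Logon EKU' }

# 5. Record which credential belongs to which user and computer, the data the
#    article notes Windows does not keep, so the CA admin can revoke by serial later.
[pscustomobject]@{
    User       = "$env:USERDOMAIN\$env:USERNAME"
    Computer   = $env:COMPUTERNAME
    Card       = $CardName
    Thumbprint = $cert.Thumbprint
    Serial     = $cert.SerialNumber
    Issuer     = $cert.Issuer
    NotAfter   = $cert.NotAfter.ToString('u')
} | Export-Csv -Path $Inventory -Append -NoTypeInformation
```

With the serial number on file, the CA administrator can later revoke a compromised card's certificate on the CA with certutil -revoke followed by that serial.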
Hi Brandon, all.
If you would like to see true 2-factor-auth with TPMVSC, here’s an enhancement that I have invented. See my article at EE: https://www.experts-exchange.com/articles/35652/SmartCard-2-factor-domain-authentication-for-free.html (sorry, I wasn’t registered here at that time).