Virtual smart cards provide the benefits of physical smart cards without extra costs or hardware. They are based on a Trusted Platform Module (TPM) and authenticate users with a certificate against Active Directory, like a physical smart card.
Brandon Lee

Two-factor authentication is an important measure for organizations to ensure that business-critical data is safe. Physical smart cards have long been used as a way to increase logon security in the enterprise. Virtual smart cards (VSC) are a Microsoft solution that provide many of the same benefits with lower costs to organizations.

After provisioning virtual smart cards, users only have to enter a PIN to sign in. So, you might ask yourself how this can be two-factor authentication if users only provide this password equivalent as the "know" factor. The "have" factor seems to be missing.

Microsoft argues that using a virtual smart card to access the system proves to the domain that the user requesting authentication owns the personal computer to which the card has been provisioned. Because this request could not have originated from a different system, the PC serves as the "have" factor. Unlike the AD password, the PIN is valid only on this device.

Virtual smart cards appear in Windows as smart cards that are always inserted. The operating system presents a virtual smart card reader and virtual smart card to applications with the same interface as physical smart cards, but messages to and from the virtual smart card are translated into TPM commands.

How to use virtual smart cards in Windows 10

Virtual smart cards can be used in domain-joined Windows 10 devices equipped with a TPM (version 1.2 or version 2.0). In addition, they require an accessible PKI infrastructure in the environment, such as Microsoft Certificate Services. The basic process of using virtual smart cards involves three steps:

  • Create the certificate template needed for virtual smart card enrollment.
  • Create the virtual smart card powered by the TPM.
  • Enroll for the TPM virtual smart card certificate.

To verify that you have a TPM installed, run tpm.msc. Note the following information:
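The same prerequisite check from PowerShell, as an added example that is not part of the original article: it reads the TPM state that tpm.msc displays and the specification version the article requires (1.2 or 2.0), and confirms the machine is domain joined. It assumes the built-in Get-Tpm cmdlet and the Win32_Tpm WMI class available on Windows 10, and must run in an elevated session.

```powershell
# Added example (not from the original article): check the virtual smart card
# prerequisites without opening tpm.msc. Assumes Get-Tpm (TrustedPlatformModule
# module) and the Win32_Tpm WMI class; run elevated.

function Test-VscTpmPrerequisite {
    [CmdletBinding()]
    param()

    $tpm  = Get-Tpm
    $info = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm

    # SpecVersion reads like "2.0, 0, 1.38" or "1.2, 2, 3"; the first field is the
    # TPM specification version that matters for virtual smart cards.
    $spec = ($info.SpecVersion -split ',')[0].Trim()

    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    [pscustomobject]@{
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        TpmEnabled   = $tpm.TpmEnabled
        TpmActivated = $tpm.TpmActivated
        SpecVersion  = $spec
        DomainJoined = $domainJoined
        # Everything the article lists as a requirement, in one flag.
        ReadyForVsc  = ($tpm.TpmPresent -and $tpm.TpmReady -and $domainJoined -and
                        ($spec -in @('1.2', '2.0')))
    }
}

Test-VscTpmPrerequisite | Format-List
```

If ReadyForVsc is false, the individual fields show which requirement is missing; a TPM that is present but not ready usually needs to be initialized (tpm.msc > Prepare the TPM) before tpmvscmgr will succeed.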
Verify you have a TPM installed in your computer


Create the certificate template

I will be using Microsoft Certificate Services as the PKI infrastructure in the Windows domain in this lab. So, the first thing we need to do is create a certificate template to enroll the TPM-backed virtual smart card. To get to the certificate template management console quickly, you can type certtmpl.msc at a run or search menu.

Duplicate the Smartcard logon template


Customize the name and validity period of the certificate template.

Set the name and validity period


Set the purpose of the new certificate template to Signature and smartcard logon. Select Prompt user during enrollment.

Setting the template purpose and user enrollment


Make sure the key size is set to 2048 bits. Select Requests must use one of the following providers and then select Microsoft Base Smart Card Crypto Provider.

Smart card cryptography settings


On the Security tab, define who is allowed to enroll. If you want everyone to have this capability, select Authenticated users, and then select Enroll.

Configure the user group to be enrolled


The new virtual smart card logon certificate template is created successfully.

The new virtual smart card template is created successfully


Now, open the Certification Authority console, right-click Certificate Templates, and select New > Certificate Template to issue.

Issue the certificate template


Select the name of the certificate template you created earlier and click OK.

Select the virtual smart card template created


The Certificate Template was issued successfully. Now, make sure you stop and start certificate services on your CA before moving on.

The Certificate template is issued successfully


Create the virtual smart card powered by the TPM

To create the virtual smart card, run the following command on the Windows 10 client:

tpmvscmgr.exe create /name VSCtest /pin prompt /adminkey random /generate

Using the prompt switch prompts you to enter the PIN. If you use the generate switch, it will generate the PIN.

Running the tpmvscmgr command


After running the command, you will be prompted for your PIN. Enter and confirm the PIN. The virtual smart card is then generated successfully.
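A scripted version of this step, added here as an example that is not from the original article: it runs the same tpmvscmgr.exe command, captures the reader instance ID that tpmvscmgr reports, writes a provisioning record (user, computer, card name, instance ID, time) so the card can be found again if its credentials must be revoked, and then lists the smart card readers Windows now exposes. It assumes tpmvscmgr.exe is on the PATH (it ships with Windows 10), that tpmvscmgr prints the instance ID in the ROOT\SMARTCARDREADER\nnnn form it uses for the /instance switch, and that the record path is a placeholder you would adjust.

```powershell
# Added example (not from the original article): create the TPM virtual smart card
# with the article's tpmvscmgr.exe command and keep a provisioning record.
# Assumes tpmvscmgr.exe on the PATH; the record path is a placeholder.

function New-TpmVirtualSmartCard {
    [CmdletBinding()]
    param(
        [string]$Name = 'VSCtest',
        [string]$RecordPath = "$env:ProgramData\VscProvisioning\records.csv"
    )

    # /pin prompt asks for the PIN interactively, so it never appears in a command
    # line or log. /adminkey random generates an admin key that is not disclosed,
    # so the card cannot be administratively reset or unblocked later; a blocked
    # card must be destroyed and re-created. /generate creates the card's file system.
    $output = & tpmvscmgr.exe create /name $Name /pin prompt /adminkey random /generate 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "tpmvscmgr.exe failed with exit code $LASTEXITCODE`n$output"
    }

    # The instance ID is what tpmvscmgr destroy /instance expects later
    # (assumed format ROOT\SMARTCARDREADER\0000).
    $instance = ($output | Out-String |
        Select-String -Pattern 'ROOT\\SMARTCARDREADER\\\d+' -AllMatches).Matches |
        Select-Object -First 1 -ExpandProperty Value
    if (-not $instance) {
        throw "Could not find the reader instance ID in tpmvscmgr output:`n$output"
    }

    $record = [pscustomobject]@{
        Created    = (Get-Date).ToString('o')
        User       = "$env:USERDOMAIN\$env:USERNAME"
        Computer   = $env:COMPUTERNAME
        CardName   = $Name
        InstanceId = $instance
    }
    New-Item -ItemType Directory -Path (Split-Path $RecordPath) -Force | Out-Null
    $record | Export-Csv -Path $RecordPath -Append -NoTypeInformation
    return $record
}

New-TpmVirtualSmartCard

# The virtual reader should now appear next to any physical readers.
Get-PnpDevice -Class SmartCardReader -PresentOnly |
    Select-Object FriendlyName, InstanceId, Status
```

The record file is the piece the article's conclusion notes is missing from Windows: the CA database later tells you which user a certificate was issued to, but only a record taken at creation time ties that certificate to the computer and reader instance it lives on.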

The virtual smart card is generated successfully


Enroll for the TPM Virtual Smart Card certificate

After creating the virtual smart card on the Windows 10 client, we can enroll for the certificate needed to complete the process. First, on the Windows 10 client, open the certificate manager for the user's personal store with certmgr.msc. Next, right-click the Personal folder and select All Tasks > Request New Certificate.

Requesting a new certificate for the virtual smart card


This starts the Certificate Enrollment wizard. Click Next.

Starting enrollment


Click Next on the Select Certificate Enrollment Policy screen.

Select the certificate enrollment policy


Now, select the name of the certificate template you created, and then click Enroll.

Select your Virtual Smart Card Logon policy


Enter the PIN you used to create the virtual smart card.

Enter your Virtual Smart Card PIN


Enrollment is successful.

Enrollment for the virtual smart card certificate is successful


Now, sign out, and you will have a new option to sign in with the security device, the virtual smart card. Enter the PIN you used to create the virtual smart card to sign in.
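The enrollment step as PowerShell, plus the check a practitioner wants before relying on the card for sign-in, added here as an example that is not from the original article: it requests a certificate from the template with Get-Certificate and then verifies that the issued certificate carries the Smart Card Logon EKU, has a 2048-bit key, and that the private key is held by the Microsoft Base Smart Card Crypto Provider the template demands rather than a software CSP (a software key would leave the "have" factor on disk). It assumes the PKI module (Windows 8 or later) and that the template name is the one you chose earlier; the name used below is a placeholder. Because the key is generated on the virtual card, Windows prompts for the card PIN during the request, just as the wizard does.

```powershell
# Added example (not from the original article): enroll for the virtual smart
# card logon certificate and verify what was issued. Assumes the PKI module
# (Get-Certificate); the template name is a placeholder for the one created earlier.

function Request-VscLogonCertificate {
    [CmdletBinding()]
    param([string]$TemplateName = 'Virtual Smart Card Logon')   # assumed template name

    $req = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\CurrentUser\My'
    if ($req.Status -ne 'Issued') {
        throw "Enrollment did not complete: status is '$($req.Status)'"
    }
    return $req.Certificate
}

function Test-VscLogonCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
    $ekuOids = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    # Reading the container info identifies the CSP that holds the key; on a
    # TPM virtual smart card this is the Base Smart Card CSP.
    $provider = $null
    try { $provider = $Cert.PrivateKey.CspKeyContainerInfo.ProviderName } catch { }

    [pscustomobject]@{
        Subject             = $Cert.Subject
        NotAfter            = $Cert.NotAfter
        HasPrivateKey       = $Cert.HasPrivateKey
        KeySize             = $Cert.PublicKey.Key.KeySize
        HasSmartCardLogon   = $ekuOids -contains $smartCardLogonOid
        Provider            = $provider
        ProviderIsSmartCard = ($provider -eq 'Microsoft Base Smart Card Crypto Provider')
    }
}

$cert = Request-VscLogonCertificate
Test-VscLogonCertificate -Cert $cert | Format-List
```

If HasSmartCardLogon is false, the template's purpose was not set to "Signature and smartcard logon"; if ProviderIsSmartCard is false, the template did not restrict requests to the smart card provider and the key was created in software.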

New option for security device sign in


Conclusion

Virtual smart cards with Windows 10 are a great way to increase sign-in security without additional costs and extra hardware attached to end user PCs. If you have a TPM installed and your machine is encrypted, it simply involves creating the certificate template, creating the virtual smart card, and then issuing the VSC template to the end user. After a VSC is issued, you will see the new option for a security device when signing in that uses the PIN code configured when creating the virtual smart card.


Provisioning virtual smart cards in large environments requires additional tools to avoid personalization of smart cards on an individual basis when creating them with the Tpmvscmgr. In addition, third-party management solutions might be needed to renew or revoke the certificates. If a virtual smart card is compromised and the admin wants to revoke the associated credentials, this requires a record of which credentials match which user and computer. This functionality isn't present in Windows.
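One way to assemble the revocation record the paragraph above describes with built-in tools only, added here as an example that is not part of the original article: on the issuing CA, it lists every certificate issued from the virtual smart card template together with the requesting user (the CA database keeps the user, not the computer; the computer-to-card mapping has to come from a record taken when the card was created), and it wraps certutil -revoke with a confirmation so a compromised card's certificate can be revoked and a fresh CRL published. It assumes it runs on the CA with certutil.exe, that the template identifier passed in is the value the CA database stores for the template (the template OID for version 2 and later templates, the name for version 1 templates; the value below is a placeholder), and that certutil's CSV output uses the column display names such as "Requester Name".

```powershell
# Added example (not from the original article): inventory and revoke virtual
# smart card certificates on the issuing CA with certutil.exe. The template
# identifier is a placeholder; check the stored value with "certutil -view".

function Get-VscIssuedCertificates {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$TemplateId)   # OID or name as stored in the CA DB

    # Disposition 20 = issued. The csv keyword makes certutil emit CSV, which
    # ConvertFrom-Csv parses; the trailing "CertUtil: ... completed" line is dropped.
    $lines = & certutil.exe -view `
        -restrict "Disposition=20,CertificateTemplate=$TemplateId" `
        -out 'RequestID,RequesterName,SerialNumber,NotBefore,NotAfter' csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed:`n$($lines -join "`n")" }

    $lines | Where-Object { $_ -and $_ -notmatch '^CertUtil:' } | ConvertFrom-Csv
}

function Revoke-VscCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SerialNumber,
        # certutil -revoke reason codes: 1 = key compromise, 3 = affiliation changed,
        # 4 = superseded, 5 = cessation of operation, 6 = certificate hold.
        [int]$Reason = 1
    )

    if ($PSCmdlet.ShouldProcess($SerialNumber, "Revoke certificate with reason $Reason")) {
        & certutil.exe -revoke $SerialNumber $Reason
        if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed for $SerialNumber" }
        # Publish a new CRL now rather than waiting for the scheduled one, so domain
        # controllers stop accepting the card at the next CRL refresh.
        & certutil.exe -CRL
    }
}

# Usage: list the VSC certificates issued to one user, then revoke the one that
# belongs to the compromised card (serial numbers come from the table).
$issued = Get-VscIssuedCertificates -TemplateId '1.3.6.1.4.1.311.21.8.<placeholder-template-oid>'
$issued | Where-Object { $_.'Requester Name' -like '*\jdoe' } |
    Format-Table 'Request ID', 'Serial Number', 'Certificate Expiration Date'

# Revoke-VscCertificate -SerialNumber '<serial from the table above>' -Reason 1 -WhatIf
```

Run the revocation with -WhatIf first to see which serial number would be affected; revoking the certificate invalidates the credential on the CA side, but the card itself stays on the computer until it is destroyed with tpmvscmgr destroy /instance using the instance ID recorded at creation.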

1 Comment
    Welf Alberts 2 years ago

    Hi Brandon, all.

    If you would like to see true 2-factor-auth with TPMVSC, here’s an enhancement that I have invented. See my article at EE: https://www.experts-exchange.com/articles/35652/SmartCard-2-factor-domain-authentication-for-free.html (sorry, wasn’t registered here already at that time).
