Fun with Virtual Smart Cards!
Outline:
Steps on how to enable a virtual smart card.
Assumptions:
Virtual smart cards require a computer with an initialized TPM. N.B., Windows 10 initializes the TPM by default.
Virtual Smart Card Configuration:
tpmvscmgr.exe create /name VSC /pin prompt /puk prompt /adminkey random /generate
Reset the Virtual Smart Card:
tpmvscmgr.exe destroy /instance root\smartcardreader\0000
PINs, PUKs, and Keys:
- Smart Card Personal Identity Number (PIN). The PIN is essentially a password. The PIN can be changed by the end user from any domain computer:
CTRL-ALT-Delete → Change Password → Change PIN.
- Smart Card Personal Unlock Key (PUK). Windows locks the PIN after three unsuccessful attempts. End users can use their PUK to unblock their PIN:
CTRL-ALT-Delete → Change Password → Unblock Smart Card.
The PUK is optional but I recommend it. It's simply too easy to lock the PIN!
Using the PUK replaces the PIN with a new one. Keep the PUK safe and only use it when it's absolutely necessary.
In addition, Windows does not include native tools to change the PUK. To set a new PUK, the virtual smart card must first be deleted (i.e., destroyed) and then recreated. Of course, this process deletes all certificates on the smart card.
- Admin Key. The key benefit of the admin key is that it allows Administrators to generate certificate keys for enrolling on behalf of others. Organizations that do not use enrollment stations should simply generate a random admin key.
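The create/destroy commands above and the "no native way to change the PUK, so destroy and recreate" procedure, wrapped as a PowerShell script. This is an added example, not part of the original post or of the Microsoft documentation. It assumes an elevated session, that tpmvscmgr.exe is on the PATH, that the tool prints the new reader's instance ID in the form ROOT\SMARTCARDREADER\nnnn (the page shows root\smartcardreader\0000), and that the virtual reader is visible to Get-PnpDevice under the SmartCardReader device class; the function names are my own.

```powershell
# Added example (not from the original post): wrappers around tpmvscmgr.exe.
# Assumptions: elevated session, tpmvscmgr.exe on PATH, instance ID printed by the
# tool as ROOT\SMARTCARDREADER\nnnn, virtual reader listed under class SmartCardReader.

function New-VirtualSmartCard {
    param(
        [string]$Name = 'VSC',
        [switch]$RandomAdminKey   # random = nobody can enrol on behalf of the user (fine without an enrollment station)
    )
    $adminKey = if ($RandomAdminKey) { 'random' } else { 'prompt' }

    # /pin prompt and /puk prompt ask interactively, so neither secret lands in the
    # script, the command line or the PowerShell history.
    $output = & tpmvscmgr.exe create /name $Name /pin prompt /puk prompt /adminkey $adminKey /generate 2>&1
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr create failed: $output" }

    # Pull the instance ID out of the tool's output so it can be handed to 'destroy' later.
    $m = [regex]::Match(($output -join "`n"), 'ROOT\\SMARTCARDREADER\\\d{4}', 'IgnoreCase')
    if (-not $m.Success) { throw "Could not find an instance ID in tpmvscmgr output: $output" }
    return $m.Value
}

function Remove-VirtualSmartCard {
    param([Parameter(Mandatory)][string]$InstanceId)
    & tpmvscmgr.exe destroy /instance $InstanceId
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr destroy failed for $InstanceId" }
}

function Reset-VirtualSmartCardPuk {
    # Windows has no tool to change the PUK: the card is destroyed and recreated, which
    # wipes every certificate on it, so the user must re-enrol afterwards.
    param(
        [Parameter(Mandatory)][string]$InstanceId,
        [string]$Name = 'VSC'
    )
    $reader = Get-PnpDevice -Class SmartCardReader -ErrorAction SilentlyContinue |
        Where-Object InstanceId -eq $InstanceId
    if (-not $reader) { throw "No virtual smart card reader with instance ID $InstanceId" }

    Remove-VirtualSmartCard -InstanceId $InstanceId
    return New-VirtualSmartCard -Name $Name -RandomAdminKey
}

# Usage (interactive: tpmvscmgr prompts for the PIN and PUK):
#   $id = New-VirtualSmartCard -Name VSC -RandomAdminKey
#   $id = Reset-VirtualSmartCardPuk -InstanceId $id
```

Passing `prompt` for the PIN and PUK rather than literal values is deliberate: a PIN or PUK given on the command line is visible in process listings and in the PowerShell history file. Treat `Reset-VirtualSmartCardPuk` as destructive; run it only after confirming the user can re-enrol their certificates.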
References:
https://docs.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started