Virtual smart cards offer businesses the same benefits as physical smart cards at a lower cost. There are many ways to create a virtual smart card; the most cost-effective option is described below: using Tpmvscmgr.exe to create the cards individually on a Windows computer.

What Is a Virtual Smart Card?

A virtual smart card is Microsoft's Trusted Platform Module (TPM)-based solution. It is designed to protect keys in hardware by generating encryption keys and storing part of the key information in the TPM. Certificates issued against Active Directory are then used to authenticate devices and users.

After configuring the virtual smart card, you also need to enter a PIN on the device to use it

Virtual smart cards work much like traditional smart cards but are more efficient. A traditional smart card keeps its keys on a separate physical chip; a virtual smart card stores the key information directly in the device's TPM. It enables two-factor authentication (2FA) on the user's device without additional hardware. Virtual smart cards can protect a company's IT systems from external threats, such as hacker attacks or unauthorized access from other external devices.

After configuring the virtual smart card, you enter the correct PIN on the device to log in. The card always appears to Windows as an inserted smart card. When an application needs it, the operating system presents a virtual smart card reader and the virtual smart card, and the application sees the same interface as with a physical smart card. So you can log in to a given system more quickly.

Because the card is virtual, it costs less to use: you save on the cost of purchasing additional smart card hardware.

The following types of smart cards are available for virtual smart card functionality.

  • Universal ISO 7816 smart cards
  • German electronic ID cards (NPA) with EAC support (PACE, TA, CA)
  • BAC-enabled ePassport (ePass/MRTD)
  • Cryptoflex smart cards

How Do I Use Virtual Smart Cards in Windows 10?

Virtual smart cards are available on devices equipped with a TPM (version 1.2 or 2.0) that run Windows 10. A working PKI infrastructure is also crucial, for example the widely used Microsoft Certificate Services.

The whole process is divided into three steps:

  • Creating a certificate template (that meets the requirements for virtual smart card enrollment)
  • Creating a virtual smart card (backed by the TPM)
  • Enrolling a certificate on the TPM virtual smart card

In addition, verify that your device has a TPM. You can run tpm.msc to check this.

Creating a Certificate Template

The first step is to create a certificate template that matches the requirements of the virtual smart card. The following uses Microsoft Certificate Services as the PKI in a Windows domain.

  1. Open the Microsoft Management Console (MMC).
  2. Click File, then click Add/Remove Snap-in.
  3. Click Certificate Templates in the list of available snap-ins.
  4. Click Add.
  5. Double-click Certificate Templates in the root of the MMC console to view all certificate templates.
  6. Right-click the Smartcard Logon template.
  7. Click Duplicate Template.
  8. On the Compatibility tab, review the Certification Authority setting and change it as required.
  9. On the General tab, specify the name and set the validity period to the desired value. Name the template TPM Virtual Smart Card Logon.
  10. On the Request Handling tab, set Purpose to Signature and smartcard logon. Then select Prompt the user during enrollment.
  11. On the Cryptography tab, set the Minimum key size to 2048, then select Requests must use one of the following providers and select Microsoft Base Smart Card Crypto Provider.
  12. On the Security tab, add the security group to which you want to grant enroll access.
  13. Click OK to complete the changes and create the new template. Your new template now appears in the list of certificate templates.
  14. Select File and click Add/Remove Snap-in to add the Certification Authority snap-in to your MMC console. When asked which computer to manage, select the computer where the CA is located.
  15. Next, expand Certification Authority (Local) in the left pane of the MMC, then expand your CA in the Certification Authority list.
  16. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  17. Select the new template you just created from the list and click OK.
  18. Stop and start the certificate service on the CA before proceeding. Go back to the MMC after the template has been copied successfully, right-click the CA in the Certification Authority list, select All Tasks, and click Stop Service. Right-click the CA's name again, click All Tasks, and then click Start Service.

You can grant access to all users when you add a security group: select the Authenticated Users group and grant it Enroll permissions. Note that your newly created template may take some time to replicate to all your servers; it can be used from this list only after replication has completed.

Creating a TPM Virtual Smart Card

In this step, you will use the command-line tool Tpmvscmgr.exe, which creates virtual smart cards on client computers. It is done as follows:

  • Open a command prompt on the domain-joined computer using administrative credentials.
  • Type and run this command at the command prompt:
tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate
  • This creates a virtual smart card with a random admin key, so no unblock key needs to be kept, and generates the file system on the card.
  • Wait a few seconds for the process to complete. When it is done, tpmvscmgr.exe prints the device instance ID of the TPM virtual smart card. Keep this ID; you need it to manage or delete the virtual smart card later.

Note that /pin default sets the default PIN when running the above command. If you would rather be prompted to enter a PIN, type /pin prompt instead of /pin default.

Enrolling the TPM Virtual Smart Card Certificate

After doing this, you also need to enroll a certificate on the card. The virtual smart card is fully functional only once it holds the appropriate login credentials.

  • Type certmgr.msc in the Start menu on the Windows 10 client. This opens the Certificates console for the current user.
  • In the console, right-click Personal, select All Tasks, and choose Request New Certificate. This starts the Certificate Enrollment wizard.
  • Click Next. Continue by clicking Next on the Select Certificate Enrollment Policy screen.
  • Select the name of the certificate template you created in the previous step. Then click Enroll.
  • Next, enter the PIN you set when creating the TPM virtual smart card and click OK.
  • Wait for the enrollment to complete, and then click Finish.

During the enrollment above, a prompt to select a device may appear. Select the Microsoft Virtual Smart Card you created in the previous steps. It is usually shown as the identity device, i.e., the Microsoft profile.

Once all the above steps are finished, the installation of the virtual smart card on Windows 10 is complete. Your computer has a new option to log in with a secure device.

To verify that your virtual smart card is set up and that the certificate enrollment was successful, log out of the current session and log in again. A new TPM Virtual Smart Card icon appears on the desktop login screen. If the previous action fails, you are redirected to the TPM Smart Card login dialog.

Click this new smart card icon on the login screen, enter your PIN, and click OK; you are logged into your domain account.
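The card-creation and enrollment-verification steps above, wrapped in a reusable PowerShell script. This is an added example, not code from the original article; it assumes Windows 10 with a TPM, an elevated session, tpmvscmgr.exe in System32, and that a Smart Card Logon certificate (EKU OID 1.3.6.1.4.1.311.20.2.2) has been enrolled as described.

```powershell
# Added example (not from the original article). Requires an elevated session.
#Requires -RunAsAdministrator

function Test-TpmReady {
    # Get-Tpm ships in the built-in TrustedPlatformModule module.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { throw 'No TPM detected; a virtual smart card cannot be created.' }
    if (-not $tpm.TpmReady)   { throw 'TPM present but not ready; initialize it in tpm.msc first.' }
    return $true
}

function New-TpmVirtualSmartCard {
    param(
        [string]$Name = 'TestVSC',
        # 'default' uses the well-known default PIN; 'prompt' asks interactively.
        [ValidateSet('default', 'prompt')][string]$Pin = 'prompt'
    )
    Test-TpmReady | Out-Null
    # Same parameters as the article: random admin key, generate the file system.
    $output = & tpmvscmgr.exe create /name $Name /pin $Pin /adminkey random /generate 2>&1
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr failed:`n$($output -join "`n")" }
    # The tool prints a device instance ID of the form ROOT\SMARTCARDREADER\000n;
    # 'tpmvscmgr destroy /instance <id>' needs it later, so capture it.
    $match = ($output | Out-String) | Select-String -Pattern 'ROOT\\SMARTCARDREADER\\\d+'
    if (-not $match) { throw 'Card created but no device instance ID was found in the output.' }
    return $match.Matches[0].Value
}

function Get-SmartCardLogonCertificate {
    # After enrollment the certificate sits in the user's Personal store with the
    # Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2) and a private key on the card.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2')
    } | Select-Object Subject, Issuer, NotAfter, Thumbprint
}

$instanceId = New-TpmVirtualSmartCard -Name 'TestVSC' -Pin prompt
Write-Host "Virtual smart card created, device instance ID: $instanceId"

# The new card shows up as a smart card reader device in Plug and Play.
Get-PnpDevice -Class SmartCardReader | Format-Table FriendlyName, Status, InstanceId

# Run this part after completing certificate enrollment in certmgr.msc.
Get-SmartCardLogonCertificate | Format-Table -AutoSize
```

If Get-SmartCardLogonCertificate returns nothing after enrollment, check that the template replicated to the CA and that the card's PIN was accepted during the wizard.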

Where can I Use My Virtual Smart Card?

Virtual smart cards are used wherever strong authentication matters. You can use them to authenticate users to external resources and to protect data through encryption. Many businesses also use them to produce reliable digital signatures that guarantee data integrity. You can deploy virtual smart card authentication in-house or by purchasing a solution. It is a very strong authentication method suitable for a business of any size. The following are three common virtual smart card applications.

Authentication-based Use Cases

  • Remote Access Via Two-factor Authentication
  • Client-side Authentication
  • Virtual Smart Card Redirection for Remote Desktop Connection
  • Virtual Smart Cards with Windows To Go

Confidentiality Use Cases

  • S/MIME email encryption
  • BitLocker for Data Volumes

Data Integrity Use Case

  • Signed Data

A virtual smart card is arguably a stronger version of a physical smart card. It makes authentication much easier and suits a wide range of authentication needs, such as wireless networks, desktop logins, and VPN services.
