The RemoteTpmVirtualSmartCardManager class manages TPM virtual smart cards on remote computers. This COM server is only available to remote callers with local administrator credentials.
- Even if you uninstall Microsoft IT Virtual Smart Card Manager from Control Panel and remove its invalid registry keys, some of its folders are still left on the hard drive. To remove Microsoft IT Virtual Smart Card Manager from your system completely, delete its folders from the following locations.
- Nov 12, 2015: This document presents an overview of TPM virtual smart cards as an option for strong authentication. It provides a means of evaluating virtual smart card use in an enterprise deployment, and it also provides the information needed to deploy and manage virtual smart cards. Supported Operating System.
Remarks
A virtual smart card (VSC) is a software construct that emulates a smart card and is presented to the operating system as one, much as a virtual machine emulates a separate computer and OS instance. There is still a hardware element involved, however: the TPM. So you still have two-factor authentication (TPM plus PIN).
Managing TPM virtual smart cards remotely requires that the client can provide an administrator credential on the target computer. To communicate with the remote TPM virtual smart card manager COM server, the client needs to correctly initialize the COM security layer.
The remote TPM virtual smart card manager COM server requires the COM authentication level to be RPC_C_AUTHN_LEVEL_PKT_PRIVACY, so that communications between the client and the server are encrypted and signed, because sensitive data such as the admin key and PIN are sent across the network.
The remote TPM virtual smart card manager COM server requires the COM impersonation level to be RPC_C_IMP_LEVEL_IMPERSONATE, so that it can impersonate the client and manage TPM virtual smart cards on the target computer as an administrator. The client should only conduct remote TPM virtual smart card management on trusted computers. Only the impersonate level is required.
For security reasons, the client should never grant RPC_C_IMP_LEVEL_DELEGATE.
The client also needs to determine which authentication and authorization services can be used. Kerberos is recommended, while NTLM is also supported by DCOM. Optionally, if the client implements the status callback interface and wants to receive progress and error callbacks, it needs to configure its local access permission to allow the server's machine account. Lastly, Windows Firewall needs to be configured to allow DCOM traffic.
Examples
The following example code uses CoInitializeSecurity to configure a process-wide COM security layer to activate a remote TPM virtual smart card server using its launching credential and receive callbacks. The example will only work in domain scenarios.
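The CoInitializeSecurity call that the paragraph above describes, as an added example that is not the page's or Microsoft's own sample code: it checks a proposed configuration against the server's stated requirements before applying it process-wide. VscComSecurity, CheckVscComSecurity and InitVscClientSecurity are hypothetical names; the numeric RPC_C_* values reproduced for non-Windows builds are the Windows SDK's.

```cpp
#include <string>

#ifdef _WIN32
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <objbase.h>
#else
// Windows SDK values (rpcdce.h), reproduced so the policy check builds on any platform.
#define RPC_C_AUTHN_LEVEL_PKT_PRIVACY 6
#define RPC_C_IMP_LEVEL_IMPERSONATE   3
#define RPC_C_IMP_LEVEL_DELEGATE      4
#define RPC_C_AUTHN_WINNT             10
#define RPC_C_AUTHN_GSS_KERBEROS      16
#endif

// Hypothetical helper type: the three settings this server cares about.
struct VscComSecurity {
    unsigned long authnLevel;    // RPC_C_AUTHN_LEVEL_*
    unsigned long impLevel;      // RPC_C_IMP_LEVEL_*
    unsigned long authnService;  // RPC_C_AUTHN_*
};

// Returns an empty string if the settings meet the server's requirements,
// otherwise the reason they must be rejected. Authentication levels are ordered
// (NONE=1 ... PKT_PRIVACY=6), so anything below PKT_PRIVACY would leave the
// admin key and PIN unencrypted on the wire.
std::string CheckVscComSecurity(const VscComSecurity& s) {
    if (s.authnLevel < RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
        return "authentication level must be RPC_C_AUTHN_LEVEL_PKT_PRIVACY";
    if (s.impLevel == RPC_C_IMP_LEVEL_DELEGATE)
        return "RPC_C_IMP_LEVEL_DELEGATE must never be granted to this server";
    if (s.impLevel != RPC_C_IMP_LEVEL_IMPERSONATE)
        return "impersonation level must be exactly RPC_C_IMP_LEVEL_IMPERSONATE";
    if (s.authnService != RPC_C_AUTHN_GSS_KERBEROS && s.authnService != RPC_C_AUTHN_WINNT)
        return "authentication service must be Kerberos (recommended) or NTLM";
    return "";
}

#ifdef _WIN32
// Applies a checked policy process-wide. Call once, before any other COM call that
// could trigger implicit security initialization. pSecDesc is NULL here, which keeps
// the machine-wide default access permissions; to receive status callbacks, pass a
// security descriptor that also grants the server's machine account.
HRESULT InitVscClientSecurity(const VscComSecurity& s) {
    if (!CheckVscComSecurity(s).empty()) return E_INVALIDARG;
    SOLE_AUTHENTICATION_SERVICE svc = { s.authnService, RPC_C_AUTHZ_NONE, NULL, S_OK };
    return CoInitializeSecurity(NULL, 1, &svc, NULL, s.authnLevel, s.impLevel,
                                NULL, EOAC_NONE, NULL);
}
#endif
```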
Requirements
Minimum supported client | Windows 8 [desktop apps only]
Minimum supported server | Windows Server 2012 [desktop apps only]
Header | Tpmvscmgr.h
IDL | Tpmvscmgr.idl
Library | Vscmgr.lib