Q: How can I create a Virtual Smart Card (VSC) on my Windows 8 computer?
A: To allow users to create and delete VSCs, Microsoft included the tpmvscmgr.exe command-line utility in Windows 8. To create a VSC, users must run tpmvscmgr.exe with local administrator privileges. For example, to create a VSC named testvsc you would type:
- tpmvscmgr.exe create /name testvsc /pin prompt /puk prompt /adminkey random /generate
After you run this command, you will be prompted to enter a PIN and a PIN Unlock Key (PUK). The PUK is used to unlock the VSC so the user can reset the PIN if he forgets it. You must enter a PIN and PUK that are at least 8 characters long. Upon successful completion, tpmvscmgr.exe will notify you of the device instance ID for the testvsc. You must know this ID if you want to use the tpmvscmgr command with the /destroy switch to delete a VSC from your computer.
Note in the command syntax above that tpmvscmgr.exe also allows you to configure an admin key. The admin key provides an additional layer of authentication for unlocking the card for a PIN reset. In this example, tpmvscmgr will generate a random 48-hexadecimal digit admin key.
After the VSC is created, to enable a user to perform smart card logon to his Windows 8 system with the VSC you will also need to provision the VSC with a smart card logon certificate. Such a certificate can be obtained from a Windows Certification Authority (CA) that can issue TPM-based VSC logon certificates. For detailed information about how to set up your Windows CA to enable it to issue TPM VSC logon certificates, see the "Understanding and Evaluating Virtual Smart Cards" white paper.
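The creation and later deletion steps above can be wrapped so that the device instance ID tpmvscmgr.exe prints is captured rather than copied by hand. The PowerShell below is an added example, not part of the original answer or of Microsoft's tooling; it assumes tpmvscmgr.exe is on the PATH, that the Get-Tpm cmdlet from the TrustedPlatformModule module is available, and that the instance ID appears on an output line matching the regular expression in the code (the exact wording of that line is an assumption to verify against your build).

```powershell
# Added example (not from the original article): wraps tpmvscmgr.exe so the
# device instance ID printed at creation time is recorded for a later destroy.
# Assumptions: tpmvscmgr.exe on the PATH, Get-Tpm available, and the
# "Instance ID" line format matched by the regex below.

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-TpmVirtualSmartCard {
    param([Parameter(Mandatory)][string]$Name)

    # tpmvscmgr.exe create only works with local administrator privileges.
    if (-not (Test-IsAdministrator)) {
        throw "tpmvscmgr.exe create requires local administrator privileges."
    }

    # The card is backed by the TPM; fail early with a clear message if none is ready.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "No ready TPM found; a virtual smart card cannot be created on this machine."
    }

    # Same command line as in the answer: PIN and PUK are prompted for interactively,
    # the admin key is generated randomly (48 hex digits) and key material is generated.
    $output = & tpmvscmgr.exe create /name $Name /pin prompt /puk prompt /adminkey random /generate 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "tpmvscmgr.exe create failed (exit code $LASTEXITCODE):`n$($output -join "`n")"
    }

    # Pull the device instance ID out of the tool's output. The wording of this line
    # is an assumption; adjust the pattern if your build prints it differently.
    $pattern    = 'Instance ID\s*[=:]\s*(\S+)'
    $instanceId = $null
    foreach ($line in $output) {
        if ("$line" -match $pattern) { $instanceId = $Matches[1]; break }
    }
    if (-not $instanceId) {
        Write-Warning "Card created but no instance ID line was recognised; full output follows."
        $output | ForEach-Object { Write-Warning "$_" }
    }

    # Return name and ID together; the ID is what /destroy needs later.
    [pscustomobject]@{
        Name             = $Name
        DeviceInstanceId = $instanceId
        Created          = Get-Date
    }
}

function Remove-TpmVirtualSmartCard {
    param([Parameter(Mandatory)][string]$DeviceInstanceId)

    if (-not (Test-IsAdministrator)) {
        throw "tpmvscmgr.exe destroy requires local administrator privileges."
    }
    & tpmvscmgr.exe destroy /instance $DeviceInstanceId
    if ($LASTEXITCODE -ne 0) {
        throw "tpmvscmgr.exe destroy failed (exit code $LASTEXITCODE) for $DeviceInstanceId"
    }
}

# Usage (interactive; tpmvscmgr prompts for the PIN and PUK, each at least 8 characters):
#   $card = New-TpmVirtualSmartCard -Name testvsc
#   $card | Export-Csv -Path "$env:ProgramData\vsc-inventory.csv" -Append -NoTypeInformation
#   certutil -scinfo        # confirms the new card is visible to the smart card stack
#   Remove-TpmVirtualSmartCard -DeviceInstanceId $card.DeviceInstanceId
```

Keeping the returned object (for example appended to a CSV inventory as in the usage comment) means the device instance ID needed for deletion is not lost once the console output scrolls away; certutil -scinfo is a quick way to confirm the card and its reader are visible to the smart card subsystem before you request the logon certificate.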