The TPM (Trusted Platform Module) is a cryptographic co-processor present in most Windows workstations. It generates cryptographic keys, stores them so that they cannot be exported, and limits how they can be used. The Device Authentication method authenticates a user to the Windows workstation with key material protected by that TPM.
NOTE:Advanced Authentication does not manage the TPM or the TPM virtual smart card itself. You create and destroy the TPM virtual smart card, and recover from a lockout by destroying it, with the tpmvscmgr command. For more information, see Tpmvscmgr
NOTE:The Virtual Smart Card module that is part of the operating system, not Advanced Authentication, manages the lock status of the virtual smart card. If the virtual smart card used by the Advanced Authentication Windows Client gets locked after six failed PIN attempts, and both of the following pre-conditions hold, you can use the tpmvscmgr command to destroy the instance and so remove the virtual smart card from the system:
The Lockout Options policy is not configured in the Advanced Authentication Server.
The Standard User Individual Lockout Threshold policy is not configured in the Windows Trusted Platform Module Services group policy.
Syntax: tpmvscmgr.exe destroy /instance <instance ID>
Example: tpmvscmgr.exe destroy /instance ROOT\SMARTCARDREADER\0004
Destroying the instance does not delete the enrolled Device Authentication method from the Advanced Authentication server. However, the key material on the destroyed card is gone, so users must re-enroll the Device Authentication method before they can authenticate with it again.
Before you configure the Device Authentication method, ensure that the user's system is a Windows 10 machine with a fully functional (present, enabled, and provisioned) TPM.
To set up a Windows workstation to use the TPM virtual smart card, refer to the Microsoft Walkthrough guide and perform the following tasks on the workstation:
Create the certificate template
Create the TPM virtual smart card
Enroll the certificate on the TPM virtual smart card
NOTE:Of the pre-configuration tasks, creating the certificate template and enrolling the certificate are not required when you allow users to enroll and authenticate with the Device Authentication method through key pair generation. In that case only the TPM virtual smart card itself must be created.
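The TPM prerequisite check, the creation of the TPM virtual smart card, and the lockout recovery by destroying a locked instance, as one added PowerShell example. This is not code from the Advanced Authentication documentation or product; it wraps the standard Windows tools Get-Tpm, tpmvscmgr.exe and Get-PnpDevice. The function names and the card name AAF-VSC are assumptions chosen for the example. Creating the certificate template and enrolling the certificate stay manual steps from the Microsoft Walkthrough (or are skipped with key pair generation), so they are not scripted here.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Advanced Authentication documentation or product.
# Wraps standard Windows tools: Get-Tpm, tpmvscmgr.exe, Get-PnpDevice.
# Function names and the card name 'AAF-VSC' are assumptions for this example.

function Test-TpmPrerequisite {
    # Get-Tpm comes from the built-in TrustedPlatformModule module.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        throw 'No TPM found: Device Authentication cannot be enrolled on this machine.'
    }
    if (-not $tpm.TpmReady) {
        throw 'TPM is present but not ready (enable, activate and provision it first).'
    }
    if ($tpm.LockedOut) {
        # TPM anti-hammering lockout is separate from the virtual smart card PIN lock.
        Write-Warning 'TPM is in anti-hammering lockout; PIN operations fail until it clears.'
    }
    return $tpm
}

function New-TpmVirtualSmartCard {
    param(
        [string]$Name = 'AAF-VSC',   # assumed reader/card name
        [ValidateSet('DEFAULT', 'PROMPT', 'RANDOM')][string]$AdminKey = 'RANDOM'
    )
    # /pin PROMPT asks for the user PIN interactively; /generate formats the card.
    # With /adminkey RANDOM the admin key is never shown, so a locked card cannot be
    # unblocked later and must be destroyed and re-created (the NOTE above).
    $lines  = & tpmvscmgr.exe create /name $Name /pin PROMPT /adminkey $AdminKey /generate 2>&1
    $output = ($lines | ForEach-Object { "$_" }) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr create failed:`n$output" }
    # tpmvscmgr prints the new reader's PnP instance ID (ROOT\SMARTCARDREADER\000N).
    if ($output -match 'ROOT\\SMARTCARDREADER\\\d+') { return $Matches[0] }
    throw "Card created but no instance ID found in output:`n$output"
}

function Get-TpmVirtualSmartCardInstance {
    # Virtual smart card readers are PnP devices of class SmartCardReader whose
    # instance IDs sit under ROOT\SMARTCARDREADER; physical USB readers do not.
    Get-PnpDevice -Class SmartCardReader -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'ROOT\SMARTCARDREADER\*' } |
        Select-Object FriendlyName, Status, InstanceId
}

function Remove-TpmVirtualSmartCard {
    # Lockout recovery: destroying the card wipes the keys on it, so the user has to
    # re-enroll Device Authentication afterwards. The enrollment on the server stays.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^ROOT\\SMARTCARDREADER\\\d+$')]
        [string]$InstanceId
    )
    if ($PSCmdlet.ShouldProcess($InstanceId, 'Destroy TPM virtual smart card (keys are unrecoverable)')) {
        & tpmvscmgr.exe destroy /instance $InstanceId
        if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr destroy failed for $InstanceId" }
    }
}

# Usage from an elevated PowerShell prompt:
#   Test-TpmPrerequisite
#   $id = New-TpmVirtualSmartCard                 # then enroll the certificate or key pair
#   Get-TpmVirtualSmartCardInstance               # find the ID of an already-locked card
#   Remove-TpmVirtualSmartCard -InstanceId $id    # prompts first; user must re-enroll afterwards
```

Remove-TpmVirtualSmartCard supports -WhatIf and -Confirm because the destroy step is irreversible; restrict the instance ID to the ROOT\SMARTCARDREADER\ namespace so a physical reader's instance ID cannot be passed to tpmvscmgr by mistake.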