Enroll smart cards for non-administrators
If a user isn’t a local administrator on their computer, they won’t be able to enroll a smart card on their own machines by default. The following procedure enables you to work around this limitation.
Enabling smart card renewal for non-admins in MIM 2016 Certificate Manager
Unpack the appx file
Obtain a signing certificate. Follow the steps to Sign Windows 8 applications using an internal PKI. Stop when you get to “Sign the Application”. Name the exported pfx file. Export to a .cer file as well, and import it to the client using the cer file of the new signing certificate.
Run the following to unpack the appx file:
makeappx unpack /l /p <app package name>.appx /d ./appx
ren <app package name>.appx <app package name>.appx.old
cd appx
Modify the configuration file
Rename the file named CustomDataExample.xml to custom.data. The CM app will look for this file name. Edit the custom.data file and modify the following:
In the <NonAdmin> element, change the value of the Value attribute to "True"
Save the file and exit the editor.
Delete the file named AppxSignature.p7x
Edit the file named AppxManifest.xml
In the <Identity> element modify the value of the Publisher attribute to the subject of your signing certificate, e.g. "CN=ABCD"
The subject here should be the same as the subject in the signing certificate you’re using to sign the app.
Save the file and exit the editor.
Re-pack and sign the app package (appx file)
Run the following to pack and sign the appx file:
cd ..
makeappx pack /l /d .\appx /p <app package name>.appx
signtool sign /f <path\>mysign.pfx /p <pfx password> /fd "sha256" <app package name>.appx
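The unpack, edit, repack and sign steps above as one PowerShell script, added here as an example and not part of the original article. It assumes makeappx.exe and signtool.exe from the Windows SDK are on the PATH; the package path, PFX path, PFX password and publisher subject are parameters you supply, and the custom.data layout is assumed to contain a NonAdmin element with a Value attribute as the steps describe.

```powershell
# Added example (not from the original article). Automates the manual steps:
# unpack -> rename/edit custom.data -> drop old signature -> fix Publisher -> repack -> sign.
param(
    [Parameter(Mandatory)] [string] $AppxPath,         # e.g. .\CMApp.appx (placeholder name)
    [Parameter(Mandatory)] [string] $PfxPath,          # e.g. C:\certs\mysign.pfx (placeholder)
    [Parameter(Mandatory)] [string] $PfxPassword,
    [Parameter(Mandatory)] [string] $PublisherSubject  # must equal the PFX subject, e.g. "CN=ABCD"
)
$ErrorActionPreference = 'Stop'
$AppxPath = (Resolve-Path $AppxPath).Path            # absolute path: .NET Save() ignores $PWD
$workDir  = Join-Path (Split-Path -Parent $AppxPath) 'appx'

# 1. Unpack the package and keep the original as a backup (.old), as in the manual steps.
& makeappx.exe unpack /l /p $AppxPath /d $workDir
Move-Item $AppxPath "$AppxPath.old" -Force

# 2. custom.data: the CM app looks for exactly this file name; set NonAdmin Value="True".
$customData = Join-Path $workDir 'custom.data'
Rename-Item (Join-Path $workDir 'CustomDataExample.xml') $customData
[xml]$cfg = Get-Content -Raw $customData
$nonAdmin = $cfg.SelectSingleNode("//*[local-name()='NonAdmin']")   # namespace-agnostic lookup
if (-not $nonAdmin) { throw 'NonAdmin element not found in custom.data' }
$nonAdmin.SetAttribute('Value', 'True')
$cfg.Save($customData)

# 3. The old signature no longer covers the modified contents, so it must be removed.
Remove-Item (Join-Path $workDir 'AppxSignature.p7x')

# 4. AppxManifest.xml: Publisher must match the signing certificate subject exactly,
#    otherwise installation fails with a publisher/signature mismatch.
$manifestPath = Join-Path $workDir 'AppxManifest.xml'
[xml]$manifest = Get-Content -Raw $manifestPath
$manifest.Package.Identity.Publisher = $PublisherSubject
$manifest.Save($manifestPath)

# 5. Repack and sign with SHA-256 (same commands as the manual steps).
& makeappx.exe pack /l /d $workDir /p $AppxPath
& signtool.exe sign /f $PfxPath /p $PfxPassword /fd sha256 $AppxPath

# 6. Check the result: the signer subject must be the Publisher written into the manifest.
$sig = Get-AuthenticodeSignature $AppxPath
if ($sig.Status -eq 'NotSigned') { throw 'Package is not signed' }
if ($sig.SignerCertificate.Subject -ne $PublisherSubject) { throw 'Publisher/subject mismatch' }
if ($sig.Status -ne 'Valid') { Write-Warning "Signature status on this machine: $($sig.Status) (is the .cer imported?)" }
```

A status other than Valid on the signing machine usually means the signing certificate's chain is not trusted there yet; the .cer import from the first step fixes that on the client.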
Duplicate the profile template and add the initial admin key to configure the MIM server
Log into the CM portal as a user with administrative privileges.
Go to Administration > Manage Profile templates, make sure that the box next to the profile template you created is checked, then click Copy a selected profile template.
Type the name of the profile template, add “nonAdmin” and click OK.
When the profile template general settings appear, scroll down all the way and under Smart card Configuration, click Change Settings.
Under Admin key initial value (hex) enter the default admin key: "010203040506070801020304050607080102030405060708"
Scroll down and click OK.
Create a non-admin account on the client machine
Non-admin users can't create the virtual smart card on the TPM, so you have to create it for them.
Create a virtual smart card using TpmVscMgr
Perform the following (still as the admin) to create an empty virtual smart card on a machine. This can be done through Intune, SCCM or group policies.
TpmVscMgr create /name MyVSC /pin default /adminkey default /generate
Install the CM app in the non-admin account
Launch the CM app and enroll for a virtual smart card