---
title: Microsoft Identity Manager Self-service smart card renewal without Administrator access | Microsoft Docs
description: Learn how to enroll smart cards for users without administrator access to their machines so they can use Certificate Manager.
author: billmath
ms.author: billmath
manager: amycolannino
ms.date: 09/14/2023
ms.topic: article
ms.service: microsoft-identity-manager
ms.assetid: bfabc562-a2f0-4cff-ac31-36927f41e102
ms.reviewer: mwahl
ms.suite: ems
---
If a user isn’t a local administrator on their computer, they won’t be able to enroll a smart card on their own machine by default. The following procedure enables you to work around this limitation.

- **Unpack the appx file**

  Obtain a signing certificate. Follow the steps to Sign Windows 8 applications using an internal PKI, and stop when you get to “Sign the Application”. Name the exported .pfx file. Export the certificate to a .cer file as well, and import it on the client using the .cer file of the new signing certificate.

  Run the following to unpack the appx file:

  ```
  makeappx unpack /l /p <app package name>.appx /d ./appx
  ren <app package name>.appx <app package name>.appx.old
  cd appx
  ```

- **Modify the configuration file**

  Rename the file `CustomDataExample.xml` to `custom.data`; the CM app looks for this file name. Edit the `custom.data` file and modify the following:

  - In the `<NonAdmin>` element, change the value of the `Value` attribute to "True".
  - Save the file and exit the editor.
  - Delete the file named `AppxSignature.p7x`.
  - Edit the file named `AppxManifest.xml`.
  - In the `<Identity>` element, change the value of the `Publisher` attribute to the subject of your signing certificate, e.g. "CN=ABCD". The subject here must be the same as the subject of the signing certificate you use to sign the app.
  - Save the file and exit the editor.

- **Re-pack and sign the app package (appx file)**

  Run the following to pack and sign the appx file:

  ```
  cd ..
  makeappx pack /l /d .\appx /p <app package name>.appx
  signtool sign /f <path\>mysign.pfx /p <pfx password> /fd "sha256" <app package name>.appx
  ```
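The three steps above (unpack, edit `custom.data` and `AppxManifest.xml`, re-pack and sign) can be scripted so the package is rebuilt the same way every time. The following PowerShell script is an added example and not code from the Microsoft Docs page or from the CM app itself. It assumes `makeappx.exe` and `signtool.exe` from the Windows SDK are on `PATH`, and the parameter names, the script file name and the example package name are assumptions. The one check it adds beyond the steps on the page is reading the subject out of the .pfx and comparing it with the manifest `Publisher` before `signtool` runs, so a mismatch surfaces as a clear error rather than a signing failure.

```powershell
# Added example (not from the Microsoft Docs page): automate the unpack, edit,
# re-pack and sign steps and verify the manifest Publisher matches the signing
# certificate subject before calling signtool.
# Assumptions: makeappx.exe and signtool.exe (Windows SDK) are on PATH; package
# path, pfx path and pfx password are supplied as parameters.
param(
    [Parameter(Mandatory)] [string] $PackagePath,   # e.g. .\CertificateManager.appx (assumed name)
    [Parameter(Mandatory)] [string] $PfxPath,       # e.g. .\mysign.pfx
    [Parameter(Mandatory)] [string] $PfxPassword
)
$ErrorActionPreference = 'Stop'

$packageFull = (Resolve-Path $PackagePath).Path
$workDir     = Join-Path (Split-Path -Parent $packageFull) 'appx'

# Read the signing certificate subject; the manifest Publisher attribute must
# carry exactly this string, otherwise signtool rejects the package.
$cert      = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)
$publisher = $cert.Subject

# 1. Unpack, then keep the original package as .appx.old as the page does
& makeappx unpack /l /p $packageFull /d $workDir
if ($LASTEXITCODE -ne 0) { throw "makeappx unpack failed" }
Rename-Item -Path $packageFull -NewName ((Split-Path -Leaf $packageFull) + '.old')

# 2. custom.data: CM reads this file name; set NonAdmin Value="True"
Rename-Item -Path (Join-Path $workDir 'CustomDataExample.xml') -NewName 'custom.data'
$customData = Join-Path $workDir 'custom.data'
[xml] $custom = Get-Content -Path $customData -Raw
$nonAdmin = $custom.GetElementsByTagName('NonAdmin')
if ($nonAdmin.Count -ne 1) { throw "expected exactly one <NonAdmin> element in custom.data" }
$nonAdmin[0].SetAttribute('Value', 'True')
$custom.Save($customData)

# 3. Drop the old signature block; it belongs to the unmodified package
Remove-Item -Path (Join-Path $workDir 'AppxSignature.p7x') -ErrorAction SilentlyContinue

# 4. AppxManifest.xml: Publisher must equal the certificate subject
$manifestPath = Join-Path $workDir 'AppxManifest.xml'
[xml] $manifest = Get-Content -Path $manifestPath -Raw
$identity = $manifest.GetElementsByTagName('Identity')
if ($identity.Count -ne 1) { throw "expected exactly one <Identity> element in AppxManifest.xml" }
$identity[0].SetAttribute('Publisher', $publisher)
$manifest.Save($manifestPath)

# Check before signing: re-read the saved manifest and compare case-sensitively
[xml] $check = Get-Content -Path $manifestPath -Raw
if ($check.GetElementsByTagName('Identity')[0].GetAttribute('Publisher') -cne $publisher) {
    throw "manifest Publisher does not match certificate subject '$publisher'"
}

# 5. Re-pack and sign with the same switches the page uses
& makeappx pack /l /d $workDir /p $packageFull
if ($LASTEXITCODE -ne 0) { throw "makeappx pack failed" }
& signtool sign /f $PfxPath /p $PfxPassword /fd sha256 $packageFull
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed" }

# 6. Confirm the package carries a signature this machine trusts
$sig = Get-AuthenticodeSignature -FilePath $packageFull
Write-Output "Signature status: $($sig.Status) ($($sig.SignerCertificate.Subject))"
```

Run it as `.\Build-NonAdminCmApp.ps1 -PackagePath .\<app package name>.appx -PfxPath .\mysign.pfx -PfxPassword '<pfx password>'` (script name assumed). A final status other than `Valid` means the .cer exported in the first step has not been imported on the machine running the script; the same import is needed on every client before the package can be installed there.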
- **Duplicate the profile template and add the initial admin key to configure the MIM server**

  - Log in to the CM portal as a user with administrative privileges.
  - Go to Administration > Manage Profile templates, make sure that the box next to the profile template you created is checked, and then click Copy a selected profile template.
  - Type the name of the profile template, add “nonAdmin”, and click OK.
  - When the profile template general settings appear, scroll all the way down and, under Smart card Configuration, click Change Settings.
  - Under Admin key initial value (hex), enter the default admin key: "010203040506070801020304050607080102030405060708"
  - Scroll down and click OK.

- **Create a non-admin account on the client machine**

  Non-admin users can't create the virtual smart card on the TPM, so you have to create it for them.

- **Create a virtual smart card using TpmVscMgr**

  Perform the following (still as the admin) to create an empty virtual smart card on the machine. This can be done through Intune, SCCM or group policies.

  ```
  TpmVscMgr create /name MyVSC /pin default /adminkey default /generate
  ```
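The two client-side steps above (create the non-admin account, create the empty virtual smart card as an administrator) are the part that is typically pushed out through Intune, SCCM or Group Policy. The following script is an added example, not code from the Microsoft Docs page; the account name, the script file name and the password prompt are assumptions, and the VSC name is the `MyVSC` used on the page. It adds the checks an administrator would want before handing the machine over: the TPM is present and ready, the account really is a standard user, and the virtual reader is enumerated after `TpmVscMgr` returns. Note that `/pin default` and `/adminkey default` set the well-known factory values (the admin key is the same hex string entered in the CM profile template above), which is exactly what lets CM take the card over during enrollment; until that enrollment completes, the card should be treated as unprovisioned.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Microsoft Docs page): provision a client for a
# non-admin user. Creates the local standard account, checks the TPM is usable,
# creates the virtual smart card with the same parameters the page uses, and
# confirms the virtual reader is present. Account name and VSC name are
# assumptions; TpmVscMgr.exe ships with Windows.
param(
    [string] $UserName = 'cmuser',   # assumed account name
    [string] $VscName  = 'MyVSC'     # name used on the page
)
$ErrorActionPreference = 'Stop'

# The TPM must be present and ready, otherwise TpmVscMgr cannot create the card.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))"
}

# Create the standard (non-admin) account if it does not exist. New-LocalUser
# puts the account in no group, so membership of Users is added explicitly.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString -Prompt "Initial password for $UserName"
    New-LocalUser -Name $UserName -Password $password | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $UserName
}

# Defensive check: the account must not be a local administrator, since the
# whole point of the procedure is enrollment without administrator access.
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
if ($admins -contains "$env:COMPUTERNAME\$UserName") {
    throw "$UserName is a member of Administrators; remove it before continuing"
}

# Create the virtual smart card exactly as the page does (still as admin).
# /adminkey default sets the well-known default admin key, which is why the CM
# profile template needs that value as its initial admin key.
& TpmVscMgr create /name $VscName /pin default /adminkey default /generate
if ($LASTEXITCODE -ne 0) { throw "TpmVscMgr create failed with exit code $LASTEXITCODE" }

# Confirm the virtual reader is enumerated before handing the machine to the user.
$reader = Get-PnpDevice -Class SmartCardReader -PresentOnly |
    Where-Object { $_.FriendlyName -like 'Microsoft Virtual Smart Card*' }
if (-not $reader) { throw "virtual smart card reader not found after TpmVscMgr create" }
Write-Output "Virtual smart card ready: $($reader.FriendlyName)"
```

Run it from an elevated session as `.\Provision-NonAdminVsc.ps1 -UserName <account>` (script name assumed). When deploying through Intune, SCCM or Group Policy, replace the interactive password prompt with whatever account-provisioning mechanism that tool already uses; the TPM, group-membership and reader checks are the parts worth keeping.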
- **Install the CM app in the non-admin account**

- **Launch the CM app and enroll for a virtual smart card**