
Certificate Manager for Non-Administrators


If a user isn’t a local administrator on their computer, they won’t be able to enroll a smartcard on their own machines by default. The following procedure enables you to work around this limitation.

Enabling smartcard renewal for non-admins in MIM 2016 Certificate Manager

  1. Unpack the appx file

    Obtain a signing certificate. You can follow the steps to create one using AD CS here; stop when you get to “Sign the Application”. Note the name of the exported pfx file (the commands below use mysign.pfx). Export the certificate to a .cer file as well and import that .cer file on the client, so the client trusts the new signing certificate that will sign the re-packed app.

    Run the following to unpack the appx file:

    makeappx unpack /l /p <app package name>.appx /d ./appx

    ren <app package name>.appx <app package name>.appx.old

    cd appx

  2. Modify the configuration file

    Rename the file named CustomDataExample.xml to custom.data. The CM app looks for this exact file name.

    Edit the custom.data file and modify the following:

    1. In the <NonAdmin> element, change the value of the Value attribute to "True"

    2. Save the file and exit editor

    3. Delete the file named AppxSignature.p7x

    4. Edit the file named AppxManifest.xml

    5. In the <Identity> element modify the value of the Publisher attribute to the subject of your signing certificate, e.g. "CN=ABCD"

      The subject here should be the same as the subject in the signing certificate you’re using to sign the app.

    6. Save the file and exit editor.

  3. Re-pack and sign the app package (appx file)

    Run the following to pack and sign the appx file. The Publisher you set in AppxManifest.xml must match the subject of the certificate in the pfx, otherwise signtool refuses to sign the package:

    cd ..

    makeappx pack /l /d .\appx /p <app package name>.appx

    signtool sign /f <path\>mysign.pfx /p <pfx password> /fd "sha256" <app package name>.appx
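    Steps 1 to 3 (unpack, edit custom.data and AppxManifest.xml, re-pack, sign) as a single PowerShell script. This is an added example, not code from the post or from Microsoft; it assumes makeappx.exe and signtool.exe are on PATH, that the signing certificate's .cer has already been imported on the client as described in step 1, and that the certificate subject is a single CN (e.g. "CN=ABCD") as in the post. The Publisher attribute is taken from the pfx itself so the manifest and the signature cannot drift apart.

```powershell
# Added example: automates steps 1-3 of the procedure above.
# Assumed inputs: path to the original CM .appx, path to the signing pfx and its password.
param(
    [Parameter(Mandatory)] [string] $AppxPath,
    [Parameter(Mandatory)] [string] $PfxPath,
    [Parameter(Mandatory)] [string] $PfxPassword
)
$ErrorActionPreference = 'Stop'
$AppxPath = (Resolve-Path $AppxPath).Path            # absolute path; XmlDocument.Save needs one
$workDir  = Join-Path (Split-Path $AppxPath -Parent) 'appx'

# 1. Unpack the appx and keep the original package as .old
& makeappx unpack /l /p $AppxPath /d $workDir
if ($LASTEXITCODE -ne 0) { throw "makeappx unpack failed ($LASTEXITCODE)" }
Rename-Item -Path $AppxPath -NewName ((Split-Path $AppxPath -Leaf) + '.old')

# 2a. CustomDataExample.xml -> custom.data, and set <NonAdmin Value="True">
Rename-Item -Path (Join-Path $workDir 'CustomDataExample.xml') -NewName 'custom.data'
$customData = Join-Path $workDir 'custom.data'
[xml]$cd = Get-Content -Path $customData -Raw
# local-name() keeps the lookup working whether or not the file uses an XML namespace
$nonAdmin = $cd.SelectSingleNode('//*[local-name()="NonAdmin"]')
if (-not $nonAdmin) { throw 'No <NonAdmin> element found in custom.data' }
$nonAdmin.SetAttribute('Value', 'True')
$cd.Save($customData)

# 2b. Remove the old signature; it no longer matches the modified package contents
Remove-Item -Path (Join-Path $workDir 'AppxSignature.p7x') -Force

# 2c. Publisher in AppxManifest.xml must equal the signing certificate subject
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
$manifestPath = Join-Path $workDir 'AppxManifest.xml'
[xml]$manifest = Get-Content -Path $manifestPath -Raw
$manifest.Package.Identity.Publisher = $cert.Subject   # e.g. "CN=ABCD"
$manifest.Save($manifestPath)

# 3. Re-pack and sign with SHA-256, then verify the new signature chains correctly
& makeappx pack /l /d $workDir /p $AppxPath
if ($LASTEXITCODE -ne 0) { throw "makeappx pack failed ($LASTEXITCODE)" }
& signtool sign /f $PfxPath /p $PfxPassword /fd sha256 $AppxPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed ($LASTEXITCODE)" }
& signtool verify /pa $AppxPath
if ($LASTEXITCODE -ne 0) { throw "signature verification failed; is the .cer trusted on this machine?" }
```

    Run it as the local admin on the machine that has the Windows SDK tools installed; the final verify step fails until the signing certificate's .cer is trusted on that machine, which is the same condition the non-admin client must meet.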

  4. Duplicate the profile template and add the initial admin key to configure the MIM server:

    1. Log into the CM portal as a user with administrative privileges.

    2. Go to Administration > Manage Profile templates, make sure the box next to the profile template you created is checked, then click Copy a selected profile template.

    3. Type the name of the profile template, add “nonAdmin” and click OK.

    4. When the profile template general settings appear, scroll down all the way and under Smartcard Configuration, click Change Settings.

    5. Under Admin key initial value (hex) enter the default admin key: "010203040506070801020304050607080102030405060708"

    6. Scroll down and click OK.

  5. Create a non-admin account on the client machine

    Non-admin users can’t create the virtual smart card on the TPM, so you have to create it for them.

  6. Create a virtual smartcard using TpmVscMgr

    Perform the following (still as the admin) to create an empty virtual smartcard on a machine. This can be done through Intune, SCCM or group policies.

    TpmVscMgr create /name MyVSC /pin default /adminkey default /generate

  7. Install the CM app in the non-admin account

  8. Launch the CM app and enroll for a virtual smartcard


Source: https://technet.microsoft.com/en-us/library/mt150260.aspx

