Creating virtual smart cards with attestations

Question

At some point in the past few weeks, the following command has started failing when creating virtual smart cards on a Surface Pro device:

 tpmvscmgr create /generate /adminKey random /pin default /name Example /attestation AIK_AND_CERT

Requests fail with (0x80190190) Bad Request (400).

It is possible to create a virtual smart card without the /attestation flag (which is what I have typically done in the past). However virtual smart cards created this way fail when attempting to generate a certificate request including an attestation. Specifically, attempts to generate a certificate request using a CertificateRequestProperties structure with the AttestationCredentialCertificate field set fail with 0x80100022 - This smart card does not support the requested feature.

These errors occur on devices that previously worked. Any ideas why the behavior has changed or if it is temporary?

Answer 1

The issue was resolved by applying firmware patches to the Surface Pro 3 and Surface Pro 4 devices. The firmware update tool for Surface Pro 3 is here: https://www.microsoft.com/en-us/download/details.aspx?id=38826. The update for Surface Pro 4 is here: https://www.microsoft.com/en-us/download/details.aspx?id=49498. After updating the firmware, tpmvcsmgr was able to create virtual smart cards using the AIK_AND_CERT parameter and the UWP APIs to include attestations in CSRs worked. It seems like the 1803 update included a change that requires these firmware patches.