mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git (synced 2025-05-25 03:37:23 +00:00)
updates
parent 5beab6114f
commit 062433f00a
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
ms.date: 11/06/2023
|
ms.date: 11/07/2023
|
||||||
title: Smart Card and Remote Desktop Services
|
title: Smart Card and Remote Desktop Services
|
||||||
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
|
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
|
||||||
ms.topic: conceptual
|
ms.topic: conceptual
|
||||||
---
|
---
|
||||||
|
@ -248,8 +248,8 @@ For other operations, the caller may be able to acquire a *verify* context again
|
|||||||
|
|
||||||
1. If the specified container name is NULL, the default container is deleted. Deleting the default container causes a new default container to be selected arbitrarily. For this reason, this operation is not recommended
|
1. If the specified container name is NULL, the default container is deleted. Deleting the default container causes a new default container to be selected arbitrarily. For this reason, this operation is not recommended
|
||||||
1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks:
|
1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks:
|
||||||
1. If the smart card does not have the named container, continue the search
|
1. If the smart card does not have the named container, continue the search
|
||||||
1. If the smart card has the named container, but the smart card handle is no longer valid, store the serial number of the matching smart card and pass it to SCardUI
|
1. If the smart card has the named container, but the smart card handle is no longer valid, store the serial number of the matching smart card and pass it to SCardUI
|
||||||
1. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards should verify that a candidate smart card has the named container. If a serial number was povided as a result of the previous cache search, the callback should filter enumerated smart cards on serial number rather than on container matches. If the context is non-silent and no suitable smart card is found, display UI that prompts the user to insert a smart card
|
1. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards should verify that a candidate smart card has the named container. If a serial number was povided as a result of the previous cache search, the callback should filter enumerated smart cards on serial number rather than on container matches. If the context is non-silent and no suitable smart card is found, display UI that prompts the user to insert a smart card
|
||||||
|
|
||||||
### Base CSP and KSP-based architecture in Windows
|
### Base CSP and KSP-based architecture in Windows
|
||||||
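Review bot: the last list item in this hunk ("If a serial number was povided as a result of the previous cache search") still carries the typo "povided"; since the line is already being touched here (no visible text change, so presumably whitespace), fix it to "provided" in the same commit. The items in this hunk also end without a period while the sentences inside them have one; pick one convention for the whole list.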
@ -265,11 +265,11 @@ The following diagram shows the Cryptography architecture that is used by the Wi
|
|||||||
|
|
||||||
| Property | Description |
|
| Property | Description |
|
||||||
|--|--|
|
|--|--|
|
||||||
| `PP_USER_CERTSTORE` | - Used to return an `HCERTSTORE` that contains all user certificates on the smart card<br>- Read-only (used only by `CryptGetProvParam`)<br>- Caller responsible for closing the certificate store<br>- Certificate encoded using `PKCS_7_ASN_ENCODING` or `X509_ASN_ENCODING`<br>- CSP should set `KEY_PROV_INFO` on certificates<br>- Certificate store should be assumed to be an in-memory store<br>- Certificates should have a valid `CRYPT_KEY_PROV_INFO` as a property |
|
| `PP_USER_CERTSTORE` | - Used to return an `HCERTSTORE` that contains all user certificates on the smart card<br>- Read-only (used only by `CryptGetProvParam`)<br>- Caller responsible for closing the certificate store<br>- Certificate encoded using `PKCS_7_ASN_ENCODING` or `X509_ASN_ENCODING`<br>- CSP should set `KEY_PROV_INFO` on certificates<br>- Certificate store should be assumed to be an in-memory store<br>- Certificates should have a valid `CRYPT_KEY_PROV_INFO` as a property |
|
||||||
| `PP_ROOT_CERTSTORE` | - Read and Write (used by `CryptGetProvParam` and `CryptSetProvParam`)<br>- Used to write a collection of root certificates to the smart card or return `HCERTSTORE`, which contains root certificates from the smart card<br>- Used primarily for joining a domain by using a smart card<br>- Caller responsible for closing the certificate store |
|
| `PP_ROOT_CERTSTORE` | - Read and Write (used by `CryptGetProvParam` and `CryptSetProvParam`)<br>- Used to write a collection of root certificates to the smart card or return `HCERTSTORE`, which contains root certificates from the smart card<br>- Used primarily for joining a domain by using a smart card<br>- Caller responsible for closing the certificate store |
|
||||||
| `PP_SMARTCARD_READER` | - Read-only (used only by `CryptGetProvParam`)<br>- Returns the smart card reader name as an ANSI string that is used to construct a fully qualified container name (that is, a smart card reader plus a container) |
|
| `PP_SMARTCARD_READER` | - Read-only (used only by `CryptGetProvParam`)<br>- Returns the smart card reader name as an ANSI string that is used to construct a fully qualified container name (that is, a smart card reader plus a container) |
|
||||||
| `PP_SMARTCARD_GUID `| - Return smart card GUID (also known as a serial number), which should be unique for each smart card<br>- Used by the certificate propagation service to track the source of a root certificate |
|
| `PP_SMARTCARD_GUID` | - Return smart card GUID (also known as a serial number), which should be unique for each smart card<br>- Used by the certificate propagation service to track the source of a root certificate |
|
||||||
| `PP_UI_PROMPT` | - Used to set the search string for the `SCardUIDlgSelectCard` card insertion dialog box<br>- Persistent for the entire process when it is set<br>- Write-only (used only by `CryptSetProvParam`) |
|
| `PP_UI_PROMPT` | - Used to set the search string for the `SCardUIDlgSelectCard` card insertion dialog box<br>- Persistent for the entire process when it is set<br>- Write-only (used only by `CryptSetProvParam`) |
|
||||||
|
|
||||||
### Implications for CSPs in Windows
|
### Implications for CSPs in Windows
|
||||||
|
|
||||||
|
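Review bot: the `PP_SMARTCARD_GUID` backtick fix is right, but the rows are not parallel: that row says "Return smart card GUID" while the `PP_SMARTCARD_READER` row says "Returns the smart card reader name". In the `PP_USER_CERTSTORE` row, "CSP should set `KEY_PROV_INFO` on certificates" and "Certificates should have a valid `CRYPT_KEY_PROV_INFO` as a property" describe the same requirement under two different names; keep one bullet and use the real names, the `CRYPT_KEY_PROV_INFO` structure stored under the `CERT_KEY_PROV_INFO_PROP_ID` certificate property.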
@ -21,8 +21,6 @@ The following figure shows the flow of the certificate propagation service. The
|
|||||||
1. The arrow labeled **2** indicates the certification to the reader
|
1. The arrow labeled **2** indicates the certification to the reader
|
||||||
1. The arrow labeled **3** indicates the access to the certificate store during the client session
|
1. The arrow labeled **3** indicates the access to the certificate store during the client session
|
||||||
|
|
||||||
### Certificate propagation service
|
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
1. A signed-in user inserts a smart card
|
1. A signed-in user inserts a smart card
|
||||||
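Review bot: removing the `### Certificate propagation service` heading leaves the figure and the step list ("1. A signed-in user inserts a smart card") attached to the preceding arrow-description list with no transition; if the page title already names the service, add a one-line lead before the image so the steps have an introduction. Separately, "The arrow labeled **2** indicates the certification to the reader" in the context lines reads like a typo for "certificate"; worth checking against the figure while this file is open.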
@ -38,9 +36,9 @@ Properties of the certificate propagation service include:
|
|||||||
- If the certificate has the `CERT_ENROLLMENT_PROP_ID` property (as defined by `wincrypt.h`), it filters empty requests and places them in the current user's request store, but it does not propagate them to the user's Personal store
|
- If the certificate has the `CERT_ENROLLMENT_PROP_ID` property (as defined by `wincrypt.h`), it filters empty requests and places them in the current user's request store, but it does not propagate them to the user's Personal store
|
||||||
- The service does not propagate any computer certificates to a user's Personal store or propagate user certificates to a computer store
|
- The service does not propagate any computer certificates to a user's Personal store or propagate user certificates to a computer store
|
||||||
- The service propagates certificates according to Group Policy options that are set, which may include:
|
- The service propagates certificates according to Group Policy options that are set, which may include:
|
||||||
- **Turn on certificate propagation from the smart card** specifies whether a user's certificate should be propagated
|
- **Turn on certificate propagation from the smart card** specifies whether a user's certificate should be propagated
|
||||||
- **Turn on root certificate propagation from smart card** specifies whether root certificates should be propagated
|
- **Turn on root certificate propagation from smart card** specifies whether root certificates should be propagated
|
||||||
- **Configure root certificate cleanup** specifies how root certificates are removed
|
- **Configure root certificate cleanup** specifies how root certificates are removed
|
||||||
|
|
||||||
## Root certificate propagation service
|
## Root certificate propagation service
|
||||||
|
|
||||||
|
@ -15,7 +15,7 @@ When a smart card is inserted, the following steps are performed.
|
|||||||
> Unless otherwise mentioned, all operations are performed silently (CRYPT_SILENT is passed to CryptAcquireContext).
|
> Unless otherwise mentioned, all operations are performed silently (CRYPT_SILENT is passed to CryptAcquireContext).
|
||||||
|
|
||||||
1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP).
|
1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP).
|
||||||
1. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is *\\.<Reader name>\
|
1. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is `\\.<Reader name>\`
|
||||||
1. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card will be unusable for smart card sign-in.
|
1. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card will be unusable for smart card sign-in.
|
||||||
1. The name of the container is retrieved by using the PP_CONTAINER parameter with CryptGetProvParam.
|
1. The name of the container is retrieved by using the PP_CONTAINER parameter with CryptGetProvParam.
|
||||||
1. Using the context acquired in Step 3, the CSP is queried for the PP_USER_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8.
|
1. Using the context acquired in Step 3, the CSP is queried for the PP_USER_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8.
|
||||||
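Review bot: wrapping the container-name format in backticks fixes the stray emphasis marker, but please confirm the literal: the fully qualified reader form accepted by CryptAcquireContext is `\\.\<Reader name>\<Container name>`, with a backslash after the dot, whereas the visible text `\\.<Reader name>\` has none, and markdown backslash escaping on the old line is a plausible way for it to have been lost. Also, this file leaves `CryptAcquireContext`, `CRYPT_SILENT`, `PP_CONTAINER` and `PP_USER_CERTSTORE` unformatted while the architecture table changed in this same commit puts identifiers in backticks; consistent code formatting would help here too.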
@ -84,13 +84,13 @@ Following are the steps that are performed during a smart card sign-in:
|
|||||||
1. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT's authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member.
|
1. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT's authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member.
|
||||||
1. The domain controller returns the TGT to the client as part of the KRB_AS_REP response.
|
1. The domain controller returns the TGT to the client as part of the KRB_AS_REP response.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> The KRB_AS_REP packet consists of:
|
> The KRB_AS_REP packet consists of:
|
||||||
> - Privilege attribute certificate (PAC)
|
> - Privilege attribute certificate (PAC)
|
||||||
> - User's SID
|
> - User's SID
|
||||||
> - SIDs of any groups of which the user is a member
|
> - SIDs of any groups of which the user is a member
|
||||||
> - A request for ticket-granting service (TGS)
|
> - A request for ticket-granting service (TGS)
|
||||||
> - Preauthentication data
|
> - Preauthentication data
|
||||||
|
|
||||||
TGT is encrypted with the master key of the KDC, and the session key is encrypted with a temporary key. This temporary key is derived based on RFC 4556. Using CryptoAPI, the temporary key is decrypted. As part of the decryption process, if the private key is on a smart card, a call is made to the smart card subsystem by using the specified CSP to extract the certificate corresponding to the user's public key. (Programmatic calls for the certificate include CryptAcquireContext, CryptSetProvParam with the PIN, CryptgetUserKey, and CryptGetKeyParam.) After the temporary key is obtained, the Kerberos SSP decrypts the session key.
|
TGT is encrypted with the master key of the KDC, and the session key is encrypted with a temporary key. This temporary key is derived based on RFC 4556. Using CryptoAPI, the temporary key is decrypted. As part of the decryption process, if the private key is on a smart card, a call is made to the smart card subsystem by using the specified CSP to extract the certificate corresponding to the user's public key. (Programmatic calls for the certificate include CryptAcquireContext, CryptSetProvParam with the PIN, CryptgetUserKey, and CryptGetKeyParam.) After the temporary key is obtained, the Kerberos SSP decrypts the session key.
|
||||||
|
|
||||||
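Review bot: `CryptgetUserKey` in the parenthetical list ("CryptAcquireContext, CryptSetProvParam with the PIN, CryptgetUserKey, and CryptGetKeyParam") is miscased; the API is `CryptGetUserKey`, and since the paragraph is already in this hunk it is a good place to fix it. In the NOTE, "A request for ticket-granting service (TGS)" is listed as content of the KRB_AS_REP packet, which the surrounding steps describe as the domain controller's reply to the client; worth confirming that bullet belongs in that list.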
@ -150,7 +150,7 @@ SSL/TLS can map certificates that do not have SAN, and the mapping is done by us
|
|||||||
|
|
||||||

|

|
||||||
|
|
||||||
#### UPN in Subject Alternative Name field
|
#### UPN in Subject Alternative Name field
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
|
@ -88,9 +88,7 @@ tracelog.exe -stop <*FriendlyName*>
|
|||||||
logman.exe -stop <*FriendlyName*> -ets
|
logman.exe -stop <*FriendlyName*> -ets
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Examples
|
For example, to stop a trace:
|
||||||
|
|
||||||
To stop a trace:
|
|
||||||
|
|
||||||
```cmd
|
```cmd
|
||||||
tracelog.exe -stop scardsvr
|
tracelog.exe -stop scardsvr
|
||||||
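Review bot: replacing the `#### Examples` heading with "For example, to stop a trace:" reads fine, but the placeholder on the line above it, `logman.exe -stop <*FriendlyName*> -ets`, sits inside the fenced block, where the asterisks print literally instead of rendering as italics; use `<FriendlyName>` inside the fence and describe the placeholder in the prose before it. The same applies to `tracelog.exe -stop <*FriendlyName*>` shown in this hunk's header line.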
@ -102,7 +100,7 @@ logman.exe -stop scardsvr -ets
|
|||||||
You can use these resources to troubleshoot these protocols and the KDC:
|
You can use these resources to troubleshoot these protocols and the KDC:
|
||||||
|
|
||||||
- [Kerberos and LDAP Troubleshooting Tips](/previous-versions/tn-archive/bb463167(v=technet.10))
|
- [Kerberos and LDAP Troubleshooting Tips](/previous-versions/tn-archive/bb463167(v=technet.10))
|
||||||
- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit). You can use the trace log tool in this SDK to debug Kerberos authentication failures.
|
- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/windows/hardware/windows-driver-kit). You can use the trace log tool in this SDK to debug Kerberos authentication failures.
|
||||||
|
|
||||||
To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](/windows-hardware/drivers/devtest/tracelog)
|
To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](/windows-hardware/drivers/devtest/tracelog)
|
||||||
|
|
||||||
|
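Review bot: dropping the `en-us/` locale segment from the WDK link matches the locale-neutral relative links elsewhere in this hunk. Two small follow-ups on the touched lines: the bullet names the Windows Driver Kit and then calls it "this SDK" in the next sentence, so "this kit" or "the WDK" would be consistent; and the sentence "For more information, see [`Tracelog`](/windows-hardware/drivers/devtest/tracelog)" lacks a terminal period.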
@ -82,9 +82,9 @@ When this policy setting isn't turned on, only certificates that contain the sma
|
|||||||
|
|
||||||
### Allow ECC certificates to be used for logon and authentication
|
### Allow ECC certificates to be used for logon and authentication
|
||||||
|
|
||||||
You can use this policy setting to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain.
|
You can use this policy setting to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain.
|
||||||
|
|
||||||
When this setting is turned on, ECC certificates on a smart card can be used to sign in to a domain.
|
When this setting is turned on, ECC certificates on a smart card can be used to sign in to a domain.
|
||||||
|
|
||||||
When this setting isn't turned on, ECC certificates on a smart card can't be used to sign in to a domain.
|
When this setting isn't turned on, ECC certificates on a smart card can't be used to sign in to a domain.
|
||||||
|
|
||||||
@ -99,7 +99,7 @@ When this setting isn't turned on, ECC certificates on a smart card can't be use
|
|||||||
|
|
||||||
You can use this policy setting to determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista.
|
You can use this policy setting to determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista.
|
||||||
|
|
||||||
When this setting is turned on, the integrated unblock feature is available.
|
When this setting is turned on, the integrated unblock feature is available.
|
||||||
|
|
||||||
When this setting isn't turned on, the feature is not available.
|
When this setting isn't turned on, the feature is not available.
|
||||||
|
|
||||||
@ -145,7 +145,7 @@ When this policy setting isn't turned on, certificates that are expired or not y
|
|||||||
|
|
||||||
You can use this policy setting to determine whether an optional field appears during sign-in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user.
|
You can use this policy setting to determine whether an optional field appears during sign-in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user.
|
||||||
|
|
||||||
When this policy setting is turned on, users see an optional field where they can enter their username or username and domain.
|
When this policy setting is turned on, users see an optional field where they can enter their username or username and domain.
|
||||||
|
|
||||||
When this policy setting isn't turned on, users don't see this optional field.
|
When this policy setting isn't turned on, users don't see this optional field.
|
||||||
|
|
||||||
@ -177,7 +177,7 @@ When this policy setting isn't turned on, root certificates are automatically re
|
|||||||
|
|
||||||
You can use this policy setting to change the default message that a user sees if their smart card is blocked.
|
You can use this policy setting to change the default message that a user sees if their smart card is blocked.
|
||||||
|
|
||||||
When this policy setting is turned on, you can create and manage the displayed message that the user sees when a smart card is blocked.
|
When this policy setting is turned on, you can create and manage the displayed message that the user sees when a smart card is blocked.
|
||||||
|
|
||||||
When this policy setting isn't turned on (and the integrated unblock feature is also enabled), the user sees the system's default message when the smart card is blocked.
|
When this policy setting isn't turned on (and the integrated unblock feature is also enabled), the user sees the system's default message when the smart card is blocked.
|
||||||
|
|
||||||
@ -189,14 +189,14 @@ When this policy setting isn't turned on (and the integrated unblock feature is
|
|||||||
|
|
||||||
### Filter duplicate logon certificates
|
### Filter duplicate logon certificates
|
||||||
|
|
||||||
You can use this policy setting to configure which valid sign-in certificates are displayed.
|
You can use this policy setting to configure which valid sign-in certificates are displayed.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> During the certificate renewal period, a user's smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet.
|
> During the certificate renewal period, a user's smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet.
|
||||||
>
|
>
|
||||||
> If two certificates are issued from the same template with the same major version and they are for the same user (this is determined by their UPN), they are determined to be the same.
|
> If two certificates are issued from the same template with the same major version and they are for the same user (this is determined by their UPN), they are determined to be the same.
|
||||||
|
|
||||||
When this policy setting is turned on, filtering occurs so that the user can select from only the most current valid certificates.
|
When this policy setting is turned on, filtering occurs so that the user can select from only the most current valid certificates.
|
||||||
|
|
||||||
If this policy setting isn't turned on, all the certificates are displayed to the user.
|
If this policy setting isn't turned on, all the certificates are displayed to the user.
|
||||||
|
|
||||||
@ -292,7 +292,7 @@ When this policy setting is turned off, certificate propagation doesn't occur, a
|
|||||||
|
|
||||||
### Turn on root certificate propagation from smart card
|
### Turn on root certificate propagation from smart card
|
||||||
|
|
||||||
You can use this policy setting to manage the root certificate propagation that occurs when a smart card is inserted.
|
You can use this policy setting to manage the root certificate propagation that occurs when a smart card is inserted.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
|
> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
|
||||||
@ -344,7 +344,7 @@ The registry keys for the smart card KSP are in `HKEY_LOCAL_MACHINE\SYSTEM\Contr
|
|||||||
| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required.<br>Default value: 00000000 |
|
| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required.<br>Default value: 00000000 |
|
||||||
| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.<br>Default value: 000005dc<br>The default timeout for holding transactions to the smart card is 1.5 seconds. |
|
| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.<br>Default value: 000005dc<br>The default timeout for holding transactions to the smart card is 1.5 seconds. |
|
||||||
|
|
||||||
**Additional registry keys for the smart card KSP**
|
Additional registry keys for the smart card KSP:
|
||||||
|
|
||||||
| Registry Key | Description |
|
| Registry Key | Description |
|
||||||
|--|--|
|
|--|--|
|
||||||
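Review bot: the `RequireOnCardPrivateKeyGen` row contradicts itself as written: it says the key "requires on-card private key generation (default)" and then "If this value is set, a key generated on a host can be imported into the smart card", which is the opposite behavior; with a default of `00000000`, state explicitly which value (0 or 1) permits host-generated key import and which enforces on-card generation. The `TransactionTimeoutMilliseconds` row is internally consistent (`000005dc` = 1500 ms = 1.5 seconds). Changing the bold line to a plain sentence ending in a colon is fine, since it introduces the table rather than starting a section.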
@ -355,8 +355,6 @@ The registry keys for the smart card KSP are in `HKEY_LOCAL_MACHINE\SYSTEM\Contr
|
|||||||
|
|
||||||
The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you must configure settings for both the KDC and the client.
|
The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you must configure settings for both the KDC and the client.
|
||||||
|
|
||||||
### CRL checking registry keys
|
|
||||||
|
|
||||||
| Registry Key | Details |
|
| Registry Key | Details |
|
||||||
|--|--|
|
|--|--|
|
||||||
| `HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Kdc\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors` | Type = DWORD<br>Value = 1 |
|
| `HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Kdc\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors` | Type = DWORD<br>Value = 1 |
|
||||||
|
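Review bot: with the `### CRL checking registry keys` heading removed, the table now follows the paragraph directly, which works, but the path in the table uses `HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Kdc\...`; spell out `CurrentControlSet` instead of the `CCS` abbreviation so the path can be pasted into `reg add` or the registry editor as written. Because `UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors = 1` makes the KDC accept certificates whose revocation status cannot be confirmed, the introductory sentence ("turn off certificate revocation list (CRL) checking") should say this is a troubleshooting or isolated-network setting rather than a baseline configuration.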
@ -16,4 +16,4 @@ This topic for IT professional provides links to resources about the implementat
|
|||||||
- [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer
|
- [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer
|
||||||
- [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card
|
- [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card
|
||||||
|
|
||||||
[!INCLUDE [smart-cards-for-windows-service](../../../../includes/licensing/smart-cards-for-windows-service.md)]
|
[!INCLUDE [smart-cards-for-windows-service](../../../../includes/licensing/smart-cards-for-windows-service.md)]
|
||||||
|
@ -11,19 +11,14 @@ This topic for the IT professional describes the role of the removal policy serv
|
|||||||
|
|
||||||
The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
|
The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
|
||||||
|
|
||||||
**Smart card removal policy service**
|
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
The numbers in the previous figure represent the following actions:
|
The numbers in the previous figure represent the following actions:
|
||||||
|
|
||||||
1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated.
|
1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated.
|
||||||
|
1. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred.
|
||||||
2. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred.
|
1. ScPolicySvc retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, ScPolicySvc is notified.
|
||||||
|
1. ScPolicySvc calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, ScPolicySvc sends a message to Winlogon to lock the computer.
|
||||||
3. ScPolicySvc retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, ScPolicySvc is notified.
|
|
||||||
|
|
||||||
4. ScPolicySvc calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, ScPolicySvc sends a message to Winlogon to lock the computer.
|
|
||||||
|
|
||||||
## See also
|
## See also
|
||||||
|
|
||||||
|
@ -28,7 +28,7 @@ Smart cards provide:
|
|||||||
|
|
||||||
Smart cards can be used to sign in to domain accounts only, not local accounts. When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates.
|
Smart cards can be used to sign in to domain accounts only, not local accounts. When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates.
|
||||||
|
|
||||||
**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware.
|
Virtual smart cards were introduced to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware.
|
||||||
|
|
||||||
[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
|
[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
|
||||||
|
|
||||||
|
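Review bot: dropping "Windows Server 2012 and Windows 8" from the virtual smart cards sentence removes the only statement of when the feature shipped, immediately before the deprecation include that tells readers it is going away, so the lifecycle span is no longer visible anywhere on the page; keep the version in the sentence ("Virtual smart cards were introduced in Windows Server 2012 and Windows 8 to alleviate...") or fold it into the deprecation note. Removing the bold from "Virtual smart cards" is fine, since the term is not a defined heading here.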
@ -157,7 +157,7 @@ Similar to physical smart cards, virtual smart cards require certificate enrollm
|
|||||||
|
|
||||||
#### Certificate issuance
|
#### Certificate issuance
|
||||||
|
|
||||||
Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card doesn't need to be installed on the client computer if it's installed on the remote computer. This is made possible by smart card redirection functionality that was introduced in Windows Server 2003, which ensures that smart cards that are connected to the client computer are available for use during a remote session.
|
Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card doesn't need to be installed on the client computer if it's installed on the remote computer. This is made possible by smart card redirection functionality, which ensures that smart cards that are connected to the client computer are available for use during a remote session.
|
||||||
|
|
||||||
Alternatively, without establishing a remote desktop connection, users can enroll for certificates from the Certificate Management console (certmgr.msc) on a client computer. Users can also create a request and submit it to a server from within a custom certificate enrollment application (for example, a registration authority) that has controlled access to the certification authority (CA). This requires specific enterprise configuration and deployments for Certificate Enrollment Policies (CEP) and Certificate Enrollment Services (CES).
|
Alternatively, without establishing a remote desktop connection, users can enroll for certificates from the Certificate Management console (certmgr.msc) on a client computer. Users can also create a request and submit it to a server from within a custom certificate enrollment application (for example, a registration authority) that has controlled access to the certification authority (CA). This requires specific enterprise configuration and deployments for Certificate Enrollment Policies (CEP) and Certificate Enrollment Services (CES).
|
||||||
|
|
||||||
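Review bot: the rewritten last sentence now says "smart card redirection functionality" without naming where that is configured, so a reader provisioning a card over a remote desktop session has nothing to follow; link the phrase to the Remote Desktop Services smart card topic and state that redirection must be allowed on the connection for the physical card on the client to be visible in the session. Dropping "that was introduced in Windows Server 2003" is fine, since every supported version has it.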
@ -211,9 +211,7 @@ For deployments that require users to use a physical smart card to sign the cert
|
|||||||
|
|
||||||
Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued, is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools.
|
Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued, is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools.
|
||||||
|
|
||||||
#### Certificate lifecycle management
|
**Certificate lifecycle management**: certificate renewal can be done from the same tools that are used for the initial certificate enrollment. Certificate enrollment policies and certificate enrollment services can also be used to perform automatic renewal.
|
||||||
|
|
||||||
Certificate renewal can be done from the same tools that are used for the initial certificate enrollment. Certificate enrollment policies and certificate enrollment services can also be used to perform automatic renewal.
|
|
||||||
|
|
||||||
Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked isn't easy to determine, all certificates issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, if an employee reports a lost or compromised device, and information that associates the device with a certificate isn't available.
|
Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked isn't easy to determine, all certificates issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, if an employee reports a lost or compromised device, and information that associates the device with a certificate isn't available.
|
||||||
|
|
||||||
|
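Review bot: this hunk demotes the "#### Certificate lifecycle management" heading to a bold run-in label ("**Certificate lifecycle management**: certificate renewal can be done..."), while the other files in this commit go the opposite way and promote bold labels to "####" headings; pick one convention, and since "#### Certificate issuance" remains a heading just above, the heading form is the consistent choice here. The revocation paragraph also ends on a fragment ("For example, if an employee reports a lost or compromised device, and information that associates the device with a certificate isn't available.") that needs a main clause, for example "..., all of that user's certificates issued under the policy might need to be revoked."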
@ -15,11 +15,9 @@ Virtual smart cards are a technology from Microsoft that offer comparable securi
|
|||||||
|
|
||||||
This step-by-step walkthrough shows you how to set up a basic test environment for using TPM virtual smart cards. After you complete this walkthrough, you will have a functional virtual smart card installed on the Windows computer.
|
This step-by-step walkthrough shows you how to set up a basic test environment for using TPM virtual smart cards. After you complete this walkthrough, you will have a functional virtual smart card installed on the Windows computer.
|
||||||
|
|
||||||
### Time requirements
|
|
||||||
|
|
||||||
You should be able to complete this walkthrough in less than one hour, excluding installing software and setting up the test domain.
|
You should be able to complete this walkthrough in less than one hour, excluding installing software and setting up the test domain.
|
||||||
|
|
||||||
### Walkthrough steps
|
## Walkthrough steps
|
||||||
|
|
||||||
- [Prerequisites](#prerequisites)
|
- [Prerequisites](#prerequisites)
|
||||||
- [Step 1: Create the certificate template](#step-1-create-the-certificate-template)
|
- [Step 1: Create the certificate template](#step-1-create-the-certificate-template)
|
||||||
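Review bot: promoting "Walkthrough steps" from ### to ## makes it a sibling of "## Step 1: Create the certificate template" and the later "## Step 2" and "## Step 3" headings, so the table of contents now lists the step index at the same level as the steps it indexes; keep it at ### or leave the bullet list unheaded as part of the introduction. Removing the "### Time requirements" heading is fine; the one-sentence estimate reads naturally under the intro.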
@ -44,63 +42,41 @@ On your domain server, you need to create a template for the certificate that yo
|
|||||||
### To create the certificate template
|
### To create the certificate template
|
||||||
|
|
||||||
1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type **mmc.exe** from the **Start** menu, right-click **mmc.exe**, and click **Run as administrator**
|
1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type **mmc.exe** from the **Start** menu, right-click **mmc.exe**, and click **Run as administrator**
|
||||||
2. Select **File** > **Add/Remove Snap-in**
|
1. Select **File** > **Add/Remove Snap-in**
|
||||||
|
|
||||||

|

|
||||||
|
1. In the available snap-ins list, click **Certificate Templates**, and then click **Add**
|
||||||
3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**
|
|
||||||
|
|
||||||

|

|
||||||
|
1. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates.
|
||||||
4. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates.
|
1. Right-click the **Smartcard Logon** template, and click **Duplicate Template**.
|
||||||
|
|
||||||
5. Right-click the **Smartcard Logon** template, and click **Duplicate Template**.
|
|
||||||
|
|
||||||

|

|
||||||
|
1. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed.
|
||||||
6. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed.
|
|
||||||
|
|
||||||

|

|
||||||
|
1. On the **General** tab:
|
||||||
7. On the **General** tab:
|
1. Specify a name, such as **TPM Virtual Smart Card Logon**.
|
||||||
|
1. Set the validity period to the desired value.
|
||||||
1. Specify a name, such as **TPM Virtual Smart Card Logon**.
|
1. On the **Request Handling** tab:
|
||||||
2. Set the validity period to the desired value.
|
1. Set the **Purpose** to **Signature and smartcard logon**.
|
||||||
|
1. Click **Prompt the user during enrollment**.
|
||||||
8. On the **Request Handling** tab:
|
1. On the **Cryptography** tab:
|
||||||
|
1. Set the minimum key size to 2048.
|
||||||
1. Set the **Purpose** to **Signature and smartcard logon**.
|
1. Click **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**.
|
||||||
2. Click **Prompt the user during enrollment**.
|
1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them.
|
||||||
|
1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.
|
||||||
9. On the **Cryptography** tab:
|
1. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**.
|
||||||
|
|
||||||
1. Set the minimum key size to 2048.
|
|
||||||
2. Click **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**.
|
|
||||||
|
|
||||||
10. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them.
|
|
||||||
|
|
||||||
11. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.
|
|
||||||
|
|
||||||
12. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**.
|
|
||||||
|
|
||||||

|

|
||||||
|
1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
|
||||||
13. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
|
1. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**.
|
||||||
|
|
||||||
14. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**.
|
|
||||||
|
|
||||||

|

|
||||||
|
1. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**.
|
||||||
|
|
||||||
15. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**.
|
> [!NOTE]
|
||||||
|
> It can take some time for your template to replicate to all servers and become available in this list.
|
||||||
|
|
||||||
> [!NOTE]
|

|
||||||
> It can take some time for your template to replicate to all servers and become available in this list.
|
|
||||||
|
|
||||||

|
1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
|
||||||
|
|
||||||
16. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
|

|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
## Step 2: Create the TPM virtual smart card
|
## Step 2: Create the TPM virtual smart card
|
||||||
|
|
||||||
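Review bot: the Security tab step still recommends granting **Enroll** to **Authenticated users** on a template whose purpose is **Signature and smartcard logon**, and nothing in the hunk says this is acceptable only because the page is building a test environment; add a sentence that production deployments scope Enroll to the group of users who are actually issued virtual smart cards, since every account that can enroll on this template can obtain a domain sign-in certificate for itself. The renumbering to "1." throughout and the removal of the blank lines between steps match the repo's list style, and the CA stop/start step is the right way to make the new template show up under "Certificate Template to Issue".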
@ -108,19 +84,16 @@ In this step, you will create the virtual smart card on the client computer by u
|
|||||||
|
|
||||||
### To create the TPM virtual smart card
|
### To create the TPM virtual smart card
|
||||||
|
|
||||||
1. On a domain-joined computer, open a Command Prompt window with Administrative credentials.
|
1. On a domain-joined computer, open a Command Prompt window with Administrative credentials.
|
||||||
|
|
||||||

|

|
||||||
|
1. At the command prompt, type the following, and then press ENTER:
|
||||||
|
|
||||||
2. At the command prompt, type the following, and then press ENTER:
|
`tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate`
|
||||||
|
|
||||||
`tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate`
|
This will create a virtual smart card with the name **TestVSC**, omit the unlock key, and generate the file system on the card. The PIN will be set to the default, 12345678. To be prompted for a PIN, instead of **/pin default** you can type **/pin prompt**.\
|
||||||
|
For more information about the Tpmvscmgr command-line tool, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) and [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md).
|
||||||
|
|
||||||
This will create a virtual smart card with the name **TestVSC**, omit the unlock key, and generate the file system on the card. The PIN will be set to the default, 12345678. To be prompted for a PIN, instead of **/pin default** you can type **/pin prompt**.
|
1. Wait several seconds for the process to finish. Upon completion, Tpmvscmgr.exe will provide you with the device instance ID for the TPM Virtual Smart Card. Store this ID for later reference because you will need it to manage or remove the virtual smart card.
|
||||||
|
|
||||||
For more information about the Tpmvscmgr command-line tool, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) and [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md).
|
|
||||||
|
|
||||||
4. Wait several seconds for the process to finish. Upon completion, Tpmvscmgr.exe will provide you with the device instance ID for the TPM Virtual Smart Card. Store this ID for later reference because you will need it to manage or remove the virtual smart card.
|
|
||||||
|
|
||||||
## Step 3: Enroll for the certificate on the TPM Virtual Smart Card
|
## Step 3: Enroll for the certificate on the TPM Virtual Smart Card
|
||||||
|
|
||||||
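Review bot: the explanation under the command says "/adminkey random" means "omit the unlock key", which undersells it: a random admin key that is not returned to the caller leaves a card that cannot later be unblocked or re-keyed with smart card management tools, which is fine for this throwaway TestVSC but should be stated, together with a pointer to "/adminkey prompt" (or the default) for a card you intend to manage. The fixed numbering (the old text jumped from step 2 to step 4) is good; consider placing the command in a ```console fence like the fenced example elsewhere in this commit instead of inline code inside the list item, which would also remove the need for the trailing backslash hard break.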
@ -128,21 +101,14 @@ The virtual smart card must be provisioned with a sign-in certificate for it to
|
|||||||
|
|
||||||
### To enroll the certificate
|
### To enroll the certificate
|
||||||
|
|
||||||
1. Open the Certificates console by typing **certmgr.msc** on the **Start** menu.
|
1. Open the Certificates console by typing **certmgr.msc** on the **Start** menu
|
||||||
|
1. Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate**
|
||||||
2. Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate**.
|

|
||||||
|
1. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1)
|
||||||

|

|
||||||
|
1. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)**
|
||||||
3. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1).
|
1. Enter the PIN that was established when you created the TPM virtual smart card, and then click **OK**
|
||||||
|
1. Wait for the enrollment to finish, and then click **Finish**
|
||||||

|
|
||||||
|
|
||||||
4. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)**.
|
|
||||||
|
|
||||||
5. Enter the PIN that was established when you created the TPM virtual smart card, and then click **OK**.
|
|
||||||
|
|
||||||
6. Wait for the enrollment to finish, and then click **Finish**.
|
|
||||||
|
|
||||||
The virtual smart card can now be used as an alternative credential to sign in to your domain. To verify that your virtual smart card configuration and certificate enrollment were successful, sign out of your current session, and then sign in. When you sign in, you will see the icon for the new TPM virtual smart card on the Secure Desktop (sign in) screen or you will be automatically directed to the TPM smart card sign-in dialog box. Click the icon, enter your PIN (if necessary), and then click **OK**. You should be signed in to your domain account.
|
The virtual smart card can now be used as an alternative credential to sign in to your domain. To verify that your virtual smart card configuration and certificate enrollment were successful, sign out of your current session, and then sign in. When you sign in, you will see the icon for the new TPM virtual smart card on the Secure Desktop (sign in) screen or you will be automatically directed to the TPM smart card sign-in dialog box. Click the icon, enter your PIN (if necessary), and then click **OK**. You should be signed in to your domain account.
|
||||||
|
|
||||||
|
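Review bot: the verification paragraph at the end tells the user to "enter your PIN (if necessary)", but smart card sign-in always requires the PIN (it is the knowledge factor the page rests on), so drop "(if necessary)" and say that the PIN is the one set in Step 2 (12345678 if /pin default was used). Removing the trailing periods from the list items matches the house style.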
@ -23,27 +23,27 @@ Virtual smart cards are functionally similar to physical smart cards, appearing
|
|||||||
|
|
||||||
### Authentication use cases
|
### Authentication use cases
|
||||||
|
|
||||||
**Two-factor authentication‒based remote access**
|
#### Two-factor authentication‒based remote access
|
||||||
|
|
||||||
After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is used to gain authenticated access to corporate resources. When the proper certificate is provisioned to the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card, to sign in to the domain.
|
After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is used to gain authenticated access to corporate resources. When the proper certificate is provisioned to the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card, to sign in to the domain.
|
||||||
|
|
||||||
In practice, this is as easy as entering a password to access the system. Technically, it's far more secure. Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request couldn't have possibly originated from a system other than the system certified by the domain for this user's access, and the user couldn't have initiated the request without knowing the PIN, a strong two-factor authentication is established.
|
In practice, this is as easy as entering a password to access the system. Technically, it's far more secure. Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request couldn't have possibly originated from a system other than the system certified by the domain for this user's access, and the user couldn't have initiated the request without knowing the PIN, a strong two-factor authentication is established.
|
||||||
|
|
||||||
**Client authentication**
|
#### Client authentication
|
||||||
|
|
||||||
Virtual smart cards can also be used for client authentication by using TLS/SSL or a similar technology. Similar to domain access with a virtual smart card, an authentication certificate can be provisioned for the virtual smart card, provided to a remote service, as requested in the client authentication process. This adheres to the principles of two-factor authentication because the certificate is only accessible from the computer that hosts the virtual smart card, and the user is required to enter the PIN for initial access to the card.
|
Virtual smart cards can also be used for client authentication by using TLS/SSL or a similar technology. Similar to domain access with a virtual smart card, an authentication certificate can be provisioned for the virtual smart card, provided to a remote service, as requested in the client authentication process. This adheres to the principles of two-factor authentication because the certificate is only accessible from the computer that hosts the virtual smart card, and the user is required to enter the PIN for initial access to the card.
|
||||||
|
|
||||||
**Virtual smart card redirection for remote desktop connections**
|
#### Virtual smart card redirection for remote desktop connections
|
||||||
|
|
||||||
The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the devices that they use to access domain. When you connect to a device that is hosting virtual smart cards, you can't use the virtual smart cards located on the remote device during the remote session. However, you can access the virtual smart cards on the connecting device (which is under your physical control), which are loaded onto the remote device. You can use the virtual smart cards as if they were installed by using the remote devices' TPM, extending your privileges to the remote device, while maintaining the principles of two-factor authentication.
|
The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the devices that they use to access domain. When you connect to a device that is hosting virtual smart cards, you can't use the virtual smart cards located on the remote device during the remote session. However, you can access the virtual smart cards on the connecting device (which is under your physical control), which are loaded onto the remote device. You can use the virtual smart cards as if they were installed by using the remote devices' TPM, extending your privileges to the remote device, while maintaining the principles of two-factor authentication.
|
||||||
|
|
||||||
### Confidentiality use cases
|
### Confidentiality use cases
|
||||||
|
|
||||||
**S/MIME email encryption**
|
#### S/MIME email encryption
|
||||||
|
|
||||||
Physical smart cards are designed to hold private keys. You can use the private keys for email encryption and decryption. The same functionality exists in virtual smart cards. By using S/MIME with a user's public key to encrypt email, the sender of an email is assured that only the person with the corresponding private key can decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption.
|
Physical smart cards are designed to hold private keys. You can use the private keys for email encryption and decryption. The same functionality exists in virtual smart cards. By using S/MIME with a user's public key to encrypt email, the sender of an email is assured that only the person with the corresponding private key can decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption.
|
||||||
|
|
||||||
**BitLocker for data volumes**
|
#### BitLocker for data volumes
|
||||||
|
|
||||||
BitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user's hard drive. BitLocker ensures that if the physical ownership of a hard drive is compromised, an adversary won't be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive, and possession of the device that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be difficult.
|
BitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user's hard drive. BitLocker ensures that if the physical ownership of a hard drive is compromised, an adversary won't be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive, and possession of the device that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be difficult.
|
||||||
|
|
||||||
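Review bot: the new heading "#### Two-factor authentication‒based remote access" carries a figure dash (U+2012) rather than a hyphen, which now lands in the generated anchor and makes the heading awkward to link to; use "Two-factor authentication-based remote access". The remote access paragraph also overstates the guarantee: "this request couldn't have possibly originated from a system other than the system certified by the domain" should be reworded as proof of possession of the TPM-bound key plus knowledge of the PIN, which says nothing about whether the host or the user's session is otherwise trustworthy.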
@ -51,7 +51,7 @@ You can use BitLocker to encrypt portable drives, storing keys in virtual smart
|
|||||||
|
|
||||||
### Data integrity use case
|
### Data integrity use case
|
||||||
|
|
||||||
**Signing data**
|
#### Signing data
|
||||||
|
|
||||||
To verify authorship of data, a user can sign it by using a private key stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data.
|
To verify authorship of data, a user can sign it by using a private key stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data.
|
||||||
|
|
||||||
|
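Review bot: with "Signing data" promoted to a #### heading, the enclosing "### Data integrity use case" is the only singular one in the file next to "### Authentication use cases" and "### Confidentiality use cases"; make it plural, or, since it holds a single case, drop the #### level and keep the paragraph directly under the ### heading.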
@ -84,4 +84,4 @@ The following command will create a TPM virtual smart card with the default valu
|
|||||||
|
|
||||||
```console
|
```console
|
||||||
tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /PIN PROMPT /pinpolicy minlen 4 maxlen 8 /AdminKey DEFAULT /attestation AIK_AND_CERT /generate
|
tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /PIN PROMPT /pinpolicy minlen 4 maxlen 8 /AdminKey DEFAULT /attestation AIK_AND_CERT /generate
|
||||||
```
|
```
|
||||||
|
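Review bot: the hunk only touches whitespace, but the example it preserves needs a caveat in the sentence that introduces it: a card named "VirtualSmartCardForCorpAccess" created with "/AdminKey DEFAULT" uses the documented default administrator key, and "/pinpolicy minlen 4" allows four-digit PINs; both are fine for a demonstration, and the text should say so and point at "/AdminKey PROMPT" and a longer minimum for cards that will actually be deployed. Showing "/attestation AIK_AND_CERT" here is the right choice, since attestation is what lets the CA tie the key to a real TPM.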
@ -17,10 +17,10 @@ Virtual smart cards are functionally similar to physical smart cards. They appea
|
|||||||
|
|
||||||
This topic contains the following sections:
|
This topic contains the following sections:
|
||||||
|
|
||||||
- [Comparing virtual smart cards with physical smart cards](#comparing-virtual-smart-cards-with-physical-smart-cards):
|
- [Comparing virtual smart cards with physical smart cards](#comparing-virtual-smart-cards-with-physical-smart-cards):
|
||||||
Compares properties, functional aspects, security, and cost.
|
Compares properties, functional aspects, security, and cost.
|
||||||
|
|
||||||
- [Authentication design options](#authentication-design-options):
|
- [Authentication design options](#authentication-design-options):
|
||||||
Describes how passwords, smart cards, and virtual smart cards can be used to reach authentication goals in your organization.
|
Describes how passwords, smart cards, and virtual smart cards can be used to reach authentication goals in your organization.
|
||||||
|
|
||||||
## Comparing virtual smart cards with physical smart cards
|
## Comparing virtual smart cards with physical smart cards
|
||||||
@ -33,17 +33,17 @@ All cryptographic operations occur in the secure, isolated environment of the TP
|
|||||||
|
|
||||||
Virtual smart cards maintain the three key properties of physical smart cards:
|
Virtual smart cards maintain the three key properties of physical smart cards:
|
||||||
|
|
||||||
- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer.
|
- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer.
|
||||||
For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
|
For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
|
||||||
|
|
||||||
- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that are offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
|
- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that are offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
|
||||||
|
|
||||||
- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout.
|
- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout.
|
||||||
For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
|
For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
|
||||||
|
|
||||||
The following subsections compare the functionality, security, and cost of virtual smart cards and physical smart cards.
|
The following subsections compare the functionality, security, and cost of virtual smart cards and physical smart cards.
|
||||||
|
|
||||||
**Functionality**
|
### Functionality
|
||||||
|
|
||||||
The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There's no method to export the user's virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users.
|
The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There's no method to export the user's virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users.
|
||||||
|
|
||||||
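Review bot: the anti-hammering bullet says the TPM "rejects further attempts for a period of time instead of blocking the card" and then labels that behaviour "lockout", the same word the Functionality section further down uses for something an administrator resets with owner authentication data. Consider saying once that TPM anti-hammering is a time-based backoff (the TPM's dictionary-attack lockout) rather than the permanent block a physical card applies after a fixed number of wrong PINs, so "lockout" is not read as "blocked". The change from bold pseudo-headings to `###` headings is right; check that no other page links to an anchor derived from the old bold text.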
@ -51,7 +51,7 @@ The basic user experience for a virtual smart card is as simple as using a passw
|
|||||||
|
|
||||||
Additionally, although the anti-hammering functionality of the virtual smart card is equally secure to that of a physical smart card, virtual smart card users are never required to contact an administrator to unblock the card. Instead, they simply wait a period of time (depending on the TPM specifications) before they reattempt to enter the PIN. Alternatively, the administrator can reset the lockout by providing owner authentication data to the TPM on the host computer.
|
Additionally, although the anti-hammering functionality of the virtual smart card is equally secure to that of a physical smart card, virtual smart card users are never required to contact an administrator to unblock the card. Instead, they simply wait a period of time (depending on the TPM specifications) before they reattempt to enter the PIN. Alternatively, the administrator can reset the lockout by providing owner authentication data to the TPM on the host computer.
|
||||||
|
|
||||||
**Security**
|
### Security
|
||||||
|
|
||||||
Physical smart cards and virtual smart cards offer comparable levels of security. They both implement two-factor authentication for using network resources. However, they differ in certain aspects, including physical security and the practicality of an attack. Due to their compact and portable design, conventional smart cards are most frequently kept close to their intended user. They offer little opportunity for acquisition by a potential adversary, so any sort of interaction with the card is difficult without committing some variety of theft.
|
Physical smart cards and virtual smart cards offer comparable levels of security. They both implement two-factor authentication for using network resources. However, they differ in certain aspects, including physical security and the practicality of an attack. Due to their compact and portable design, conventional smart cards are most frequently kept close to their intended user. They offer little opportunity for acquisition by a potential adversary, so any sort of interaction with the card is difficult without committing some variety of theft.
|
||||||
|
|
||||||
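Review bot: "equally secure to that of a physical smart card" at the start of the anti-hammering paragraph overstates what the rest of the sentence then qualifies. A physical card blocks after a fixed number of wrong PINs until an administrator unblocks it, whereas the TPM only delays further attempts "for a period of time (depending on the TPM specifications)", so an attacker holding the device keeps a slow but unbounded guessing budget whose size is set by the platform's retry count and delay. Suggest "comparable" rather than "equally secure". Also "users are never required to contact an administrator" sits awkwardly next to "Alternatively, the administrator can reset the lockout"; "are not required" reads better.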
@ -59,13 +59,13 @@ TPM virtual smart cards, however, reside on a user's computer that may frequentl
|
|||||||
|
|
||||||
However, there are several advantages provided by virtual smart cards to mitigate these slight security deficits. Most importantly, a virtual smart card is much less likely to be lost. Virtual smart cards are integrated into computers and devices that the user already owns for other purposes and has incentive to keep safe. If the computer or device that hosts the virtual smart card is lost or stolen, a user will more immediately notice its loss than the loss of a physical smart card. When a computer or device is identified as lost, the user can notify the administrator of the system, who can revoke the certificate that is associated with the virtual smart card on that device. This precludes any future unauthorized access on that computer or device if the PIN for the virtual smart card is compromised.
|
However, there are several advantages provided by virtual smart cards to mitigate these slight security deficits. Most importantly, a virtual smart card is much less likely to be lost. Virtual smart cards are integrated into computers and devices that the user already owns for other purposes and has incentive to keep safe. If the computer or device that hosts the virtual smart card is lost or stolen, a user will more immediately notice its loss than the loss of a physical smart card. When a computer or device is identified as lost, the user can notify the administrator of the system, who can revoke the certificate that is associated with the virtual smart card on that device. This precludes any future unauthorized access on that computer or device if the PIN for the virtual smart card is compromised.
|
||||||
|
|
||||||
**Cost**
|
### Cost
|
||||||
|
|
||||||
If a company wants to deploy physical smart cards, they need to purchase smart cards and smart card readers for all employees. Although relatively inexpensive options can be found, options that ensure the three key properties of smart card security (most notably, non-exportability) are more expensive. If employees have computers with a built-in TPM, virtual smart cards can be deployed with no additional material costs. These computers and devices are relatively common in the market.
|
If a company wants to deploy physical smart cards, they need to purchase smart cards and smart card readers for all employees. Although relatively inexpensive options can be found, options that ensure the three key properties of smart card security (most notably, non-exportability) are more expensive. If employees have computers with a built-in TPM, virtual smart cards can be deployed with no additional material costs. These computers and devices are relatively common in the market.
|
||||||
|
|
||||||
The maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently.
|
The maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently.
|
||||||
|
|
||||||
**Comparison summary**
|
### Comparison summary
|
||||||
|
|
||||||
| Physical Smart Cards | TPM virtual smart cards |
|
| Physical Smart Cards | TPM virtual smart cards |
|
||||||
|---------------------|-------------------|
|
|---------------------|-------------------|
|
||||||
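Review bot: "This precludes any future unauthorized access on that computer or device" in the first paragraph is too strong. Revoking the certificate stops new authentications only once relying parties have the updated CRL or OCSP response, and anything already issued (Kerberos tickets, a cached sign-in) stays valid until it expires. Suggest "prevents further authentication with that certificate once the revocation is published" and mention disabling the device or user account in the directory as the immediate step.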
@ -87,17 +87,17 @@ The maintenance cost of virtual smart cards is less than that for physical smart
|
|||||||
|
|
||||||
The following section presents several commonly used options and their respective strengths and weaknesses, which organizations can consider for authentication.
|
The following section presents several commonly used options and their respective strengths and weaknesses, which organizations can consider for authentication.
|
||||||
|
|
||||||
**Passwords**
|
### Passwords
|
||||||
|
|
||||||
A password is a secret string of characters that is tied to the identification credentials for a user's account. This establishes the user's identity. Although passwords are the most commonly used form of authentication, they're also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users.
|
A password is a secret string of characters that is tied to the identification credentials for a user's account. This establishes the user's identity. Although passwords are the most commonly used form of authentication, they're also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users.
|
||||||
|
|
||||||
Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they can't be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user's password and impersonate that person's identity. A user often won't realize that the password is compromised, which makes it's easy for a malicious user to maintain access to a system if a valid password has been obtained.
|
Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they can't be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user's password and impersonate that person's identity. A user often won't realize that the password is compromised, which makes it's easy for a malicious user to maintain access to a system if a valid password has been obtained.
|
||||||
|
|
||||||
**One-time passwords**
|
### One-time passwords
|
||||||
|
|
||||||
A one-time password (OTP) is similar to a traditional password, but it's more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. Assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor can't use it for any future transactions. Similarly, if a malicious user obtains a valid user's OTP, the interceptor will have limited access to the system (only one session).
|
A one-time password (OTP) is similar to a traditional password, but it's more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. Assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor can't use it for any future transactions. Similarly, if a malicious user obtains a valid user's OTP, the interceptor will have limited access to the system (only one session).
|
||||||
|
|
||||||
**Smart cards**
|
### Smart cards
|
||||||
|
|
||||||
Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN that provides access to the smart card. Smart cards have three key properties that help maintain their security:
|
Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN that provides access to the smart card. Smart cards have three key properties that help maintain their security:
|
||||||
|
|
||||||
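Review bot: the Passwords paragraph still reads "which makes it's easy for a malicious user" on both sides of the hunk; since the surrounding lines are being touched for the heading change anyway, change "it's" to "it". The `###` conversions for Passwords, One-time passwords and Smart cards are consistent with the earlier sections.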
@ -111,7 +111,7 @@ Additional security is achieved by the singular nature of the card because only
|
|||||||
|
|
||||||
The additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and users can misplace or lose them.
|
The additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and users can misplace or lose them.
|
||||||
|
|
||||||
**Virtual smart cards**
|
### Virtual smart cards
|
||||||
|
|
||||||
Virtual smart cards emulate the functionality of traditional smart cards. Instead of requiring the purchase of additional hardware, virtual smart cards utilize technology that users already own and are more likely to always have with them. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. The virtual smart card platform is limited to the use of the Trusted Platform Module (TPM) chip, which is on most modern devices.
|
Virtual smart cards emulate the functionality of traditional smart cards. Instead of requiring the purchase of additional hardware, virtual smart cards utilize technology that users already own and are more likely to always have with them. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. The virtual smart card platform is limited to the use of the Trusted Platform Module (TPM) chip, which is on most modern devices.
|
||||||
|
|
||||||
|
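Review bot: the last two sentences of the Virtual smart cards paragraph pull in opposite directions: "any device that can provide the three key properties ... can be commissioned as a virtual smart card" is immediately followed by "The virtual smart card platform is limited to the use of the Trusted Platform Module (TPM) chip". Suggest "In practice, the Windows implementation uses only the TPM" so the first sentence reads as a design principle and the second as what ships, and state the TPM as a requirement of the host rather than as something "on most modern devices".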
@ -29,35 +29,31 @@ To create and delete TPM virtual smart cards for end users, the Tpmvscmgr comman
|
|||||||
|
|
||||||
Virtual smart cards can also be created and deleted by using APIs. For more information, see the following classes and interfaces:
|
Virtual smart cards can also be created and deleted by using APIs. For more information, see the following classes and interfaces:
|
||||||
|
|
||||||
- [TpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707171(v=vs.85))
|
- [TpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707171(v=vs.85))
|
||||||
|
- [RemoteTpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707166(v=vs.85))
|
||||||
- [RemoteTpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707166(v=vs.85))
|
- [ITpmVirtualSmartCardManager](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanager)
|
||||||
|
- [ITPMVirtualSmartCardManagerStatusCallBack](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanagerstatuscallback)
|
||||||
- [ITpmVirtualSmartCardManager](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanager)
|
|
||||||
|
|
||||||
- [ITPMVirtualSmartCardManagerStatusCallBack](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanagerstatuscallback)
|
|
||||||
|
|
||||||
You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](https://channel9.msdn.com/events/build/2013/2-041).
|
You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](https://channel9.msdn.com/events/build/2013/2-041).
|
||||||
|
|
||||||
The following table describes the features that can be developed in a Microsoft Store app:
|
The following table describes the features that can be developed in a Microsoft Store app:
|
||||||
|
|
||||||
| Feature | Physical Smart Card | Virtual Smart Card |
|
| Feature | Physical Smart Card | Virtual Smart Card |
|
||||||
|----------------------------------------------|---------------------|--------------------|
|
|--|--|--|
|
||||||
| Query and monitor smart card readers | Yes | Yes |
|
| Query and monitor smart card readers | Yes | Yes |
|
||||||
| List available smart cards in a reader, and retrieve the card name and card ID | Yes | Yes |
|
| List available smart cards in a reader, and retrieve the card name and card ID | Yes | Yes |
|
||||||
| Verify if the administrative key of a card is correct | Yes | Yes |
|
| Verify if the administrative key of a card is correct | Yes | Yes |
|
||||||
| Provision (or reformat) a card with a given card ID | Yes | Yes |
|
| Provision (or reformat) a card with a given card ID | Yes | Yes |
|
||||||
| Change the PIN by entering the old PIN and specifying a new PIN | Yes | Yes |
|
| Change the PIN by entering the old PIN and specifying a new PIN | Yes | Yes |
|
||||||
| Change the administrative key, reset the PIN, or unblock the smart card by using a challenge/response method | Yes | Yes |
|
| Change the administrative key, reset the PIN, or unblock the smart card by using a challenge/response method | Yes | Yes |
|
||||||
| Create a virtual smart card | Not applicable | Yes |
|
| Create a virtual smart card | Not applicable | Yes |
|
||||||
| Delete a virtual smart card | Not applicable | Yes |
|
| Delete a virtual smart card | Not applicable | Yes |
|
||||||
| Set PIN policies | No | Yes |
|
| Set PIN policies | No | Yes |
|
||||||
|
|
||||||
For more information about these Windows APIs, see:
|
For more information about these Windows APIs, see:
|
||||||
|
|
||||||
- [Windows.Devices.SmartCards namespace (Windows)](/uwp/api/Windows.Devices.SmartCards)
|
- [Windows.Devices.SmartCards namespace (Windows)](/uwp/api/Windows.Devices.SmartCards)
|
||||||
|
- [Windows.Security.Cryptography.Certificates namespace (Windows)](/uwp/api/Windows.Security.Cryptography.Certificates)
|
||||||
- [Windows.Security.Cryptography.Certificates namespace (Windows)](/uwp/api/Windows.Security.Cryptography.Certificates)
|
|
||||||
|
|
||||||
## Distinguishing TPM-based virtual smart cards from physical smart cards
|
## Distinguishing TPM-based virtual smart cards from physical smart cards
|
||||||
|
|
||||||
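Review bot: the paragraph on Microsoft Store apps names the namespace "Windows.Device.SmartCards" on both sides of the hunk, while the reference link at the end of the same section correctly uses "Windows.Devices.SmartCards"; fix the paragraph while this file is open. The Channel 9 link (channel9.msdn.com/events/build/2013/2-041) is carried over unchanged; Channel 9 has been retired, so verify that the URL still resolves or point to the session's current location. The reordering of the API list and the `|--|--|--|` table separator are fine.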
@ -70,11 +66,13 @@ A TPM-based virtual smart card is labeled **Security Device** in the user interf
|
|||||||
## Changing the PIN
|
## Changing the PIN
|
||||||
|
|
||||||
The PIN for a virtual smart card can be changed by following these steps:
|
The PIN for a virtual smart card can be changed by following these steps:
|
||||||
- Sign in with the old PIN or password.
|
|
||||||
- Press Ctrl+Alt+Del and choose **Change a password**.
|
- Sign in with the old PIN or password
|
||||||
- Select **Sign-in Options**.
|
- Press Ctrl+Alt+Del and choose **Change a password**
|
||||||
- Select the virtual smart card icon.
|
- Select **Sign-in Options**
|
||||||
- Enter and confirm the new PIN.
|
- Select the virtual smart card icon
|
||||||
|
- Enter and confirm the new PIN
|
||||||
|
|
||||||
## Resolving issues
|
## Resolving issues
|
||||||
|
|
||||||
### TPM not provisioned
|
### TPM not provisioned
|
||||||
|
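Review bot: the steps under "Changing the PIN" form a sequence (sign in, press Ctrl+Alt+Del, choose Sign-in Options, select the card, enter the new PIN), but the hunk only strips the trailing periods and leaves them as an unordered bullet list. Consider numbering them, as ordered procedures elsewhere in this doc set are.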