Tags: certificate, pki, tpm, surface-pro

Creating virtual smart cards with attestations


At some point in the past few weeks, the following command has started failing when creating virtual smart cards on a Surface Pro device:

 tpmvscmgr create /generate /adminKey random /pin default /name Example /attestation AIK_AND_CERT

Requests fail with (0x80190190) Bad Request (400).

It is possible to create a virtual smart card without the /attestation flag (which is what I have typically done in the past). However virtual smart cards created this way fail when attempting to generate a certificate request including an attestation. Specifically, attempts to generate a certificate request using a CertificateRequestProperties structure with the AttestationCredentialCertificate field set fail with 0x80100022 - This smart card does not support the requested feature.

These errors occur on devices that previously worked. Any ideas why the behavior has changed or if it is temporary?


Solution

  • The issue was resolved by applying firmware patches to the Surface Pro 3 and Surface Pro 4 devices. The firmware update tool for Surface Pro 3 is here: https://www.microsoft.com/en-us/download/details.aspx?id=38826. The update for Surface Pro 4 is here: https://www.microsoft.com/en-us/download/details.aspx?id=49498. After updating the firmware, tpmvscmgr was able to create virtual smart cards using the AIK_AND_CERT parameter and the UWP APIs to include attestations in CSRs worked. It seems like the 1803 update included a change that requires these firmware patches.
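As an added example (not code from the question or the answer above), the following PowerShell script runs the attestation-backed tpmvscmgr command from the question and, when it fails with the Bad Request (400) HRESULT the poster saw, collects the TPM and system firmware versions so the device can be checked against the firmware updates named in the answer. It assumes tpmvscmgr.exe is on PATH, the session is elevated, and the error text contains the HRESULT 0x80190190 as quoted in the question.

```powershell
# Added example: try to create an attested virtual smart card and triage the
# (0x80190190) Bad Request (400) failure described in the question.
# Assumptions: tpmvscmgr.exe on PATH, elevated session, HRESULT present in output.
param(
    [string]$Name = 'Example'   # card name, as in the question's command line
)

function New-AttestedVsc {
    param([string]$CardName)
    # Same flags as the question; 2>&1 so error text is captured for matching.
    $out = & tpmvscmgr.exe create /generate /adminKey random /pin default `
        /name $CardName /attestation AIK_AND_CERT 2>&1 | Out-String
    [pscustomobject]@{
        ExitCode   = $LASTEXITCODE
        Output     = $out
        BadRequest = ($out -match '0x80190190')   # Bad Request (400) from the question
    }
}

function Get-FirmwareSummary {
    # Get-Tpm (built-in TrustedPlatformModule module) exposes the TPM
    # manufacturer firmware version; Win32_BIOS exposes the Surface UEFI version.
    $tpm  = Get-Tpm
    $bios = Get-CimInstance Win32_BIOS
    [pscustomobject]@{
        Model              = (Get-CimInstance Win32_ComputerSystem).Model
        SystemFirmware     = $bios.SMBIOSBIOSVersion
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        TpmManufacturer    = $tpm.ManufacturerIdTxt
        TpmFirmwareVersion = $tpm.ManufacturerVersion
    }
}

$result = New-AttestedVsc -CardName $Name
if ($result.ExitCode -eq 0 -and -not $result.BadRequest) {
    "Virtual smart card '$Name' created with AIK_AND_CERT attestation."
} else {
    Write-Warning "tpmvscmgr failed (exit $($result.ExitCode)):`n$($result.Output)"
    if ($result.BadRequest) {
        Write-Warning 'Attestation rejected with Bad Request (400): compare the firmware below with the Surface Pro 3/4 updates linked in the answer.'
    }
    Get-FirmwareSummary | Format-List
}
```

Record the firmware summary before and after applying the Surface update so the fix can be confirmed rather than inferred from a single successful run.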