This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 31%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Hello,
As we know, we can do windows device logon with "Certificate based authentication" Microsoft Entra users can authenticate using X.509 certificates on their smart cards directly against Microsoft Entra ID at Windows sign-in.
To be precise about above statement
Does that mean that I have to use only physical smart-cards (CAC, PIV, yubikey) for windows logon ??
OR
Can the virtual smart-card (cert in TPM, cert in user's personal file store ) be also usable for windows logon ??
Thanks.
@Fabio Andrade Any update ?? is this possible ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 96%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFA%3C/text%3E%3C/svg%3E)
Hi @testuser7
I just wanted to check in and see if you had any other questions or if you were able to resolve your issue.
If you have any other questions, please let me know.
Thanks,
Fabio
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 84%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECG%3C/text%3E%3C/svg%3E)
Hello @Fabio Andrade , it was a detailed response. However, I am unable to get the "smart card icon" at the login screen. I do see the Security Key icon, clicking on which prompts to insert the Security key in the USB slot. I am trying to login via virtual smart card (certificate stored in the user key store in the device). I ensured the user was enabled for CBA and verified it by logging in myapps.microsoft.com using certificate.
What configuration do I need to enable to get this smart card icon on the login screen?
Thanks in advance. Regards.
Hi @testuser7
Thanks for reaching out to Microsoft Q&A.
You can use either virtual or physical smart cards, there's no limitation on this regard.
The documentation below has more details about Windows smart card sign-in using Microsoft Entra certificate-based authentication and it also has information about the user experience, prerequisites and caveats:
Let me know if you have further questions.
Thanks,
Fabio
Thanks @Fabio Andrade
So as you said, we can use virtual smart-card (cert in TPM, cert in user's personal file store ) for Windows logon.
So let's say there is AAD-joined windows laptop where previously two AAD-users had logged in and managed to obtain and store their own personal-certs in their respective personal file store.
Let's say user1 got Certs C1 & C2 and user2 got Certs C3 & C4
Now if I reboot the machine and from the lock-screen when I click smart-card icon, I believe I will be shown following certificate-picker to pick one of the certs and enter its PIN to unlock the device.
My question is, how is it decided which user's personal certificates to be shown ??
Remember there is NO need to put any UPN.
Thanks.
Hi @testuser7
The Windows OS will exhibit a list of client sign in certificates available on the device. The document below explains how it works on the Windows side:
Just remember that the users must be in the scope of Cert Based Authentication on Entra ID and also, even though the user is required to type its UPN at windows sign in page, UPN is the attribute to be sent to Entra ID, so it must be in the certificate like the document below states, otherwise the user might be prompted to provide an UPN:
Let me know if you have further questions.
Thanks,
Fabio