MSIX blocks TPM


Appears when you package an application that either writes to TPM or, even more importantly, READS from TPM, MSIX is blocking access.

Any thoughts about adding support / pass-through to access TPM?

2 Replies

Couple of Examples

1. If you were to package a browser with MSIX and your organization uses virtual smartcard, X.509 certificates, etc. that are stored in TPM for authenticating to Web Sites or SaaS applications ... the Browser which has been packaged as an MSIX cannot access the certificate stored in TPM ... making authentication with a certificate impossible.

2. If an organization asks a user to present strong credentials ... like a virtual smartcard, X.509 certificate, etc. that is stored in TPM to change their password ... the application fails when attempting to read the Certificate stored in TPM.

3. If you package an application which helps users to acquire a certificate that is stored in TPM - Virtual Smartcard, X.509, etc. the application will FAIL when writing to TPM.

It's great feedback and we will look to add it to the backlog. You can also add it to the public ideas section and we can update the progress, as well as other folks can chime in.

John.