Making (virtual) smartcard available to system service

I have a VM running Windows Server 2019 Datacenter Core, which is running a Jenkins build agent as a noninteractive service with its own local user account (.\build).

Now I'd like to add code signing. To have at least a semblance of security, I want to use a virtual smartcard that is based on crypto operations on the host, so an attacker who is interested in copying key material would need to break out of the VM.

I have configured a virtual USB CCID reader with a card permanently inserted, and it shows up in Windows:

PS> Get-PnpDevice
...
Error      SmartCardReader Microsoft Usbccid Smartcard Reader (WUDF)                                        USB\VID_08E6...
...

First, the Error state is concerning. I have applied this fix, which seems to have improved things a bit (the card shows up OK right after boot), but that doesn't seem permanent.

The problem where I'm truly stuck however is the security model for smartcard access. Most documentation I could find concerns using the smartcard for logon, for which the policy is simple: the logon UI has access to the card to verify credentials, then passes on this access to the user session.

In my case however, I have a noninteractive logon that isn't associated with a desktop. When I manually start the SCardSvr and ScDeviceEnum services, I cannot access the card even as Administrator when logged in via SSH:

The Microsoft Smart Card Resource Manager is not running.
SCardAccessStartedEvent: Service is in an unknown state.
CertUtil: -SCInfo command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.

which makes sense, and from the local console, as Administrator, I get

PS> certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
SCardEstablishContext: The Smart Card Resource Manager is not running. 0x8010001d (-2146435043 SCARD_E_NO_SERVICE)
SCardEstablishContext failed for user scope.

The two services also terminate by themselves after two minutes.

Questions:

• How can I verify that the emulated smartcard is seen as inserted and possibly list the contained certificates?
• How can I give permission to a user to access the smartcard (certutil -scinfo would probably show that)?
• How can I import a certificate that already exists on the smartcard into the local user's key store? Do I need the original P7 certificate, or can I pull that from the card itself?
• Do I need to do anything to keep the service running continuously, or will resolving the access problems also allow it to demand-start?

I think I may have a solution for you: Windows seems to select the wrong device driver on Windows Server. On Windows Server the device shows up as "Microsoft Usbccid Smartcard Reader (UMDF2)", whereas on a desktop windows it shows up as "Microsoft Usbccid Smartcard Reader (WUDF)"

I do not know why this happens, but the following worked for me:

1. Open Device Manager
2. Right click the smart card reader device that shows a problem -> Update Driver
3. Browse my computer for drivers
4. Let me pick from a list of available drivers on my computer
5. Select Microsoft Usbccid Smartcard Reader (WUDF) instead of the UMDF2 version.
6. Click next to complete the driver change

What is a bit annoying about this is if you plug in the device on a different USB port, then you have to do the same again.

So if anybody knows how to make this permanent I'd be very happy to hear about it. It probably involves modifying the inf files a bit?

• For the broken UMDF2 driver it uses this inf file: C:\Windows\System32\DriverStore\FileRepository\usbcciddriver.inf_amd64_d3361c9b119e0de8
• For the working WUDF driver it uses C:\Windows\System32\DriverStore\FileRepository\wudfusbcciddriver.inf_amd64_a32870cf151b98c5

(the hash parts of the file name might differ a bit depending on the windows version)