Initialize TPM virtual smart card in Google Cloud VM running Windows Server

After setting up a Windows Server with a vTPM (see https://cloud.google.com/blog/products/gcp/security-in-plaintext-use-shielded-vms-to-harden-your-gcp-workloads) in Google Cloud VM and accesing to it through Remote Desktop Services (RDS), when trying to initialize the TPM virtual smart card with a command like the following:

Tpmvscmgr.exe create /name "TestVirtualSC" /pin prompt /adminkey default /generate

The following error is produced:

Creating TPM Smart Card...
TPM Virtual Smart Card management cannot be used within a Terminal Services session.
    (0x800704d3) The request was aborted.

So, is there any way to initialize the TPM virtual smart card through a remote RDS session?, or alternatively, is there any other way to initialize it in a Google Cloud VM running Windows Server?.

You can use the Emergency Management Services (EMS) console which once connected, will present you with a Command Prompt.

1. From your terminal or in Cloud Shell, enable connections to the serial ports on your VM:

gcloud compute instances add-metadata <VM-NAME> --metadata=serial-port-enable=1

Replacing <VM-NAME> with the name of the VM on which to enable the serial ports.

2. Connect to the EMS console on serial port 2 of your VM:

gcloud compute connect-to-serial-port <VM-NAME> --port 2

Replacing <VM-NAME> with the name of the VM with the serial port to connect to.

3. Verify that you see output similar to the following:

Computer is booting, SAC started and initialized.

Use the "ch -?" command for information about using channels.
Use the "?" command for general help.

SAC>
EVENT: The CMD command is now available.
SAC>

4. Create a new command prompt session by using the cmd command and verify output similar to the following:

The Command Prompt session was successfully launched.
SAC>
EVENT:   A new channel has been created.  Use "ch -?" for channel help.
Channel: Cmd0001
SAC>

5. Connect to the new command prompt session by using the ch -si 1 command and verify output similar to the following:

Name:                  Cmd0001
Description:           Command
Type:                  VT-UTF8
Channel GUID:          28de7392-5413-11ea-bb03-c9656a2ed613
Application Type GUID: 63d02271-8aa4-11d5-bccf-00b0d014a2d0

Press <esc><tab> for next channel.
Press <esc><tab>0 to return to the SAC channel.
Use any other key to view this channel.

6. Press Enter to connect to the session.

7. Sign in to the session by entering your login credentials for this VM, after which the EMS console opens in the C:\Windows\system32 directory. Type help for a list of available commands in the EMS console.

Links:

• https://cloud.google.com/compute/docs/troubleshooting/troubleshooting-windows#ems-console
• https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc736319(v=ws.10) (Note: It says it applies to WS 2003, however it applies to all versions of Windows since 2003.