
YubiKey Minidriver Deployment Guide

Deploying the YubiKey Minidriver to Workstations and Servers – Yubico

Uploaded by

kbal33

23/02/2023 12:23 Deploying the YubiKey Minidriver to Workstations and Servers – Yubico
https://support.yubico.com/hc/en-us/articles/360015654560-Deploying-the-YubiKey-Minidriver-to-Workstations-and-Servers 1/8
Deploying the YubiKey Minidriver to Workstations and Servers
David Maples
Reading time 9 min(s)
 Created August 3, 2020 - Updated 3 months ago

Compatible devices

✅ Compatible: YubiKey 5 FIPS Series
⛔ Incompatible: YubiKey Bio Series
⛔ Incompatible: YubiKey C Bio - FIDO Edition
⛔ Incompatible: YubiKey Bio - FIDO Edition
⛔ Incompatible: Security Key Series
✅ Compatible: YubiKey 5 Series
✅ Compatible: YubiKey FIPS (4 Series)
⛔ Incompatible: YubiHSM Series
🤔 Mixed compatibility: Legacy Devices
✅ Compatible: YubiKey 4 Series

Main Page: YubiKey Smart Card Deployment Guide
Previous: Smart Card Deployment: Manually Importing User Certificates

TABLE OF CONTENTS

YubiKey Minidriver Installation
Manual Install
MSI File install
CAB File install
Command Line Install
Installing via Group Policy Object
Setting PIN Unblock Code (PUK)
Setting Touch Policy
Logging Minidriver Behavior


YubiKey Minidriver Installation
The Minidriver must be installed on every machine where the YubiKey will be used as a smart
card. This includes the servers that users connect to remotely, as well as the
connecting PC. The YubiKey Minidriver is available to be downloaded directly from the
Yubico website at https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/.
When installing the YubiKey Minidriver, users can choose between an MSI installer, run
either from the Windows GUI or from the command line, and a CAB file. It is recommended to
use the MSI installer for local installations, the MSI installer via command line for remote
computers and servers, and the CAB file for large enterprise deployments in conjunction with
a Group Policy Object Endpoint Configuration utility.

Manual Install

The YubiKey Minidriver can be downloaded directly from the Yubico website and be
distributed and installed manually by anyone with administrator rights on the computer.
The Minidriver software is available both as an MSI installer for 32- and 64-bit systems and
as a CAB file.

MSI File install

The MSI Installer is the preferred method of manually installing the YubiKey Minidriver.
1. Download the YubiKey Minidriver, available at
https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/
as an MSI file. Select the 32- or 64-bit installer as appropriate for the environment it will be
installed on.

2. Locate and double-click the YubiKey-Minidriver MSI Windows Installer.

3. Follow the prompts to install the driver. If prompted, restart your computer.

Note that the MSI installer will automatically look for, and uninstall, previously installed
YubiKey Smart Card driver versions, whether they came from a CAB file, Windows Update, or an
earlier Windows installer package.

CAB File install

Installing the YubiKey Minidriver via CAB file is suggested in cases where installing via the
MSI installer is prohibited. It is recommended to remove any previous version of the Yubico
Minidriver prior to installing the latest version via the CAB file.
1. Download the YubiKey Minidriver, available at
https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/
as a CAB file.

2. Extract the downloaded CAB file to your preferred location. This can simply be done via
the command line interface using the Expand command. For example, to extract the
contents to the C:\ykmd directory, use the command:
expand.exe yubikey-minidriver-4.1.1.210.cab -F:* C:\ykmd

3. Ensure no YubiKey is currently connected to your computer.

4. Locate and right-click on ykmd.inf and select Install.

5. Follow the prompts to install the driver. If prompted, restart your computer.

Note that earlier versions of the minidriver will not be automatically removed when
installing via the CAB file.

Command Line Install

The YubiKey Minidriver MSI can also be installed via command line using the msiexec
command. The basic command line install command is:

msiexec /i YubiKey-Minidriver-4.1.1.210-x64.msi

To install in unattended mode with no user interaction required, include the /passive flag:

msiexec /i YubiKey-Minidriver-4.1.1.210-x64.msi /passive

To install in quiet mode with no user interaction or dialog, use the /quiet flag:

msiexec /i YubiKey-Minidriver-4.1.1.210-x64.msi /quiet

When deploying the Minidriver to remote servers where the YubiKey cannot be
physically inserted, a legacy node must be created to load the minidriver. To do so,
install the minidriver with the INSTALL_LEGACY_NODE=1 option set:

msiexec /i YubiKey-Minidriver-4.1.1.210-x64.msi INSTALL_LEGACY_NODE=1 /quiet


Installing the MSI with the Legacy Node option enabled on servers will prevent the Smart
Card Logon Over RDP Fails with "Requested Key Container is not Available" error.

Installing via Group Policy Object

For large deployments, the YubiKey Minidriver can be centrally installed via Group Policy
Objects. By leveraging a PowerShell script for the necessary commands and a shared
network drive accessible from every client station to distribute the YubiKey Minidriver files,
an Administrator can automate the installation. When creating an installation script, an
Administrator will need to ensure they define registry entries for the PUK Policy, the Touch
Policy and the Debug Log Policy, as well as installing the INF file directly.

Installation verification

Following is a PowerShell script that can be used to verify proper installation of the YubiKey
Smart Card Minidriver. This script needs to be run in a PowerShell window with elevated
permissions:

Get-WindowsDriver -Online | where {($_.ProviderName -like "Yubico") -and ($_.C

Setting PIN Unblock Code (PUK)


When a YubiKey is used with the YubiKey Minidriver for the first time, the YubiKey
Minidriver checks to ensure default values are not being used for the management key and
the PIN Unblock Code (PUK). If the default values are in use, the YubiKey Minidriver will
upgrade the Management key to a protected value and block the PUK. A blocked PUK will
prevent the PIN Unblock function from being active.
To prevent the PUK from being blocked, the local registry must be configured prior to
setting up keys.
Key: HKLM\Software\Yubico\ykmd

Value: BlockPUKOnMGMUpgrade (DWORD) - 0 turns off the PUK block feature, any
other value enables it

The YubiKey Minidriver supports unlocking a blocked PIN using the built-in Windows UI. To
enable this function, you need to enable the Allow Integrated Unblock screen to be
displayed at the time of logon in Windows Group Policy. This configuration setting is
located in: Computer Configuration->Administrative Templates->Windows
Components->Smart Card
For the PUK to remain unblocked, YubiKey Manager or the Yubico PIV Tool must be used to
set a non-default PUK prior to using the Windows interface to load or access certificates
stored on the YubiKey. When the Minidriver first accesses the YubiKey, it will check if the
PUK is set to the default value - for PUKs with user supplied values, this will cause the retry
counter to decrement by one. This can be reset by entering the correct PUK via the
Windows interface, but requires changing the PIV PIN.
Setting the PUK can be accomplished in YubiKey Manager by navigating to Applications >
PIV > Configure PINs > Change PUK.
For using the command-line version of YubiKey Manager (ykman), see the section ykman
piv change-puk on https://support.yubico.com/support/solutions/articles/15000012643-yubikey-manager-cli-ykman-user-manual.
For using Yubico PIV tool, refer to the documentation on
https://developers.yubico.com/yubico-piv-tool/.

Setting Touch Policy

The YubiKey can be set to require a physical touch to confirm any cryptographic operations.
This is an optional feature to increase security, ensuring that any authentication operation
must be carried out in person. The YubiKey Minidriver sets the touch policy when a key is
first imported or generated. Once set for a key on the YubiKey, the policies cannot be
changed.
By default, keys imported or generated through the minidriver are created with the touch
policy disabled.
To alter the policy behavior, the registry must be configured prior to setting up keys, either
on the station enrolling the keys or pushed out to all machines using Group Policy Objects.
Key: HKLM\Software\Yubico\ykmd

Value: NewKeyTouchPolicy (DWORD) - sets the touch policy on new keys
generated/imported through the minidriver. Accepted values are:

1 <Never> - Default policy of never requiring a user touch.

2 <Always> - Policy is set to require a user touch to confirm each and every
cryptographic operation. Yubico does not recommend using this setting, as some
Windows services, such as login, may require multiple cryptographic operations in a
short time span.

3 <Cached> - Policy is set to require physical touch once, then allow for cryptographic
operations in a small time window afterwards. For using the physical touch option
with Windows Smart Card Logon, this option is required.

Note: Due to OS limitations, there is no visual prompt on the screen when touch is
required in this scenario (Microsoft's minidriver specification that ykmd is based off
of has no concept of touch requirement).
Logging Minidriver Behavior
Should errors occur in the use of the YubiKey as a PIV Smart Card with the YubiKey
Minidriver, error logging can be enabled on the local computer using the registry. Once
enabled, log files will be created per running process in C:\Logs. See here for additional
troubleshooting steps.

Key: HKLM\Software\Yubico\ykmd
Value: DebugOn (DWORD) - 1 enables error logging.
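
An installation script of the kind the Group Policy section describes, combining the PUK, touch and debug-log registry values with the INF install and the driver query from the verification step. This is an added example, not Yubico's own script. The parameter names, the catalog signature check and the use of pnputil.exe to install ykmd.inf are assumptions; C:\ykmd is the extraction directory from the CAB example.

```powershell
#Requires -RunAsAdministrator
# Added example, not Yubico's script. Run it before any YubiKey is enrolled on the machine.
param(
    [string]$DriverDir = 'C:\ykmd',               # assumption: CAB already expanded here
    [ValidateSet(0, 1)][int]$BlockPuk = 0,        # 0 turns off the PUK block feature
    [ValidateSet(1, 2, 3)][int]$TouchPolicy = 1,  # 1 Never, 2 Always, 3 Cached
    [switch]$EnableDebugLog                       # writes DebugOn=1; logs go to C:\Logs
)
$ErrorActionPreference = 'Stop'
$key = 'HKLM:\Software\Yubico\ykmd'

# 1. The policy values must exist before the minidriver first accesses a key:
#    a blocked PUK or a touch policy already set on a key cannot be undone here.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
$policy = [ordered]@{
    BlockPUKOnMGMUpgrade = $BlockPuk
    NewKeyTouchPolicy    = $TouchPolicy
}
if ($EnableDebugLog) { $policy['DebugOn'] = 1 }
else { Remove-ItemProperty -Path $key -Name DebugOn -ErrorAction SilentlyContinue }
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord `
        -Value $policy[$name] -Force | Out-Null
}

# 2. Refuse a package copied from the share if its catalog signature does not validate.
#    Assumption: the extracted package ships at least one .cat file next to ykmd.inf.
$inf  = Join-Path $DriverDir 'ykmd.inf'
$cats = @(Get-ChildItem -Path $DriverDir -Filter *.cat)
if (-not (Test-Path $inf) -or $cats.Count -eq 0) {
    throw "Incomplete driver package in $DriverDir"
}
foreach ($cat in $cats) {
    $sig = Get-AuthenticodeSignature -FilePath $cat.FullName
    if ($sig.Status -ne 'Valid') { throw "$($cat.Name): signature status $($sig.Status)" }
}

# 3. Install the INF. The CAB path does not remove earlier minidriver versions.
& pnputil.exe /add-driver $inf /install
if ($LASTEXITCODE -ne 0) { Write-Warning "pnputil exit code $LASTEXITCODE" }

# 4. Report what is now installed and which policy values are in effect.
Get-WindowsDriver -Online | Where-Object { $_.ProviderName -like 'Yubico' } |
    Select-Object Driver, OriginalFileName, Version
Get-ItemProperty -Path $key |
    Select-Object BlockPUKOnMGMUpgrade, NewKeyTouchPolicy, DebugOn
```

Pass -TouchPolicy 3 on enrollment stations where touch is to be used with Windows Smart Card Logon.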
Next: YubiKey PIN and PUK User Management on Windows

Yubico © 2023. All Rights Reserved.

