If the PUK has been set to a value other than the default, this will cause a failed attempt to decrement the PUK retry counters by one. To prevent the YubiKey Minidriver from being reinstalled after removal, it can be blocked via the Windows Group Policy. For Provider category, click the arrow and select Key Storage Provider from the dropdown. For example, if a file is written to the smart card, the CSP cache becomes out-of-date for the files, and other processes read the smart card at least once to refresh their CSP cache. The following figure shows the interfaces between card minidrivers and CAPI2-based applications.


The user interacts with a tile to supply the proper credentials. The YubiKey Minidriver can be downloaded directly from the Yubico website and be distributed and installed manually by anyone with administrator rights on the computer.

Smart Card Architecture (Windows 10) | Microsoft Docs

On the Security tab, make sure the user or group designated as an Enrollment Agent has Read and Enroll permissions on the template, and then click OK.

For Request hash, click the arrow and select SHA from the list displayed. If adding the complete certificate chain is required, the YubiKey Minidriver enables root and intermediate certificates to be imported through the MS Certutil command line utility. An Error is logged for all failed RSA key generation events on vulnerable YubiKey 4 that were blocked based on a user or admin configuration option.


If the system attempts to create a new container and the specified container already exists on this smart card, the process fails. It also uses the Smart Card Resource Manager to access the card directly. Common situations covered are: Call CryptGenKey to create the key.

Credential providers are also designed to support application-specific credential gathering, and they can be used for authentication to network resources, joining computers to a domain, or to provide administrator consent for User Account Control (UAC).

After taking ownership of the directory, grant full control access to the directory and the files within it using the icacls command.

For type I and type II container specification levels, the smart card selection process is less complex because only the smart card in the named reader can be considered a match. Three types of objects or data are cached by the CSP: This is the expected behavior for USB and smart card combination devices. We recommend that a qualified domain administrator be placed in charge of the process and that you use these instructions as a guideline for deployment. Data caching: Each CSP implements the current smart card data cache separately.

Smart Card Minidriver Certification Test | Microsoft Docs

This section helps you determine the next steps in your YubiKey smart card deployment process using the YubiKey Minidriver. Permissions for [group name]: If it cannot be found, the process fails. The default value is “True”.


Allow Active Directory to update. When the Minidriver first accesses the YubiKey, it will check if the PUK is set to the default value – for PUKs with user-supplied values, this will cause the retry counter to decrement by one. Auto-enrollment, enabling users to register their YubiKey directly through the Windows built-in certificate provisioning process. For example, using the directory from step 3, the command would be: Component Description Winlogon Provides an interactive sign-in infrastructure.

This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times.

Otherwise, use the first available smart card that meets the above criteria for the container creation.

Smart Card Minidriver Versions

For more information, see the command line description later in this document. By granting enrollment agent permissions to one or more users or groups, your administrators or help desk accounts with elevated permissions can enroll certificates on behalf of other users through the Microsoft Management Console.

If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. Up to twelve (12) certificates can be stored concurrently.