YKMD Installation

The YKMD must be installed on all machines where the YubiKey is used as a smart card for access. These include servers to which users remotely connect, as well as the connecting PC. The YKMD can be downloaded directly from the Yubico website at Smart card drivers and tools. Scroll down the page to YubiKey Smart Card Minidriver (Windows).

Note

The YKMD is no longer available through Microsoft Windows Update.

When installing the YKMD, there are two options.

MSI installer

Using either the Windows GUI or the command line

We recommend using the MSI installer through the Windows command line for local installations and for remote computers and servers. See Automated Installation.

If the MSI installers are blocked, use the CAB installation method.

CAB file

For large enterprise deployments, Yubico recommends using the CAB file in conjunction with a Group Policy Object Endpoint Configuration utility. This allows installation onto domain-connected machines. See Automated Installation.

Yubico recommends using any software management platform already in place to deploy the YKMD to an enterprise environment.

Deploying the YKMD with specific settings, such as legacy_nodes and silent_install, requires an .mst file to enable these options in addition to the GPO.

For information on setting up a Windows Certification Authority for smart card authentication or enabling enroll on behalf of permissions for administrators, see the Manual Installation.

When using existing keys, the YKMD updates the YubiKey's PIV containers so that Windows can access credentials already present on the YubiKey. This applies to slots containing RSA and ECC keys with corresponding valid certificates, if the keys and certificates are added manually through other tools. This function is blocked if the management key is manually changed using another tool.

Note

We recommend not provisioning credentials on the YubiKey using the Windows certificate enrollment dialogs (enabled by the YubiKey Minidriver) in parallel with other tools such as the YubiKey Manager or Yubico Authenticator. If your environment uses macOS and Linux in conjunction with Windows PCs, use the YubiKey Manager instead of the YubiKey Minidriver and native Windows components. See the YubiKey Manager (ykman) CLI and GUI Guide.