Automated Installation

This section provides configuration requirements and guidance for deploying YKMD in an enterprise environment. The steps provided allow YKMD to be pushed out to all workstations from a central repository, without requiring administrative rights on the local workstation.

There are two ways to automate installing YKMD:

Method 1

Auto-install using a Startup Script. This is recommended for most environments. Create a startup script that can be pushed out via Group Policy Object (GPO). This automatically installs YKMD on ALL devices in the computer object OU that the GPO is linked to.

Method 2

End user install using Device Manager. This is recommended when YKMD needs to be available to a large number of users but only installed on an as-needed basis: Create a registry entry on all client workstations with a GPO setting allowing standard users to update the inbox drivers to YKMD, without requiring an admin to physically touch or access the machine for the install. This way, the users can insert the YubiKey, launch the Device Manager, and automatically update the smart card driver to the latest version of YKMD.

Note

The version number shown below (4.6.3.252) is only an example. The actual number changes as downloads are updated.

Installing via Group Policy Object

For large deployments, YKMD can be centrally installed via Group Policy Objects. By leveraging a PowerShell script for the necessary commands and a shared network drive accessible from every client station to distribute the YKMD files, an Administrator can automate the installation. When creating an installation script, an Administrator needs to ensure they define registry entries for the PUK Policy, the Touch Policy and the Debug Log Policy, as well as installing the INF file directly.

Preparing the Deployment Environment

The process for deploying the YKMD .cab file requires every endpoint to be connected to the enterprise GPO domain and to have access to a shared directory. For machines where this is not an option, such as those on isolated networks, YKMD needs to be installed manually.

Creating the Driver Store

The first step to deploying YKMD is creating a network shared directory for the YKMD .cab file. If you already have a network share for driver software, we recommend using the existing location. If not, you need to create a shared network folder, which is accessible with read and execute permissions for all users.

For this example, we create a new folder in the Z:\ drive.

1. Open File Explorer and browse to Z:\.

2. Create a new folder, such as: SoftwareShare.

   For example:

   

3. Inside this folder, create another folder, for example named YKMD. You can build this file structure per your standard naming convention.

4. Ensure the read, write, execute permissions on the folder are set as follows:

   • Read / Execute for Everyone or Authenticated Users
   • Read / Write / Execute for Administrators
   

   Share network path.

   

   Authenticated users permissions settings

   

   Administrators permission settings

Method 1 - Auto-Install via Startup Script

This process creates a PowerShell script for installing YKMD. This script is run with elevated permissions via GPO. It deploys YKMD upon startup, and continues to do so until the GPO object is disabled or removed.

Create the Minidriver Zip File

The PowerShell script deploys YKMD to the client machines as a zip file. Download the latest version of the YKMD and add it to a zip file named YKMD.zip.

Create the PowerShell Script

The PowerShell script used for the install script connects an endpoint to the shared network folder created previously. See Creating the Driver Store.

1. Copy the YKMD components to a local directory on the machine and install YKMD.

2. Create a PowerShell script with all the following items.

   1. Define the environmental variables at the start of the script.

   2. Copy the YKMD.zip to a shared folder which users have read permissions to replace the server with name of server that hosts the YKMD.zip.

      $server="Server"

   3. Replace folder_name with name of shared folder on the network.

      $shared_folder = "shared"

   4. Set temp folder location.

      $temp = "$env:windir\temp"

   5. Add file_name. The version number, 4.6.3.252, is an example. The actual number changes as downloads are updated.

      $YKMD = "YubiKey-Minidriver-4.6.3.252.cab.sha256"

   6. Add driver path.

      $DriverPath = "$env:windir\System32\DriverStore\FileRepository"

   7. Replace folder_name with folder name of destination.

      $destination = "YKMD"

   8. Set full path.

      $fullpath = $temp+"\"+$destination

   9. Add logging actions and create folder for logging and troubleshooting data.

      $logdir = "$temp\logs";

      $logfile = "yubikey.log"

      $logfullpath = $logdir+"\"+$logfile;

   10. Create folder to save logs.

       New-Item $logdir -ItemType Directory -force;

   11. Start recording logs. This doesn’t work if the script is run remotely.

       Start-Transcript -Path $logfullpath -force;

   12. Download YKMD from the shared folder and install.

       copy-item "\\$server\$shared_folder\YKMD.zip" -Destination $temp -force;

   13. Extract the contents of the zip folder.

       Expand-Archive -Path "$temp\YKMD.zip" -DestinationPath $fullpath -force;

   14. Extract the contents of the .cab file.

       cmd.exe /c expand $fullpath\$YKMD -F:* $fullpath | Out-Null

   15. Install the .inf driver.

       Get-ChildItem $fullpath -Recurse -Filter "*inf" | ForEach-Object { PNPUtil.exe /add-driver $_.FullName /install }

   16. Import the registry keys.

       rundll32.exe setupapi.dll,InstallHinfSection Yubico64_61_Install 132 $fullpath\YKMD.inf

   17. Remove the comment # from next line to create the device node or leave the comment to let Windows handle creating the device node when the YubiKey is inserted.

       #cmd.exe /c DrvInst.exe "5" "2" "$DriverPath\YKMD.inf_amd64_24989c5c4b9230ad\YKMD.inf" "0" "4e6904753" "0000000000000238" "WinSta0\Default"

   18. Enable the Smart Card Service.

       Get-Service -Name "Scardsvr" | Set-Service -StartupType Automatic

   19. Stop logging.

       Stop-Transcript

3. Save this PowerShell script (.ps1) on the Windows Server for deployment.

Configure the GPO

After the installation PowerShell script file is created, create the Group Policy Object to run the script. To do this, create a new GPO and link it to the location of the computer objects which require YubiKey Minidriver.

1. Click Start > Run > gpmc.msc.

2. Navigate to your domain and locate the OU for the computer objects.

3. Right-click and select Create a GPO in this domain and Link it here.

4. Create a descriptive name for this GPO, such as: YKMD Deploy.

   Example:

   

Edit YKMD Deploy GPO

1. Right-click the new YKMD Deploy GPO and select Edit.

2. Expand Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).

3. Right-click Startup and select Properties.

   1. Select Add then Browse.

   2. Using another file explorer window, browse to your startup script (.ps1), then copy and paste the file into the File name field.

      

   3. Select the file, then select Open.

   4. With the script in the Script Name field, select OK.

      

4. Select OK once more to complete the GPO configuration.

Method 2 - Standard User Install (Manual Update)

This process configures endpoints to make YKMD available to install when the standard user is ready. This does not install YKMD until the user requests it via the Device Manager.

Preparing YKMD for Distribution

1. Download YKMD from the Yubico Support site.

   1. See Windows Smart Card Applications and Tools
   2. Scroll down the page to YubiKey Smart Card Minidriver (Windows).
   3. Download the latest release of the YubiKey Minidriver.

2. Extract the downloaded contents:

   
   1. Browse to your downloads directory.
   2. Double click the YKMD .cab file to open and view the contents.
   3. Select All.
   4. Right-click > Extract.
   5. Select either a local directory or extract directly to the fileshare created in previously. See Creating the Driver Store.

Configure the GPO

Confirm that the file share is configured and accessible to all client workstations, and that YKMD is extracted to that directory. Once this is accomplished, proceed to configure the GPO.

The Group Policy Object handles two things:

• Making the client workstations aware of the location of YKMD. This is accomplished via an updated Registry setting.
• Allowing standard users to install YKMD without requiring admin privileges. This is accomplished via whitelisting the GUID of YKMD.

Create a new GPO

In the location of the computer objects that require YKMD, create a new GPO and link it.

1. Click Start > Run > gpmc.msc.

2. Navigate to your Domain and locate the OU for the computer objects.

3. Right-click and select Create a GPO in this domain and Link it here.

4. Create a descriptive name for this GPO, such as: YKMD Deploy.

   For example:

   

5. Edit this GPO to complete the configuration. Complete the steps in the following sections.

Client Registry Setting

Update device path

Update the existing Device Path registry setting to reference the newly created driver store.

1. Right-click the new YKMD Deploy GPO and select Edit.

2. Expand Computer Configuration > Preferences > Windows Settings > Registry.

3. Right-click Registry and select New > Registry Wizard.

   

Create new Registry

The Registry wizard walks you through creating the new Registry setting for your client machines.

1. When the registry browser comes up, browse to Another Computer or use the Local Computer since this registry setting should be the same on both. For this example, we are using Local Computer.

2. Select Local Computer, then click Next.

3. Browse to: HKLM > Software > Microsoft > Windows > CurrentVersion.

4. From the CurrentVersion panel, in the bottom window, scroll down and select DevicePath.

   For example:

   

5. Click Finish.

Update New Registry

Update this new Registry value to append the newly created file share to its search locations. You can append any number of fileshare locations, just separate them with a semicolon.

1. Select the Registry Wizard Values created in Create new Registry and rename it to something more descriptive. For example, YKMD Deploy.

2. Fully expand the new registry value.

3. Double-click the Device Path so you can edit the contents.

   

4. Update the last field, Value Data.

   To update, add the following to the existing value:

   ;\\<servername>\<filepath>\<driverstore>

   Note the semicolon at the beginning of the string.

   For example:

   %SystemRoot%\inf;\\<servername>\SoftwareShare\YKMD

   The final value should resemble the following:

   

5. Click Apply. Then click OK to save your settings.

Whitelisting the YKMD GUID

This step allows a silent install that does not require the user to elevate to an admin account.

Locate the GUID of YKMD

1. Browse to the extracted contents of the YKMD .cab file.

2. Select the file YKMD.inf, right-click and open with a text editor.

3. Find the line ClassGuid=.

   For example:

   

4. Copy and paste the full content of that line after the =.

   For example:

   ClassGuid={990A2BD7-E738-46c7-B26F-1CF8FB9F1391}

   The GUID: {990A2BD7-E738-46c7-B26F-1CF8FB9F1391} brackets included, is what we are whitelisting.

Enable and Configure Group Policy

Enable and configure the Group Policy with the updated GUID value:

1. Select the Group Policy YKMD Deploy created earlier. See Configure the GPO.

2. Browse to: HKLM > Policies > System > Driver Installation.

3. Select Allow non-administrators to install drivers for these device setup classes.

4. Right-click, and select Edit.

   1. Select Enabled.

   2. Under Options on the bottom left, select Show.

   3. Add the GUID Value from Locate the GUID of YKMD into the next open line. If you have not used this before, this is the first line.

      For example:

      

   4. Select OK > Apply > OK.

Completing the Installation

Confirm the following installation steps are completed.

1. Creation of a network file share to host and distribute YKMD.

2. Download and extraction of YKMD.

3. GPO created and applied to the computer objects which require YKMD.

4. GPO configured based on Method 1 or Method 2 below:

   Method 1

   Push the PowerShell script file to auto-install YKMD.

   Method 2

   1. Client-side registry update.
   2. Whitelist of YKMD GUID for installation by non-admin users.

   Important

   If any of the above is not completed, review the instructions in this chapter, before proceeding.

Issue a Group Policy Update

This can be issued as soon as Method 1 or Method 2 tasks are completed. The version numbers shown are examples. The actual number changes as YKMD is updated.

1. Refresh the Group Policy for all clients and publish the new changes.

   From the command line, issue the command:

   gpupdate /force

   For example:

   

2. If the client computer does not have YKMD installed:

   Method 1

   The end-user must reboot their computer. YKMD is installed during the next reboot.

   Method 2

   The end-user updates YKMD through the Device Manager.

   1. Launch the Device Manager.
   2. Select YKMD.
   3. Select Update > Search automatically for updated driver software.

3. Confirm YKMD is successfully installed. Open Device Manager.