Configuring the YubiKey Minidriver Registry
The YubiKey Minidriver can be configured for non-default behavior through registry values placed under a single key.
To configure the YubiKey Minidriver registry entries:
- As administrator, open the Registry Editor.
- Create the key HKEY_LOCAL_MACHINE\SOFTWARE\Yubico\ykmd.
- Refer to the table below and add the applicable DWORD value(s) under that key.
- Close the Registry Editor and reboot the machine so the minidriver reads the new values.
YubiKey Minidriver Registry Key Reference
Important
Always test a configuration thoroughly before deploying it, and conduct that testing in a controlled test environment. Not all of the settings below are available in older releases of the YubiKey Minidriver, so use the latest version.
| Setting | Type | Default (other values) | Description |
|---|---|---|---|
| AutoFingerprint | DWORD | 1 (0) | Controls the biometric authentication dialog for the YubiKey Bio Multi-protocol Edition. Default 1: the YubiKey Minidriver immediately asks for fingerprint verification if a fingerprint is enrolled on the device and is not blocked. Set to 0 to disable this behavior. |
| BlockPUKOnMGMUpgrade | DWORD | 1 (0) | Controls availability of the PUK while the YubiKey is configured with known values. Default 1: the YubiKey Minidriver restricts PUK access while the PUK is at its factory value, 12345678. Set to 0, PUK functionality is not restricted, regardless of whether the factory value is unchanged. Note: allowing PIN unblock (PUK) with a known factory value is a security concern. |
| DebugOn | DWORD | 0 (1) | (Optional) Enables writing a debug log. Set to 1 to enable; the log is saved to C:\Logs. |
| DebugVerbosity | DWORD | 0 (1-3) | Requires DebugOn set to a non-zero value. Sets the logging level used by the YubiKey Minidriver and its dependencies. Valid values are 0 (none) through 3; higher values increase the APDU-level verbosity. |
| ExternalPinCachePolicy | DWORD | 2 (0-3) | Overrides the PIN_CACHE_POLICY_TYPE for the external PIN_ID in the YubiKey Minidriver, which controls how the YubiKey Bio PIN (fingerprint) is cached. Accepts any valid PIN_CACHE_POLICY_TYPE numeric value; see Note 1. Default 2 (PinCacheNone). |
| ManageCSPCache | DWORD | 1 (0) | Determines whether the container map synchronization check clears the BaseCSP's cached data, compelling the BaseCSP to retrieve the container map and certificate details from the YubiKey Minidriver again. Set to 0 (disabled), certain card modifications are not reflected in the BaseCSP. Note: disabling this feature can improve certificate enumeration performance. |
| NewKeyTouchPolicy | DWORD | 1 (2, 3) | (Optional) Sets the touch policy applied to newly generated PIV keys. Default 1: touch is not required for PIV operations. Set to 2, touch is required for every operation (similar to FIDO2). Set to 3, touch is required, but a touch is cached for a limited duration so it is requested less frequently. Notes: requiring touch for PIV improves security but can have an adverse effect on usability; the setting does not affect keys already on a YubiKey and must be present at the time of enrollment. |
| PinCacheTimeout | DWORD | 60 | Requires either UserPinCachePolicy or ExternalPinCachePolicy set to timed (1). Sets the number of seconds for which the BaseCSP caches the PIN. This is only a recommendation to the BaseCSP and is not enforced by the YubiKey Minidriver. |
| ProtectManagement | DWORD | 1 (0) | Governs the creation and storage of the PIV card management key in a protected object, which gives the minidriver write access to the PIV application. Default 1: when the management key is still at its factory value at the time the PIN is entered (for example during enrollment), the YubiKey Minidriver generates a new card management key and stores it in a PIN-protected object in the YubiKey PIV application. Set to 0 to disable the feature. Third-party solutions (such as CMS products) that manage YubiKeys may disable this setting and take ownership of this feature and the processes that depend on it (such as enrollment). |
| RefreshDeviceKeys | DWORD | 1 (0) | Controls the container map synchronization performed on the timeout defined by RefreshWindow. Default 1: the YubiKey Minidriver (YKMD) checks that the container map stored in the mscmap PIV object matches the container map in the SCardCache, enumerates all keys and certificates in the PIV application, and updates the map accordingly. Set to 0 to disable the feature; this can improve performance, especially over RDP, but certificates enrolled outside of the YubiKey Minidriver might not appear in the container map reported to the BaseCSP. |
| RefreshWindow | DWORD | 300 | Sets the interval (in seconds) at which the YubiKey Minidriver (YKMD) synchronizes the container map reported to the BaseCSP. By default the YKMD synchronizes when more than 300 seconds have passed between the last call from the BaseCSP and the current one. During synchronization the YKMD: (1) clears the BaseCSP cache, depending on ManageCSPCache; (2) enumerates the certificates and keys in the PIV application, depending on RefreshDeviceKeys; (3) ensures the cached container map contains the same information as the on-card container map and the list of newly enumerated certificates. Note: a value higher than the default can improve performance without resorting to the heavier-handed RefreshDeviceKeys and ManageCSPCache settings. |
| SupportAlwaysPin | DWORD | 1 (0) | Enables or disables support for the Always Prompt PIN_ID in the YubiKey Minidriver. Applies to devices that support slot metadata (YubiKey firmware 5.2.7 or later). When enabled, the Always Prompt PIN_ID uses PIN_CACHE_POLICY_TYPE PinCacheAlwaysPrompt and is assigned as the PIN for key containers that map to PIV slots with the PIN_ALWAYS PIN policy in the YubiKey PIV application, such as slot 9c. |
| UserPinCachePolicy | DWORD | 0 (1-3) | Overrides the PIN_CACHE_POLICY_TYPE for the user PIN_ID in the YubiKey Minidriver. Accepts any valid PIN_CACHE_POLICY_TYPE numeric value; see Note 1. Default 0 (PinCacheNormal). |
Note 1 - The valid PIN_CACHE_POLICY_TYPE numeric values are 0 (PinCacheNormal), 1 (PinCacheTimed), 2 (PinCacheNone) and 3 (PinCacheAlwaysPrompt); see https://learn.microsoft.com/en-us/windows-hardware/drivers/smartcard/.
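The registry procedure above and the reference table, carried through as one worked example in PowerShell. This is an added example and not Yubico's code: it creates the ykmd key, writes an assumed hardened profile built from the settings in the table, reads the values back, and flags drift and the values the table calls out as risky (PUK usable at its factory value, debug logging left on, management key not rotated). The particular profile values and the function names Set-YkmdProfile and Test-YkmdProfile are assumptions for illustration.

```powershell
# Added example (not from Yubico's documentation): apply and audit a YubiKey Minidriver
# registry profile. Setting names, types and meanings come from the reference table;
# the particular values chosen are an assumed hardened profile for illustration.
# Run from an elevated PowerShell session and reboot afterwards, as the procedure requires.

$YkmdKey = 'HKLM:\SOFTWARE\Yubico\ykmd'

$Desired = [ordered]@{
    BlockPUKOnMGMUpgrade = 1    # keep the PUK blocked while it is still the factory value 12345678
    ProtectManagement    = 1    # rotate the factory management key into a PIN-protected object at enrollment
    NewKeyTouchPolicy    = 3    # require touch for PIV operations, cached briefly (only affects keys enrolled from now on)
    SupportAlwaysPin     = 1    # honour PIN_ALWAYS slots such as 9c (needs slot metadata, firmware 5.2.7+)
    UserPinCachePolicy   = 1    # PinCacheTimed for the user PIN ...
    PinCacheTimeout      = 60   # ... cached for at most 60 s (a recommendation to the BaseCSP only)
    DebugOn              = 0    # no debug log in production
}

function Set-YkmdProfile {
    # Create the key if needed and write every setting as a REG_DWORD.
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Profile,
        [string] $Key = $YkmdKey
    )
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    foreach ($name in $Profile.Keys) {
        New-ItemProperty -Path $Key -Name $name -Value ([int]$Profile[$name]) `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-YkmdProfile {
    # Read the key back and return one finding per mismatch or risky value.
    # An empty result means the machine matches the desired profile.
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Profile,
        [string] $Key = $YkmdKey
    )
    $findings = @()
    $actual = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $actual) {
        return ,"Registry key $Key does not exist; the minidriver is running with all defaults."
    }

    # 1. Drift against the desired profile (an absent value means the minidriver default applies).
    foreach ($name in $Profile.Keys) {
        $have = $actual.PSObject.Properties[$name]
        if ($null -eq $have) {
            $findings += "{0}: expected {1}, value is absent (minidriver default applies)" -f $name, $Profile[$name]
        } elseif ([int]$have.Value -ne [int]$Profile[$name]) {
            $findings += "{0}: expected {1}, found {2}" -f $name, $Profile[$name], $have.Value
        }
    }

    # 2. Values that weaken security or leak data regardless of the chosen profile.
    $puk = $actual.PSObject.Properties['BlockPUKOnMGMUpgrade']
    if ($null -ne $puk -and [int]$puk.Value -eq 0) {
        $findings += 'BlockPUKOnMGMUpgrade=0: PIN unblock allowed while the PUK is the known factory value 12345678'
    }
    $dbg = $actual.PSObject.Properties['DebugOn']
    if ($null -ne $dbg -and [int]$dbg.Value -ne 0) {
        $findings += 'DebugOn enabled: minidriver debug log is being written to C:\Logs'
    }
    $mgm = $actual.PSObject.Properties['ProtectManagement']
    if ($null -ne $mgm -and [int]$mgm.Value -eq 0) {
        $findings += 'ProtectManagement=0: factory management key is not rotated unless a CMS product does it'
    }
    return $findings
}

# Usage (elevated): apply, audit, then reboot.
Set-YkmdProfile -Profile $Desired
$report = Test-YkmdProfile -Profile $Desired
if ($report.Count -eq 0) {
    Write-Output "ykmd matches the desired profile; reboot for the minidriver to pick it up."
} else {
    $report | ForEach-Object { Write-Warning $_ }
}
```

Test-YkmdProfile can be run on its own against machines that were configured by hand or by a CMS product; it reports absent values separately from wrong ones because an absent value silently falls back to the minidriver default, which for BlockPUKOnMGMUpgrade and ProtectManagement is the safe setting but for NewKeyTouchPolicy is not.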