YubiKey Minidriver Features

On the Windows operating system, the Windows Inbox Smart Card Minidriver, msclmd.inf, enables base functionality for using PIV smart cards such as YubiKeys that have been already provisioned with at least one credential.

The YubiKey Minidriver (YKMD) provides additional features beyond the base Microsoft support: managing certificates and PINs on a YubiKey via the native Windows GUI and/or APIs and support for ECC cryptographic algorithms. This includes:

Certificate Enrollment Options

The YubiKey Minidriver adds the following certificate enrollment/deployment options:

• Automatic certificate enrollment, enabling users to register their YubiKey directly through the Windows built-in certificate provisioning process.
• Certificate Enrollment-on-behalf-of: enabling administrators to enroll on behalf of other users through the Microsoft Management Console (MMC) on Windows Server.
• Automatic re-enrollment.

Import certificate chains for user certificates

When User Certificates are added to a smart card via Microsoft auto-enrollment or through Windows MMC, the intermediate certificates and root certificate (also known as the certificate chain) are not added to the smart card. If adding the complete certificate chain is required, the YubiKey Minidriver enables root and intermediate certificates to be imported through the Microsoft Certutil.exe command line utility.

Support for multiple authentication certificates/credentials on a single YubiKey

Use the the YubiKey Minidriver to view all user authentication certificates on the smart card. They are displayed for use by applications based on the certificates’ Key Usage Extension and Extended Key Usage Extension.

Certificate Key Algorithms Support

Elliptic-Curve (ECC) (Windows 10 and Windows 11)

• RSA 2048-bit keys
• Elliptic Curve Cryptography (ECC)
  • ECDH/ECDSA-P256 keys
  • ECC ECDH/ECDSA-P384 keys

We also support 3k/4k and Ed25519/(X25519); however, since the release of Minidriver 4.6.3.252 and the 5.7 firmware on YubiKeys, please note that while Ed25519 certificates will be listed, the private key cannot be used due to limitations of the Windows BaseCSP, which does not support this algorithm.

Set and change smartcard PIN via Windows GUI

This feature provides the ability to set and change the PIN directly through the Windows interface (press Ctrl + Alt + Del > [Change a password]) without the need to install any additional third-party applications.

Unblock a blocked PIN

Utilize the Integrated Unblocking Screen.

Set policy for touch

This allows private key use.

Note

For information on how to use these features, see our Support article, Deploying the YubiKey Minidriver to Workstations and Servers.

YubiKey Minidriver version 5.0 Features

YubiKey FIPS Over NFC

Adds support for the Secure Channel Protocol (SCP11b) that protects wireless communication with YubiKey 5 FIPS Series.

Yubico Minidriver supports connections with all YubiKeys that have the PIV application enabled, via both USB and NFC, including the YubiKey FIPS series.

Compressed Certificates

Adds support for compressed certificates out of the box - no matter if the certificate you’re working with is compressed or not, we ensure a seamless experience.

Citrix VDI Integrations

YubiKey Minidriver works with Citrix VDI.

Important Update to Operating System Support

We are ending full feature support for Windows 8, Windows Server 2012, (and earlier versions). The new secure NFC functionality (SCP11b) requires cryptographic components that are not available in older operating systems. To ensure access to all new features and the highest level of security, we recommend upgrading to a current version of Windows.

YubiKey Minidriver supports, was tested and certified on: Windows 10, Windows 11, Windows Server 2022, Windows Server 2025.