YKMD Features

On the Windows operating system, the Windows Inbox Smart Card Minidriver, msclmd.inf, enables base functionality for using PIV smart cards such as YubiKeys that have already been provisioned with at least one credential.

The YubiKey Minidriver provides additional features beyond the base Microsoft support: managing certificates and PINs on a YubiKey via the native Windows GUI and/or APIs and support for ECC cryptographic algorithms. This includes:

Certificate Enrollment Options

The YKMD adds the following certificate enrollment/deployment options:

  • Auto-enrollment, enabling users to register their YubiKey directly through the Windows built-in certificate provisioning process.
  • Enrollment-on-behalf-of: enabling administrators to enroll on behalf of other users through the Microsoft Management Console (MMC) on Windows Server.
  • Automatic re-enrollment

Import certificate chains for user certificates

When user certificates are added to a smart card via Microsoft auto-enrollment or through Windows MMC, the intermediate certificates and root certificate (also known as the certificate chain) are not added to the smart card. If adding the complete certificate chain is required, the YKMD enables root and intermediate certificates to be imported through the Microsoft Certutil.exe command line utility.

Support for multiple authentication certificates/credentials on a single YubiKey

Use the YKMD to view all user authentication certificates on the smart card. They are displayed for use by applications based on the certificates’ Key Usage Extension and Extended Key Usage Extension.

Certificate Key Algorithms Support

Elliptic-Curve (ECC) (Windows 10 and Windows 11)

  • RSA 2048-bit keys
  • Elliptic Curve Cryptography (ECC)
    • ECDH/ECDSA-P256 keys
    • ECDH/ECDSA-P384 keys

We also support 3k/4k and Ed25519/X25519. Note, however, that since the release of Minidriver 4.6.3.252 and the 5.7 firmware on YubiKeys, Ed25519 certificates are listed but their private keys cannot be used, because the Windows BaseCSP does not support this algorithm.

Set and change smart card PIN via Windows GUI

This feature provides the ability to set and change the PIN directly through the Windows interface (press Ctrl + Alt + Del > [Change a password]) without the need to install any additional third-party applications.

Unblock a blocked PIN

Utilize the Integrated Unblocking Screen.

Set policy for touch

This allows private key use.

Note

For information on how to use these features, see our Support article, Deploying the YubiKey Minidriver to Workstations and Servers.