Enable Azure AD Application Proxies. Created a smartcard login template for. The customer will receive a refund of $35. . The Yubikey device shows in the Device Manger of the host but does not show in the guest. As for your second question it could be any number of reasons. The YubiKey 5 Series supports most modern and legacy authentication standards. Right. The YubiKey is a hardware-based authentication solution that provides superior defense against phishing, eliminates account takeovers, addresses compliance, and enables strong two-factor, multi-factor, and passwordless authentication. Windows cannot write credentials to the YubiKey without the. YubiKey 5 Series. Click Browse, select the user you want to enroll, and then click OK. This section helps you determine the next steps in your YubiKey smart card deployment process using the YubiKey Minidriver. With the latest update to Windows 10 (version 1809) and existing native support in Edge, all. Select Smart Cards and click Next. We would like to show you a description here but the site won’t allow us. Compare the models of our most popular Series, side-by-side. 2. If the command succeeds, Windows considers the card to be a PIV. msc”. Click Import and browse to and select the bitlocker-certificate. First of all, if you call the Recover method for a YubiKey that has not been configured for PIN-only, the return will likely be None. Generate 2-step verification codes on a mobile or desktop device and apply cross platform. kevinds. Warning: Enforcing smart card may lock you out from your machine if done incorrectly. Yubikeys are a type of security key manufactured by Yubico. It does not ask for a Yubikey PIN and it just completes the setup wizard. It's also passwordless MFA so you don't have to deal with carrying around a yubikey or using a password. Solutions. Multi-protocol support allows for strong security for legacy and modern environments. You should now see “Other supported RemoteFX USB devices. The integration of FIDO2-based YubiKeys and Azure Active Directory (Azure AD) is a game changer. SafeNet Minidriver manages Thales extensive SafeNet portfolio of certificate-based authenticators, including eTokens, SafeNet IDPrime smart cards, SafeNet IDPrime Virtual and combined PKI/FIDO devices. It is detected as a smart card on the guest because the login screen shows sign-in options to sign in with smart card. This allows for an easy to use, easy to deploy scalable implementation of strong multi-factor authentication across an entire organization utilizing the native Windows tools and the. SafeNet Minidriver manages Thales extensive SafeNet portfolio of certificate-based authenticators, including eTokens, SafeNet IDPrime smart cards, SafeNet IDPrime Virtual and combined PKI/FIDO devices. Hopefully that will change soon since Microsoft is putting out ARM-based devices now. Cheers. Next, go to the command line and let’s confirm that we can see it as a smart card. The Yubico Login for Windows application (formerly Windows Logon Tool) provides a simple and secure way for YubiKey users to securely access their local acco. Step 2: Select the Scan option to scan the QR code, getting displayed on the screen. If you have a Security Key, right-click on the Security Key by Yubico device and select Remove device. 210-x64. msc and press Enter. Due to the open source software status of the libykpiv library, there might be other users of this library. When a smart card is inserted into the reader and the Base CSP/KSP calls CardAcquireContext, the class minidriver performs the following discovery process to mark the associated card as either PIV- or GIDS-compliant: A SELECT command is issued to locate the PIV AID. h. But, using Yubikey Manager qt version 1. But, using Yubikey Manager qt version 1. Block re-installation from Windows Update. 2. usb. Both of these readers also work well with other manufacturer’s keys like the YubiKey 5 NFC to read the x. Combined with leading password managers, social login and enterprise single sign on. 1 or 1. Run the HID Global Crescendo 2300 Minidriver 1. Username and password entered (1), YubiKey is activated to generate the OTP which is appended to the password, separated by a comma (2) 3 + 4. Locate and select the smart card template you created for enroll on behalf of, and then click Next. Identify what type of YubiKey you have (USB or NFC) and select Next. Please try again. 2. Select Yubico from the Manufacturer section, YubiKey Smart Card Minidriver from the Model section, and click Next. In the Azure and Microsoft ecosystem, for both on-premises and cloud environments, a combination of FIDO2 and certificate-based authentication can be leveraged to solve many of your password concerns by allowing an organization to go passwordless in a way that is also highly resistant to phishing in many. Read the YubiKey 5 FIPS Series product brief >. 1. You might need to scroll horizontally to see the entire command. This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture. TIP: This period must be longer than what you set for the smart card login certificate. OTP: FIPS 140-2 with YubiKey 5 FIPS Series. Reboot your computer into safe mode, delete the yubico for windows login tool, restart the computer. Open the YubiKey Manager app. Instead of a code being texted to you, or generated by an app on your phone, you press a button on your YubiKey. Don’t see your YubiKey here? Identify your YubiKey. Windows Sleep/Resume Note gpg-agent. It also supports multiple accounts so your admins can use the same method to access privileged accounts as well as their normal user accounts really easily. jrandomdude. Interface. msc and check the Smart card readers section . ; Select the validity period for the Certification Authority certificate, and click Next. Administrative Template (ADMX) for YubiKey Smart Card Minidriver Introduction. This application provides a PIV compatible smart card. Go to the startmenu and press the windows key -> Start > type devmgmt. works, however the said Auto-Enrollmeent prompt is not showing up – already followed the. Verify that the certificate template used to issue the certificate allows for smartcard logon and has the appropriate settings (e. If prompted to elevate permissions, select Yes. Superior and cost effective protection - The YubiHSM 2 is a dedicated hardware security module (HSM) that offers superior protection for private keys against theft and misuse. The YubiKey 5 FIPS Series is IP68 rated, crush resistant, no batteries required, and no moving parts. It is detected as a smart card on the guest because the login screen shows sign-in options to sign in with smart card. These credentials, which are protected by a PIN, enable passwordless login, where the YubiKey, unlocked by a PIN and authorized by touch, can log you in to your accounts without entering a username or. Multiple form factors with support for USB-A, USB-C, NFC and Lightning. Posted: Thu Oct 19, 2017 6:49 pm. Click Import and browse to and select the bitlocker-certificate. )?YubiKey manager is uses to pair PIV card software functionality of the YubiKey since well as other usage. ) YubiKey-PIV可以用在哪些地方? 涉及到证书 私钥之类的东西,PIV就能排上用场了. Under System variables, select Path and click Edit…. Yubico Login for Windows is only compatible with machines built on the x86 architecture. Discover the. Use the YubiKey Manager for Windows, which includes both a Graphical User Interface and a Command Line Tool to create PIN Unlock Keys (PUK)s on YubiKey devices for. I have found several tutorials on youtube how to do that . Click Yes to enable YubiKey Windows login for your computer. Most recently, we have simplified smart card deployment with the introduction of a YubiKey smart card minidriver. Upgrade the on-premises applications to use modern authentication protocols. The smart card certificate uses ECC. This article provides technical information on security protocol support on Android. Note: Yubico Login for Windows secures Windows 10 and 11 if not managed by AAD or AD. Securely log in to your local Linux machine using Yubico OTP (One Time Password), PIV-compatible Smart Card, or Universal 2nd Factor (U2F) with the multi-protocol YubiKey. I went through this article - 360015654560-Deploying-the-YubiKey-Minidriver-to-Workstations-and-Servers and this article 360013780779-Troubleshooting-No-Valid-Certificates-Were-Found-on-This-Smart-Card-but with no success. 1 order per person. , key usage, enhanced key usage). The Security Key by Yubico delivers FIDO2 and FIDO U2F in a single device, supporting existing U2F two-factor authentication (2FA) as well as FIDO2 implementations. YubiKey 5 CSPN Series. If you enable this policy setting, one of the following touch policies will be configured on new keys generated or imported through the minidriver:The YubiKey Smart Card Minidriver is not supported on Windows Server Core, either for remote or local login, as the underlying USBCCID filter driver is not present which is required. What threw me for a loop was the normal MSI they give you does not install the right driver! You need to call the MSI with an extra option. A YubiKey is a small USB and NFC based device, a so called hardware security token, with modules for many security related use-cases. Since that feature was removed, users have found it more challenging to. Right-click the Windows Start button and select Run. Setting up Smart Card Login for Enroll on Behalf of. Sadly, this is the only port where it would be easy for me to touch the YubiKey for authentication. Enroll for a certificate using a YubiKey; Check Issued Certificate on Yubikey via PKI Client Agent; Detailed Configuration Steps. Make sure the service has support for security keys. After Contacting Yubico Support it was discovered that this was caused by changing the Management Key. On Windows 10, setting the system path is done by following these steps: Open the Control Panel and select System and Security → System → Advanced System Settings. For typical usage, you will want to memorize the PIN, and keep a copy of the PUK and Management keys in a secure location. Note the bold part. whoever will have to work a yubikey 5 in piv on a server rds. To do this. pfx file. Related YubiKey Security token Peripheral Computer hardware Computer Information & communications technology Technology forward back. To launch ykman in GUI mode or CLI mode from the command line, select and run the command for one of the options listed below: Launch ykman CLI, ( 32-bit) C: >"C:Program Files (x86)YubicoYubiKey Managerykman. I also added Yubikey on user account: There is nor on-prem active directory, it is pure Azure AD with free licence. Single sign-on to applications in Azure Active Directory. introduce 最初yubikeyが認識されなくてつまずきました。 Authentticatorアプリや、yubikey managerなどおいてあるアプリは全部インストールしてみてもダメ。NFCにかざすと反応はするので、壊れてはないよねえと思いつつ。 全然認識されないので、スマートカードを使うためにminidriverというドライバを. HYPR. To use the PUK, it must be first set with the YubiKey Manager before using the YubiKey Minidriver to load or modify certificates on the YubiKey PIV Applet. This is the only way to ensure the YubiKey smart card minidriver is involved in the import and can properly maintain the container map file on the YubiKey. If not already done so, please insert your YubiKey in the computer via a USB port. Digital Signature shows as 9c and Card Authentication. VAT. Product documentation. It is not compatible with Windows on Arm (ARM32, ARM64) based. The first certificate shows as 9a under Authentication and the second certificate shows under Key Management 9d. The Enroll certificate wizard creates and issues the certificate to MMC --> Console Root --> Certificates - Current User --> Personal --> Certificates. Open Control Panel. Further, duplicate the QR code and store it to use it as a backup. Figure 2. The driver indeed wasn't installed properly. The YubiKey Minidriver will block the PUK if it is set to the factory default value. That's it. 3. 0-rc2. For each service you set up, have your spare YubiKey ready and add it right after the first one before moving to the next. Product documentation. Posts: 2. The FIDO2 application allows for secure single and multi-factor authentication, and can store up to 25 resident credentials. The customer will receive a refund of $35. We are using virtual Cirix access to get the cert (manual steps for user that requires pin/login pwd). Accept the terms in License Agreement and click Next. Here is how according to Yubico: Open the Local Group Policy Editor. If you are using Remote Desktop Connection (RDP), the YubiKey Minidriver must be installed on both the source and the destination computers according to "when I use Yubikey Smart Card Authentication to a remote System". The Yubico Minidriver expects the management Key to be the default and it protects it with the PIN. I've contacted their support about this previously and they don't. This attestation statement is provided in the form of an X. Click Browse, choose your enrollment agent certificate from the Security Pop-up screen, and then click Next. msc and press Enter . msc on the server. Choose to reboot now or after associating the YubiKey with a user. It may be represented in some form to the user in the UI, but otherwise is used only for comparison to a reference value to establish the identity of a card. Yubico SCP03 Developer Guidance. This option reduces calls to the Service Desk and allows workers to remain productive. Ensure the following prerequisites are met: The imported certificate must be in . It usually requires knowing your login details. Go to Device manager. This makes it possible to use a YubiKey with PIV support for all authentication on macOS, including computer login. User Account Control (UAC) is displayed, click Yes. The first time the YubiKey is plugged into a PC running Windows 10 Creators Update or above, Windows will automatically download and install the YubiKey Minidriver via Windows Update. I did notice that also the Microsoft USbccid smartcard read was added to the device manager when the Yubikey was connected. In the tree view on the left, navigate to Certificates (Local Computer) >. Deploying the YubiKey Minidriver to Workstations and Servers. YubiKeyの機能. To reiterate, the MSI package only updates the NIST driver when a smart card is attached to the local USB port. YubiKey 5 NFC not detected when connected to PC case front I/O USB. Windows 11 Install With Yubikey Authentication. When the YubiKey Minidriver is installed, the YubiKey will show up under the Smart Cards section as a. Note: This article lists the technical specifications of the YubiKey 5C FIPS. For convenience, I name my keys containing the YubiKey number and creation date. Official subreddit. Spare YubiKeys. The smart card certificate uses ECC. | Yubico (Nasdaq First North Growth Market Stockholm: YUBICO), the inventor of the YubiKey, offers. Next, go to the command line and let’s confirm that we can see it as a smart card. 3. Change the Interface to "CCID - Custom Reader" and pick a reader from the Connected Readers drop down. If you are on Windows 10 Pro or Enterprise, you can modify the system to allow companion devices for Windows Hello. 0 interface as well as an NFC. When the YubiKey Minidriver is installed, the YubiKey will show up under the Smart Cards. yubikey-minidriver-tool is a C library typically used in Security, Authentication applications. pfx file using the YubiKey Manager. exe". Works with YubiKey. The YubiKey was enrolled outside Windows' native enrollment tools and the computer has the YubiKey Smart Card Minidriver installed. Yubico | 23,019 followers on LinkedIn. The YubiKey is a device that makes two-factor authentication as simple as possible. With a YubiKey, you simply register it to your account, then when you log in, you must input your login credentials (username+password) and use your YubiKey (plug into USB-port or scan via NFC). Download and install YubiKey Manager. Industries. You can set it with the YubiKey Manager while you create the private key with the --touch-policy flag . OV and EV code signing certificates should not be installed manually on your computer, which may cause configuration issues. Common name and Distinguished name will be automatically populated. FIPS 140-2 validated. Minidriver compatibility. generic. In the tree view on the left side, navigate to Personal > Certificates. msi INSTALL_LEGACY_NODE=1 /quiet. I think PIV/Smart card touch policy is defined on the YubiKey itself. The Yubico minidriver will configure a YubiKey to PIN-protected mode. Open Control Panel. With a YubiKey, you simply register it to your account, then when you log in, you must input your login credentials (username+password) and use your YubiKey (plug into USB-port or scan via NFC). All reactions. On Windows, the smart card functionality can be enhanced with the YubiKey Smart Card Minidriver. Install the YubiKey Smart Card Minidriver if you do not have it already. Discover the simplest method to secure logins today. YubiKey VerificationYubikey as SmartCard in Domain Recently tried rolling out Yubikeys as SmartCards for Login using the SmartCard Deployment Guide aiming for Auto-Enrollment to Enroll Users. NET 6 console application project; Download the latest yubico-piv-tool and run this command from the folder you extracted the PFX to. 509 certificates on it as well as use it for a pure FIDO2 contactless login by just laying the key on top of the reader. The YubiKey C FIPS (4 Series) is a FIPS 140-2 certified (Overall Level 2, Physical Security Level 3) device based on the YubiKey 4C. YubiKey 5 NFC (Normally $45 each) = $90 $80. In Yubikey Manager, under Certificates, it has 4 tabs ( authentication, digital signature, key management and card authentication). It allows for multiple 9a certs (for authentication) for example. Single sign-on to applications in Azure Active Directory. Note: Some software such as GPG can lock the CCID USB interface,. Click Browse, select the user you want to enroll, and then click OK. GNU/Linux tutorialsThe YubiKey 5 FIPS Series offers a choice of keys designed for USB-A, USB-C, NFC and Lightning. Step 2: Select the Scan option to scan the QR code, getting displayed on the screen. Over the past six months, we’ve received valuable feedback from many of our public preview users, and. Disabled - Do not allow supported Plug and Play device redirection . That's it. Resolution 2:If you need to maintain cross-platform compliance, you can manually remove the YubiKey Smart Card Minidriver. Download the Yubico Authenticator App. msi file by using command prompt, running: msiexec /i YubiKey-Minidriver-4. You should now see “Other supported RemoteFX USB devices. YubiKey Smart Card Deployment Considerations YubiKey Minidriver environmental and system requirements and compatibility, as well as items to consider prior to setup. To utilize YubiKey for authentication, follow the below steps: Step 1: Access the Yubico Authenticator App and click on Control. Yubikey 5 NFC , firmware version 5. Computer login tools; Software Development Toolkits; YubiCloud; Discover the YubiKey. Go to Personal > Certificates in the left-side tree view. Person B would then be able to login to Person A's account on phone B. exe -t ecdsa-sk -C "username-$ ( (Get-Date). msc under PersonalCertificates: Right click > All Tasks > Advanced Operations, then select Enroll on Behalf of. These credentials, which are protected by a PIN, enable passwordless login, where the YubiKey, unlocked by a PIN and authorized by touch, can log you in to your accounts without entering a username or password. As the title says, I have this issue where my YubiKey is not detected by the system when connected to my PC's front I/O panel. Solution: When deploying the Minidriver to remote servers where the YubiKey cannot be physically inserted (such as an RDP connection), a legacy node must be created to load the minidriver. Next, you can configure the Code Signing certificate on the YubiKey device for better security. YubiHSM 2 FIPS. 2. msc and press Enter . ” If you install the mini driver, a few changes in the registry will be enough to code sign with YubiKey. If You Know the Management Key. Smart Card Login for User Self-EnrollmentThe previous 2 certificates are still there. Authentication will be to the local Active Directory first followed by secondary authentication via the Yubico OTP. Once the PUK is blocked, it cannot be used unless the PIV applet is reset. 4 Yubikey minidriver 4. I installed the minidriver on the Hyper-host and the Windows 10 virtual machine. I did notice that also the Microsoft USbccid smartcard read was added to the device manager when the Yubikey was connected. msi version of their driver which can be distributed via group policy Advanced enrollment: Use the YubiKey Manager command line. Open the configuration file with a text editor. yubico-piv-tool. S. 4 Yubikey minidriver 4. Depending on the model, it can: Act as a smartcard (using the CCID protocol) - allowing storage of both PGP and PIV secret keys. It combines the ubiquity of Azure AD, the usability of YubiKey, and the security of both solutions to put us on the path to eliminate passwords in the enterprise. 2. On the login screen of computers that have the YubiKey Smart Card Minidriver installed, the user enters the PUK code that allows a new PIN code to be set. Click Yes in the User Account Control window. Date: 22 September 2017 Size: 1 MB INF file: ykmd. Smart cards are designed to have a static code specifically to unlock and reset the user’s PIN. Go to Device Manager, right-click on Smart Cards -> Identity Device (NIST SP800-73 [PIV]), click Update Driver and point it to the folder containing the driver you downloaded. 2 (i do not have this issue with 1. When this option is selected, all other methods of authentication are blocked. Insert your YubiKey. If you have a YubiKey, right-click on the YubiKey device, and select Remove device. If the eject mode is enabled, there isn't such issue. This video shows the versatility of Yubikey and how you can use your Micrsoft 365 account with Yubikey to login to Windows. Smart Card Minidrivers. AnyConnect does not work if more than one YubiKey is connected (tested with three). Do you know why it depend on miniDriver only in this situation?These curves can be used for Signature, Authentication and Decipher keys. The Yubico minidriver will configure a YubiKey to PIN-protected mode. The YubiKey 5 Series supports most modern and legacy authentication standards. Once we’ve done all of the setup the only thing left to do is to start a remote desktop session with device redirection enabled. Cause: The YubiKey Smart Card Minidriver treats the YubiKey as a GIDS-compatible smart card (as opposed to PIV), meaning it does not write a Key History Object. Thnak you for the quick reply, will spend more time with the piv tool - any current plans to provide a miniport driver able to write. 7 release and updating to this version will resolve the issue. Disabled - Do not allow supported Plug and Play device redirection . txt","path":"src/CMakeLists. Go to: Applications -> PIV -> Configure Certificates -> Card Authentication. msi and click Next. Supported Algorithms: RSA 1024; RSA 2048;. Go to the “Local Resources” tab of the RDP client settings and click “More…” under “Local devices and resources”. If you are using Remote Desktop Connection (RDP), the YubiKey Minidriver must be installed on both the source and the destination computers according to "when I use Yubikey Smart Card Authentication to a remote System". The customer returns one of the YubiKeys which was part of the special bundled offer. I can install a PIV certificate on my windows machine (p12/pfx format) I can install the certificate on any slot of the Yubikey using yubico-piv-tool 2. This applies to: Pre-built packages from platform package managers. In "Manage Bitlocker" - add this pin to system drive. Refer to the third party provider for installation instructions. Maybe we need to impoert the certificate to smart card according to "The requested key container does not. Yea, my whole aim is to use the PivApplet for OS login (since it is supposed to be supported by Windows, MacOS) without the need to install any more drivers and libraries. YubiKey Bioシリーズはセキュアでシームレスなパスワードレスログインのために、指紋を利用した生体認証をサポートします。. 2) open; Open up Windows Device ManagerInstall YubiKey Minidriver. {"payload":{"allShortcutsEnabled":false,"fileTree":{"src":{"items":[{"name":"CMakeLists. Yubico Login for Windows supports local authentication scenarios; it secures the local login process for local accounts on Windows computers. Enter the PIN for the smart. I'd love to be able to use my M1 Mac for work, but I can't with this limitation. Setup YubiKey with iPads; Use OATH with the YubiKey; WebAuthn Compatibility; Using MFA Authenticator Codes with your YubiKey on Desktops; Using MFA Authenticator Codes with your Yubikey on Mobile Devices; Using YubiKeys with Azure MFA OATH-TOTP; Log on to your MFA Account with Yubico Authenticator; OATH Functionality with. 3. Now that you have to enter a Microsoft account when installing, does the installer recognise a Yubikey? I know this is a very specific question, but I hope someone has an answer. If your smart card login works normally when you are physically at a workstation, but you receive the "The requested key container is not available on the. 0. The FIDO2 application allows for secure single and multi-factor authentication, and can store up to 25 resident credentials. It can also be used on standalone computers to unlock some features of the YubiKey Minidriver that are. 16. Step 2: The User Account Control dialog appears. Multi-protocol support allows for strong security for legacy and modern environments. When prompted, press Enter to confirm adding the PPA. Built on the C ykpiv library, the PIV-Tool provides a CLI to access all of the functionality supported on the PIV function of the YubiKey. Click Yes when prompted. YubiKey 5 FIPS Series Specifics. Hence, if you know that your application will be running alongside Microsoft Windows machines using the YubiKey Minidriver, you should strongly consider adding support for setting YubiKeys to PIN-protected mode. Also in certmgr. Authentication is a process for verifying the identity of an object or person. Press Win+R to enter the execute menu and execute “ certmgr. ago povlhp Smartcard login to server 2022 not working I have smartcard login to older Windows servers working with Minidriver. The first certificate shows as 9a under Authentication and the second certificate shows under Key Management 9d. The driver is on MS update catalog Yubico Login for Windows 10 (32 bit) Yubico Login for Windows Configuration Guide. Certificates shipped on YubiKeys from SSL. r/ProtonPass. msc. Secure your accounts and protect your data with the Yubico Authenticator App. If you're looking for a usage guide, refer to this article. To install Minidriver, I found that weirdly, I had to first install the MSI, and then connect the YubiKey and open “Add Hardware Wizard”, click till you can. Updated the Registry with the Class GUID of the Yubikey (Series 5 NFC) - [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows NTTerminal ServicesClientUsbSelectDeviceByInterfaces] Remote Windows Server. Hello, on Windows 10 CU (creators update) 1703 an auto update of the smart card minidriver has replaced the "Identity Device (NIST SP 800-73 [PIV])" with a "Yubikey smart card" breaking the smart card PIV functionality. 2 and above only) secp256r1. Optional: Yubico makes a . You can also use the tool to check the type and firmware of a YubiKey, or to perform batch programming of a large number of YubiKeys. he plugs it into his home PC and runs the setup for his home PC via yubi login configuration for non-AD joined WIndows 10. Now that you have to enter a Microsoft account when installing, does the installer recognise a Yubikey? I know this is a very specific question, but I hope someone has an answer. msc and check the Smart card readers section . Version: 3. YubiKeys support multiple authentication protocols so you are able to use them across any tech stack, legacy or modern. 210. Request for proposal, suggestions and good ideas. Confirm the values match the server name and domain name, and click Next. 450. I don't know the details to be honest, but we aren't using a specific software I don't think, and I don't know about smart card. The card minidriver should be written as a generalized interface layer. If your user account is managed by Azure Active Directory (AAD), you can secure your computer with passwordless login with a YubiKey without needing to install any. 2. Minidriver compatibility. It’s important to note that Firefox’s support is still evolving. The driver is on MS update catalog. I went through this article - 360015654560-Deploying-the-YubiKey-Minidriver-to-Workstations-and-Servers and this article 360013780779-Troubleshooting-No-Valid-Certificates-Were-Found-on-This-Smart-Card-but with no. This ADMX administrative template allows administrators to easily deploy configuration of the YubiKey Smart Card Minidriver through Active Directory Group Policy. 3. 其实没那么复杂, 简单来说,我们需要的操作即: 满足条件的yubikey + 满足条件的windows配置 + 对磁盘开启bitlocker. Enable Azure AD Hybrid features. 1 + 2. 1.