SafeNet Minidriver is a perfect solution for IT departments who need minimal administrative support and just need a lightweight software. First of all, if you call the Recover method for a YubiKey that has not been configured for PIN-only, the return will likely be None. I have an existing CA, I have published enrollment template. Please follow below steps to turn on 1)Shut down the virtual machine. The ability to use PIN and touch policies other than the default was not available prior to YubiKey 4. application provides a PIV compatible smart card. Shipping and Billing Information. The Minidriver supports various YubiKey models and key algorithms, including RSA 2048-bit and ECDH/ECDSA-P256/384. Installing the YubiKey Minidriver MSI via the command line tool also provides an option to create a legacy node, so that the YubiKey Minidriver is loaded on the system without the need to physically plug a YubiKey in to it. I've contacted their support about this previously and they don't. ; As always, if you have any questions about the new key size requirements or any other issue relating to SSL. First, we need to install Gpg4Win on the computer, and make sure it sees our Yubikey as a smart card. 67. x and Earlier; NFC ID Calculation for YubiKey v5. YubiKey users can generate a self-signed certificate, request a certificate from a CA, or import an. While the minidriver always asks for PIN, even if not required by YubiKey, slot 9e can still be used through PKCS11 without a PIN, so do not use it for stuff you want to keep secure. PKCS#11/MiniDriver/Tokend - OpenSC/OpenSC. ” device, it is not. If a YubiKey is connected to a computer when installing the YubiKey Minidriver, Windows may continue to use the native generic smart card minidriver. Learn how to install the YubiKey Minidriver on different devices and platforms, including servers, workstations, and legacy devices. If you try to sign with the Yubikey 5 connected using signtool, you'll get the error: SignTool Error: No certificates were found that met all the given criteria. Learn how you can set up your YubiKey and get started connecting to supported services and products. d. Why YubiKey. Several data objects (DOs) with variable length have had their maximum. If you let Windows have its way, you may end up getting the a message stating The smart card cannot perform the requested operation or the operation requires. This chapter. Click Install. 1. 0. I think you need to install the mini driver on the server with a specific switch. 2 does not support OpenPGP. 满足条件的yubikey: (1)配置YubiKey PIV的密码. I installed the yubikey minidriver and followed this tutorial. txt","path":"src/CMakeLists. The YubiKey 5 NFC has six distinct applications, which are all independent of each other and can be used simultaneously. Remove your YubiKey and plug it into the USB port. YubiKey provides baseline functionality to authenticate as a PIV-compliant smart card out-of-the-box on Microsoft Windows Server 2008 R2 and later servers, and Microsoft Windows 7 and later clients. 0. Works with YubiKey. The previous 2 certificates are still there. The first certificate shows as 9a under Authentication and the second certificate shows under Key Management 9d. txt with Visual Studio 2017+ or use a Visual Studio command prompt and generate the build files from your working directory as follows: HYPR. 其实没那么复杂, 简单来说,我们需要的操作即: 满足条件的yubikey + 满足条件的windows配置 + 对磁盘开启bitlocker. dll)I suspect that the key used for this authentication is Digital Signature key. To install Minidriver, I found that weirdly, I had to first install the MSI, and then connect the YubiKey and open “Add Hardware Wizard”, click till you can select device type “Smart card” and select the YubiKey, and finally choose the Minidriver from the available driver list. If you have more than one YubiKey to program, prior to selecting “Write Configuration”, Select “Program Multiple YubiKeys” In the image above, and also select “Automatically program YubiKeys when inserted”. An example install script for the Yubikey Smart Card Minidriver is below. Validating Yubikey OTPs using the AES key directly, typically only for server integration or disconnected use. pcsc. This allows for an easy to use, easy to deploy scalable implementation of strong multi-factor authentication across an entire organization utilizing the native Windows tools and the. Note: Some software such as GPG can lock the CCID USB interface, preventing another. 3. If you're looking for a usage guide, refer to this article. AnyConnect does not work if more than one YubiKey is connected (tested with three). If you're looking for a usage guide, refer to this article . Interface. The Yubikey minidriver is not currently offered for Windows ARM64, only Windows x86 and x64. If you're looking for deployment considerations, refer to this article. Configure your YubiKey for Smart Card applications. The YubiKey Minidriver extends the support of the YubiKey on Windows from just authentication to allowing Windows to load and directly manage certificates on it. ChrisHammond. For environments with just Windows PCs, the YubiKey Smart Card Minidriver and native Windows smart card. Deploy the Yubikey mini driver to your machines that need local (OR RDP) login via key; Follow through page 13-14 of the document to duplicate and modify the default Windows CA template for Smartcard Logon; For test optional - configure auto-enrolment for user certificates in group policy. 172-x64. Having this driver installed the behaviour changes to the following. If you have a YubiKey, right-click on the YubiKey device, and select Remove device. py", line 40, in __init__ raise EstablishContextException(hresult) smartcard. Yes, the minidriver used in windows is read-only, so it wont be able to enroll your PIV applet. Examples for interacting with the YubiKey Minidriver for Windows - Releases · YubicoLabs/yubikey-minidriver-toolRDP server is Server 2016 and client is Win10 20H2. Updated the Registry with the Class GUID of the Yubikey (Series 5 NFC) - [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces] Remote Windows Server. The driver indeed wasn't installed properly. 3) NFC Reader: ACR1251 (ACR1251U-A1) Also, I installed the driver for this NFC reader and the Yubikey MiniDriver. 0 and the YubiKey Smart Card Minidriver to 4. Below is a list of all available downloads ordered by version, starting with the most recent version. As for your second question it could be any number of reasons. Version 4. Estimated shipping time by country and shipping option is noted on the ordering page. Go to the “Local Resources” tab of the RDP client settings and click “More…” under “Local devices and resources”. After setting it up, users can just insert their YubiKey and create a ADCS certificate request (using the “Manage User Certificates” MMC), and Windows will generate a certificate in the. The. Open Terminal. It has five distinct sub-modules, which are all independent of each other and can be used simultaneously. YubiKey Smart Card Minidriver (Windows) Download. Learn how to install the YubiKey Minidriver on different devices and platforms, including servers, workstations, and legacy devices. 509 certificates) that’s okay, it may take some time to get your org to fully move to FIDO2. YubiKey Smart Card. Downloads. To fix this, install the . Maybe we need to impoert the certificate to smart card according to "The requested key container does not. Step 3: You can give it any name like Yubikey and click on Okay. 6 (released 2021-09-08) Improve handling of YubiKey device reboots. That vmware VM (ESXs - vsphere) cannot detect the key. Download and install the latest version of the YubiKey Smart Card Minidriver. All NFC interfaces are turned on in the YubiKey Manager. NET SDK is usually not involved in any way once the certificate has been stored on the YubiKey. application provides a PIV compatible smart card. The YubiKey 5 FIPS Series is IP68 rated, crush resistant, no batteries required, and no moving parts. 3. I tried their minidriver it with Yubikey 5 NFC with self signed certificates but they expired in 2021. In this command, you need to fill in the management key (replace "MGM-KEY". If the smart card appears as “Yubico Yubikey,” it indicates that the driver is installed. 0. Windows Security window is displayed, click Install. Cheers. On Windows, the smart card functionality can be enhanced with the YubiKey Smart Card Minidriver. c. Advanced enrollment: Use the YubiKey Manager command line. Type certtmpl. There is nothing to recover and the management key will not be authenticated. However, they're no longer able to interface with the YubiKey PIV device after the xPass Smart Card driver is installed. Each subsequent version specification contains all the features and capabilities of the prior version. I have an x1 carbon gen 6 that yubikeys stopped working on. YubiKey for Door Access; NFC ID Calculation for YubiKey v5. I spoke with a YubiCo engineer today and it seems the easiest way on a Windows system is to use the mini driver. I can get YubiKey PIV Manager to recognize the key again if I follow these steps: Leave the YubiKey 4 inserted; Leave YubiKey PIV Manager (1. Smart card minidrivers contain the features specified for a version. The usage attributes on the certificate do not allow for smart card logon. On Windows, the smart card functionality can be extended with the YubiKey Smart Card Minidriver. The good news is that if you’re using a YubiKey as your FIDO2 token, you can use Yubico Authenticator for MacOS to set or change a PIN and view or delete the hardware-bound passkeys stored on your. In the details pane, double-click Windows Components, and then double-click Smart Card. Change the Interface to "CCID - Custom Reader" and pick a reader from the Connected Readers drop down. Most (> 90%) of our users use YubiKeys without using any of our client software. After setting it to the default, the minidriver will be able to authenticate to the YubiKey. The Windows registry keys AllowPrivateExchangeKeyImport and AllowPrivateSignatureKeyImport are not needed. The tool works with any currently supported YubiKey. Right-click the Windows Start button and select Run. 满足条件的windows配置:. Note: The YubiKey 5 FIPS Series with initial firmware release version 5. Yubico support had me remove their smart card minidriver and revert to the basic Windows smart card driver, but that doesn't seem to make a difference either (and I can't generate and install a certificate through. Support Services. Bugfix release: Fix broken naming for "YubiKey 4", and a small OATH issue with touch Steam credentials. allowHID = "TRUE". msi INSTALL_LEGACY_NODE=1. Windows users check Settings > Devices > Bluetooth & other devices. Multiple form factors with support for USB-A, USB-C, NFC and Lightning. Enabling and disabling primary authentication methods in ADFS 2019. No more reaching for your phone to open an app, or memorizing and typing in a code – simply touch the YubiKey to verify and you’re in. gz (2023-02-07) yubico. Discover the simplest method to secure logins today. Open source smart card tools and middleware. Supported Algorithms: RSA 1024; RSA 2048; USB. Select Enabled from the Require Touch drop-down list, if you want the users to touch their YubiKeys. The command line install is: msiexec /i YubiKey-Minidriver-4. YubiKey Minidriver for 32-bit systems – Windows Installer. The new YubiKey minidriver enables users to simply self-enroll using the native Windows. After Contacting Yubico Support it was discovered that this was caused by changing the Management Key. When I try to create the blcert using certreq –new blcert. The credential management tool will replace the default values by automatically setting a random value for the management key and PUK, and allow the end user to define the PIN. These steps assume an Active Directory environment is. The YubiKey 5C NFC FIPS is FIPS 140-2 certified (Overall Level 1 and Level 2 , Physical Security Level 3) and based on the YubiKey 5C NFC. 0 and NFC interfaces. Programming for multiple YubiKeys. 16. So, Hyper-V guests can use Yubikeys as smartcards but it doesn. Profit. pfx -> click Next, and finally Finish. Due to the open source software status of the libykpiv library, there might be other users of this library. This chapter covers the basic configuration for setting up a new Certification Authority (CA) to a Windows Server (2016 and above). To ensure your YubiKey is the correct one used by scdaemon, you should add it to its configuration. . The Yubico Minidriver expects the management Key to be the default and it protects it with the PIN. Posted: Thu Oct 19, 2017 6:49 pm. The YubiKey 5 Nano uses a USB 2. I will try RSA2048 anyway. sha256. The YubiKey 5C NFC FIPS has five distinct applications, which are all independent of each other and can be used simultaneously. As I already wrote in my previous post, to work with X. If you're looking for a usage guide, refer to this article. If it doesn’t, just repeat the same steps as above, by creating a. If sudo add-apt-repository ppa:yubico/stable fails to fetch the signing key, you can add it manually by running sudo apt-key adv --keyserver keyserver. yubikey_manager-5. YubiKey. AnyConnect does not work if any other PIV-compatible. Create a text file with the following contents to use as a certificate request. 0. Administrators benefit from the YubiKey minidriver through user provisioning using the Microsoft built-in MMC. gpg --card-status. Click Environment Variables…. 2. 1 card applets and profiles:Note: This article lists the technical specifications of the YubiKey 5C FIPS. Display hidden devices. exe" piv access set-retries 5. This chapter covers the basic configuration for setting up a new Certification Authority (CA) to a Windows Server (2016 and above). This article describes the issue when upon trying to log into an Azure domain joined ARM Windows 11 virtual machine with a YubiKey token, you might not get a FIDO2 token prompt. Professional Services. Select YubiKey from the Smart Card drop-down list. Click OK. Your Device Manager indicates that you are using the Microsoft Minidriver for the smartcard. Upgrade the on-premises applications to use modern authentication protocols. When prompted, press Enter to confirm adding the PPA. The authenticating entity calculates the response by encrypting the challenge by using Triple DES (3DES) that operates operating in CBC mode with a 168-bit key (and ignoring the. Extract the CAB and place it on a network location accessible to the golden images. msi INSTALL_LEGACY_NODE=1 /quiet. Yubikey personalization tools and neo manager can detect and read the Yubikey but GPG cannot. Smart Card Minidrivers. The return of this method is the enum PivPinOnlyMode. msi file by using command prompt, running: msiexec /i YubiKey-Minidriver-4. 1. If you’re unsure, check Device Manager’s Smart Cards section. Locate and select the smart card template you created for enroll on behalf of, and then click Next. 1. 3. A specification of typical USB devices used for human interaction, such as keyboards, mice, joysticks etc. msi INSTALL_LEGACY_NODE=1. To troubleshoot I have made sure the certificate is in the yubikey using Yubico's tool: as well as verified that the yubikey smart card minidriver is installed in the PC's Device manager. 0. If you don't have an on-premise. On the workstation I can see the Yubikey but not on the VM. Locate your imported certificate and double-click. The YubiKey 4C Nano has five distinct applications, which are all independent of each other and can be used simultaneously. Note: Some software such as GPG can lock the CCID USB interface, preventing another software from accessing applications that use that mode. S. Note: Some software such as GPG can lock the CCID USB interface, preventing another software from accessing applications that use that mode. I am using a USB smart token instead of a Yubikey, but the concept is the same. The YubiKey firmware 5. This can be through SCCM, GPO or any other method. 210-x86. We have setup Yubikey 5 series Smart Card PIV access for a Windows Active Directory environment and are running into a roadblocks on RDP access. I have been using a SmartCard (Yubikey 4, PIV interface) with RSA certificate to unlock BitLocker protected drives. For more information, see VMware's KB article on this. 4. The certificates are self-signed and generated by the Encrypted File System (EFS) wizard. yubico-piv-tool. conjunction with YubiKey minidriver Y Y Self Service collection of updates/re-provision of all issued content "Self Service App allows update or full reconfiguration of the YubiKey 'in the field' User authenticates with device PIN for additional security Automated or operator requested updates for the device, including certificate renewals" Y YExamples include PIV compliant smart cards using Microsoft’s built-in Minidriver and smartcards from various vendors, such as Gemalto, Athena, or SafeNet. The affected library is included in the Yubico PIV Tool and in the YubiKey Smart Card Minidriver. I went through this article - 360015654560-Deploying-the-YubiKey-Minidriver-to-Workstations-and-Servers and this article 360013780779-Troubleshooting-No-Valid-Certificates-Were-Found-on-This-Smart-Card-but with no. Government Agency […] Yubico has started shipping the YubiKey 5 Series with firmware 5. This tool also serves as example code for using the Windows Smart Card Key Storage Provider to create self-signed certificate via the YubiKey Minidriver. Hence, if you know that your application will be running alongside Microsoft Windows machines using the YubiKey Minidriver, you should strongly consider adding support for setting YubiKeys to PIN-protected mode. YubiKey smart card minidriver. It looks like the latest versions of Windows insist on installing a Yubikey Minidriver, which ends up wrecking havoc on your ability to actually use a Yubikey as a signing device. To do so, you must import the certificate authority root certificate into all the device’s keystore. It especially focuses on administration of smart cards and PKI tokens. The YubiKey is a device that makes two-factor authentication as simple as possible. Type certmgr. macOS Native Smart Card Support for Logon with Windows Server. Click Yes when prompted. Windows Smart Card Specification Version 7. That's it. h. 06. The other issue is the changed USB smartcard reader driver in Server 2022. introduce 最初yubikeyが認識されなくてつまずきました。 Authentticatorアプリや、yubikey managerなどおいてあるアプリは全部インストールしてみてもダメ。NFCにかざすと反応はするので、壊れてはないよねえと思いつつ。 全然認識されないので、スマートカードを使うためにminidriverというドライバを. Additionally, you may need to set permissions for your user to access YubiKeys via the. It is not compatible with Windows on Arm (ARM32, ARM64) based. The Yubico minidriver will configure a YubiKey to PIN-protected mode. msi [ sig ] (2023-10-11) 5. 210-x64. 1. One or more domain controller(s) are missing certificates. It has both a graphical interface and a command line interface. On Veracrypt you need to go to tools > manage security token keyfile and create a keyfile on the Yubikey token. Inspecting the key in Yubikey manager, I saw that the PUK was locked. 1. It enables RSA or ECC sign/encrypt operations using a private key stored on a smart card through common interfaces like PKCS#11. Run: sudo add-apt-repository ppa:yubico/stable && sudo apt-get update. The YubiKey Minidriver is specifically for using the Yubikey as a smart card, which isn't what OP isn't trying to do. This will allow you to simply insert one key, remove, then insert the next, repeatedly until. YubiKey Manager is a cross-platform tool; it runs on Windows, macOS, and Linux. This is useful for deployments where the YubiKeys need to be provisioned from a central location, or replacement YubiKeys need to be generated for users who have locked their PIN. Step 3: Follow the prompts as presented by each operating system. If you installed the "minidriver" and there has been an Windows OS upgrade since it was installed, you may need to uninstall it, download the latest, and then re-install the minidriver:. The credential management tool replaces the default values by automatically setting a random value for the management key and PUK and allows the end user to define the PIN. The problem. It does this by storing the PIV management key in a PIN protected object and using the PIN to unlock the smart card. Authenticating with the YubiKey requires a touch to verify user presence, making it a secure solution that is also four times faster. 1 for Desktop, in which we added functionality for managing the FIDO/WebAuthn features of your YubiKey such as changing your PIN, or registering your fingerprint to a YubiKey Bio. It has five distinct sub-modules, which are all independent of each other and can be used simultaneously. Windows users with YubiKey-installed ECC EV code signing certificates should also install the YubiKey Minidriver to prevent compatibility issues. 2. Accelerating modern passwordless authentication initiatives using Citrix and multi-protocol hardware security keys. Click Yes when prompted. 1. Windows Smart Card Specification Version 7. PIV; smart card; YubiKey Manager; Protecting vulnerable organizations. NET 6 console application project; Download the latest yubico-piv-tool and run this command from the folder you extracted the PFX to. YubiKey 5C NFC. Check if the YubiKey is recognized by the system. 172-x64. Since you don’t need to buy another USB token every three years, the average per year for 9 years is $211. I can verify the keys work in other computers, that windows detects the keys correctly (5c and 5 nfc). ubuntu. For businesses with 500 users or more. YubiKey-Minidriver-4. Today, PIV smart card support also is available on the YubiKey 4. It also supports multiple accounts so your admins can use the same method to access privileged accounts as well as their normal user accounts really easily. PIV; smart card; YubiKey Manager; Proven at scale at Google. When a smart card is inserted into the reader and the Base CSP/KSP calls CardAcquireContext, the class minidriver performs the following discovery process to mark the associated card as either PIV- or GIDS-compliant: A SELECT command is issued to locate the PIV AID. I did notice that also the Microsoft USbccid smartcard read was added to the device manager when the Yubikey was connected. To do so, install the minidriver with the INSTALL_LEGACY_NODE=1 option set. If you have a Security Key, right-click on the Security Key by Yubico device and select Remove device. Configure your YubiKey for Smart Card applications. However, the Windows inbox smart card minidriver for PIV smart cards (Identity Device (NIST SP 800-73 [PIV])) uses the same compatible identifier. Yubikey 5 NFC for Smart Card login on a domain connected workstation console as well as user elevation on the workstations are both working without an issue. And I figure, well I might as well try flipping it. If your organization is still using legacy passwordless authentication using smartcards (x. generic. 1 card applets and profiles:Note: This article lists the technical specifications of the YubiKey 5C FIPS. Go to the “Local Resources” tab of the RDP client settings and click “More…” under “Local devices and resources”. Click -> Run. Display hidden devices. The certificate chain is not trusted. Here goes questions about the PHP class, the PAM module, the Java client library, and. If your test Windows system is running on a Virtual Workstation , please ensure YubiKey is connected using pass through mode instead of shared device mode. Top. The Yubico Developer's PIV page contains information and resources for developers on how to incorporate PIV logon into their own applications. websites and apps) you want to protect with your YubiKey. User Account Control (UAC) is displayed, click Yes. I also added Yubikey on user account: There is nor on-prem active directory, it is pure Azure AD with free licence. This talk will cover Yubikey provisioning and lifecycle management, authentication service configuration, integration with existing applications and account lifecycle. Authentication Methods configuration ADFS 2019 (YubiKey already enabled. During development of this release we started to feel limited by the existing technical architecture of the app as. 7. allowHID = "TRUE". Enable Azure AD Hybrid features. You can also use the tool to check the type and firmware of a YubiKey. VMware Horizon supports PIV-compatible smart card authentication. I have a strange situation. This allows for an easy to use, easy to deploy scalable implementation of strong multi-factor authentication across an entire organization utilizing the native Windows tools and the. For typical usage, you will want to memorize the PIN, and keep a copy of the PUK and Management keys in a secure location. The YubiKey 4 series can hold up to 32 OATH credentials and supports both OATH-TOTP (time based) and OATH-HOTP (counter based). If you have a YubiKey, right-click on the YubiKey device, and select Remove device. It will be listed under Smart Cards as YubiKey Smart Card Minidriver. After setting it to the default, the minidriver will be able to authenticate to the YubiKey. usb. . The Yubico minidriver will configure a YubiKey to PIN-protected mode. 1 - 2023/06/09. Further, duplicate the QR code and store it to use it as a backup. Windows – Double-click the Yubico-desktop-<version>. Click on Scan account QR-code, then scan the QR code from the internet page. 1 - 2023/06/09. 2. Click Next -> select Browse… -> save the file as bitlocker-certificate. 210-x64. Run: sudo add-apt-repository ppa:yubico/stable && sudo apt-get update. No connectivity needed! Features include: Secure - Hardware-backed strong two-factor authentication with secret stored on the YubiKey, not on the mobile device. Supported Algorithms: RSA 1024; RSA 2048; ECC P256; ECC P384; USB Interface: CCID. 82, a little less than Lindersoft’s option. For more information, see VMware's KB article on this. If you have that minidriver installed you can have the user change the PIN from the Windows change password screen instead of issuing a determined PIN. Re-installing the minidriver and leaving the default management. ” the minidriver is installed, if it is listed as a “NIST. But the decisive reason for me was the convenience of the size of the Yubikey. Using Windows' built-in enrollment process, provision the Yubikey as a Smart Card. Linux – See Linux Installation Tips. For more information on why this happens, please see The YubiKey as a Keyboard. Issues addressed:YubiKey Manager. Start with having your YubiKey (s) handy. The YubiKey PIV Manager application shows that all is well on the "smart card" end, with one certificate installed for BitLocker. Cross-platform application for configuring any YubiKey over all USB interfaces. YubiKeys implement the PIV specification for managing smart card certificates. 1. 172-x64. 1. Cause. I also added Yubikey on user account: There is nor on-prem active directory, it is pure Azure AD with free licence. Note: Some software such as GPG can lock the CCID USB interface, preventing another software from accessing applications that use that mode. Using the Yubikey Remotely. Currently, Yubikey Neo and Yubikey 4 do support PIV. Hi all, I want to add my Microsoft account to my Yubikeys. This applet is a simpler alternative to GPG for managing asymmetric keys on a YubiKey. Download and install the YubiKey Manager, YubiKey Smart Card Minidriver, and optionally Yubico Authenticator apps. On Windows, the smart card functionality can be enhanced with the YubiKey Smart Card Minidriver. The new YubiKey minidriver enables users to simply self-enroll using the native Windows GUI, and even manage their smart card PIN from Windows Ctrl+Alt+Del. Interface. Download Yubico Login for Windows 10 (32 bit) Yubico Login for Windows Configuration Guide. When I try to create the blcert using certreq –new blcert. I see that the minidriver completely changes how windows sees the smartcard, but wouldnt it be possible that both ways can be used in the following way: 1) the PIV Manager maintains the container map meeded for container mode on the Yubi properly 2) otherwise the slots work as normal when the card is accessed like a slot based card2. AnyConnect work if no or only one YubiKey is connected. As an example, Google's instructions for using YubiKeys with Android can be found here. OpenSC-0. As of the time of writing, some windows versions have issues using Yubikey after the system sleeps or any number of other events. Using the Yubikey Remotely. I think PIV/Smart card touch policy is defined on the YubiKey itself. msc in the Search programs and files box, and then press Enter. Are you saying that others have actually got it working in Core? Reply. generic. I managed to generate gpg keys on the device and sign Git commits all in PowerShell. For environments with just Windows PCs, the YubiKey Smart Card Minidriver and native Windows smart.