This ADMX administrative template allows administrators to easily deploy configuration of the YubiKey Smart Card Minidriver through Active Directory Group Policy or Microsoft Intune. It can also be used on standalone computers to unlock some features of the YubiKey Minidriver that are disabled by default, like controlling the touch policy or blocking the generation of unsafe keys (ROCA).
These are the YubiKey Minidriver settings that can currently be configured, with their default values highlighted:
- Configure touch policy for new keys
- Never
- Always
- Cached
- Enable ROCA mitigation
- Enable debug logging
- Debug log verbosity
- Level 0 - Card module methods only
- Level 1 - Errors and warnings
- Level 2 - Informational
- Level 3 - Full APDU tracing
- Debug log verbosity
- Block PUK on Management Key upgrade
- Disable automatic BaseCSP cache management
- Enable card management key
- Configure device key refresh
- 300 seconds
- Disable support for the Always Prompt PIN
- Disable automatic fingerprint prompt
- Configure User PIN cache policy
- Normal
- Timed
- None
- Always prompt
- Configure External PIN cache policy
- Normal
- Timed
- None
- Always prompt
- Configure PIN cache timeout
- 60 seconds
The settings are on par with the 4.6.3.252 version of the Minidriver, released on May 21, 2024. Note that some settings are only applicable to devices that support slot metadata (YubiKey 5.2.7+).
Just copy the ADMX and ADML files into the local or central ADMX store.
Thanks to the awesome open-source community, the template has been translated into the following languages:
- English
- French
- Italian
If you want to contribute with a new localization, you can create a language-specific copy of the en-US ADML file.
The ADMX template is based on the following official document: