Background
If you attempt to enroll the YubiKey and receive a Windows Security error stating “The smart card is read-only,” the YubiKey Smart Card Minidriver is either not installed or not being detected correctly. This article describes the troubleshooting steps for this case, both when enrolling locally and when enrolling within a remote session using a protocol such as RDP.
Local Enrollment
- Download and install the latest version of the YubiKey Smart Card Minidriver.
- Remove and reinsert the YubiKey.
- Open Command Prompt.
- Run: certutil -scinfo
- Verify that the Card value near the beginning of the output shows YubiKey Smart Card or similar.
If the card is still detected incorrectly, there may be other issues with the device or driver installation. Common troubleshooting steps for device installation issues are listed below.
- Uninstalling and reinstalling the minidriver.
- In Device Manager, showing hidden devices and removing all Smart Card objects. This will force device reinstallation the next time you insert the YubiKey.
- Using 3rd-party driver management software such as DriverStoreExplorer, forcing uninstallation of the minidriver, and then reinstalling it.
Remote Enrollment
First, follow the steps in the Local Enrollment section above to ensure that your local computer is using the YubiKey Smart Card Minidriver, then proceed to the steps below if you are still experiencing the read-only error.
- Remote in to the destination server (using RDP, etc.).
- Open Services and ensure that the Plug and Play service is Running, and has a Startup Type of Automatic.
- Log out of the remote session, then log back in.
- Open Command Prompt.
- Run: certutil -scinfo
- Verify that the Card value near the beginning of the output shows YubiKey Smart Card or similar.
If the issue persists, try installing the minidriver via our .MSI installer from this page, using an msiexec command that includes the INSTALL_LEGACY_NODE=1 property/value. See below for an example, and Deploying the YubiKey Minidriver to Workstations and Servers for additional information.
msiexec /i YubiKey-Minidriver-4.1.1.210-x64.msi INSTALL_LEGACY_NODE=1 /quiet
Note: You may want to set the Plug and Play service to automatically start on all servers you will remote into via GPO. Having this set ahead of time helps to avoid the need to manually trigger the driver.
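The checks from the Local Enrollment and Remote Enrollment steps can be scripted in PowerShell; the following is an added example, not Yubico's own tooling. It assumes certutil -scinfo prints the card name on a line of the form "Card: <name>" and that the Plug and Play service's name is PlugPlay; the function names and the sample output are constructed for illustration.

```powershell
# Added example, not part of the original article or Yubico's tooling.
# Assumption: certutil -scinfo prints each card name as "Card: <name>".

function Get-SmartCardName {
    param([string[]]$ScInfoLines)
    # Emit every "Card:" value; leading dashes/spaces are output indentation.
    foreach ($line in $ScInfoLines) {
        if ($line -match '^[\s-]*Card:\s*(\S.*?)\s*$') { $Matches[1] }
    }
}

function Test-MinidriverInUse {
    param([string[]]$ScInfoLines, [string]$Expected = 'YubiKey Smart Card')
    $cards = @(Get-SmartCardName -ScInfoLines $ScInfoLines)
    [pscustomobject]@{
        Cards           = $cards
        MinidriverInUse = [bool]($cards | Where-Object { $_ -like "*$Expected*" })
    }
}

function Get-PlugPlayState {
    # Win32_Service reports StartMode 'Auto' for a Startup Type of Automatic.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='PlugPlay'"
    [pscustomobject]@{
        State     = $svc.State
        StartMode = $svc.StartMode
        Ok        = ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')
    }
}

# Constructed sample output (not captured from a real system).
$good = @('Readers: 1', '--- Reader: Example Reader 0', '---   Card: YubiKey Smart Card')
$bad  = @('Readers: 1', '--- Reader: Example Reader 0', '---   Card: Example Generic Card')
Test-MinidriverInUse -ScInfoLines $good   # MinidriverInUse = True
Test-MinidriverInUse -ScInfoLines $bad    # MinidriverInUse = False

# Live check on the local machine or inside the remote session.
# Dismiss any PIN prompt that appears; only the Card line is needed here.
if ($env:OS -eq 'Windows_NT') {
    Get-PlugPlayState
    $live = & certutil.exe -scinfo 2>&1 | ForEach-Object { "$_" }
    Test-MinidriverInUse -ScInfoLines $live
}
```

If the card name on your system differs slightly ("or similar" above), pass the observed name with -Expected.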