Main Page: YubiKey Smart Card Deployment Guide
TABLE OF CONTENTS
This page details using the Windows native interface with the Yubico Minidriver to manage the PIN and PUK on the YubiKey PIV function. For users on Linux or macOS, YubiKey Manager should generally be used, although note that in macOS, the Terminal command sc_auth changepin can be used to change the PIN.
Setting the PIN
Once a YubiKey is registered, the user’s PIN should be changed if the default value (123456) is still set. Once the user has logged into his account, he can change the PIN of a YubiKey connected to his system as follows:
Use Ctrl+Alt+Del to enter the lock screen.
Select Change a Password from the options presented.
The user is prompted to enter the current PIN, as well as the new PIN.
Press Enter to commit the new PIN.
By default, the user PIN is blocked when three consecutive incorrect PINs have been entered. The PIN Unblock Code (PUK) is used for unblocking the User PIN. If both the PIN and the PUK are blocked, the YubiKey must be reset, which deletes any loaded certificates and returns the YubiKey to a factory default state.
The YubiKey Minidriver will block the PUK if it is set to the factory default value. Once the PUK is blocked, it cannot be used unless the PIV applet is reset. To use the PUK, it must be first set with the YubiKey Manager before using the YubiKey Minidriver to load or modify certificates on the YubiKey PIV Applet.
If using the YubiKey Manager, the command below will prompt the user to set a new PUK value:
ykman piv change-puk
The current and new values for the PUK should be entered in alphanumeric text. These values are not automatically recorded, and should be noted for future use.
When unblocking the PIN via the Windows 7 logon interface, Windows requires the PIN unblock code (PUK) to be typed in as hexadecimal digits. This means that if your PUK is 12345678, to unlock a pin through the Windows UI, you must type the ASCII hex-encoded bytes of the PUK string (in this case, the unlock code would be 3132333435363738). Refer to an ASCII chart (for example, www.asciitable.com) to encode a PUK in hexadecimal.
To unblock the user PIN:
With the YubiKey inserted, attempt to log in at the Windows login screen. When the PIN is blocked, the “change a password” screen is displayed. The following screenshot is an example using Windows 10.
Select the checkbox for Unblock smart card.
On Windows 7 enter the PUK in the Response field in hexadecimal format.. (example: the default value of 12345678 in hexadecimal format is 3132333435363738)
For Windows 8 and above and Server 2012 and up, the PUK can be entered as normal text in the PIN Unblocking field.
In the New PIN and Confirm PIN fields, enter a new, properly formatted PIN, and then press Enter.
Remove and then reinsert the YubiKey, and test the new PIN to verify you can access the account.
Note: To enable this function, the "Allow Integrated Unblock screen to be displayed at the time of logon" Group Policy Object must be set. This setting is located in:
Computer Configuration > Administrative Templates > Windows Components > Smart Card