This article covers pre-provisioning the YubiKey's PIV function with a known PUK (PIN unblocking key) and management key for use with the YubiKey Smart Card Minidriver.
First, download the latest version of YubiKey Manager here and install it. After installation, open an elevated CMD, PowerShell or Windows Terminal session and change to YubiKey Manager's installation directory. This is most likely "C:\Program Files\Yubico\YubiKey Manager" but could be "C:\Program Files (x86)\Yubico\YubiKey Manager" if you installed 32-bit YubiKey Manager on 64-bit Windows.
Initialize the YubiKey to prep for certificate enrollment by running:
ykman piv objects generate chuid
Change the PIN by running:
ykman piv access change-pin -P <current PIN> -n <new pin>
If a default PUK is detected during the first enrollment using the YubiKey Smart Card Minidriver, the Minidriver will block the PUK for security (since its value is well-known). If you wish to enable PIN unblocking via PUK, change the PUK from its default value prior to performing the first enrollment. Change the PUK by running:
ykman piv access change-puk -p <current puk> -n <new puk>
By default, if the Minidriver detects a default management key during first enrollment, it will upgrade it to a secure, random value protected by the PIN. We don't recommend changing the management key after it has been upgraded to a secure random value. Since the management key is now a random value protected by the PIN, if the PIN/PUK is blocked, any attempt to use the management key will fail, essentially requiring that the YubiKey's PIV application be reset.
Change the management key by running the following. YubiKey Manager should offer to use the default MK value so you don't need to type it manually. If it doesn't, or if using the default value results in an error, try resetting the YubiKey's PIV application and then try again.
ykman piv access change-management-key -P <PIN> --protect --new-management-key <management key>
To change the management key after it has been upgraded by the Minidriver, run the following.
ykman piv access change-management-key -P <PIN> --protect --new-management-key <management key>
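The pre-provisioning steps above (CHUID, PIN, PUK, management key) combined into one PowerShell script, as an added example that is not part of the original article or Yubico's tooling. It assumes a freshly reset PIV application with the factory PIN (123456), PUK (12345678) and management key, that the current directory is the YubiKey Manager installation directory, and hypothetical helper names (New-RandomBytes, New-RandomDigits, New-RandomHex, Invoke-Ykman); the -m option supplies the current management key instead of answering ykman's prompt.

```powershell
# Added example, not Yubico's script. Assumes a freshly reset PIV application
# (factory PIN, PUK and management key) and that the current directory is the
# YubiKey Manager install directory; PowerShell needs the .\ prefix for ykman.exe.
$ErrorActionPreference = 'Stop'
$DefaultPin = '123456'
$DefaultPuk = '12345678'
$DefaultKey = '010203040506070801020304050607080102030405060708'

function New-RandomBytes([int]$Count) {
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $buf = New-Object byte[] $Count; $rng.GetBytes($buf); return $buf }
    finally { $rng.Dispose() }
}
function New-RandomDigits([int]$Length) {
    # Discard bytes >= 250 so each digit 0-9 is equally likely (no modulo bias).
    $digits = ''
    while ($digits.Length -lt $Length) {
        $b = @(New-RandomBytes 1)[0]
        if ($b -lt 250) { $digits += [string]($b % 10) }
    }
    return $digits
}
function New-RandomHex([int]$ByteCount) {
    return -join (New-RandomBytes $ByteCount | ForEach-Object { $_.ToString('x2') })
}
function Invoke-Ykman([string]$Step, [string[]]$Arguments) {
    # Report the step name only, so PIN, PUK and key values never reach error text.
    & .\ykman.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "ykman step '$Step' failed (exit code $LASTEXITCODE)" }
}

$NewPin = Read-Host 'New PIN for this YubiKey (6-8 characters)'
if ($NewPin.Length -lt 6 -or $NewPin.Length -gt 8) { throw 'PIN must be 6-8 characters' }
$NewPuk = New-RandomDigits 8   # random 8-digit PUK
$NewKey = New-RandomHex 24     # 24-byte management key as 48 hex characters

Invoke-Ykman 'generate chuid' @('piv','objects','generate','chuid','-m',$DefaultKey)
Invoke-Ykman 'change PIN' @('piv','access','change-pin','-P',$DefaultPin,'-n',$NewPin)
Invoke-Ykman 'change PUK' @('piv','access','change-puk','-p',$DefaultPuk,'-n',$NewPuk)
Invoke-Ykman 'change management key' @('piv','access','change-management-key',
    '-P',$NewPin,'--protect','-m',$DefaultKey,'--new-management-key',$NewKey)

# Emit the values to escrow; send them to your secret store, not to a console log.
[pscustomobject]@{ Puk = $NewPuk; ManagementKey = $NewKey }
```

Values passed as command-line arguments are visible in process listings while ykman runs; ykman prompts for any PIN, PUK or key left off the command line, which avoids that when provisioning interactively.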