We are using YK4's for PIV authentication for our Windows domain. However users are still required to change their domain password every 90 days. When they go to do this Windows allows you to change your smart card PIN. There are a couple of issues with this but the one that concerns me is that Windows allows users to setup a blank PIN. Surprisingly there aren't any Window's GPOs for PIN length and complexity. I was able to find this reg key that disables the ability to change the PIN via Windows which is really helpful in forcing users to use the Yubikey PIV manager. If your running Vista or 7 you must install the Hotfix as well (no reboot required). Windows 10 doesn't require anything but the reg key. Hope this helps someone else!
https://support.microsoft.com/en-us/kb/2808693 Regedit:
-----------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowSmartCardPinChangeAndUnblock"=dword:00000000
---------
Login
FAQ
Search
