Yubico Forum
https://forum.yubico.com/

Prevent Windows Smart Card PIN change option
https://forum.yubico.com/viewtopic.php?f=23&t=2495
Page 1 of 1

Author:  dnbrown [ Fri Dec 02, 2016 8:17 pm ]
Post subject:  Prevent Windows Smart Card PIN change option

We are using YK4's for PIV authentication for our Windows domain. However users are still required to change their domain password every 90 days. When they go to do this Windows allows you to change your smart card PIN. There are a couple of issues with this but the one that concerns me is that Windows allows users to setup a blank PIN. Surprisingly there aren't any Window's GPOs for PIN length and complexity. I was able to find this reg key that disables the ability to change the PIN via Windows which is really helpful in forcing users to use the Yubikey PIV manager. If your running Vista or 7 you must install the Hotfix as well (no reboot required). Windows 10 doesn't require anything but the reg key. Hope this helps someone else!

https://support.microsoft.com/en-us/kb/2808693

Regedit:
-----------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowSmartCardPinChangeAndUnblock"=dword:00000000

---------

Attachments:
WindowPINChange.jpg
WindowPINChange.jpg [ 38.7 KiB | Viewed 957 times ]

Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/