Configure PIN Policy

This policy setting configures the requirements for PIN usage.

If you enable this policy setting, the default application behavior will be overriden.

The PIN Requirement Policy setting will only be shown for the certificate slots listed. These certificate slot identifiers are supported:
9a - Authentication
9c - Digital Signature
9d - Key Management
9e - Card Authentication

When the PIN Requirement Policy is set to a value other than "Slot defaults", the PIV standard for when the PIN is required for using a particular slot will be overridden.

Non-zero PIN expiration interval causes a timestamp to be written when the PIN is changed, and to force a PIN change after the specified number of days.

If you disable or do not configure this policy setting, slot-specific PIN policy will not be configurable through the UI.


Supported on: At least Windows Vista


Registry HiveHKEY_CURRENT_USER
Registry PathSoftware\Yubico\YubiKey PIV Manager
Value Namepin_policy_slots
Value TypeREG_MULTI_SZ
Default Value
PIN Requirement Policy:


  1. User-defined
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Yubico\YubiKey PIV Manager
    Value Namepin_policy
    Value TypeREG_DWORD
    Value
  2. Slot defaults
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Yubico\YubiKey PIV Manager
    Value Namepin_policy
    Value TypeREG_SZ
    Valuedefault
  3. Never
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Yubico\YubiKey PIV Manager
    Value Namepin_policy
    Value TypeREG_SZ
    Valuenever
  4. Once
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Yubico\YubiKey PIV Manager
    Value Namepin_policy
    Value TypeREG_SZ
    Valueonce
  5. Always
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Yubico\YubiKey PIV Manager
    Value Namepin_policy
    Value TypeREG_SZ
    Valuealways

Enforce complex PINs and PUKs
Registry HiveHKEY_CURRENT_USER
Registry PathSoftware\Yubico\YubiKey PIV Manager
Value Namecomplex_pins
Value TypeREG_SZ
Default Valuefalse
True Valuetrue
False Valuefalse
PIN expiration interval (days):

Registry HiveHKEY_CURRENT_USER
Registry PathSoftware\Yubico\YubiKey PIV Manager
Value Namepin_expiration
Value TypeREG_DWORD
Default Value0
Min Value
Max Value1096
Derive the Management Key from PIN
Registry HiveHKEY_CURRENT_USER
Registry PathSoftware\Yubico\YubiKey PIV Manager
Value Namepin_as_key
Value TypeREG_SZ
Default Valuefalse
True Valuetrue
False Valuefalse

yubikey.admx