PS Batch YubiKey Config is a YubiKey batch configuration tool for the YubiKey Manager, written in PowerShell.
- Simple to use! Quickly program entire trays' worth of YubiKeys with YubiOTP, HOTP or TOTP seeds.
- The script exports a well-structured CSV file of seed values for easy import into Okta/Duo/Azure/etc.
- The script is completely offline and relies on no dependencies other than Yubico's own YubiKey Manager software.
- A friendly command line UI shows you how many YubiKeys you've programmed during your batch programming session.
- Full support for defining an administrative access code for each YubiKey, preventing users from reprogramming their devices.
- Runs on any operating system capable of running PowerShell (Windows, Linux, macOS).
- Requires the latest version of the YubiKey Manager.
- As a general rule of thumb, never run PowerShell scripts that you do not understand. Always feel free to review this script for yourself and ask questions in the form of a GitHub Issue.
- For safety, I recommend that you run this script on a machine that is disconnected from your network, taking care to delete the CSV file once you are done uploading it. This script does not require network access.
- For clarity on PowerShell's default script execution policies, please review the Microsoft documentation.
- Ensure the YubiKey Manager is installed.
- Launch `PS_Batch_YubiKey_Config.ps1`.
- Press Enter when prompted to select a location for the CSV file which will hold the OTP seeds.
- Choose whether or not to set an access code on the YubiKeys. (If yes, the access code will be set to the serial number of each YubiKey.)
- Insert the first YubiKey to program and press the [Enter] key to begin batch programming.
- To finish programming, press Control + C or close the PowerShell window. Throughout the session, the script appends to the CSV file that you defined.
- Upload the CSV file to the desired platform, then delete the CSV file from your machine.
- Ensure the YubiKey Manager is installed.
- Launch the .ps1 file with the hotp flag attached: `PS_Batch_YubiKey_Config.ps1 -hotp`
- Press Enter when prompted to select a location for the CSV file which will hold the OTP seeds.
- Choose whether or not to set an access code on the YubiKeys. The access code will be set to the serial number of each YubiKey.
- If you choose to set an access code, you will additionally be prompted for a location to store those access codes.
- Insert the first YubiKey to program and press the [Enter] key to begin batch programming.
- To finish programming, press Control + C or close the PowerShell window. Throughout the session, the script appends to the CSV file that you defined.
- Upload the CSV file to the desired platform, then delete the CSV file from your machine.
- Ensure the YubiKey Manager is installed.
- Launch the .ps1 file with the totp flag attached: `PS_Batch_YubiKey_Config.ps1 -totp`
- Press Enter when prompted to select a location for the CSV file which will hold the OTP seeds.
- Define the issuer name. As an example, if these are being set up for Microsoft Office 365, "Office 365" might be a good issuer name.
- Insert the first YubiKey to program and press the [Enter] key to begin batch programming.
- To finish programming, press Control + C or close the PowerShell window. Throughout the session, the script appends to the CSV file that you defined.
- Upload the CSV file to the desired platform, then delete the CSV file from your machine.
- After programming the YubiKeys for TOTP with Microsoft Azure, the CSV file will still lack your users' UPN information. Proceed accordingly.
- `-slot2`: YubiKeys will be programmed in their second slot rather than the default slot 1.
- `-hotp`: YubiKeys will be programmed with HOTP seeds rather than the default YubiOTP.
- `-totp`: YubiKeys will be programmed with TOTP seeds. (Users must use the Yubico Authenticator app to generate TOTP codes!)
- `-ignoreduplicates`: The script will not check whether a YubiKey has already been programmed during the session.
- `-whatif`: The script will not program YubiKeys and will instead write dummy data to the defined CSV file.
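As an added example (not the project's own script) of the per-key loop a batch programmer like this performs for the HOTP flow above: read the serial, generate the seed, program the chosen slot, optionally set the access code, then append the CSV row. It assumes `ykman` (the YubiKey Manager CLI) is on PATH, that the `ykman` flag names match your installed version, and that the slot access code is the serial zero-padded to 12 hex digits, since the page does not state how the project encodes it.

```powershell
# Added example, not the project's own script. Assumes ykman (the YubiKey Manager
# CLI) is on PATH; flag names are taken from ykman's help and should be checked
# against your installed version.
function ConvertTo-Base32 {
    # RFC 4648 base32 without padding; exact when the bit length is a multiple of 5 (e.g. 20 bytes)
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ($Bytes | ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join ''
    $out = ''
    for ($i = 0; $i + 5 -le $bits.Length; $i += 5) {
        $out += $alphabet[[Convert]::ToInt32($bits.Substring($i, 5), 2)]
    }
    return $out
}

function New-HotpKeyRecord {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet(1, 2)][int]$Slot = 1,   # the README's -slot2 flag corresponds to Slot 2
        [switch]$SetAccessCode
    )
    # Serial of the inserted key; 'ykman list --serials' prints one serial per line
    $serial = & ykman list --serials | Select-Object -First 1
    if (-not $serial) { throw 'No YubiKey detected' }
    $serial = "$serial".Trim()

    # 160-bit HOTP secret from the platform CSPRNG (works on Windows PowerShell 5.1 and PowerShell 7)
    $secret = [byte[]]::new(20)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($secret)
    $base32 = ConvertTo-Base32 $secret    # ykman otp hotp and IdP CSV imports both take base32

    # Assumption: the slot access code is 6 bytes (12 hex digits), so the decimal serial is
    # zero-padded to fit. The page does not say how the project encodes it.
    $accessCode = if ($SetAccessCode) { $serial.PadLeft(12, '0') } else { '' }

    # With -WhatIf, ShouldProcess returns $false: the device is untouched but a CSV row is still
    # produced (its secret lives on no key), mirroring the README's whatif behaviour.
    if ($PSCmdlet.ShouldProcess("YubiKey $serial, slot $Slot", 'Program HOTP seed')) {
        & ykman otp hotp --force $Slot $base32
        if ($LASTEXITCODE -ne 0) { throw "ykman failed on serial $serial" }
        if ($SetAccessCode) { & ykman otp settings --force --new-access-code $accessCode $Slot }
    }
    [pscustomobject]@{ serial = $serial; slot = $Slot; secret_base32 = $base32; access_code = $accessCode }
}

# One row per key; re-run (or loop) after swapping in the next YubiKey. Delete the CSV after upload.
New-HotpKeyRecord -SetAccessCode | Export-Csv -Path .\seeds.csv -Append -NoTypeInformation
```

Run it with `-WhatIf` first to confirm the CSV layout before touching real keys.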