Blog article

YubiOn FIDO Logon Client Software Installation Automation

With today's (2023/06/13) YubiOn FIDO Logon update, the YubiOn FIDO Logon registration code can now be set with the CLI tool. It is a very plain update, but it lets an administrator handle everything from automatic software distribution in an Active Directory environment to setting the registration code in one pass. This article shows how to do that.

This article is recommended for the following:

  • Those considering installing YubiOn FIDO Logon in an environment where Active Directory (or an MDM tool, etc.) is already in place.

  • Administrators who want to install the software and register the product on all machines at once.

Note that the method introduced below is only an example; depending on the settings of your AD environment, it may not be applicable as is. Adapt it to your environment's AD configuration and policy settings.


Silent Installation

First, automated software distribution. This was already possible before this update: since the client is a standard MSI installer, it supports automatic installation through AD policies and silent installation with command line options. A manual covering this was also prepared as part of this update, so please refer to it as well.


First, open "Group Policy Management" on the domain controller machine and create a new "Group Policy Object" (GPO) for the domain to be set.

Select "Edit..." from the right-click menu of the created GPO to open the Group Policy Management Editor, and open "Computer Configuration" - "Policies" - "Software Settings" - "Software installation".

Select "New" - "Package..." from the right-click menu, and a dialog for selecting a Windows installer package (MSI installer) will be displayed.

At this point, the selected file must be on a network share. The installation will also fail if the file cannot be read because of permission or authentication issues. For a trial, it is enough to share a directory on the DC machine, put the installer there, browse to that directory over the network, and select the installer. For an official rollout within an organization, place it in a location that matches the organization's operating practices.

Leave the option settings as default and click "OK" with "Assigned" selected.

The GPO is now created. Go back to the Group Policy Management window and link the GPO. This article applies it to the entire domain, but the link should also follow the organization's AD usage, such as linking it to an OU if necessary. Here, right-click on the domain and select "Link an Existing GPO...".

Select the GPO you just created and click "OK".

The setting is complete if the link to the GPO created earlier is generated directly under the domain. The YubiOn FIDO Logon client software will be installed automatically when you sign in to your domain account on a domain-joined machine.


Set Registration Code

Next, we configure the registration code to be set automatically, using the CLI tool added in this update. A new manual for it was also created, so please refer to it as well.


Here, the user's logon script runs the command for automatic registration. The assumed flow is that, after the registration code is set, the setup tool is launched so the user can register their logon key; the script therefore starts the setup tool only when setting the registration code succeeds.


First, prepare a batch file that carries out the above flow. For this article, create "fls_register.bat" on the DC desktop with the following contents. (Enter your registration code in the "XXXXX-XXXXX-XXXXX-XXXXX" part.)

"c:\Program Files\YubiOn\Fls\FlsCliTool\FlsCliTool.exe" register XXXXX-XXXXX-XXXXX-XXXXX
REM Exit code 0 means the registration code was set, so launch the setup tool
if %errorlevel% equ 0 (
	"c:\Program Files\YubiOn\Fls\FlsAdministrateTool\FlsAdministrateTool.exe"
)

The body of the "if" block is what runs when registration succeeds. In the example above it launches the YubiOn FIDO Logon configuration tool, but depending on the customer's flow it could instead launch security key setup (PIN or fingerprint settings, etc.). On Windows 11, security key setup can be started with the command "start ms-settings:signinoptions-launchsecuritykeyenrollment". (On Windows 10, the same command displays the "Sign-in options" screen.)


When this batch file is specified as a logon script, it is called at every logon. However, once the script has run and the registration code has been set, subsequent runs return an "already registered" error (return value: 10) and nothing further is executed.
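The same logon-script flow extended to handle each exit code the article mentions, as an added example that is not the article's own script: exit code 0 launches the setup tool, exit code 10 (already registered) exits quietly, and any other value is recorded as a failure. The installation paths and the "XXXXX-XXXXX-XXXXX-XXXXX" placeholder are the ones from the article; the log file location under %LOCALAPPDATA% is an assumption for this example.

```batch
@echo off
REM Added example (not the YubiOn article's script): logon script that sets the
REM YubiOn FIDO Logon registration code and branches on the CLI tool's exit code.
REM Exit codes taken from the article: 0 = success, 10 = already registered.
REM Any other value is treated as an unknown failure and written to a log file.
REM The log path is an assumption for this example; adjust it to your environment.

setlocal
set "FLS_CLI=c:\Program Files\YubiOn\Fls\FlsCliTool\FlsCliTool.exe"
set "FLS_ADMIN=c:\Program Files\YubiOn\Fls\FlsAdministrateTool\FlsAdministrateTool.exe"
set "REG_CODE=XXXXX-XXXXX-XXXXX-XXXXX"
set "LOGFILE=%LOCALAPPDATA%\fls_register.log"

REM Skip silently if the client software is not installed yet
REM (for example, the software-installation GPO has not applied on this machine).
if not exist "%FLS_CLI%" (
    echo %date% %time% %COMPUTERNAME% %USERNAME% FlsCliTool.exe not found, skipping>>"%LOGFILE%"
    exit /b 0
)

"%FLS_CLI%" register %REG_CODE%
REM Capture the exit code before any parenthesised block so it is not expanded early
set "RC=%errorlevel%"

if "%RC%"=="0" (
    echo %date% %time% %COMPUTERNAME% %USERNAME% registration code set>>"%LOGFILE%"
    REM "start" launches the setup tool without blocking the logon script
    start "" "%FLS_ADMIN%"
    exit /b 0
)

if "%RC%"=="10" (
    REM Already registered: nothing to do on subsequent logons
    exit /b 0
)

echo %date% %time% %COMPUTERNAME% %USERNAME% register failed, exit code %RC%>>"%LOGFILE%"
exit /b %RC%
```

Capturing the exit code into RC first avoids the cmd.exe pitfall where %errorlevel% inside a parenthesised block is expanded when the block is parsed rather than when it runs. Because the script runs in the signing-in user's context, the log is written to that user's profile, which gives a help desk a per-user record of why registration did or did not happen. As with the article's own script, the registration code sits in plain text in a file that every user applying the GPO can read, so handle the script file with that in mind.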


Once the batch file is ready, set it as a logon script. We add the logon script setting to the installation GPO created earlier. Select "Edit..." from the right-click menu of the GPO again to open the Group Policy Management Editor, and this time select "User Configuration" - "Policies" - "Windows Settings" - "Scripts (Logon/Logoff)".

Double-click "Logon" to open the Logon Scripts setting screen. Click "Add..." to open the Add Script window, then press the "Browse..." button to open a file selection dialog.

The file selection dialog opened here has a caveat. Rather than browsing to the batch file you created earlier, you need to copy that batch file into the default folder the dialog opens in. In this article the batch file was created on the desktop, so drag and drop it from the desktop into the file selection dialog.

After copying the file, click "Open" while the file is selected to confirm. Click "OK" on the Add Script window and "OK" on the Logon Properties window to complete the operation.


With the above settings, the specified batch file is executed at logon. Let's check how it works on an AD-joined PC.

When you log on with an AD-joined PC, the registration code is automatically set and the setting tool is started.


Summary

For YubiOn Portal as well as YubiOn FIDO Logon, we have received many requests and consultations about installing the software in bulk, especially from medium- and large-scale customers. YubiOn Portal already provides a mechanism for batch registration as part of PC kitting, and with this update YubiOn FIDO Logon also supports automatic setup wherever PC management such as an AD environment is available, giving customers more options.


Please feel free to contact us through the contact form if you would like to discuss deployment.
