Thanks for the clarification. I think this was one of those cases of reading what you want to see.  Smart card vs SD card.

So I see the device is enabled in the Ports section of the BIOS, but I do not see any errors in the device manager.  Not sure if I have already installed this, but not clear where it should show in device manager.  Can you help?

You're very welcome.

Unfortunately, I don't know where to look, and most of the time the device does not show up unless you insert a SD card or a CAC.

Actually your are right.  When I pull the SD card the device just goes away.

Common Access Card is a smart card issued by the US Department of Defence. The latest CACs - perhaps all current CACs - conform to the Personal Identity Verification (PIV; FIPS 201) standard.

There are other smart cards used in various systems. For example, you can use most built in smart card readers with a PGP card if you choose to carry PGP credentials in that format.

I carry my personal certificate for S/MIME e-mail and my PGP credentials in a Yubikey NEO; it is much more convenient for me to use a USB device rather than require smart card readers on all the systems I use. The Yubikey also supports U2F (the security key standard used by Google and other companies on the web), is a secure store for OTP credentials that are used for two-factor authentication on many web sites (the sort that are issued as a QR code and result in a 6 or 8 digit number) and has a proprietary one time password system used by web sites such as LastPass for two factor authentication.

There are relatively few private individuals who use smart cards with computers, though most bank cards are now smart cards.

As you rightly note, Paul, the various card readers tend to disconnect from the system when no card is inserted, so it is often necessary to insert a card to update the drivers.

David, your reply is extremly helpful and relevant (along with your reply to my other post). 

I am not a true IT person, but manage the computers for a small company(12) and have a small number working remote over VPN.  I am looking for a physical device that I can use that will basicly make the computer useless unless connected.  Unfortunaly I fear thier loss by the user.  

I have spent a few minutes reading up on the terms in your reply and have seen the YupiKey in the past.  Just got overwhelmed.  Maybe 2 questions please.

Is the PC useable without the key or is the key just storing passwords and credentials?

Does this have anything to do with encrypting the device? 

You can do so many different things with a YubiKey.

My applications for these devices are all about securing trusted credentials used once the system is up and running. However, you can use the smart card functionality of all the current YubiKeys other than the U2F only key (that's the 4 series, NEO and the FIPS range) to secure all manner of services and applications including VPN applications. You can also login to Windows via smart card if you have the right back-end infrastructure.

If you have a Windows Server, this has all the software you need to set up a local certificate authority and authentication infrastructure for certificate authentication of users (including authentication of other services using RADIUS - notably including login to Wi-Fi networks). However, this is a fairly complex thing to do correctly, especially when it comes to securing the root certificate of the certificate authority and ensuring the purposes of your certificate authority are appropriately constrained so as not to introduce security risks.

If you do not already have a Windows domain to which all devices authenticate by password, there are further steps to go through, including upgrading all devices with Windows 10 Home to Windows 10 Pro (domain join is unavailable in the Home version of Windows). If you want to be secure, you should be using Windows 10 Pro with BitLocker or another disk encryption solution in any event.

There are ways to do the server end of all this without a Windows Server, but these typically involve the use of open source software that is not easy to configure correctly, such as FreeRADIUS and Samba.

Creating user certificates on YubiKeys is definitely a good move as part of introducing certificate based authentication. The PIN that protects the certificate is kept on a secure element; after so many incorrect PIN entries, the certificate is put beyond use and a new one needs to be issued.

I wish it was as simple as buy a bunch of YubiKeys and hand them out. If you want an overview of what is involved, read Yubico's white paper on smart card deployment, though be aware that this assumes you already have - or know how to set up - a Windows Active Directory domain.

Thanks for this info.

We do have R2008R2 and Win 7Pro, but I am hoping to upgrade all to 2016 And 10Pro or Ent in the spring.  At first glance, with my understanding and percieved depth, seems like I should roll these in together.

If it was me, I'd move to Windows Server 2016 (or whatever version is current come the Spring) and Windows 10 Pro on one client computer, then buy a couple of YubiKeys and experiment with certificate based authentication.

If you get all this right, it will solve a lot of headaches - though don't forget to make some provision for scenarios when the Windows Server is unavailable. One possibility is to use Azure and ADFS to give you a level of redundancy in the cloud; there are undoubtedly other approaches.