Recovering from USB device driver is still in memory / USB Composite Device has error (Code 38)

Something you don’t often think about is how many devices you plug into your computer …….. until you plug-in a device and it doesn’t show up or interact as expected. This post details how I recovered from such a situation so I can find it next time, and hopefully it also helps others recover quickly, rather than the numerous dead-ends I went through to fix the problem.

My Situation

I’ve been evaluating a number of different YubiKey’s recently and out of the blue they stopped being recognised. Below is a message from the YubiKey Manager indicating that there is no device inserted (when in actual fact there is).

Insert YubiKey

To prove the point, plugging in two YubiKey’s informs me I should only have one at a time.

Insert only one YubiKey

Going into Device Manager and selecting Show hidden devices reveals the plethora of USB devices I’ve previously inserted into my computer.

Yubikey Device Manager Properties

Looking into the USB Composite Device‘s with the warning symbols reveals

Windows cannot load the device driver for this hardware because a previous instance of the device driver is still in memory. (Code 38)

USB Composite Device Manager

The Fix

After trying numerous different avenues, this is how I repaired the issue and got up and running again.

Navigate to Windows => Settings => Update and Security => Troubleshoot => Run the troubleshooter

Hardware Troubleshooter.PNG

The troubleshooter will detect the USB Composite Device has error for the devices being problematic. Select one and continue.

USB Composite Devices has error

Select Apply this fix

Apply Fix

Repeat for other USB Composite Device has error errors. Then Restart the computer.

Restart PC

After Restart you should be back in action like I was.

YubiKey Manager - Success.PNG

Hope this helps someone else, and will help me find it next time too.

 

Enrolling and using both Microsoft Authenticator and a YubiKey Physical Token with Azure MFA

Microsoft have just announced the Public Preview for Hardware OATH Tokens such as the Yubico YubiKey with Azure MFA. In this very long and graphic heavy post I show the end-to-end setup and use of a YubiKey physical token from Yubico as a Multi-Factor Authentication (MFA) second factor authentication method to Azure AD/Office 365.

Specifically I detail;

  • the user experience using a YubiKey Hardware Token with Azure MFA
  • the administrator configuration process for admin enabled YubiKey physical tokens for use with Azure MFA
  • a user enrolling a YubiKey physical token as an additional method for use with Azure MFA
  • switching second-factor authentication methods when authenticating to Azure AD / Office 365

For the process I show here;

  • the Admin account I’m using to do the configuration is a Global Admin
  • the user I’m enabling the token for
    • is assigned an Enterprise Mobility + Security E3 license
    • is enabled for MFA
    • was enrolled in MFA using the Microsoft Authenticator App.

Authenticating to Azure AD/Office 365 with a YubiKey for MFA

Before I get into the configuration and setup, here is the resulting process when complete. When authenticating to Azure AD/Office 365 I’m prompted for my Username and Password.

Using YubiKey Token Azure MFA 1

Then I’m prompted for my YubiKey One Time Password (OTP). With the key inserted in my computer ……

Laptop Yubikey Azure MFA.jpg

… and the Yubico Authenticator open, the Yubico Authenticator displays the OTP that I can copy and paste the password into the Login Code Window.

Note: The Yubico Authenticator will only display the OTP code for the appropriately configured YubiKey which it is inserted into the same computer running the Yubico Authenticator.

Admin Enabled OATH TOTP Token Assignment

In order to enable physical tokens for use with Azure MFA an Azure Administrator must configure token assignments for users in the Azure Portal. Like other functionality we’ve seen during Public Preview (such as Azure B2B) the method to configure these assignments is uploading a CSV with the necessary information. Hopefully we don’t have to wait too long for a Microsoft Graph/PowerShell Module to complete this step.

CSV Format

The CSV Format is shown below in raw and from VSCode. Essentially token assignment assigns a token to a UPN. The upload will fail if you don’t specify a valid UPN for your tenant.

Note: The header row must be present and don’t use quotes. 

upn,serial number,secret key,timeinterval,manufacturer,model
YubiKey@darren.customer.com.au,9876543,PFXXKIDENFSG4J3UEB2GQ2LONMQGSJ3EEB2XGZJAMEQHEZLBNRWHSIDTMVRXEZLUEBSGSZBAPFXXKPY=,30,YubiKey,HardwareKey

File Format.PNG

The file is uploaded via the Azure Active Directory => MFA Server => OATH Tokens configuration option. Once you’ve selected Upload and provided the file, the File upload is in-progress dialog is displayed. Select Refresh.

Uploaded for Processing

After successfully uploading the CSV and hitting the Refresh button we have the token assignment for the user.

Successfully Uploaded

In order to Activate the token you will need to have the Yubico Authenticator Application installed and the YubiKey token configured. That process is shown in the next section below. Once that is complete select Activate from the screen above and enter the OTP code displayed in the Yubico Authenticator for the token enrolled with the associated user.

Enrolling a YubiKey Physical Token with Azure MFA

With a hardware token associated with a user in Azure MFA the user can now enroll with that option. Head to Additional security verification options under the user’s profile and choose Setup Authenticator app

Enrol YubiKey Token Azure MFA 1

The following option will be displayed. Select the link for Configure app without notifications Enrol YubiKey Token Azure MFA 2

A slightly modified QR Code will be presented. Enrol YubiKey Token Azure MFA 3

Open the Yubico Authenticator Application and with the YubiKey inserted in the workstation from the File menu select Scan QR Code. The Yubico Authenticator App will magically scan the QR code and configure the credential in the Authenticator App. Select Save Credential.  Enrol YubiKey Token Azure MFA 4

Verification is required. Select Verify nowEnrol YubiKey Token Azure MFA 5

Copy and paste the OTP into the text box and select VerifyEnrol YubiKey Token Azure MFA 6

We now have the 3rd MFA method enrolled (Phone, Microsoft Authenticator and YubiKey with Yubico Authenticator). Select Save.

Enrol YubiKey Token Azure MFA 7

As I now have multiple methods registered and my latest method I just registered is now the default I have to re-verify the new method. Select Verify preferred option.

Enrol YubiKey Token Azure MFA 8

Copy and paste the OTP code into the text box and select Verify.

Enrol YubiKey Token Azure MFA 9

Verified. Update is successful. Select Close.

Enrol YubiKey Token Azure MFA 10

Back in the MFA Server OATH tokens Admin console for the associated user, select Activate and enter the current OTP code displayed in the Yubico Authenticator.

Successfully Uploaded

The token can now be used for MFA as shown at the beginning of this post.

Multiple MFA Methods – Switching MFA Methods

As I already had the Microsoft Authenticator Application registered as an MFA method before I enrolled the physical token I now have multiple methods enrolled. The primary is the token which is fine when using a laptop but as an iPhone user, NFC isn’t an option with YubiKey v5 yet as NFC Write is not enabled on iOS.

On logon after providing my username and password I’m prompted for MFA and I can select Sign in another way

Sign In Another Way

This then provides me with my other enrolled methods and top of the list is the option for Microsoft Authenticator

Sign In Another Way 2

Selecting the Microsoft Authenticator App option I am prompted on my Microsoft Authenticator App for MFA rather than using the primary method of the YubiKey with the Yubico Authenticator. I select Approve and I’m authenticated.

Changing Primary Method

With multiple methods enrolled at some point you may need to change your primary method. Back in the Additional security verification options for the user the default method can be updated. The key bottom two options are;

  • Notify me through app
    • for me this is the Microsoft Authenticator App
  • Use verification code from app
    • this is the Yubico Authenticator with the YubiKey enrolled

Change Primary Method.PNG

Summary

Microsoft Azure MFA now supports OATH TOTP Hardware Tokens. Compatible tokens can be registered by an Azure Administrator and assigned to users.

Hardware Tokens can be enrolled to a users profile in addition to other methods (phone call, SMS, Microsoft Authenticator).

Now what would be nice would be via Conditional Access the ability to specify the MFA Factor. e.g. If accessing Application X the only accepted MFA Method is physical token.

Validating a Yubico YubiKeys’ One Time Password (OTP) using Single Factor Authentication and PowerShell

Multi-factor Authentication comes in many different formats. Physical tokens historically have been very common and moving forward with FIDO v2 standards will likely continue to be so for many security scenarios where soft tokens (think Authenticator Apps on mobile devices) aren’t possible.

Yubico YubiKeys are physical tokens that have a number of properties that make them desirable. They don’t use a battery (so aren’t limited to the life of the battery), they come in many differing formats (NFC, USB-3, USB-C), can hold multiple sets of credentials and support open standards for multi-factor authentication. You can checkout Yubico’s range of tokens here.

YubiKeys ship with a configuration already configured that allows them to be validated against YubiCloud. Before we configure them for a user I wanted a quick way to validate that the YubiKey was valid. You can do this using Yubico’s demo webpage here but for other reasons I needed to write my own. There wasn’t any PowerShell examples anywhere, so now that I’ve worked it out, I’m posting it here.

Prerequisites

You will need a Yubikey. You will need to register and obtain a Yubico API Key using a Yubikey from here.

Validation Script

Update the following script to change line 2 for your ClientID that  you received after registering against the Yubico API above.

Running the script validates that the Key if valid.

YubiKey Validation.PNG

Re-running the submission of the same key (i.e I didn’t generate a new OTP) gets the expected response that the Request is Replayed.

YubiKey Validation Failed.PNG

Summary

Using PowerShell we can negate the need to leverage any Yubico client libraries and validate a YubiKey against YubiCloud.