Trouble getting Yubikey hardware tokens setup


I have followed the process here:

The last step of the process says "The CSV log output from the tool can be then imported into Defender."

When I Open AD users and computers, defender menu, and click import, it doesn't specify CSV as a format.
when I manually select the CSV file It tells me "The selected file was unable to be opened. Please ensure that you have selected a valid file and have entered the correct key."

I tried entering the private key in to the key but that didn't help.

When I opened the csv file the content didn't really look right either:


4799605 {secretKey} {TxtoathMovingFactorSeed}


It seems weird to me that it says {secretKey} instead of the secret key...

I have tried manually editing the file myself changing the placeholder {secretkey} and {txtoathmovingfactorseed] with their actual values, but it didn't help.

Has anyone else done this process before? Any tips?

  • Hi,

    To import Yubikeys, Defender needs the file in the following format

    Token serial number, 160-bit Secret, Moving factor seed value

    As an example, the CSV file should look something like this:


    Once the file is generated, you can import through ADUC. Defender menu | Import Tokens | Click Browse | Select "All files" on the dropdown, and point in the CSV file | Click Open | Leave the "Key" blank | Click Next

    This part of the KB, unfortunately appears to be incorrect:

    "Using the “YubiKey Personalization Tool”, on the settings tab set the Log configuration output to "Flexible Format", using "{serial} {secretKey} {TxtoathMovingFactorSeed}"

    Looking at the Yubikey help for the Flexible format:

    "With the flexible logging format the format can be specified manually, this is done by adding a number of variables enclosed in {}, newline and tab can be added with variables endl and tab. Currently supported variables are: eventType, timestampLocal, configSlot, pubIdTxt, pvtIdTxt, secretKeyTxt, secretKeyB64, currentAccessCodeTxt, currentAccessCodeTxtPadded, newAccessCodeTxt, newAccessCodeTxtPadded, hotpDigits, oathMovingFactorSeed, strongPw1, strongPw2, sendRef, chalBtnTrig, hmacLT64, timestampFixed, oathFixedModhex1, oathFixedModhex2, oathFixedModhex, tokenLength, serial, endl, tab"

    Then possibly the below should be correct (I haven't got a configurable Yubikey to test with at the moment)


    Thanks, Karl.
  • In reply to Karl.Hindle:

    Hi Karl,

    You have explained the issue with the Yubikey Personalization tool CSV export. It looks like at some stage after the KB article Yubikey must of split {secretKey} in to {secretKeyTxt} or {secretKeyB64}

    The second problem I had (which seems obvious now) is that I still had the Yubikey Personalization tool left open (which locks access to the csv file so I couldn't then import it in the Defender Import Wizard...

    Thanks for your help it is appreciated!