Yubico / yubikey-piv-manager

Tool for configuring your PIV-enabled YubiKey
https://developers.yubico.com/yubikey-piv-manager/
GNU General Public License v3.0

YubiKey 4 issues with Windows 10 Creators Update (Version 1703) #24

Closed petrsnd closed 7 years ago

petrsnd commented 7 years ago

If I open YubiKey Piv Manager (1.4.2) on Windows 10 CU, then insert my YubiKey 4, everything works great the first time. It recognizes the YubiKey and allows me to initialize it. However, if I remove the key and try to do it again, YubiKey PIV Manager (1.4.2) fails to recognize the key.

I get the following message in the YubiKey PIV Manager UI: YubiKey not found

yubico-piv-tool.exe returns the following:

> .\yubico-piv-tool.exe -astatus
Failed to connect to reader.

I can get YubiKey PIV Manager to recognize the key again if I follow these steps:

  1. Leave the YubiKey 4 inserted
  2. Leave YubiKey PIV Manager (1.4.2) open
  3. Open up Windows Device Manager
  4. Navigate to "Smart card readers"
  5. Find the "Microsoft Usbccid Smartcard Reader (WUDF)" device that was added by Windows, and right click to "Uninstall device"
  6. Remove the YubiKey 4
  7. Reinsert the YubiKey 4
  8. Voilà! YubiKey 4 is recognized and I can work with it.

Another interesting thing is that after following the process described above, when you reinsert the YubiKey 4, ever so briefly you see a device appear under "Smart card readers" called "YubiKey 4 OTP+U2F+CCID". This eventually disappears only to be replaced by "Microsoft Usbccid Smartcard Reader (WUDF)" again. It is seemingly present long enough for YubiKey PIV Manager (1.4.2) to get started interacting with the key.

yubico-piv-tool.exe also works after following the process above.

After I remove the key, it won't work again unless I repeat the steps above to uninstall the device before plugging it back in.

petrsnd commented 7 years ago

More information. If you enable viewing hidden devices in Windows Device Manager, you can see additional information about what might be wrong.

From the Windows Device Manager Menu: "View" => "Show hidden devices"

This is what you see when you have inserted the card and it was not recognized (notice the light grey). [screenshot: smartcard missing]

If you follow the steps I posted to delete the smart card reader to try again, you'll see this: [screenshot: smartcard found]

The PIV smart card is not being found by the operating system. This means I might have trouble trying to use the YubiKey 4 as a smart card to authenticate to a web application or for a domain login. So, I'm not sure this is only a YubiKey PIV Manager problem...

When I remove the YubiKey 4: [screenshot] all turn grey in Windows Device Manager.

When I plug the YubiKey 4 back in, only the first two come back as shown in the first image above.

petrsnd commented 7 years ago

I have verified the same behavior on a Dell Precision 5510 and a Dell Precision M3800. I will try an HP laptop later today.

petrsnd commented 7 years ago

I reproduced the same issue on an HP Spectre x360 running Windows 10 Home CU (1703).

I know this is likely a Windows driver issue, but I experienced it while running YubiKey PIV Manager. I didn't know where else to file the issue to make you aware that YubiKey 4s are not working for PIV on Windows 10 CU.

dagheyman commented 7 years ago

Thanks for the detailed report! We are looking into it. Could you try doing .\yubico-piv-tool.exe -astatus -v2 when the key is not recognised, and paste the output here?

petrsnd commented 7 years ago

@dagheyman

> .\yubico-piv-tool.exe -astatus -v2
error: SCardEstablishContext failed, rc=8010001d
Failed to connect to reader.

SCARD_E_NO_SERVICE 0x8010001D The smart card resource manager is not running.

So for whatever reason the key insertion is not triggering this service to start?

resource manager The module of the smart card subsystem that manages access to multiple readers and smart cards. The resource manager identifies and tracks resources, allocates readers and resources across multiple applications, and supports transaction primitives for accessing services available on a given card.

petrsnd commented 7 years ago

[screenshot: TriggerStart] I opened the Services snap-in and found that the Smart Card service is not running. Manually started this service and it works...

> .\yubico-piv-tool.exe -astatus
CHUID:  3019d4e739da739ced39ce739d836858210842108421384210c3f5341078c2d72b2f70c4b3f5214ccdb7211ebe350832303330303130313e00fe00
CCC:    f015a000000116ff020ccbacb8870cbb32b23714e3329cf10121f20121f300f40100f50110f600f700fa00fb00fc00fd00fe00
PIN tries left: 3

petrsnd commented 7 years ago

> sc.exe qtriggerinfo SCardSvr
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: SCardSvr

        START SERVICE
          DEVICE INTERFACE ARRIVAL     : 50dd5230-ba8a-11d1-bf5d-0000f805f530 [INTERFACE CLASS GUID]
        START SERVICE
          DEVICE INTERFACE ARRIVAL     : 121d8161-866d-4a24-ba58-9058940c0d47 [INTERFACE CLASS GUID]
        START SERVICE
          NETWORK EVENT                : bc90d167-9470-4139-a9ba-be0bbbf5b74d [RPC INTERFACE EVENT]
            DATA                       : c6b5235a-e413-481d-9ac8-31681b1faaf5
        START SERVICE
          NETWORK EVENT                : bc90d167-9470-4139-a9ba-be0bbbf5b74d [RPC INTERFACE EVENT]
            DATA                       : D09BDEB5-6171-4A34-BFE2-06FA82652568:F2ADD560-EB85-4170-82A2-A48E789690CD

killerog commented 7 years ago

Hello,

Lately I've been having issues with the authenticator application, and then I noticed this topic. This sounds very much like what I experienced, but maybe I should open an issue in that other repo instead?

dagheyman commented 7 years ago

I managed to reproduce this with a YubiKey 4 and a NEO on a fresh Creators Update VM. I get the same behaviour that you describe. Can't reproduce it on Anniversary Edition (build 14393).

DanPeterson commented 7 years ago

@dagheyman Microsoft bug?

R-Adrian commented 7 years ago

try adding 'SeLoadDriverPrivilege' to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\RequiredPrivileges, reboot and see if it helps. make sure you don't delete any of the existing rights there, just add to the existing list.

The permission system was a bit re-arranged in Creators and MS broke practically all [radio] modems until you (or microsoft) patches the registry like this: https://answers.microsoft.com/en-us/windows/forum/windows_10-networking/dial-up-error-633-wbuild-15063-1703-creators-pro/2c5b280e-e246-4105-b8e6-58e413d2668e

and since it's a driver-loading issue i suspect that the same 'fix' applies in this case too.

dagheyman commented 7 years ago

@Aditza2015 Thanks for the suggestion! It doesn't seem to help at my end though. Actually it makes it slightly worse (?), after the registry change, the fix to do Uninstall device on the Smart card reader, doesn't seem to have any effect anymore.

@DanPeterson

Microsoft bug?

Could be. Do you have any more luck with the above workaround?

R-Adrian commented 7 years ago

and an update: this is probably happening because in Creators there will be a different svchost.exe process for EACH separate service.

if you look at running processes with taskmgr or sysinternals Process Explorer you'll notice that in Creators each service runs in its own separate svchost process while in Anniversary edition it uses a shared svchost for multiple services.

This process isolation has advantages because each process is assigned only the security privileges that it actually requests and can't leech privileges from other services that are run in the same svchost.

The downside is that missing but needed privileges that used to be leeched/inherited from other services are creating issues like this missing-driver bug.

try adding to SCardSvr more privileges from the list at: https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx

it probably also needs some of: SeTrustedCredManAccessPrivilege SeImpersonatePrivilege SeCreatePermanentPrivilege

and as a last attempt: SeTcbPrivilege (=act as part of the Operating System)

probably one of these or others on that MSDN list will help

20170614 edit: marked with strike-through the above paragraph.. the proper solution is a bit lower down the thread.

dagheyman commented 7 years ago

Thanks for the insights. Leaving the two original privileges in there and adding all the privileges you suggested gives a list like this for SCardSvr:

SeChangeNotifyPrivilege
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeCreateSymbolicLinkPrivilege
SeCreateTokenPrivilege
SeDebugPrivilege
SeEnableDelegationPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeLockMemoryPrivilege
SeMachineAccountPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRelabelPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSyncAgentPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTcbPrivilege
SeTimeZonePrivilege
SeTrustedCredManAccessPrivilege
SeUndockPrivilege
SeUnsolicitedInputPrivilege
SeTrustedCredManAccessPrivilege
SeImpersonatePrivilege
SeCreatePermanentPrivilege
SeTcbPrivilege

Unfortunately it doesn't seem to have any effect, the card doesn't show up in device manager at all (only the reader).

R-Adrian commented 7 years ago

hmm.. what if you add 'SeLoadDriverPrivilege' to the ScDeviceEnum service instead of SCardSvr service? (restore SCardSvr to have only the original 2 permissions too)

dagheyman commented 7 years ago

The last one seemed to do the trick!

So to reiterate, workaround seems to be:

Add SeLoadDriverPrivilege to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ScDeviceEnum\RequiredPrivileges, reboot.

R-Adrian commented 7 years ago

and the conclusion is: it's another Microsoft bug with Creators Update... just as with the [radio] modems breaking Dial Up networking, they forgot to allow the Smart Card device enumeration service to actually load the drivers it needs.

petrsnd commented 7 years ago

@dagheyman I verified that this workaround fixed the issue for me. So, have you filed a bug with Microsoft to get this fixed?

I'm certainly happy with the workaround for now, but it would be nice to be sure that customers will have their PIV card recognized out of the box.

petrsnd commented 7 years ago

Run as Administrator in Powershell:

> Set-ItemProperty "HKLM:\System\CurrentControlSet\Services\ScDeviceEnum" RequiredPrivileges @("SeCreateGlobalPrivilege", "SeTcbPrivilege", "SeChangeNotifyPrivilege", "SeImpersonatePrivilege", "SeTakeOwnershipPrivilege", "SeSecurityPrivilege", "SeLoadDriverPrivilege")

Use the script below...

R-Adrian commented 7 years ago

imho you should not blindly overwrite the entire privilege list because Microsoft might also add a different privilege, for a different purpose, via a patch.

best way would be to 1) first read the currently active privileges, 2) check if the list contains SeLoadDriverPrivilege 3) if it doesn't, then add to the end of the list that was read at step 1

this way you preserve the full list of the original manufacturer-assigned privileges

dagheyman commented 7 years ago

@DanPeterson

I verified that this workaround fixed the issue for me. So, have you filed a bug with Microsoft to get this fixed?

Great that it's verified. I managed to file a report in the "Feedback Hub" inside Windows, I guess you could go there and upvote it. Here is the link (paste in explorer.exe): feedback-hub:?contextid=74&feedbackid=93d6694e-28cc-4282-b1b2-79cccf64f784&form=1&src=1 Shortlink: https://aka.ms/fr4t81

petrsnd commented 7 years ago

@Aditza2015 Yeah... I was being lazy. :blush:

Run as Administrator in Powershell:

$v = (gp "HKLM:\System\CurrentControlSet\Services\ScDeviceEnum" RequiredPrivileges).RequiredPrivileges; if (-not ($v -contains "SeLoadDriverPrivilege")) { $v += "SeLoadDriverPrivilege"; sp "HKLM:\System\CurrentControlSet\Services\ScDeviceEnum" RequiredPrivileges $v }

R-Adrian commented 7 years ago

https://support.microsoft.com/en-gb/help/4022716/windows-10-update-kb4022716

June 27, 2017—KB4022716 (OS Build 15063.447)

  • Addressed issue where, after upgrading to Windows 10 RS2, modem dial-up fails with Error 633.
  • Addressed issue where the smartcard service (sccardsvr.exe) stops periodically and never restarts when the smart card application attempts to access the cards.

the manual work-around should no longer be needed after the update.

Vilican commented 6 years ago

Update: I'm using Windows, build 15063.483, however, the issue still persists.

R-Adrian commented 6 years ago

did you try adding 'SeLoadDriverPrivilege' to the ScDeviceEnum service?

Vilican commented 6 years ago

@Aditza2015, Yes, I used the PowerShell script a few posts above, but it didn't work.

Vilican commented 6 years ago

Sorry, it worked, but I had set a card reader name in the settings. It is OK.

unixninja92 commented 6 years ago

I can confirm this is fixed in 15063.608(possibly earlier). While/before that update was installing I tried using the reg edit fix (adding SeLoadDriverPrivilege) and once the 608 update had installed this additional reg value broke the Smart Card service. Removing the value fixed it again.
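An added example (not code from this thread or from Yubico) that implements R-Adrian's read-check-append suggestion for ScDeviceEnum and can also undo it, since unixninja92 reports the extra value breaking the Smart Card service once 15063.608 was installed. The 15063.608 threshold is taken from that report and treated as an assumption; the registry paths are the ones used in the thread.

```powershell
# Added example (not from this thread or from Yubico): idempotently add or remove
# SeLoadDriverPrivilege on the ScDeviceEnum service, preserving every other entry
# Microsoft put in RequiredPrivileges. Run from an elevated PowerShell, then reboot.

$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ScDeviceEnum'
$Privilege  = 'SeLoadDriverPrivilege'
# Build at which this thread reports the bug fixed (unixninja92: 15063.608) and
# the extra privilege breaking the Smart Card service; treated as an assumption here.
$FixedBuild = [version]'10.0.15063.608'

function Get-OsBuildVersion {
    # CurrentBuildNumber plus UBR (update build revision) gives e.g. 15063.608
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return [version]"10.0.$($cv.CurrentBuildNumber).$($cv.UBR)"
}

function Get-RequiredPrivileges {
    # REG_MULTI_SZ comes back as string[]; @() keeps it an array even with one entry
    return @((Get-ItemProperty -Path $ServiceKey -Name RequiredPrivileges).RequiredPrivileges)
}

function Set-LoadDriverWorkaround {
    param(
        [ValidateSet('Add', 'Remove')][string]$Action = 'Add',
        [switch]$Force   # apply the Add even on a build that should not need it
    )
    $build = Get-OsBuildVersion
    if ($Action -eq 'Add' -and $build -ge $FixedBuild -and -not $Force) {
        Write-Warning ("Build $build is at or past $FixedBuild; the workaround is reported " +
                       "unnecessary there and to break SCardSvr. Use -Force to apply anyway.")
        return
    }
    $current = Get-RequiredPrivileges
    $present = $current -contains $Privilege
    if ($Action -eq 'Add') {
        if ($present) { Write-Host "$Privilege already present; nothing to do."; return }
        $new = $current + $Privilege              # append to the end, never overwrite
    } else {
        if (-not $present) { Write-Host "$Privilege not present; nothing to do."; return }
        $new = @($current | Where-Object { $_ -ne $Privilege })
    }
    # Save the original list so the change can be audited or reverted by hand
    $backup = Join-Path $env:TEMP "ScDeviceEnum-RequiredPrivileges-$(Get-Date -Format 'yyyyMMddHHmmss').txt"
    $current | Set-Content -Path $backup
    Set-ItemProperty -Path $ServiceKey -Name RequiredPrivileges -Value ([string[]]$new) -Type MultiString
    Write-Host "RequiredPrivileges now: $((Get-RequiredPrivileges) -join ', ')"
    Write-Host "Original list saved to $backup. Reboot so ScDeviceEnum starts with the new token."
}

# Usage:
#   Set-LoadDriverWorkaround                  # add; refused on builds >= 15063.608 unless -Force
#   Set-LoadDriverWorkaround -Action Remove   # undo once a cumulative update has fixed the bug
```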

johndavies24 commented 6 years ago

My experience, with multiple yubikeys on multiple computers, is that the PIV manager recognizes the yubikey the first time it is plugged in and then never again. No suggestions in this thread have solved this problem. This has been tested in version 1703 build 15063.674 and subsequently in version 1709 build 16299.19. All with the same outcome.

Yubico support has suggested the following steps:

However, the windows update package KB4041676 does not exist on the machine that is fully updated to the newest feature update and all additional update packages. This update package is present on another computer that I tested this stuff on, this computer is still running version 1703. I guess I'll try what @unixninja92 said and remove this reg edit fix and see if it works again.

johndavies24 commented 6 years ago

Nope

johndavies24 commented 6 years ago

After a long conversation with yubico the solution (for me, at least) was stupid easy. The yubikey PIV manager fills in a setting field for the "Card reader name". Delete whatever it fills in here (mine was saying "nano") and make sure it is empty like in my screenshot. Everything works now. Edit: I likely somehow named it nano; it didn't reproduce in a fresh environment. Whatever, it works now.

[screenshot: piv_solution]

emlun commented 6 years ago

@johndavies24 Glad you got it working, thanks for sharing!

fabiopbx commented 6 years ago

Every time I update Windows this happens :(

I've tried all of the above, maybe someone can point me in the right direction? Can't login or sign emails, any ideas?

[screenshot of the error message]

R-Adrian commented 6 years ago

that message usually means that the certificate is no longer recognized.

unfortunately i'm in the same boat, since the YubiKey Smart Card driver arrived with Fall Creators Update and replaced the default PIV driver, Adobe Reader DC is no longer recognizing the Yubikey as valid for signing documents and the certificate(s) from the key don't even appear anymore under Internet Options -> Content -> Certificates

I have already tried to enable them via Group Policy.... no luck there either. :(

[screenshot: smart_card_gpo]

shanselman commented 6 years ago

It's now April of 2018 and I'm (we) are still hitting this. I am starting to feel like YubiKeys on Windows aren't a viable or robust option.

R-Adrian commented 6 years ago

i still cannot get the smart card certificates to show up in the personal certificates at all, on both the desktop and the laptop.

i tried:

The certificates are recognized as present by the Yubico PIV Manager... but they are simply ignored by Windows.

R-Adrian commented 6 years ago

and an update: i managed to make it work again by blacklisting the Yubico minifilter driver, i went back to using the standard windows driver (Identity Device NIST SP 800-73 PIV) https://forum.yubico.com/viewtopic948b.html?p=9916

  1. Open Device Manager, locate and right-click YubiKey Smart Card (under Smart cards) and select Uninstall Device (mark Delete the driver software for this device).

Block re-installation from Windows Update:

  1. type: gpedit.msc
  2. Browse to Local Computer policy, Computer Configuration, Administrative Templates, System, Device Installation, Device Installation restrictions.
  3. Double-click Prevent installation of the devices that match any of these device IDs
  4. Click Enabled, Show Contents, click ADD, in the ADD item fields type: SCFILTER\CID_59756269b657934 SCFILTER\CID_59756269b657934e454f7233 Click OK,
  5. Exit gpedit.msc
  6. gpupdate /force
  7. re-insert the key.

R-Adrian commented 6 years ago

another note: that trick only works on Windows 10 1709 edition.

on Windows 10 1803 build 17133.73 (windows insider build) the driver prevention trick from above still works but certificate propagation from card to the OS is not happening. I can't use the certificates on 1803 :( [screenshot: yubico-201804]

emlun commented 6 years ago

Hi @shanselman and @Aditza2015,

I'm afraid there doesn't seem to be much we can do here to help you. Please open a support ticket and they'll do what they can to help.

R-Adrian commented 6 years ago

update: i forced a windows version upgrade to build 17134.1, using minifilter driver v3.7.0.152 too, and smart card certificates are propagating normally now. Seems that one was a bug in the 17133.x edition. (or Remote Desktop-related, see the issue referenced below)

fabiopbx commented 6 years ago

For all with issues, I have for the longest time had issues with windows simply not being able to see the certificates in the cards while PIV manager saw them fine, this caused my outlook and windows login to stop working. After trying too many of the above suggested fixes what normally fixes this is editing the registry:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Yubikey NEO Smart Card
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Yubikey 4 Smart Card

and change the value of the key '80000001' to 'C:\Windows\System32\msclmd.dll' instead of the yubico driver, I say normally because at some point it goes back to default :( removed the driver still gets installed at some point even tho I said no...

I am running windows build preview (fast track) but i have had this problem long before the updates.... Hope it helps anyone :)

R-Adrian commented 6 years ago

don't use a full path there, the default OS value has no path, just a file name, for good reason: "C:\Windows\SysWOW64\msclmd.dll" is a different binary than "C:\Windows\System32\msclmd.dll"

fabiopbx commented 6 years ago

indeed, the default one, the yubico one does not contain any path, just the dll name, this does work for me as described above however, wrong or not :D

@Aditza2015

pbatard commented 6 years ago

There's a typo in @R-Adrian driver prevention policy. One of the Hardware IDs, the one for a Yubikey 4, is listed as:

However, it should be:

In other words, it is missing a 6 before b. The other ID (for Yubikey Neo) is correct.

NB: If you want to make sure that you filter the right ID, just open Device Manager, then select the Yubikey Smart Card and copy the value from Hardware IDs on the Details tab:

[screenshot: Hardware IDs in Device Manager]

Unfortunately, it looks like this typo has also made it into the official Minidriver post on the forum...

R-Adrian commented 6 years ago

(if you look closely to my post, you'll see it also has the URL to that forum post... unfortunately i "inherited" the typo from the forum.)

pbatard commented 6 years ago

I see that you edited your post, but unfortunately it appears you did exactly the opposite of what was needed... Currently, it appears that, instead of fixing the typo with SCFILTER\CID_597562696b657934 by adding a '6' before the 'b', you introduced a new typo in SCFILTER\CID_597562696b657934e454f7233 by removing the '6' before the 'b' there. So now, both the IDs are wrong... ouch!

As per the screenshot I attached above, BOTH the IDs will begin with SCFILTER\CID_597562696b657934 and it's 62696b, NOT 6269b. Thanks!

Oh, and by the way, for people who do not want to go through the ordeal of having to filter driver installation, does anybody have any idea how one is supposed to reference an Authenticode code signing certificate stored on a Yubikey 4 or Neo, when using signtool.exe? Without the minidriver, all you had to do was "signtool sign /v /sha1 <SHA-1 of the signing cert> ...", but with the new minidriver, you always run into the "The smart card cannot perform the requested operation or the operation requires a different smart card" message when trying to do that.

I certainly hope I just haven't managed to figure out how to do just that, because if it turns out that the new minidriver is going to prevent people from using a Yubikey as a safe vault for code signing credentials, then this is a major feature regression as far as I'm concerned...

emlun commented 6 years ago

@pbatard Have you tried bringing your questions to Yubico Support?

pbatard commented 6 years ago

Good point. I had been trying to bring it up on the forum, only to realize that the forum had been closed for new posts, so I didn't push further. And I was waiting to see if someone would reply to that question on this tracker. But seeing that it hasn't happened, I will open a support ticket for this when I get a chance.

pbatard commented 5 years ago

Okay, thanks to the very reactive people @ Yubico Support, I finally managed to figure out how to get my Yubikey to work as an Authenticode signing device, with the new Minidriver.

I'm going to document the steps that worked for me, so that they can hopefully help others in the same situation. This is done from a Windows 10 (1803) platform and assumes that you have your .pfx along with its password available:

  1. If you added Local Group Policy driver installation filtering as per above, make sure to remove it.
  2. If the Windows Update Minidriver is installed (Yubikey Smart Card Minidriver under Settings > Apps & features) make sure to uninstall it. According to Yubico support, this is an old driver that should not be used.
  3. (Without any Yubikey plugged in) install the latest Smart Card Minidriver, which can be downloaded from here (YubiKey Minidriver 3.7.0.152 at the time of this post). Basically, just unzip the file, right click on the .inf and select Install.
  4. Download the latest Yubikey Manager from here to reset your Yubikey (which is basically the only way I found to remove existing code signing credentials, as mine seemed to ask for a management key that I didn't have to delete them in PIV Manager, even though I had set the PIN as the management key). In order to reset the key:
    • Go to the location where Yubikey Manager is installed (e.g. C:\Program Files\Yubico\YubiKey Manager) and open a command prompt.
    • Run the command ykman piv reset. Of course, you will lose ALL data you have stored on the key.
    • Open PIV Manager, which will detect that the key has been reinitialized, and ask you to set a PIN. Do so.
  5. (As per this document) Open Regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider.
  6. Create two new DWORD (32-bit) Value keys there:
    • AllowPrivateExchangeKeyImport
    • AllowPrivateSignatureKeyImport
  7. Set the value of both these keys to 1
  8. Navigate to the directory where you have your .pfx (e.g. My Credential.pfx) and issue the following command:
    • certutil -csp "Microsoft Base Smart Card Crypto Provider" -importpfx "My Credential.pfx"
  9. You will be prompted first for your .pfx password, then for the Yubikey's PIN, and, after a while, certutil should report: CertUtil: -importPFX command completed successfully.
  10. Unplug and replug your key
  11. If you open PIV Manager, you should be able to confirm that it reports that You have 1 certificate(s) loaded. You will however see that this certificate appears under Authentication and not Digital signature (which is fine).
  12. If needed, in PIV Manager, export the certificate as .crt so that you can access its SHA-1, which is the value listed if you open the CRT under Details > Thumbprint (e.g. 0123456789abcdef0123456789abcdef01234567)
  13. You can now reference that SHA-1 with SignTool, using a command such as
    • "C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\signtool" sign /v /sha1 0123456789abcdef0123456789abcdef01234567 /fd SHA256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp myapp.exe

There you have it. I sure wish all these steps had been detailed on the Yubico forums, and especially the 2 registry keys, because that's information I only managed to get from support.

Oh, and I should also mention one last important point. If you used a relatively recent version of Firefox to retrieve the PFX you got from your Authenticode provider, you may want to read on this issue, and especially the openssl commands to convert the credentials you exported to a .pfx that certutil will be happy about. Else you may get a 0x80092002 (-2146885630 CRYPT_E_BAD_ENCODE) error...

And yeah, these are a lot of steps (and pitfalls) just to reacquire a capability that used to take one convenient step to achieve in PIV Manager...

mike-mclaren commented 5 years ago

Wanted to say thank you, lots of good info in this thread. We were having similar issues to the above and struggled a bit trying to find a solution. The cards were always recognized, but any changes we made to the cards (new certs, etc.) were not. In fact, we removed all the yubikey certs from the windows store, created new certs on the yubikey, and when we plugged the key back in, the old certs showed back up.

Eventually we stumbled upon this bit all the way at the bottom of the page here: https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html

"For the application to be usable in windows the object CHUID (Card Holder Unique Identifier) has to be set and unique. The card contents are also aggressively cached so the CHUID has to be changed if the card contents change."

I couldn't figure out which "card contents" it was talking about, but generating a new CHUID fixed it. New certs loaded in to windows and everything was well.

Command:
yubico-piv-tool -a set-chuid -k

Hope that helps someone, cheers.
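An added example (not code from this thread or from Yubico) that decodes the CHUID hex string `yubico-piv-tool -a status` prints, using the CHUID petrsnd pasted earlier in the thread as sample input, so the field `set-chuid` regenerates (the GUID, which is what gives Windows a new cache key) is visible. The tag layout is the NIST SP 800-73 CHUID structure; the function names are my own.

```powershell
# Added example (not from this thread or from Yubico): decode the CHUID hex that
# `yubico-piv-tool -a status` prints, so you can see which field `set-chuid` replaces.
# Tag layout follows NIST SP 800-73: 0x30 FASC-N, 0x34 GUID, 0x35 expiration date
# (ASCII YYYYMMDD), 0x3E issuer asymmetric signature, 0xFE error detection code.

$ChuidTags = @{
    0x30 = 'FASC-N'; 0x34 = 'GUID'; 0x35 = 'ExpirationDate'
    0x3E = 'IssuerSignature'; 0xFE = 'ErrorDetectionCode'
}

function ConvertFrom-HexString {
    param([Parameter(Mandatory)][string]$Hex)
    $Hex = $Hex -replace '\s', ''
    if ($Hex.Length % 2 -ne 0) { throw 'Odd-length hex string' }
    [byte[]]$bytes = for ($i = 0; $i -lt $Hex.Length; $i += 2) {
        [Convert]::ToByte($Hex.Substring($i, 2), 16)
    }
    return ,$bytes     # the leading comma stops PowerShell unrolling the array
}

function ConvertFrom-Chuid {
    param([Parameter(Mandatory)][string]$Hex)
    $bytes  = ConvertFrom-HexString $Hex
    $fields = [ordered]@{}
    $pos = 0
    while ($pos + 1 -lt $bytes.Length) {          # need at least tag + length
        $tag = [int]$bytes[$pos]; $len = [int]$bytes[$pos + 1]; $pos += 2
        if ($pos + $len -gt $bytes.Length) { throw ('Tag 0x{0:X2} overruns the buffer' -f $tag) }
        # Empty values are legal (0x3E and 0xFE are empty on a YubiKey). Guard the
        # slice: $a[$p..($p-1)] would silently return a reversed two-element range.
        $value = if ($len -gt 0) { [byte[]]($bytes[$pos..($pos + $len - 1)]) } else { [byte[]]@() }
        $pos += $len
        $name = if ($ChuidTags.ContainsKey($tag)) { $ChuidTags[$tag] } else { 'Tag{0:X2}' -f $tag }
        if ($name -eq 'ExpirationDate') {
            $fields[$name] = [System.Text.Encoding]::ASCII.GetString($value)
        } else {
            $fields[$name] = ($value | ForEach-Object { '{0:x2}' -f $_ }) -join ''
        }
    }
    return $fields
}

# Sample input: the CHUID line petrsnd pasted earlier in this thread
$sample = '3019d4e739da739ced39ce739d836858210842108421384210c3f5341078c2d72b2f70c4b3f5214ccdb7211ebe350832303330303130313e00fe00'
ConvertFrom-Chuid $sample | Format-Table -AutoSize
```

Comparing the GUID field before and after `yubico-piv-tool -a set-chuid` shows whether the card now presents a different identity to the Windows smart card cache.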