Revised EA cmdlet. Still requires PIN (may be SDK issue).

Author: JMarkstrom

.gitignore

@@ -364,3 +364,4 @@ FodyWeavers.xsd
 /.vscode/launch.json
 /powershellYK.psd1
 /.cursorrules
+/Docs/Cookbook/Set-BIO-random-PIN.ps1

Module/Cmdlets/FIDO2/EnableYubikeyFIDO2EnterpriseAttestation.cs

@@ -3,7 +3,7 @@
 /// Enterprise attestation (EA) allows the YubiKey to provide detailed device information
 /// during FIDO2 authentication, which can be useful for enterprise deployments.
 /// Requires a YubiKey capable of Enterprise Attestation and administrator privileges on Windows.
-/// Note: Enterprise attestation cannot be disabled without resetting the FIDO2 applet.
+/// Note: Enterprise attestation is only disabled when resetting the FIDO2 applet.
 /// 
 /// .EXAMPLE
 /// Enable-YubiKeyFIDO2EnterpriseAttestation
@@ -25,26 +25,23 @@
 
 namespace powershellYK.Cmdlets.Fido
 {
-    [Cmdlet(VerbsLifecycle.Enable, "YubiKeyFIDO2EnterpriseAttestation", SupportsShouldProcess = true, ConfirmImpact = ConfirmImpact.High)]
+    [Cmdlet(VerbsLifecycle.Enable, "YubiKeyFIDO2EnterpriseAttestation")]
     public class EnableYubikeyFIDO2CmdletEnterpriseAttestation : PSCmdlet
     {
         // Initialize processing and verify requirements
         protected override void BeginProcessing()
         {
-            // Connect to FIDO2 if not already authenticated
-            if (YubiKeyModule._fido2PIN is null)
+            // Connect to a YubiKey if not already connected
+            if (YubiKeyModule._yubikey is null)
             {
-                WriteDebug("No FIDO2 session has been authenticated, calling Connect-YubikeyFIDO2");
-                var myPowersShellInstance = PowerShell.Create(RunspaceMode.CurrentRunspace).AddCommand("Connect-YubikeyFIDO2");
+                WriteDebug("No YubiKey selected, calling Connect-Yubikey...");
+                var myPowersShellInstance = PowerShell.Create(RunspaceMode.CurrentRunspace).AddCommand("Connect-Yubikey");
                 if (this.MyInvocation.BoundParameters.ContainsKey("InformationAction"))
                 {
                     myPowersShellInstance = myPowersShellInstance.AddParameter("InformationAction", this.MyInvocation.BoundParameters["InformationAction"]);
                 }
                 myPowersShellInstance.Invoke();
-                if (YubiKeyModule._fido2PIN is null)
-                {
-                    throw new Exception("Connect-YubikeyFIDO2 failed to connect FIDO2 application.");
-                }
+                WriteDebug($"Successfully connected");
             }
 
             // Check if running as Administrator
@@ -57,19 +54,39 @@ protected override void BeginProcessing()
         // Process the main cmdlet logic
         protected override void ProcessRecord()
         {
+            // Create a FIDO2 session with the YubiKey
             using (var fido2Session = new Fido2Session((YubiKeyDevice)YubiKeyModule._yubikey!))
             {
-                // Set up key collector for PIN operations
-                fido2Session.KeyCollector = YubiKeyModule._KeyCollector.YKKeyCollectorDelegate;
-                fido2Session.AuthenticatorInfo.Options!.Any(v => v.Key.Contains(AuthenticatorOptions.ep));
-                if (!(fido2Session.AuthenticatorInfo.Options!.Any(v => v.Key.Contains(AuthenticatorOptions.ep))) || fido2Session.AuthenticatorInfo.GetOptionValue(AuthenticatorOptions.ep) == OptionValue.False)
+                // Check if enterprise attestation is supported
+                if (!fido2Session.AuthenticatorInfo.Options!.Any(v => v.Key.Contains(AuthenticatorOptions.ep)))
                 {
                     throw new Exception("Enterprise attestation not supported by this YubiKey.");
                 }
-                if (ShouldProcess("Enterprise attestion cannot be disabled without resetting the FIDO2 applet.", "Enterprise attestion cannot be disabled without resetting the FIDO2 applet.", "Disable not possible."))
+                
+                // Check if enterprise attestation is already enabled
+                if (fido2Session.AuthenticatorInfo.GetOptionValue(AuthenticatorOptions.ep) == OptionValue.True)
+                {
+                    WriteWarning("Enterprise attestation is already enabled on this YubiKey.");
+                    return;
+                }
+                
+                // Check if PIN is required (only when alwaysUv is enabled but clientPin is not set)
+                bool alwaysUv = fido2Session.AuthenticatorInfo.GetOptionValue(AuthenticatorOptions.alwaysUv) == OptionValue.True;
+                bool clientPin = fido2Session.AuthenticatorInfo.GetOptionValue(AuthenticatorOptions.clientPin) == OptionValue.True;
+                
+                if (alwaysUv && !clientPin)
+                {
+                    throw new Exception("Enabling Enterprise Attestation requires a PIN to be set when alwaysUv is enabled.");
+                }
+                
+                // Set up key collector only if PIN authentication is needed
+                if (clientPin)
                 {
-                    fido2Session.TryEnableEnterpriseAttestation();
+                    fido2Session.KeyCollector = YubiKeyModule._KeyCollector.YKKeyCollectorDelegate;
                 }
+                
+                // Enable enterprise attestation if supported by the YubiKey
+                fido2Session.TryEnableEnterpriseAttestation();
             }
         }
     }