Revised EA cmdlet. Still requires PIN (may be SDK issue). (#180)

* Revised EA cmdlet. Still requires PIN (may be SDK issue).
* Improvements to ea cmdlet

Author: JMarkstrom

.gitignore

@@ -364,3 +364,4 @@ FodyWeavers.xsd
 /.vscode/launch.json
 /powershellYK.psd1
 /.cursorrules
+/Docs/Cookbook/Set-BIO-random-PIN.ps1

Module/Cmdlets/FIDO2/EnableYubikeyFIDO2EnterpriseAttestation.cs

@@ -1,17 +1,17 @@
 /// <summary>
-/// Enables enterprise attestation the YubiKey FIDO2 applet.
+/// Enables enterprise attestation on the YubiKey FIDO2 applet.
 /// Enterprise attestation (EA) allows the YubiKey to provide detailed device information
 /// during FIDO2 authentication, which can be useful for enterprise deployments.
 /// Requires a YubiKey capable of Enterprise Attestation and administrator privileges on Windows.
-/// Note: Enterprise attestation cannot be disabled without resetting the FIDO2 applet.
+/// Note: Enterprise attestation is only disabled when resetting the FIDO2 applet.
 /// 
 /// .EXAMPLE
 /// Enable-YubiKeyFIDO2EnterpriseAttestation
 /// Enables enterprise attestation on the connected YubiKey
 /// 
 /// .EXAMPLE
-/// Enable-YubiKeyFIDO2EnterpriseAttestation -Confirm:$false
-/// Enables enterprise attestation without confirmation prompt
+/// Enable-YubiKeyFIDO2EnterpriseAttestation -InformationAction Continue
+/// Enables enterprise attestation and displays informational messages
 /// </summary>
 
 // Imports
@@ -25,7 +25,7 @@
 
 namespace powershellYK.Cmdlets.Fido
 {
-    [Cmdlet(VerbsLifecycle.Enable, "YubiKeyFIDO2EnterpriseAttestation", SupportsShouldProcess = true, ConfirmImpact = ConfirmImpact.High)]
+    [Cmdlet(VerbsLifecycle.Enable, "YubiKeyFIDO2EnterpriseAttestation")]
     public class EnableYubikeyFIDO2CmdletEnterpriseAttestation : PSCmdlet
     {
         // Initialize processing and verify requirements
@@ -34,7 +34,7 @@ protected override void BeginProcessing()
             // Connect to FIDO2 if not already authenticated
             if (YubiKeyModule._fido2PIN is null)
             {
-                WriteDebug("No FIDO2 session has been authenticated, calling Connect-YubikeyFIDO2");
+                WriteDebug("No FIDO2 session has been authenticated, calling Connect-YubikeyFIDO2...");
                 var myPowersShellInstance = PowerShell.Create(RunspaceMode.CurrentRunspace).AddCommand("Connect-YubikeyFIDO2");
                 if (this.MyInvocation.BoundParameters.ContainsKey("InformationAction"))
                 {
@@ -43,7 +43,7 @@ protected override void BeginProcessing()
                 myPowersShellInstance.Invoke();
                 if (YubiKeyModule._fido2PIN is null)
                 {
-                    throw new Exception("Connect-YubikeyFIDO2 failed to connect FIDO2 application.");
+                    throw new Exception("Connect-YubikeyFIDO2 failed to connect to the FIDO2 applet!");
                 }
             }
 
@@ -57,19 +57,28 @@ protected override void BeginProcessing()
         // Process the main cmdlet logic
         protected override void ProcessRecord()
         {
+            // Create a FIDO2 session with the YubiKey
             using (var fido2Session = new Fido2Session((YubiKeyDevice)YubiKeyModule._yubikey!))
             {
-                // Set up key collector for PIN operations
-                fido2Session.KeyCollector = YubiKeyModule._KeyCollector.YKKeyCollectorDelegate;
-                fido2Session.AuthenticatorInfo.Options!.Any(v => v.Key.Contains(AuthenticatorOptions.ep));
-                if (!(fido2Session.AuthenticatorInfo.Options!.Any(v => v.Key.Contains(AuthenticatorOptions.ep))) || fido2Session.AuthenticatorInfo.GetOptionValue(AuthenticatorOptions.ep) == OptionValue.False)
+                // Check if enterprise attestation is supported
+                if (!fido2Session.AuthenticatorInfo.Options!.Any(v => v.Key.Contains(AuthenticatorOptions.ep)))
                 {
                     throw new Exception("Enterprise attestation not supported by this YubiKey.");
                 }
-                if (ShouldProcess("Enterprise attestion cannot be disabled without resetting the FIDO2 applet.", "Enterprise attestion cannot be disabled without resetting the FIDO2 applet.", "Disable not possible."))
+
+                // Check if enterprise attestation is already enabled
+                if (fido2Session.AuthenticatorInfo.GetOptionValue(AuthenticatorOptions.ep) == OptionValue.True)
                 {
-                    fido2Session.TryEnableEnterpriseAttestation();
+                    WriteInformation("Enterprise attestation is already enabled on this YubiKey.", new string[] { "FIDO2", "Info" });
+                    return;
                 }
+
+                // Set up key collector for PIN operations (required by SDK)
+                fido2Session.KeyCollector = YubiKeyModule._KeyCollector.YKKeyCollectorDelegate;
+
+                // Enable enterprise attestation if supported by the YubiKey
+                fido2Session.TryEnableEnterpriseAttestation();
+                WriteInformation("Enterprise attestation has been successfully enabled on this YubiKey.", new string[] { "FIDO2", "Info" });
             }
         }
     }