2 Prerequisites
Your system must be set up for Windows Hello for Business. MyID can manage the issuance of certificates to Windows Hello for Business credentials, but does not manage your Windows Hello for Business infrastructure.
Consult your Microsoft documentation for details of setting up Windows Hello for Business. The Microsoft docs website has a detailed guide:
- Docs / Windows Security / Identity and access protection / Windows Hello for Business
2.1 Client operating system
MyID's integration with Windows Hello for Business requires Windows 10 April 2018 Update (build 1803) or greater.
Note: To collect, update, or erase certificates to a Windows Hello for Business credential, you must be logged on to the PC directly – you cannot carry out these operations over a remote desktop connection.
2.2 MyID software
You must have the MyID Self-Service App installed on the client PC. This allows you to collect or update the Windows Hello credential.
If you want to be able to erase or reprovision a Windows Hello credential, you must also have MyID Desktop installed on the client PC.
2.3 Controlling Windows Hello enrollment
When the Microsoft group policy "Use Windows Hello for Business" is enabled, an additional option is available: "Do not start Windows Hello provisioning after sign-in". When this option is selected, Windows does not automatically start Windows Hello enrollment when users sign in. This allows MyID to start enrollment only after the appropriate processes have taken place, such as a self-service enrollment for derived credentials, or a request being created by a MyID operator.
2.4 Certificate policies
You must make sure that the certificate policies you select are suitable for Windows Hello.
- Support for ECC certificates with Windows Hello
Windows may prevent certain certificate policies from being used; for example, policies that issue certificates with Elliptic Curve keys. These limitations may depend on the hardware configuration of the computer in use. Before deploying to production environments, you must validate the compatibility of the required certificate policies with Windows Hello.
2.5 Hardware keystores
Windows Hello may not use a TPM in some circumstances, depending on the capability of the computer and group policy configuration.
Wherever possible, Windows Hello for Business takes advantage of trusted platform module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello for Business does not require a TPM. Administrators can choose to allow key operations in software.
MyID treats Windows Hello as a hardware key store – this means that certificate policies that are configured in MyID to issue or recover to hardware will permit recovery to Windows Hello whether or not it is using a TPM. You must ensure that your Windows Hello configuration is appropriate to meet the key protection requirements of your certificate policies.
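The following pre-deployment check is an added example, not part of MyID or its documentation. It reports on the client prerequisites described in sections 2.1, 2.3 and 2.5: the minimum build, whether post-logon provisioning is switched off so that MyID controls enrollment, whether the session is a remote desktop session, and whether Windows Hello keys are actually required to be hardware-protected. It assumes the registry values that back the Windows Hello for Business group policies (the PassportForWork key and the Enabled, DisablePostLogonProvisioning and RequireSecurityDevice values) and the Get-Tpm cmdlet; verify these against your Microsoft documentation.

```powershell
# Added example: pre-deployment readiness check for MyID + Windows Hello for Business.
# Assumption: the group policies map to DWORD values under this key:
#   Enabled                      -> "Use Windows Hello for Business"
#   DisablePostLogonProvisioning -> "Do not start Windows Hello provisioning after sign-in"
#   RequireSecurityDevice        -> "Use a hardware security device"
# Run in an elevated PowerShell session on the client PC (not over remote desktop).
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

function Get-PolicyDword {
    param([string]$Name)
    $item = Get-ItemProperty -Path $PolicyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value not configured
    return [int]$item.$Name
}

function Test-HelloReadiness {
    $r = [ordered]@{}

    # 2.1: Windows 10 April 2018 Update (version 1803) is build 17134.
    $r['OSBuild']   = [System.Environment]::OSVersion.Version.Build
    $r['OSBuildOk'] = ($r['OSBuild'] -ge 17134)

    # 2.1 note: collect/update/erase must run at the console, not over RDP.
    $r['ConsoleSession'] = ($env:SESSIONNAME -notlike 'RDP-*')

    # 2.3: Hello must be enabled, and auto-provisioning at sign-in disabled,
    # otherwise Windows enrolls the user before MyID's request/approval flow runs.
    $r['HelloPolicyEnabled']            = ((Get-PolicyDword 'Enabled') -eq 1)
    $r['PostLogonProvisioningDisabled'] = ((Get-PolicyDword 'DisablePostLogonProvisioning') -eq 1)

    # 2.5: MyID treats Hello as a hardware keystore regardless of TPM use, so the
    # policy must require a security device AND a ready TPM must be present if the
    # certificate policies expect hardware key protection.
    $r['HardwareDeviceRequired'] = ((Get-PolicyDword 'RequireSecurityDevice') -eq 1)
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $r['TpmPresentAndReady'] = ($null -ne $tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
    $r['KeysHardwareProtected'] = ($r['HardwareDeviceRequired'] -and $r['TpmPresentAndReady'])

    $r['ReadyForMyID'] = $r['OSBuildOk'] -and $r['ConsoleSession'] -and
                         $r['HelloPolicyEnabled'] -and $r['PostLogonProvisioningDisabled']
    return [pscustomobject]$r
}

$status = Test-HelloReadiness
$status | Format-List
if (-not $status.KeysHardwareProtected) {
    Write-Warning 'Windows Hello keys may be generated in software; check this against the key protection requirements of your certificate policies.'
}
```

A false KeysHardwareProtected with a true ReadyForMyID is the case section 2.5 warns about: MyID will still issue to Windows Hello because it treats it as a hardware keystore, so the decision has to be made in policy before rollout.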