10.8 Installing the unlock credential provider

MyID provides an unlock credential provider that allows a user to unlock their PIV card from the Windows logon screen.

See the Unlock credential provider section in the Operator's Guide for details of using the unlock credential provider to unlock a PIV card.

10.8.1 Prerequisites

The unlock credential provider is supported on Windows 10, build 1709 or later.

To unlock a card, it must be a PIV card or other device that has a PIV applet, and it must have been issued by your MyID system.

10.8.2 Configuring Windows for Integrated Unblock

You must set the AllowIntegratedUnblock policy in the Credential Security Support Provider in Windows to allow the unlock credential provider to operate.

See your Microsoft documentation for details of configuring this through group policy or the registry.

10.8.3 Installing the unlock credential provider

You must install the unlock credential provider on each PC on which you want users to be able to unlock their PIV cards at the Windows logon screen.

The installation .msi file is provided in the following folder on the MyID installation media:

\MyID Clients\Unlock Credential Provider\

The installation package filename is UNLOCKCREDPROV-x.x.x_x.msi.

10.8.4 Customizing the unlock credential provider

You can customize the text displayed on the unlock credential provider screen by editing the registry; for example, you could change the "Please contact your help desk" message to include a phone number.

Note: Back up your registry before making any changes.

The text strings are stored as String values in the registry in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Intercede\MyIDUnlockCredentialProvider

If the MyIDUnlockCredentialProvider key does not exist, you can create it.

You can edit the following text:

| String Value | Default Text | Type |
|---|---|---|
| ChallengeText | Challenge: | Label |
| ChangePinText | Change PIN | Label |
| PinCheckLabel | PIN Check | Label |
| PinLabel | PIN | Label |
| PinResetText | PIN reset | Label |
| ResponseLabel | Response | Label |
| UnlockInstructionsText | Please contact your help desk. | Label |
| EmptyResponseText | Response code is empty | Prompt |
| FailedToUnlockText | Unlock failed | Prompt |
| InvalidResponseText | Invalid response code | Prompt |
| PINLengthWrongText | PIN length is incorrect | Prompt |
| PINMismatchText | PINs do not match | Prompt |

Text of type Label is static text displayed on screen.

Text of type Prompt is displayed in response to a user action.

Other labels available are:

10.8.5 Troubleshooting

Whenever a card is unlocked, or an unlock procedure fails, a message is written to the Windows application event log.

An error indicates a card communication issue – for example, the card may be SO PIN locked. In this case, the APDU response is logged. These responses are industry-standard response codes for smart card operations, not MyID-specific errors.
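The following is an added example, not part of the MyID documentation: a small decoder for the ISO/IEC 7816-4 status word (SW1 SW2) at the end of a logged APDU response, so that a value copied from the event log can be read as "retries left" or "blocked". It assumes the response is available as hex text; the format of the event log message itself is not described here, and the names `decode_status` and `EXACT` are hypothetical.

```python
import re

# ISO/IEC 7816-4 status words (SW1 SW2) that have one fixed meaning.
# EXACT and decode_status are illustrative names, not MyID identifiers.
EXACT = {
    0x9000: "success",
    0x6300: "verification failed",
    0x6700: "wrong length",
    0x6982: "security status not satisfied",
    0x6983: "authentication method blocked",
    0x6984: "reference data not usable",
    0x6985: "conditions of use not satisfied",
    0x6A80: "incorrect parameters in command data",
    0x6A81: "function not supported",
    0x6A82: "file or application not found",
    0x6A86: "incorrect parameters P1-P2",
    0x6A88: "referenced data not found",
    0x6D00: "instruction (INS) not supported",
    0x6E00: "class (CLA) not supported",
    0x6F00: "no precise diagnosis",
}

def decode_status(response_hex):
    """Decode the trailing SW1 SW2 of an APDU response given as hex text."""
    digits = re.sub(r"0x|[\s:,-]", "", response_hex, flags=re.I)
    if len(digits) < 4 or len(digits) % 2 or re.search(r"[^0-9a-fA-F]", digits):
        raise ValueError("not a hex APDU response: %r" % response_hex)
    sw = int(digits[-4:], 16)          # last two bytes are SW1 SW2
    sw1, sw2 = sw >> 8, sw & 0xFF
    result = {"sw": "%04X" % sw, "data_len": len(digits) // 2 - 2,
              "retries_left": None, "blocked": sw == 0x6983}
    if sw in EXACT:
        result["meaning"] = EXACT[sw]
    elif sw1 == 0x63 and sw2 >> 4 == 0xC:   # 63CX: X = remaining retries
        result["retries_left"] = sw2 & 0x0F
        result["blocked"] = result["retries_left"] == 0
        result["meaning"] = "verification failed, %d retries left" % (sw2 & 0x0F)
    elif sw1 == 0x61:
        result["meaning"] = "%d more response bytes available" % sw2
    elif sw1 == 0x6C:
        result["meaning"] = "wrong Le, card expects %d" % sw2
    else:
        result["meaning"] = "unrecognized status word"
    return result

if __name__ == "__main__":
    # Constructed sample responses, not taken from a real event log.
    for sample in ("63 C2", "6983", "53 01 AA 90 00"):
        print(sample, "->", decode_status(sample))
```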