3.2 Creating the Windows Hello credential profile

Important: The Windows Hello option in the credential profile appears only when you have set the Windows Hello for Business supported within MyID configuration option. See section 3.1, Setting the Windows Hello configuration options for details.

To set up a credential profile for Windows Hello:

  1. From the Configuration category, select Credential Profiles.
  2. Click New.
  3. Type a Name and Description.
  4. In the Card Encoding section, select Windows Hello.

    Note: You can also select the Derived Credential option if you want to issue certificates to Windows Hello as a derived credential through the Derived Credentials Self-Service Portal. For more information, see the Creating a Windows Hello credential profile section in the Derived Credentials Self-Service Request Portal guide.

  5. In the Services section, select MyID Logon and MyID Encryption.
  6. In the Mail Documents section, set up any mailing documents you may want to issue.

    See the Mail Documents section in the Administration Guide for details.

  7. Click Next.
  8. On the Select Certificates screen, select the certificates you want to issue to the Windows Hello credential.

    Note: You must use a certificate for Signing and Encryption; you cannot use MyID keys for signing and encryption operations on Windows Hello credentials.

    For more information on this screen, see the Selecting certificates section in the Administration Guide.

    See also section 2.4, Certificate policies.

  9. Click Next and proceed to the Select Roles screen.

    See the Linking credential profiles to roles section in the Administration Guide for details.

  10. Click Next and complete the workflow.

    You do not need to specify any card layouts.

3.2.1 Additional identities

In the credential profile, you can configure additional identities; certificates for any additional identities that have been set up for the end user are written to the Windows Hello credential at issuance.

This allows a user to have certificates for a different associated identity protected by their primary Windows Hello credentials; for example, you do not need to have a separate enrolled Windows Hello credential on the computer for an administrator account.

You can use additional identity certificates for signing and encryption, but they are not offered for logon or unlocking.

Note: The additional identity certificates use the Windows Hello authenticated state. If the user has not already authenticated with Windows Hello during the current logon session, a single Windows Hello authentication request is made. Use this feature only where it aligns with your organization's own security policies.

For more information, see the Additional identities section in the Administration Guide.

3.2.2 Terms and conditions

You can configure a credential profile for Windows Hello that requires the user to accept terms and conditions when the Windows Hello credential is issued or updated. With other credential types (for example, smart cards), the cardholder must authenticate to their credential with their PIN to sign the terms and conditions; with Windows Hello, the user does not have to authenticate to Windows Hello again, because they are already authenticated to the credential.

For more information on configuring terms and conditions, see the Issuance Settings section in the Administration Guide.