Workstation Login Installation & Configuration for Windows
Overview
BlockID Workstation Login for Windows is a Credential Provider that supports passwordless and MFA logins on Windows for Active Directory users (for domain-joined machines).
This document guides Administrators through the steps necessary to install and configure Workstation Login for Windows.
Manual Installation and Configuration
Install BlockID Workstation Login for Windows
The Windows workstation must be joined to the Active Directory Domain.
We only support Active Directoy user login.
Copy the
blockIdSetup.<version>.exeinstaller to your workstation and double-click the file to launch the program.Review and accept the license agreement. Click Next to proceed.
- Select the installation folder and click Next.
- Select a folder to use as a Start Menu shortcut if desired.
- Choose whether or not you wish to create a Desktop shortcut. Click Next.
- Review the information displayed and click Install.
- When prompted by Windows Security, click Install to start the installation.
- Restart the machine
Configure BlockID Workstation Login for Windows
BlockID for Windows can be configured after installation by running the BlockID Configuration program installed on the workstation.
To begin, launch BlockID Configuration.
Add your tenant details:
- Transport Protocol: Select Secure Hyper Text Transport Protocol (HTTPS)
- Tenant ID: Your tenant domain, e.g.,
blockid-trial.1kosmos.net - Tenant Tag: Your tenant tag, e.g.:
1kosmos - Community ID: Your community name, e.g.,
default
Optionally change additional parameters as desired:
- Authz Type: Select between the following:
fingerprint (for touch ID or face ID)pinface (live ID)
- Timeout in Secs: Select between '10 to 240` seconds
- Connection Timeout: Select between
2 to 10minutes - Custom Error Message: Enter a message to display when an error is encountered
- Authz Type: Select between the following:
- If your organization is using a proxy, you must also add your details. Click the Advanced tab and enter your proxy information.
- After you have completed the configuration, you will need to restart the BlockID service:
- Click the General tab.
- Click Stop, located under BlockID service, near the bottom-left of the application, to stop the BlockID Service.
- Click Start to rerun the BlockID service.
- Click the General tab.
If you encounter any issues during installation, please consult the generated log file located at C:/Program Files/1kosmos/BlockID/log/blockId.InstallUtil_log
Automated Installation and Configuration via Batch Script
BlockID Workstation Login for Windows can be installed headless using a batch script and a configuration file containing tenant details from a Powershell terminal. The automated installation and configuration script only be run by a user with Administrator privileges.
The command line flags -i <package name> should be used for installation and -c <config file> for updating the configuration.
Installation and Configuration
BlockIDConfiguration.bat -install <installer_filename> -configure <config_filename> -restart
Example:
BlockIDConfiguration.bat -install BlockID_1.05.00.61B74507.exe -configure CONFIG -restart
Installation Only
BlockIDConfiguration.bat -install <installer_filename> -restart
Example:
BlockIDConfiguration.bat -install BlockID_1.05.00.61B74507.exe -restart
Configuration Only
BlockIDConfiguration.bat -configure <config_filename>
Example:
BlockIDConfiguration.bat -c CONFIG -restart
Sample CONFIG File
CONNECTION PROTOCOL=https://
CONNECTION PORT=443
TENANT ID=demo.1kosmos.net
TENANT TAG=1kosmos
COMMUNITY=default
AUTHZ TYPE=fingerprint
REQUEST TIMEOUT=45
CONN TIMEOUT=5
ERROR MSG=Error while receiving a response
PROXY URL=
PROXY USER=
PROXY PWD=
ENABLE OFFLINE OTP=1
ENABLE ONLINE OTP=0
PASSWORD FACTOR=0
HARDWARE OTP=0
TILE IMG=
OTP TILE IMG=
ENABLE MOTD=1
MOTD=BlockID Version: &v
OTP MOTD=Login with OTP
DENY PASSTHROUGH=0
DISABLE PASSWORD PROVIDER=0
ENABLE CAD=0
ENABLE FIDO=0
CONFIG Description Table
Please see the table below for information on the different CONFIG file options:
The Keys and Values should not have any leading or trailing whitespaces
| Name of Configuration | Description | Expected Values | Sample Values |
|---|---|---|---|
| CONNECTION_PROTOCOL | To define whether the connection should be secured or unsecured. | http://, https:// | https:// |
| CONNECTION_PORT | Value of the port on the tenant URL on which the connection would be established. | Default values are 80 for http & 443 for https | 443 |
| TENANT_ID | Contains the Tenant URL to connect to the admin console. | <tenant url> | abcinc.1kosmos.net |
| TENANT_TAG | Contains the Tenant Tag. | <tenant tag> | abcinc |
| COMMUNITY | Contains the community name. | <community name> | default |
| AUTHZ_TYPE | Contains the authentication mode for the mobile device. | Values can be fingerprint, face, or pin | fingerprint |
| REQUEST_TIMEOUT | The duration for which the credential provider will wait for a response from the admin console. The value is in seconds. | Value should ideally be kept in the range of 10 to 240. | 45 |
| CONN_TIMEOUT | The timeout value for the connection to be successfully established. The value is in seconds. | Value should ideally be kept in the range of 2 to 10. | 5 |
| ERROR_MSG | Default error message to be displayed on the lock screen. | <error message> | Error while receiving response |
| PROXY_URL | URL of the proxy. A URL to a direct proxy or a PAC file can be given here. | <proxy url> | http://12.12.12.12:8083/proxy.pac |
| PROXY_USER | Username in case of authenticated proxy. | <proxy user> | proxyuser |
| PROXY_PWD | Password in case of authenticated proxy. | <proxy password> | proxypassword |
| ENABLE_OFFLINE_OTP | Configuration to enable offline authentication through OTP. | "0" or empty value disables the functionality, and any other value enables it. Default is 1 | 1 |
| ENABLE_ONLINE_OTP | Configuration to enable online authentication through OTP. | "0" or empty value disables the functionality, and any other value enables it. The default is 0 | 0 |
| PASSWORD_FACTOR | Configuration to enable online/offline authentication through Password + OTP. | "0" or empty value disables the functionality and any other value enables it. The default is 0 | 0 |
| HARDWARE_OTP | Configuration to enable online authentication through Hardware OTP Token. | "0" or empty value disables the functionality, and any other value enables it. The default is 0 | 0 |
| TILE_IMG | Can be used to change the image on the BlockID tiles at the lock screen. It should contain the path to a bitmap file for a custom tile. Leaving the field empty uses the default BlockID image on the tile lock screen. | Should be left empty if the default image is to be used or the path to a bitmap file | D:\SampleIcon.bmp |
| OTP_TILE_IMG | Can be used to change the image on the BlockID tiles at the OTP lock screen. It should contain the path to a bitmap file for a custom tile. Leaving the field empty uses the default BlockID OTP image on the tile lock screen. | Should be left empty if the default image is to be used or the path to a bitmap file | D:\SampleIcon.bmp |
| ENABLE_MOTD | Configuration to enable MOTD (Message of the Day). Used to enable the user-defined label on the BlockID tile for QR popup. | "0" or empty value disables the functionality, and any other value enables it. Default is 1 | 1 |
| MOTD | MOTD (Message of the Day) string to display on the BlockID tile for QR on the lock screen. Valid substitutions: %m - Machine name, %d - Today's date, %i - IP address, %n - DNS name, %v - BlockID version | <motd> | BlockID Version: %v |
| OTP_MOTD | OTP MOTD (Message of the Day) string to display on the BlockID tile for OTP on the lock screen. Valid substitutions: %m - Machine name, %d - Today's date, %i - IP address, %n - DNS name, %v - BlockID version | <motd> | Login with OTP |
| DENY_PASSTHROUGH | When enabled, this setting does not pass credentials from the local machine to the remote machine when establishing an RDP connection | "0" or empty value disables the functionality and any other value enables it Default is 0 | 0 |
| DISABLE_PASSWORD_PROVIDER | Disables the default Windows username and password authentication and sets the BlockID as default | "0" or empty value disables the functionality and any other value enables it Default is 0 | 0 |
| ENABLE_CAD | Enforces Ctrl+Alt+Del to be used to get to the Windows login screen | "0" or empty value disables the functionality, and any other value enables it Default is 0 | 0 |
| ENABLE_FIDO | Configuration to enable login using FIDO. | "0" or empty value disables the functionality, and any other value enables it. The default is 0 | 0 |
For any ENABLE flag, a "0" or empty value disables the functionality. Any other value enables it.
TILE_IMG and OTP_TILE_IMG should contain a path to a custom image file to be used for BlockID tiles on the Windows lock screen. Keeping this value blank will use the default BlockID icon.
Additional Information
Please see Workstation Login for Windows for additional information on the different settings available for BlockID Workstation Login for Windows.