You can install the integration for passwordless Windows login on your users' computers with the command-line interface that is provided or with the UI-based installation.
- To use the passwordless Windows login feature, users' computers must be running Windows 10
(64-bit) or Windows 11, and must support TPM 2.0.Note: If you have set the Resident Key option to Required for FIDO2 security keys, users do not require TPM on their computer in order to use the passwordless login, provided that they paired their keys after the setting was changed to Required. For more information on the Resident Key option, see Configuring the FIDO2 security key for PingID. Since TPM 2.0 provides a higher degree of security, the passwordless login for Windows will always use TPM for storage if the relevant computer has the necessary support.
- The first time that a user carries out passwordless Windows login, they need to be online and connected to the organizational network because certificate enrollment requires a connection to Active Directory. Afterwards, there is no need for a connection to the network, and authentication can be carried out online or offline (for as long as the certificate is valid).
Installing passwordless Windows Login integration on client computers (UI)
You can install the integration for passwordless Windows Login on your users' computers with the UI-based installation described in this topic.
Run the provided executable, and when the welcome screen is displayed, click
Accept the license agreement and click Next.
The settings that must be entered on the Passwordless Sign-on
Settings screen should be copied from the
Configuration tab of the application you created for
Windows Login - Passwordless in PingOne. If your organization uses a proxy,
click Configure Proxy. Otherwise, click
If you clicked Configure Proxy in the previous step,
enter the proxy information, click Apply, and when you
are returned to the Passwordless Sign-on Settings screen,
When the Ready to Install screen is displayed, click
Install to start the installation.
Installing passwordless Windows Login integration on client computers (CLI)
While you can install the integration for passwordless Windows Login on your users' computers with the UI wizard that is provided, you can also use the CLI-based installation that is described in this topic.
The following parameters are mandatory and should be copied from the Configuration tab of the application you created for Windows Login - Passwordless, in PingOne.
- /OIDCDiscoveryEndpoint - the OIDC discovery endpoint, from the URL section of the Configuration tab
- /OIDCClientID - the client ID, from the General section of the Configuration tab
/OIDCSecret - the client secret, from the General section of the Configuration tab. Click the Show Secret icon, and then copy the text displayed.
- /DIR - the path where the software should be installed. If this parameter is not specified, it will be installed to C:\Program Files\Ping Identity\PingID\Windows Passwordless
- /LOG - specify a path if you want a log file to be created for the installation
- /VERYSILENT - neither the background window nor the installation progress window are displayed
- /SILENT - the background window is not displayed, but the installation progress window is displayed
- /ProxyAddress - proxy URI, if you are using a proxy
- /ProxyUserName - user name if you are using a proxy
- /ProxyPassword - password if you are using a proxy
- /HttpRequestTimeout - timeout to use for HTTP requests, in milliseconds - can be between 1000 and 30000, default is 10000 milliseconds
- /NORESTART - prevents installer from restarting the system following a successful installation. Note that Windows Login - Passwordless will not work until after the computer is rebooted.
- /RSA_PADDING - use the value
oaepto specify that OAEP padding should be used in the encryption for offline authentication (default). If you do not want to use OAEP padding for offline authentication, use the value
- /ALG_KEY_TYPE - set the registry key algorithm type.
- 0 = RSA
- 1= ECC
- /AllowInsecureDiscouragedUV - Skip user verification for
Windows login passwordless users when using any FIDO device. Possible values:
- 0 = Disabled
- 1 = EnabledCAUTION: Use this option with caution, as it relies solely on the FIDO device to authenticate, and does not distinguish between different users.
Sample installation command
"PingIDWindowsLogin - Passwordless_188.8.131.52.exe"