Using DigitalPersona Workstation

DigitalPersona Workstation is a robust and fully featured workstation client which allows you to significantly and easily increase the security of computers in your enterprise. Its specific features, options and behavior can be configured though Active Directory GPOs and other tools.

  • Attended Enrollment, an optional component of DigitalPersona Workstation, allows administrators to assign a specific user or group to supervise the credential enrollment process. See Using DigitalPersona Attended Enrollment.

  • DigitalPersona Kiosk, a separate DigitalPersona client with many of the same features, provides users with fast, convenient and secure multi-factor identification and authentication in environments where users share a common Windows account yet need separately controlled access to resources, applications and data. See Using DigitalPersona Kiosk.

Most of the content in this section is written from the end-user perspective, and can also be accessed from the various DigitalPersona help features.

Note: The availability of some product features described in this page may be limited, or behave differently, as determined by GPO policies and other settings described in the Administration Tools and Policies and Settings.

It addition to the end-user features described in the following sections, DigitalPersona LDS Workstation may be used to provide multi-factor authentication on supported versions of Microsoft Windows Server (sometimes referred to as Client On Server or COS).

However, only the AD Workstation is designed to be installed on a domain controller. The LDS Workstation is not designed with this capability and will not work on a domain controller due to the fact that all domain users will become local users if you run the software on the domain controller.

In the above scenarios, if DigitalPersona Server is installed on the machine, DigitalPersona Workstation must be installed after the DigitalPersona Server and it must only be used for authentication.

Warning! Do not attempt to enroll or manage user credentials using this configuration, as it may cause unpredictable results.

Getting Started

By default, DigitalPersona credentials are enrolled through the DigitalPersona Attended Enrollment component. However, a DigitalPersona administrator may optionally choose to allow Windows users to self-enroll (that is, enroll their credentials through the DigitalPersona LDS Workstation).

User Onboarding

The first time that an unenrolled user attempts to log on to a computer where a DigitalPersona Workstation client is installed, self-enrollment is not disabled and a Multi-Factor Authentication policy is being enforced, the onboarding procedure is triggered.

Note: This feature is not available for the Kiosk client.

For example:

  1. The DigitalPersona Logon Policy is Password plus PIN and a user has never enrolled a DigitalPersona credential before.

  2. The user attempts to log on using their password or a PKI Smart Card.

  3. The HID DigitalPersona Console displays, with a window where the user can create a DigitalPersona account, needed in order to enroll the PIN credential.

  4. The user enters their password and clicks Create in order to establish their HID DigitalPersona account.

    Once the account is created, if the user is unable to enroll any credentials, the onboarding process will not appear again. In this case, an administrator may use Attended Enrollment to assist the user in enrolling any additional required credentials.

  5. They close the Console by clicking on the Close (X) button in the upper right portion of the window.

  6. The Windows Logon screen redisplays, with a new link - First time using HID DigitalPersona?

  7. The user clicks the link to redisplay the HID DigitalPersona Console.

  8. They authenticate with their password and then click the PIN tile to enroll their personal PIN.

  9. They close the Console by clicking on the Close (X) button in the upper right portion of the window.

    A message displays that the user can now use their credentials for authentication.

  10. The Windows Logon screen re-displays.

  11. The user enters their password, the system requests their PIN, they enter it and are logged on to Windows.

The DigitalPersona Console

The DigitalPersona Console is the central location for primary access to DigitalPersona Workstation features and settings.

Note: The console illustration includes DigitalPersona Password Manager and Quick Actions, which are part of the DigitalPersona Console in DigitalPersona clients in versions 2.0.3 and above.

Password Manager (which includes Quick Actions) is an optional feature that may be installed by selecting Custom as the Setup Type during installation.

The DigitalPersona Console may include the following features.

Microsoft Windows Authentication

Once your DigitalPersona Workstation client has been installed, logon (authentication) to Windows is controlled by the Logon Authentication Policy and Enhanced Logon Policy, which are set by GPOs in Active Directory. The path to these settings is: Computer Configuration\Policies\Software Settings\DigitalPersona Client/Security/Authentication

For a complete description of these policies, see Logon Authentication Policy.

Credentials that may be used to authenticate for Windows logon will be limited to those specified in the policy and supported by required hardware or software present on the workstation.

Some credentials, such as PKI Smart Cards, need to be previously formatted and initialized using the manufacturer’s middleware. Contactless Cards must be enrolled by the end-user, on their computer, or through the DigitalPersona Attended Enrollment components (see Using DigitalPersona Attended Enrollment).

The actual process of using your DigitalPersona credentials will vary slightly depending on the type of credential, but will generally follow Microsoft usage with the exceptions described in the following sections.

Multi-Factor Authentication

One of the primary benefits of the DigitalPersona solution is the easy implementation of multi-factor authentication (MFA), that is, requiring more than one credential in order to log on to Windows (and other resources as defined by the administrator).

When DigitalPersona MFA is enabled and you have logged on for the first time, the system will remember which credentials you have used to log on with, and the sequence they were used in. For example, if you used your Windows Password first and your fingerprints second, the next time you go to log on, you will not have to select these, but will automatically be presented with the UI necessary to authenticate with those credentials in that order.

Card Authentication

To use a Contactless ID card to log on to Windows, you must click your user tile on the Windows Logon screen before presenting the card. Then you can use a Contactless ID card in conjunction with another credential as specified by the Logon Authentication Policy in force.

A PKI smart card or Contactless Writable card may be presented directly from the Logon screen for immediate logon to Windows.

Locking/Unlocking

To lock a DigitalPersona-managed computer:

  1. From the Start screen, click your user name and select Lock from the menu.

  2. Press the Windows Logo key+L.

  3. When configured by the DigitalPersona administrator, you can lock the computer by removing the card which was used to log on to Windows from the card reader.

To unlock a DigitalPersona-managed computer:

Use any authorized credential or required combination of credentials to unlock the computer and log on to the workstation.

Opening the DigitalPersona Console

You can open the DigitalPersona Console in any of the following ways:

  • From the Apps screen, under DigitalPersona, select DigitalPersona Console.

  • Double-click the DigitalPersona Workstation icon in the notification area, at the far right of the taskbar.

  • Right-click the DigitalPersona icon, and click Open DigitalPersona Console.

  • Press the hot key combination Ctrl+Win Logo Key+H to open the Logons menu and then click DigitalPersona Console (when no logons have been created yet) or Manage (after logons have been created.)