Issue or remove a Windows Hello device in Care Identity Management
How to use Care Identity Management to issue a Windows Hello device as an authenticator, as an alternative to a smartcard, or remove a device from a user's profile.
Which roles can do this?
- Registration Authority Manager
- Registration Authority Agent (Advanced)
Before you start
For the Registration Authority
You will need to set up a registration meeting with your user, either via video or face-to-face. Registration must be completed in your presence.
Clear your browser's cache. A quick way to do this is to press Ctrl + Shift + Delete.
For the user
They should have set up their device with a Windows Hello sign-in option on their machine - this may require assistance from their local IT Support team.
They must have a working internet connection.
They must bring their device to the meeting.
Check that the user's device has plenty of battery charge or is connected to a power source. If the battery drops below 20%, battery saver mode will start automatically.
In battery saver mode, the Trusted Platform Module (TPM), the component that creates keys for Windows Hello, will not create keys, so registration will not be possible.
View the Warrantied Environment Specification to check browser compatibility.
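The battery and Trusted Platform Module conditions above can be checked on the user's device before the meeting, for example by local IT Support. The script below is an added example and is not part of Care Identity Management; the function name and the 10-point warning margin are assumptions made for illustration, and the 20% threshold is the one stated in this guidance.

```powershell
# Added example: pre-registration readiness check for a Windows Hello device.
# Run in an elevated PowerShell session, because Get-Tpm requires administrator rights.
function Test-HelloRegistrationReadiness {
    param(
        # Battery saver threshold stated in this guidance.
        [int]$BatterySaverThresholdPercent = 20,
        # Assumed safety margin so the charge does not cross the threshold mid-meeting.
        [int]$WarningMarginPercent = 10
    )

    $problems = @()
    $warnings = @()

    # This guidance relies on the TPM creating the Windows Hello keys.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        if (-not $tpm.TpmPresent)   { $problems += 'No TPM detected.' }
        elseif (-not $tpm.TpmReady) { $problems += 'TPM is present but not ready for use.' }
    } catch {
        $problems += "Could not query the TPM (is the session elevated?): $($_.Exception.Message)"
    }

    # Desktops return no Win32_Battery instances, so the loop is simply skipped.
    $batteries = @(Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue)
    foreach ($battery in $batteries) {
        $charge = [int]$battery.EstimatedChargeRemaining
        # Win32_Battery.BatteryStatus: 1 = discharging, 4 = low, 5 = critical.
        $onBattery = $battery.BatteryStatus -in 1, 4, 5
        if (-not $onBattery) { continue }   # On mains power: charge level is not a blocker.

        if ($charge -lt $BatterySaverThresholdPercent) {
            $problems += "Battery at $charge% and not on mains power; battery saver mode will block key creation."
        } elseif ($charge -lt ($BatterySaverThresholdPercent + $WarningMarginPercent)) {
            $warnings += "Battery at $charge% and discharging; connect a charger before the meeting."
        }
    }

    [pscustomobject]@{
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
        Warnings = $warnings
    }
}

Test-HelloRegistrationReadiness | Format-List
```

A result of `Ready : True` with no warnings means neither condition described above should prevent key creation; it does not check browser compatibility or whether a Windows Hello sign-in option has been set up.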
Face-to-face process
From the Care Identity Management home page, choose 'Find an existing user'.
Enter the user's details and select 'Search'.
Choose 'View profile' on the right of the screen.
Go to the 'Authenticators' tab on the user's profile page and select 'Issue other authenticator'.
Select 'Windows Hello' and continue.
You will now see a screen with instructions on how to register the device.
When you've read the instructions and are both ready to proceed, select 'Generate link'.
Copy the link and send it to the user by email, or paste it into the chat function of the video call software you are using.
The user should click the link.
The user's device will perform a biometric scan (face/fingerprint).
When the user's biometric has been scanned successfully, they will see a confirmation from Windows.
Select OK.
To confirm that the registration process is complete, the user will see a 'Registration successful' confirmation page.
The user can now close the page.
The user profile page will now show that the user's device has been registered to the user.
Test that the Windows Hello registration has been successful
To test and demonstrate that the registration has worked, ask the user to authenticate using Windows Hello.
Remove a Windows Hello device
From the user's profile, select the 'Authenticators' tab, find the Windows Hello device in the list and select 'Remove' on the right.
Select the box to confirm you want to remove the Windows Hello device, followed by the 'Remove authenticator' button.
Finally you'll see a message confirming that the device has been removed from the user's profile.
Last edited: 24 April 2025 2:34 pm