How to set up a CIS1 smartcard workstation

CIS1 Authentication is the method by which users access the Care Identity Service through the Health and Social Care Network (HSCN).

This page is for CIS1 Authentication smartcards using HSCN

This page explains how to set up a workstation to use smartcards over the Health and Social Care Network (HSCN) with CIS1 Authentication. For smartcards that authenticate over the internet using CIS2 Authentication, read guidance on setting up a CIS2 smartcard workstation.


System requirements

Please follow the guidance in sequence. For a full list of platforms compatible with Registration Authority (RA) software, check the Warrantied Environment Specification.

All users

These are the system requirements for an optimal smartcard workstation setup:

  • Operating system: Windows 10/Windows 11 64bit
  • Browser: Edge or Chrome
  • Smartcard reader: HID Global Omnikey 3121 USB smartcard reader

Registration Authority users 

Additional requirements for a workstation used for servicing or printing smartcards:

  • Smartcard reader: secondary HID Global Omnikey 3121 USB smartcard reader
  • Smartcard printer (optional): Magicard DoH (V2) or DoH 300 (V2) smartcard printer

Unsupported

  • Java
  • Citrix / VDI / Terminal services (card management services)

Downloads and setup checklist

Mandatory steps for all users

| Step | Action | Item |
|---|---|---|
| 1 | Check | Internet-facing domains |
| 2 | Check | .NET 4.8 installation |
| 3 | Install | NHS Credential Management |
| 4 | Install | Oberthur middleware |
| 5 | Install | Idemia PIV minidriver |
| 6 | Install | NHS Identity Agent |
| 7 | Install | Smartcard reader drivers |
| 8 | Reboot | Restart machine |

Additional steps for RA users

| Step | Action | Item |
|---|---|---|
| 9 | Add | RA Identity Agent registry setting |
| 10 | Connect | Secondary smartcard reader |
| 11 | Set up | Smartcard printer (optional) |
| 12 | Check | Smartcard printer reader drivers (optional) |

Optional steps for all users

| Step | Action | Item |
|---|---|---|
| 13 | Check | Custom Identity Agent registry settings |
| 14 | Install | IA Registry Editor Tool |
| 15 | Install | NHS England Diagnostic Tool |


Mandatory steps

1. Internet-facing domains

To be able to access the newer, internet-facing parts of the Care Identity Service, the user will need to be able to access certain domains. There are also considerations for anyone using a web proxy or VPN.

Read our guidance for IT teams on allowing domains.

2. Check for installation of .NET 4.8

This is a mandatory requirement for setting up a workstation. Windows 10 does not install the older versions of .NET by default, but you cannot proceed without it. To check/install it:

  • open Control Panel
  • go to Programs > Programs and Features
  • on the left, choose 'Turn Windows features on or off'
  • check the box for .NET 4.8

[Image: Dot NET 3.5 settings window]

3. Install NHS Credential Management

Follow the supporting documentation for installing and configuring NHS Credential Management, which also includes troubleshooting guidance for common issues.

4. Install Oberthur middleware

Oberthur middleware is a mandatory installation for all machines.

5. Install Idemia PIV minidriver

This is required for interacting with series 9 smartcards.

The Idemia PIV minidriver is installed automatically via Windows Update (if enabled). If automatic Windows Update is disabled, you can install the middleware manually.

6. Install NHS Identity Agent

Follow the installation guide for installing NHS Identity Agent, which includes an administrator’s guide for configuration, as well as troubleshooting guidance for common issues.

7. Install the correct smartcard reader drivers

Download the manufacturer drivers for the NHS supported 3121 readers. To support all variants of the Omnikey 3121 smartcard reader, it is recommended to install both the HID Omnikey CCID and HID Global X-Chip driver (BU component). If you are using other smartcard readers to log in with, install the manufacturer drivers for those smartcard readers. Find out how to update drivers for other smartcard readers.

8. Reboot the computer

Restart the machine to complete the setup process.
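
After the restart, the mandatory steps can be verified from an elevated PowerShell prompt. The script below is an added example, not NHS England tooling and not the NHS England Diagnostic Tool. It is read-only, and the product display-name patterns it searches for are assumptions based on the product names used on this page. It does not check the Idemia PIV minidriver, which arrives as a driver through Windows Update.

```powershell
# Added example: read-only audit of the mandatory setup steps on this page.
# Display-name patterns are assumptions taken from the product names on the page.
function Test-DotNet48 {
    # .NET Framework 4.8 or later reports Release >= 528040 under this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    return [bool]($release -ge 528040)
}

function Get-InstalledProduct {
    param([string[]]$Pattern)
    # Search both the 64-bit and 32-bit uninstall views for each product name.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }
    foreach ($p in $Pattern) {
        $hit = $installed | Where-Object { $_.DisplayName -like "*$p*" } | Select-Object -First 1
        [pscustomobject]@{ Check = "Installed: $p"; Passed = [bool]$hit
            Detail = if ($hit) { "$($hit.DisplayName) $($hit.DisplayVersion)" } else { 'not found' } }
    }
}

function Get-ReaderDriver {
    # Lists the driver actually bound to each smartcard reader (steps 7, 10 and 12).
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceClass -eq 'SMARTCARDREADER' } |
        ForEach-Object {
            [pscustomobject]@{ Check = "Reader: $($_.DeviceName)"; Passed = $true
                Detail = "$($_.DriverProviderName) $($_.DriverVersion)" }
        }
}

$report = @(
    [pscustomobject]@{ Check = '64-bit Windows'; Passed = [Environment]::Is64BitOperatingSystem
        Detail = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption }
    [pscustomobject]@{ Check = '.NET 4.8'; Passed = (Test-DotNet48); Detail = 'Release >= 528040' }
    Get-InstalledProduct -Pattern 'Credential Management', 'Oberthur', 'Identity Agent'
    Get-ReaderDriver
)
$report | Format-Table -AutoSize -Wrap
```

A reader row only shows which driver is bound; compare the provider and version against the manufacturer drivers you installed in step 7.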


Additional steps for Registration Authority users only

You only need to complete these extra steps if you are a Registration Authority user - check whether this is you.

9. Add RA Identity Agent registry setting

We recommend all workstation users set the following value in the NHS Identity Agent registry:

CardRemovalCheck = False

Several other registry changes may be needed, which must be adjusted for each organisation or template. For new NHS Identity Agent installations, you will need to manually create the sub-trees in the registry before first use. 

Read guidance on NHS Identity Agent configuration and registry settings.

10. Connect secondary smartcard reader

RA users who carry out smartcard management services will need to connect a secondary smartcard reader.

They also need to check and verify that the correct drivers are assigned to the secondary smartcard reader (see step 7).

11. Smartcard printer installation (optional)

See guidance on how to install smartcard printers.

We recommend you do not use an Omnikey 5321CR Contactless reader on a machine which has a Magicard DoH (V2) Printer (5x21 Reader) connected to it.

12. Check smartcard printer reader drivers

Check and verify that the correct drivers are assigned to the printer's in-built smartcard readers.


Optional steps

13. Custom Identity Agent registry settings

Add custom NHS Identity Agent registry settings specific to your requirements. Read guidance on Identity Agent configuration and registry settings.

If you make changes to the registry, restart NHS Identity Agent.

14. IA Registry Editor Tool

This is a standalone tool that needs admin rights to run. It's designed to provide an easy way to configure NHS Identity Agent to switch environments and toggle certain features. For more information, read the user guide.

15. NHS England Diagnostic Tool

The NHS England Diagnostic Tool comes as a standalone tool without an installer. It is designed to provide an easy method for support teams to gather information about the configuration of a user's computer. Providing a diagnostic log file is recommended when raising incidents involving Identity Agent or card management services in Care Identity Management.


Notes for RA users

You will need to complete the additional steps for Registration Authority users if you carry out any of the actions in the table below.

| Registration Authority role | Issue, print and manage smartcards | Renew all certificates | Renew expiring certificates | Unlock smartcards |
|---|---|---|---|---|
| Registration Authority manager | Y | Y | Y | Y |
| Registration Authority agent / advanced agent | Y | Y | Y | Y |
| Sponsor | | | Y | Y |
| Local smartcard administrator | | | Y | Y |

Important notes:

  • Registration Authority users must be logged in with their smartcard to perform card management services, as other authenticators do not support these operations.
  • It is not recommended to use an Omnikey 5321CR contactless reader on a machine which has a Magicard DoH (V2) Printer (5x21 Reader) connected to it.

Troubleshooting

If you're having problems or need more help, go to our troubleshooting area.

Last edited: 20 August 2025 1:53 pm