Skip to main content
Version: Next

Windows Installation and Configuration

This page describes how to install HYPR Passwordless for Windows and configure key settings. For macOS, see macOS Installation.

Install via msiexec (silent)

You can use the msiexec command to deploy the HYPR Passwordless for Windows client without the displaying the installation UI. Note that if you're doing this manually at the command line you'll need to run from a command prompt that has administrative privileges.

You have two options for setting the necessary parameters:

Option 1

  1. Define the installation parameters in a hypr.json configuration file located in the same folder as the HYPR Passwordless .msi file. (See Common Installation Parameters for details.)

  2. Run msiexec without any parameters:

msiexec.exe /qn /i WorkforceAccess_x64.msi

Option 2

  1. Pass the installation parameters directly to msiexec on the command line. For example:
msiexec.exe /qn /i WorkforceAccess_x64.msi HYPRAPPID="HYPRDefaultWorkstationApplication"
HYPRRP="https://highlandsbank.gethypr.com/rp" HYPRSUPPORT="support@hb.com" HYPRHASH="LeM
8XnCIy8+Cxm+HKTEOBZr1g3D8odQNHTH+vdu7RWc=,5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
HYPRINSTALLTOKEN="0f03f635-4d9a-46ff-b537-cd97ad77cb6e" HYPRSUPPORT="support@hb.com"

Settings reference

This section lists each Windows setting with its MSI property, hypr.json key, and Registry name.

rpUrl

  • MSI: HYPRRP
  • JSON: rpUrl
  • Registry: Relying Party Url

The URL of your HYPR instance. Must end in /rp. For example: https://yourtenant.gethypr.com/rp.

If you need to change this setting, you must uninstall and re-install HYPPR Passwordless. DO NOT manually update the registry.

appId

  • MSI: HYPRAPPID
  • JSON: appId
  • Registry: Application ID

The ID of the HYPR Control Center internal application used to configure Workstation functionality. For example: HYPRDefaultWorkstationApplication.

If you need to change this setting, you must uninstall and re-install HYPPR Passwordless. DO NOT manually update the registry.

pinningHash

  • MSI: HYPRHASH
  • JSON: pinningHash
  • Registry: Public Key Pinning

A hash of the HYPR server SSL/TLS certificate used for public key pinning. Multiple hashes can be comma‑separated; validation succeeds if any hash matches. Specify DISABLE to disable pinning checks. See the hypr.json downloaded with the installer for values.

installToken

  • MSI: HYPRINSTALLTOKEN
  • JSON: installToken
  • Registry: N/A

A token used to establish encrypted communication between the client and HYPR Server. Pre‑set per deployment. Note that token is not saved in the registry.

certTemplate

  • MSI: HYPRTEMPLATE
  • JSON: certTemplate
  • Registry: Certificate Template

Active Directory certificate template name for Advanced Installs and mobile enrollment. Default typically hyprwin. See Advanced Certificates.

supportEmail

  • MSI: HYPRSUPPORT
  • JSON: supportEmail
  • Registry: Support Email

Email address used for support requests from within the client UI.

proxyServer

  • MSI: HYPRPROXYSERVER
  • JSON: proxyServer
  • Registry: Proxy Server

Proxy server in the form proxy[:port], e.g., proxy.myoffice.com:3128. Port defaults to 8080.

See HTTP Proxy Support for more information.

proxyBypass

  • MSI: HYPRPROXYBYPASS
  • JSON: proxyBypass
  • Registry: Proxy Bypass

Comma‑separated list of hostnames and/or IP addresses to exclude from proxy. Wildcards are supported (e.g., *.mycompany.com, 10.20.*).

See HTTP Proxy Support for more information.

proxyAutoConfigURL

  • MSI: HYPRPROXYAUTOCONFIGURL
  • JSON: proxyAutoConfigURL
  • Registry: Proxy Auto Config Url

URL for proxy autoconfiguration file (PAC file).

See HTTP Proxy Support for more information.

qrCodeUrl

  • MSI: HYPRQRCODEURL
  • JSON: qrCodeUrl
  • Registry: Qr Code Url

URL to handle incoming QR code requests. Typically your tenant URL.

fullUI

  • MSI: N/A
  • JSON: fullUI
  • Registry: N/A

Controls whether the Environment Setting dialog is shown during install. 0 hides the dialog; 1 shows it. Not applicable when installing via msiexec with command‑line parameters.

  • MSI: HYPRCUSTOMLOGO
  • JSON: customLogo
  • Registry: Custom Logo

Path to a local image to override the default HYPR logo. Supported: PNG, JPEG, BMP. Preferred size: 101x82. Use doubled backslashes in paths in hypr.json (e.g., C:\\myImages\\hb_logo.png), but not with MSI properties or registry values. See Branding Customization.

customBackground

  • MSI: HYPRCUSTOMBACKGROUND
  • JSON: customBackground
  • Registry: Custom Background

Path to a local image to override the default background. Supported: PNG, JPEG, BMP. Preferred size: 633x398. Use doubled backslashes in paths in hypr.json (e.g., C:\\myImages\\hb_background.png), but not with MSI properties or registry values. See Branding Customization.

noYKMD

  • MSI: NO_YKMD
  • JSON: noYKMD
  • Registry: No Yubikey Minidriver

If set to 1, the installer will not install or update Yubico's Cmart Card mini‑driver embedded in HYPR Passwordless.

This setting must be configured during a fresh installation to take effect. Do not manually edit this setting in the registry after installation.

passwordlessUserTile

  • MSI: HYPRPASSWORDLESSUSERTILE
  • JSON: passwordlessUserTile
  • Registry: Passwordless User Tile

If 1, the Passwordless User login tile displays by default. If 0, Windows controls the default.

protectLogs

  • MSI: HYPRPROTECTLOGS
  • JSON: protectLogs
  • Registry: Protect Logs

Controls access to HYPR logs. See Setting Log Access on Windows.

sendLogsPrompt

  • MSI: HYPRSENDLOGSPROMPT
  • JSON: sendLogsPrompt
  • Registry: Send Logs Prompt

Overrides the default Contact Support label. See Contact Support.

securityKeyCertTemplate

  • MSI: HYPRSECURITYKEYTEMPLATE
  • JSON: securityKeyCertTemplate
  • Registry: Certificate Template (Security Keys)

Certificate template used for non‑exportable private keys with security keys or Smart Cards. If not set, certTemplate is reused. See Certificate Template for Security Keys and Smart Cards (Non-exportable Keys).

securityKeyPinCharacters

  • MSI: HYPRSECURITYKEYPINCHARS
  • JSON: securityKeyPinCharacters
  • Registry: Security Key PIN Characters

Valid characters for security key or Smart Card PINs: Numeric, AlphaNumeric, or Any. AlphaNumeric allows ASCII letters A–Z (case‑sensitive). Any allows ASCII 0x21–0x7E (no spaces). AlphaNumeric and Any are only available with Yubico keys.

securityKeyPinComplexity

  • MSI: HYPRSECURITYKEYPINCOMPLEXITY
  • JSON: securityKeyPinComplexity
  • Registry: Security Key PIN Complexity

PIN complexity: "basic" or "strict". "Basic" prevents simple/repeating sequences (e.g., "123456", "111111", "121212", "123987"). See Using a Security Key.

securityKeyPinMinimumLength

  • MSI: HYPRSECURITYKEYPINMINLENGTH
  • JSON: securityKeyPinMinimumLength
  • Registry: Security Key PIN Minimum Length

Minimum PIN length for security keys or Smart Cards. Allowed values: 6, 7, or 8. Default is 6.

securityKeyPinRetries

  • MSI: HYPRSECURITYKEYPINRETRIES
  • JSON: securityKeyPinRetries
  • Registry: Security Key PIN Retries

Number of allowed PIN/PUK retries during pairing if a PIN is set. If empty, zero, or negative, the device default applies. Max value is 255.

securityKeyPinPolicy

  • MSI: HYPRSECURITYKEYPINPOLICY
  • JSON: securityKeyPinPolicy
  • Registry: Security Key PIN Policy

Controls when the user must enter the PIN, or provide a biometric (fingerprint), to complete an operation. The policy is applied to the YubiKey during pairing. Changing the setting in the registry affects future pairings, but has no effect on already paired YubiKeys.

  • 0: Default. Same as 2 on standard YubiKey, or 4 on biometric key.
  • 1: Never. DO NOT set this.
  • 2: PIN Once.
  • 3: PIN Always.
  • 4: PIN or Biometric Once.
  • 5: PIN or Biometric Always.

For background on how YubiKey PIN and touch policies work, see PIN, touch, and biometric policies.

Windows doesn't support YubiKey PIN policies. If a non-default policy is configured, Windows may not prompt the user to enter a required PIN, or may force entry of a PIN even when one isn't required. Because of this, HYPR recommends against setting a non-default policy.

securityKeyTouchPolicy

  • MSI: HYPRSECURITYKEYTOUCHPOLICY
  • JSON: securityKeyTouchPolicy
  • Registry: Security Key Touch Policy

Controls whether the YubiKey must be touched after the user enters the PIN to complete the operation. The policy is applied to the YubiKey during pairing. Changing the setting in the registry affects future pairings, but has no effect on already paired YubiKeys.

  • 0 (default), 1, 2: Touch is not required after PIN entry.
  • 3: Touch is required after PIN entry.

For background on how YubiKey PIN and touch policies work, see PIN, touch, and biometric policies.

Windows doesn't support YubiKey touch policies – it won't prompt the user to touch the key when needed. Because of this, HYPR recommends against setting a non-default touch policy.

smartCardPairing

  • MSI: HYPRSMARTCARDPAIRING
  • JSON: smartCardPairing
  • Registry: Smart Card Pairing Enabled

Enables an explicit user interface option for pairing Smart Card devices. Default 0 (disabled). Set to 1 to enable.

Smart Cards can always be paired. If this setting is disabled, the user can pair either a USB security key (e.g. YubiKey) or a Smart Card when they select the "Security Device" option.

supportURL

  • MSI: HYPRSUPPORTURL
  • JSON: supportURL
  • Registry: Support URL

Overrides the Need Assistance? URL. Opens in the default browser. See Contact Support.

unlockAppName

  • MSI: HYPRUNLOCKAPPNAME
  • JSON: unlockAppName
  • Registry: Unlock App Name

Application name shown in the HYPR client. See Branding Customization.

userAccountCheck

  • MSI: HYPRUSERACCOUNTCHECK
  • JSON: userAccountCheck
  • Registry: User Account Check

If enabled (1), attempts a certificate revocation check during login in addition to native Windows checks; may introduce delays.

applyDuringUpgrade

  • MSI: APPLYDURINGUPGRADE
  • JSON: applyDuringUpgrade
  • Registry: N/A
  • Default: 0

Applies to HYPR Passwordless for Windows version 10.5.1 and later

Normally, HYPR Passwordless for Windows only allows configuration parameters to be set during the initial installation. Existing parameters are preserved during upgrades, even if new MSI properties or a hypr.json file are provided.

Starting in version 10.5.1, most parameters can be changed during upgrades. This is an opt-in feature, and the current behavior remains the default.

Set to 1 to apply MSI and/or hypr.json properties during an upgrade.

The following parameters are always preserved during an upgrade. MSI and/or hypr.json properties are ignored:

  • "Relying Party Url" (HYPRRP / rpUrl)
  • "Application ID" (HYPRAPPID / appId)
  • "Custom Background" (HYPRCUSTOMBACKGROUND / customBackground)
  • "Custom Logo" (HYPRCUSTOMLOGO / customLogo)

The "Disable Password Login" parameter (HYPRDISABLEPASSWORDLOGIN / disablePasswordLogin) is a special case. This parameter consists of bit flags. If bit 3 (0x08) is set in the registry, it will remain set and won't be cleared during an upgrade. This bit indicates that passwordless login is mandatory (using a password is disabled). The only way to clear this bit is to update the registry directly (e.g., using Group Policy).

disablePasswordLogin

  • MSI: HYPRDISABLEPASSWORDLOGIN
  • JSON: disablePasswordLogin
  • Registry: Disable Password Login
  • Default: 0

Controls password‑oriented Credential Providers via bit flags. Backward compatible with 0 (allow) and 1 (disable when paired).

Bits:

BitValueDescription
01Disable password‑oriented login when at least one device is paired with HYPR.
12Reserved (not implemented). Do not use.
24Keep password‑oriented login disabled once disabled (persists even if all pairings are later deleted).
38Always disable password‑oriented login (regardless of pairings).

Common values:

  • 0 Always allow password‑oriented login
  • 1 Disable when at least one device is paired; allow when none are paired
  • 5 Allow until the first device is paired; then disable and keep disabled
  • 8 Always disable password‑oriented login
  • 13 Password was allowed, then a device was paired; now disabled and persisted
Risk of lockout

Permanently disabling password‑oriented login can prevent access if all passwordless options are removed or fail. Plan recovery paths and rollout carefully.

additionalPasswordProviderGUIDs

  • MSI: HYPRPWDCREDPROVFILTER
  • JSON: additionalPasswordProviderGUIDs
  • Registry: Additional Password Provider GUIDs
  • Default: empty

Add one or more third‑party password Credential Provider GUIDs to filter (hide). HYPR already filters the built‑in Windows Password and Network Password providers.

Provide GUIDs separated by commas (braces optional). Examples:

{2135f72a-90b5-4ed3-a7f1-8bb705ac276a},F8A1793B-7873-4046-B2A7-1F318747F427
25CBB996-92ED-457e-B28C-4774084BD562

Enumerate installed providers at:

HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers

It is not possible to infer from the registry whether a provider is password‑oriented. Identify the owning product and verify it permits password login before filtering.

Do not filter passwordless providers

Adding GUIDs for passwordless providers by mistake can remove all login options.

Remote Sessions Enabled

  • MSI: N/A
  • JSON: N/A
  • Registry: Remote Sessions Enabled

To enable HYPR Passwordless for Windows during Remote Desktop (RDP) remote sessions, set the Remote Sessions Enabled registry key to 1. This setting is not available as an MSI property or hypr.json value. The default value is 0 (disabled).

Security impact

Enabling HYPR for RDP remote sessions can change your remote access threat model. Review the security considerations and required RDP configuration steps in Accessing a Remote Desktop before turning this on.

HYPR Registry Keys

The installation process adds a HYPR key to the Windows Registry at the following location:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\HYPR Workforce Access

The contents of this registry key (and all subkeys) is required for normal functioning of the application and shouldn't normally be changed post-install. However, for troubleshooting purposes HYPR Support may ask you to review or modify some of the values.

The HYPR Workforce Access key is readable by all users, but can only be modified by Administrators. The Config subkey (and the per-user subkeys under Config) can only be accessed by Administrators.