Skip to main content
Version: 10.5.0

Windows Installation and Configuration

This page describes how to install HYPR Passwordless for Windows and configure key settings. For macOS, see macOS Installation. For a list of all Windows-specific parameters, see Installation Parameters.

Install via msiexec

You can use the msiexec command to deploy the HYPR Passwordless for Windows client without the displaying the installation UI. Note that if you're doing this manually at the command line you'll need to run from a command prompt that has administrative privileges.

You have two options for setting the necessary parameters:

MSI File Installation with JSON

  1. If you have not received or downloaded a ready-to-use hypr.json file alongside your .msi installation file, you can define your installation parameters manually by creating your own hypr.json configuration file. When installing, this file should be located in the same folder as the HYPR Passwordless .msi file. For more information about the installation parameters, see Common Installation Parameters.

  2. Run msiexec without any parameters:

msiexec.exe /qn /i WorkforceAccess_x64.msi

Command Line Installation

  1. Pass the installation parameters directly to msiexec on the command line. For example:
msiexec.exe /qn /i WorkforceAccess_x64.msi HYPRAPPID="HYPRDefaultWorkstationApplication"
HYPRRP="https://highlandsbank.gethypr.com/rp" HYPRSUPPORT="support@hb.com" HYPRHASH="LeM
8XnCIy8+Cxm+HKTEOBZr1g3D8odQNHTH+vdu7RWc=,5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
HYPRINSTALLTOKEN="0f03f635-4d9a-46ff-b537-cd97ad77cb6e" HYPRSUPPORT="support@hb.com"

Installation Parameters

The following parameters can be configured for Windows installations. Each parameter can be set via MSI properties, hypr.json file, or Registry values.

Parameter index

Detailed settings

rpUrl

  • MSI: HYPRRP
  • JSON: rpUrl
  • Registry: N/A

The URL of your HYPR instance. Must end in /rp, for example https://yourtenant.gethypr.com/rp.

appId

  • MSI: HYPRAPPID
  • JSON: appId
  • Registry: N/A

The ID of the HYPR Control Center internal application used to configure Workstation functionality: HYPRDefaultWorkstationApplication.

pinningHash

  • MSI: HYPRHASH
  • JSON: pinningHash
  • Registry: N/A

A hash of the HYPR server SSL/TLS certificate used for public key pinning. Multiple hashes can be comma‑separated; validation succeeds if any hash matches. Specify DISABLE to disable pinning checks. See the hypr.json downloaded with the installer for values.

installToken

  • MSI: HYPRINSTALLTOKEN
  • JSON: installToken
  • Registry: N/A

A token used to establish encrypted communication between the client and HYPR Server. Pre‑set per deployment.

certTemplate

  • MSI: HYPRTEMPLATE
  • JSON: certTemplate
  • Registry: N/A

Active Directory certificate template name for Advanced Installs and mobile enrollment. Default typically hyprwin. See Advanced Certificates.

supportEmail

  • MSI: HYPRSUPPORT
  • JSON: supportEmail
  • Registry: N/A

Email address used for support requests from within the client UI.

proxyServer

  • MSI: HYPRPROXYSERVER
  • JSON: proxyServer
  • Registry: N/A

Proxy server in the form proxy[:port], e.g., proxy.myoffice.com:3128. Port defaults to 8080.

proxyBypass

  • MSI: HYPRPROXYBYPASS
  • JSON: proxyBypass
  • Registry: N/A

Comma‑separated hostnames to exclude from proxy. Wildcards supported (e.g., .mycompany.com, 10.20.).

qrCodeUrl

  • MSI: HYPRQRCODEURL
  • JSON: qrCodeUrl
  • Registry: N/A

URL to handle incoming QR code requests. Typically your tenant URL.

disablePasswordLogin

  • MSI: HYPRDISABLEPASSWORDLOGIN
  • JSON: disablePasswordLogin
  • Registry: Disable Password Login
  • Default: 0

Controls password‑oriented Credential Providers via bit flags. Backward compatible with 0 (allow) and 1 (disable when paired).

Bits:

BitValueDescription
01Disable password‑oriented login when at least one device is paired with HYPR.
12Reserved (not implemented). Do not use.
24Keep password‑oriented login disabled once disabled (persists even if all pairings are later deleted).
38Always disable password‑oriented login (regardless of pairings).

Common values:

  • 0 Always allow password‑oriented login
  • 1 Disable when at least one device is paired; allow when none are paired
  • 5 Allow until the first device is paired; then disable and keep disabled
  • 8 Always disable password‑oriented login
  • 13 Password was allowed, then a device was paired; now disabled and persisted
Risk of lockout

Permanently disabling password‑oriented login can prevent access if all passwordless options are removed or fail. Plan recovery paths and rollout carefully.

additionalPasswordProviderGUIDs

  • MSI: HYPRPWDCREDPROVFILTER
  • JSON: additionalPasswordProviderGUIDs
  • Registry: Additional Password Provider GUIDs
  • Default: empty

Add one or more third‑party password Credential Provider GUIDs to filter (hide). HYPR already filters the built‑in Windows Password and Network Password providers.

Provide GUIDs separated by commas (braces optional). Examples:

{2135f72a-90b5-4ed3-a7f1-8bb705ac276a},F8A1793B-7873-4046-B2A7-1F318747F427
25CBB996-92ED-457e-B28C-4774084BD562

Enumerate installed providers at:

HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers

It is not possible to infer from the registry whether a provider is password‑oriented. Identify the owning product and verify it permits password login before filtering.

Do not filter passwordless providers

Adding GUIDs for passwordless providers by mistake can remove all login options.

fullUI

  • MSI: N/A
  • JSON: fullUI
  • Registry: N/A

Controls whether the Environment Setting dialog is shown during install. 0 hides the dialog; 1 shows it. Not applicable when installing via msiexec with command‑line parameters.

  • MSI: HYPRCUSTOMLOGO
  • JSON: customLogo
  • Registry: N/A

Path to a local image to override the default HYPR logo. Supported: PNG, JPEG, BMP. Preferred size: 101x82. Use doubled backslashes in paths (e.g., C:\\myImages\\hb_logo.png). See Branding Customization.

customBackground

  • MSI: HYPRCUSTOMBACKGROUND
  • JSON: customBackground
  • Registry: N/A

Path to a local image to override the default background. Supported: PNG, JPEG, BMP. Preferred size: 633x398. Use doubled backslashes. See Branding Customization.

noYKMD

  • MSI: NO_YKMD
  • JSON: noYKMD
  • Registry: N/A

If set to 1, the installer will not install or update Yubico's smart card mini‑driver embedded in HYPR Passwordless.

passwordlessUserTile

  • MSI: HYPRPASSWORDLESSUSERTILE
  • JSON: passwordlessUserTile
  • Registry: Passwordless User Tile

If 1, the Passwordless User login tile displays by default. If 0, Windows controls the default.

protectLogs

  • MSI: HYPRPROTECTLOGS
  • JSON: protectLogs
  • Registry: N/A

Controls access to HYPR logs. See Setting Log Access on Windows.

sendLogsPrompt

  • MSI: HYPRSENDLOGSPROMPT
  • JSON: sendLogsPrompt
  • Registry: N/A

Overrides the default Contact Support label. See Contact Support.

securityKeyCertTemplate

  • MSI: HYPRSECURITYKEYTEMPLATE
  • JSON: securityKeyCertTemplate
  • Registry: Certificate Template (Security Keys)

Certificate template used for non‑exportable private keys with security keys or smart‑cards. If unset, certTemplate is reused. See Advanced Certificates.

securityKeyPinCharacters

  • MSI: HYPRSECURITYKEYPINCHARS
  • JSON: securityKeyPinCharacters
  • Registry: N/A

Valid characters for security key or smart‑card PINs: Numeric, AlphaNumeric, or Any. AlphaNumeric allows ASCII letters A–Z (case‑sensitive). Any allows ASCII 0x21–0x7E (no spaces). AlphaNumeric and Any are only available with Yubico keys.

securityKeyPinComplexity

  • MSI: HYPRSECURITYKEYPINCOMPLEXITY
  • JSON: securityKeyPinComplexity
  • Registry: N/A

PIN complexity: "basic" or "strict". "Basic" prevents simple/repeating sequences (e.g., "123456", "111111", "121212", "123987"). See Using a Security Key.

securityKeyPinMinimumLength

  • MSI: HYPRSECURITYKEYPINMINLENGTH
  • JSON: securityKeyPinMinimumLength
  • Registry: N/A

Minimum PIN length for security keys or smart‑cards. Allowed values: 6, 7, or 8. Default is 6.

securityKeyPinRetries

  • MSI: HYPRSECURITYKEYPINRETRIES
  • JSON: securityKeyPinRetries
  • Registry: N/A

Number of allowed PIN/PUK retries during pairing if a PIN is set. If empty, zero, or negative, the device default applies. Max value is 255.

securityKeyTouchPolicy

  • MSI: HYPRSECURITYKEYTOUCHPOLICY
  • JSON: securityKeyTouchPolicy
  • Registry: N/A

YubiKey touch policy during pairing. If set to 3 ("Once"), a touch is required after PIN entry. Default is 0 ("Never"). See Yubico documentation.

smartCardPairing

  • MSI: HYPRSMARTCARDPAIRING
  • JSON: smartCardPairing
  • Registry: N/A

Enables pairing of smart‑card devices. Default 0 (disabled). Set to 1 to enable.

supportURL

  • MSI: HYPRSUPPORTURL
  • JSON: supportURL
  • Registry: N/A

Overrides the Need Assistance? URL. Opens in the default browser. See Contact Support.

unlockAppName

  • MSI: HYPRUNLOCKAPPNAME
  • JSON: unlockAppName
  • Registry: N/A

Application name shown in the HYPR client. See Branding Customization.

userAccountCheck

  • MSI: HYPRUSERACCOUNTCHECK
  • JSON: userAccountCheck
  • Registry: User Account Check

If enabled (1), attempts a certificate revocation check during login in addition to native Windows checks; may introduce delays.

HYPR Registry Keys

The installation process adds a HYPR key to the Windows Registry at the following location:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\HYPR Workforce Access

The contents of this registry key are required for normal functioning of the application and shouldn't normally be changed post-install. However, for troubleshooting purposes HYPR Support may ask you to review or modify some of the values.