NHS Identity Agent configuration and registry settings

How to set up NHS Identity Agent and set the correct registry settings to optimise the software on a user's workstation.

On a new Identity Agent installation, no registry entries are created by default. The sub-trees must be created manually in the registry before any settings can be applied.

With a default installation, NHS Digital Identity Agent v2.4.5.0:

  • will authenticate into live
  • will be in ‘Normal’ mode
  • will not launch any web browser applications on login
  • will close down all browser sessions on logging out
  • will not create any entries in the registry

Download Identity Agent v2.4.5.0 (needs HSCN connection).

The agent is supplied with built-in defaults for all settings, meaning that by default there will be no settings present in the registry (including the directory path). The built-in defaults can be largely overridden through the application of specific registry values either directly or via Group Policy settings using an Administrative Template.

To help with this, download our simple-to-use IA Registry Editor Tool, which can be used to quickly update registry settings, including switching between different Path to Live environments.

You need admin rights on the workstation to change registry settings.

Registry settings should only be changed by a trained member of your IT or RA team. Making a mistake in a registry update can have consequences that mean a workstation will not operate properly and may have to be rebuilt.


Background

The Identity Agent will attempt to read settings from three separate areas of the registry. The locations have different purposes, and this is reflected in the order in which they are prioritised. The priority order is controlled by Windows and not by the Identity Agent.

  • Set by Group Policy – these settings are applied by Group Policy. System administrators can create their own template(s) from the registry setting information provided in this document for policy rollout if required. You should not attempt to create or modify settings manually or via a script in this part of the registry. These settings always take precedence.
  • All Users (Local Machine) – these settings are machine-wide and apply to any user who logs in to the system. They remain specific to the machine, and a user will always adopt them in preference to their own user settings.
  • Current User – these settings apply only to the currently logged-in user and persist with the user profile. If the user has a roaming profile, the settings travel with the user between machines.

The Identity Agent process will run as a 32-bit process regardless of whether the OS is 32-bit or 64-bit. As such it is important to note that the registry path for the Identity Agent will alter depending upon which OS variant is in use.

  • 32-bit Operating System:
    • Set by Group Policy: HKLM\SOFTWARE\Policies\HSCIC\Identity Agent
    • All Users: HKLM\SOFTWARE\HSCIC\Identity Agent
    • Current User: HKCU\SOFTWARE\HSCIC\Identity Agent
  • 64-bit Operating System:
    • Set by Group Policy: HKLM\SOFTWARE\Policies\HSCIC\Identity Agent
    • All Users: HKLM\SOFTWARE\Wow6432Node\HSCIC\Identity Agent
    • Current User: HKCU\SOFTWARE\HSCIC\Identity Agent

Please review the settings below to ensure that they are appropriate for your configuration, and that the secure operation of any other application that exposes patient identifiable or sensitive data under a Spine authentication context is considered.

  • After making registry changes, stop and restart NHS Digital Identity Agent v2.x so that they take effect, as not all registry changes are applied dynamically.
  • Without any explicit registry settings, NHS Digital Identity Agent v2.x operates in ‘Normal’ mode, authenticates against the live Spine environment and closes all web browsers on logging out of Spine.
  • To enable Mobility mode, set ‘MobilityPersistence_Available’ to ‘true’. The mode is then toggled on and off from the passcode form (‘Work with Smartcard removed’) on a per-login basis; the previous choice is not retained and the toggle always defaults to off.
    If ‘MobilityPersistence_Available’ is set to true but the ‘Work with Smartcard removed’ toggle is not switched on, the precedence order drops back to the next mode set to true in the registry. If no other mode is set to true, the agent defaults to Normal mode. If the user needs the session preserved as well as the ability to work with the Smartcard removed, ensure that both Session Lock and Mobility modes are enabled in the registry.
  • To enable Session Lock mode, set ‘SessionLockPersistence_Enabled’ to ‘true’.
  • To enable Enhanced Normal mode, set ‘EnhancedNormalMode’ to ‘true’. This makes Identity Agent v2.x behave in the same manner as Identity Agent v2.1.2.16 did when running in Normal mode.
  • If more than one of the above modes is enabled in the registry, they take precedence in the order in which they are described above (Mobility, then Session Lock, then Enhanced Normal).
  • On logging out of Spine, NHS Digital Identity Agent v2.x is configured by default to close all of the following browsers running under the current user context: IE.x, Chrome, Firefox. To alter this behaviour, consider using the ‘ProcessesToKill’ registry key detailed below.
  • The ‘RoleSelectionGETPOSTURL’ and ‘LogoffPOSTURL’ entries are no longer required, as NHS Digital Identity Agent v2.x now derives these programmatically.
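The following PowerShell script is an added example, not NHS Digital's own tooling: it reads the settings named above from the three registry locations in the Windows precedence order described (Group Policy, then All Users, then Current User), reports where each effective value comes from, derives the mode the agent will run in, and flags an ActivatePOSTURL that is not one of the endpoints in the Path-to-Live table further down. It assumes a 64-bit PowerShell host and, as an assumption, treats a flag as enabled when it is the string ‘true’ or a non-zero DWORD.

```powershell
# Added example (not NHS Digital's own tooling): resolve the settings the agent will actually
# use by reading the three registry locations in Windows precedence order. Assumes a 64-bit
# PowerShell host; the Wow6432Node path is selected automatically on 64-bit Windows.
$leaf = 'HSCIC\Identity Agent'
$machineBase = if ([Environment]::Is64BitOperatingSystem) { 'HKLM:\SOFTWARE\Wow6432Node' } else { 'HKLM:\SOFTWARE' }
$locations = [ordered]@{
    'Group Policy' = "HKLM:\SOFTWARE\Policies\$leaf"
    'All Users'    = "$machineBase\$leaf"
    'Current User' = "HKCU:\SOFTWARE\$leaf"
}
# Endpoints from the Path-to-Live table further down; any other ActivatePOSTURL is reported.
$knownActivateUrls = @(
    'https://gas.nis1.national.ncrs.nhs.uk/login/authactivate'  # NIS1 (INT)
    'https://gas.vn1.national.ncrs.nhs.uk/login/authactivate'   # VNIS1 (DEP)
    'https://gas.tsp.national.ncrs.nhs.uk/login/authactivate'   # TSP (TRAINING)
    'https://gas.national.ncrs.nhs.uk/login/authactivate'       # Live
)
function Get-EffectiveIaSetting {
    # The first location that defines the value wins; absent everywhere means built-in default.
    param([Parameter(Mandatory)][string]$Name)
    foreach ($scope in $locations.Keys) {
        $props = Get-ItemProperty -Path $locations[$scope] -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.$Name) {
            return [pscustomobject]@{ Name = $Name; Value = $props.$Name; Source = $scope }
        }
    }
    [pscustomobject]@{ Name = $Name; Value = $null; Source = 'built-in default' }
}

function Test-IaFlag {
    # Assumption: a flag counts as enabled when stored as the string 'true' or a non-zero DWORD.
    param($Value)
    ($Value -is [string] -and $Value -eq 'true') -or ($Value -is [int] -and $Value -ne 0)
}

$settings = 'MobilityPersistence_Available', 'SessionLockPersistence_Enabled', 'EnhancedNormalMode',
            'ProcessesToKill', 'CardRemovalCheck', 'ActivatePOSTURL' | ForEach-Object { Get-EffectiveIaSetting $_ }
$settings | Format-Table Name, Value, Source -AutoSize
$byName = @{}; $settings | ForEach-Object { $byName[$_.Name] = $_.Value }
# Mode precedence as described above: Mobility (when toggled on at login), Session Lock, Enhanced Normal, Normal.
$mode = if (Test-IaFlag $byName.MobilityPersistence_Available) { 'Mobility available (per-login toggle)' }
        elseif (Test-IaFlag $byName.SessionLockPersistence_Enabled) { 'Session Lock' }
        elseif (Test-IaFlag $byName.EnhancedNormalMode) { 'Enhanced Normal' }
        else { 'Normal' }
"Effective mode: $mode"
$url = $byName.ActivatePOSTURL
if (-not $url) { 'Environment: Live (no ActivatePOSTURL present, built-in default)' }
elseif ($knownActivateUrls -notcontains $url) { Write-Warning "ActivatePOSTURL '$url' is not a known Path-to-Live endpoint" }
else { "Environment endpoint: $url" }
```

Run it under the account whose configuration you are checking, since the Current User location differs per profile.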

Mobility mode

A key feature of ‘Mobility mode’ is that the user is periodically asked to re-authenticate, either by one factor (presenting the Smartcard) or by two factors (presenting the Smartcard and passcode).

The timings of these events can be specified by the use of ‘Config Themes’ - pre-set collections of mobility timer settings. The possible registry values for this setting are ‘off’ (default), ‘Minimal’, ‘Medium’, and ‘Maximum’. The individual values for these timers are described below:

Timer                                                                     Default       Minimal       Medium        Maximum
------------------------------------------------------------------------  ------------  ------------  ------------  ------------
Idle time before one-factor reverification is forced                      300s          60s           180s          300s
Maximum time (regardless of activity) before one-factor reverification    1800s (30m)   900s (15m)    1800s (30m)   3600s (1h)
Maximum time (regardless of activity) before two-factor reverification    7200s (2h)    3600s (1h)    7200s (2h)    14400s (4h)
Advance System Tray notification before idle timer prompt                 60s           20s           60s           120s
Advance System Tray notification before one-factor reverification prompt  180s          120s          180s          180s
Advance System Tray notification before two-factor reverification prompt  420s          300s          600s          600s
Two-factor upgrade window (see note below)                                900s (15m)    600s          900s (15m)    1200s (20m)
Countdown timer on the one-factor reverification form                     240s          120s          240s          240s
Countdown timer on the two-factor reverification form                     240s          240s          240s          240s

Note: the two-factor upgrade window is the time remaining on the two-factor reverification timer below which a one-factor reverification that is about to be shown (either forced, or because the user presented their Smartcard voluntarily) is replaced by a forced two-factor reverification. This prevents a two-factor reverification being required shortly after a one-factor reverification has been completed.


Path-to-Live environments

The Identity Agent can be configured to operate against alternate environments through the use of registry settings.

This table lists the Path-to-Live environments and their respective settings:

Environment       Registry setting   Value
----------------  -----------------  --------------------------------------------------------
NIS1 (INT)        ActivatePOSTURL    https://gas.nis1.national.ncrs.nhs.uk/login/authactivate
VNIS1 (DEP)       ActivatePOSTURL    https://gas.vn1.national.ncrs.nhs.uk/login/authactivate
TSP (TRAINING)    ActivatePOSTURL    https://gas.tsp.national.ncrs.nhs.uk/login/authactivate
Live              ActivatePOSTURL    https://gas.national.ncrs.nhs.uk/login/authactivate

Note: the value for Live is listed for reference only; it is not necessary to set an ActivatePOSTURL value in the registry to authenticate against the live environment.

In the event that the certificates for Path-to-Live are updated, the latest certificates for the environments can be downloaded from the URL below. Follow the link for ‘Root and SubCA Certificates’.

https://digital.nhs.uk/services/path-to-live-environments

These certificates need to go into the correct certificate stores for all users on the machines and require administrative rights to install them. Please contact your local ICT department to arrange this.


Silent configuration

The agent supports a silent installation using standard deployment toolsets that recognise .msi packages. Alternatively, when installing via a script, the following command line can be used:

%SystemRoot%\System32\msiexec.exe /i "NHS-Digital-Identity-Agent-2.x.msi" /qn

Although the default configuration will satisfy the requirements for most installation scenarios, each feature can be included as part of a silent install by specifying the additional parameter as:

%SystemRoot%\System32\msiexec.exe /i "NHS-Digital-Identity-Agent-2.x.msi" ADDLOCAL=featurenames /qn

Where featurenames is a comma-separated list of the ‘Component ID’ values from the table below, e.g. ADDLOCAL=IA,CertsTest.

Feature Name                      Component ID   Description
--------------------------------  -------------  -------------------------------------------
HSCIC Identity Agent              IA             Main product feature *
NHS Certificates for Production   CertsProd      Required for production environments
NHS Certificates for NIS1         CertsTest      Only required for test / development (PTL)

* If performing a command line installation using the ADDLOCAL option, ensure that “IA” is included along with the required certificates. If ADDLOCAL is not used, Identity Agent and the Production certificates are installed by default.


Automatic start on login

Once installed, launch the program through the ‘Identity Agent’ icon in the Programs | Identity Agent area of the Start Menu, or on Windows 8.1 / Windows 10 through the ‘Identity Agent’ icon on the Applications screen. Thereafter, Identity Agent starts automatically when the user logs into Windows.


Registration Authorities

Note: all users performing CMS activities are recommended to set the following value in the Identity Agent registry:

CardRemovalCheck = False

64-bit registry paths for the CardRemovalCheck flag:

  • HKLM: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\HSCIC\Identity Agent
  • HKCU: HKEY_CURRENT_USER\SOFTWARE\HSCIC\Identity Agent
  • Policy: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\HSCIC\Identity Agent

32-bit registry paths for the CardRemovalCheck flag:

  • HKLM: HKEY_LOCAL_MACHINE\SOFTWARE\HSCIC\Identity Agent
  • HKCU: HKEY_CURRENT_USER\SOFTWARE\HSCIC\Identity Agent
  • Policy: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\HSCIC\Identity Agent

Detailed documentation is available in the Identity Agent Admin Guide.
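The following PowerShell function is an added example, not NHS Digital's own tooling: it writes an Identity Agent value into the All Users key that matches the OS bitness (creating the HSCIC sub-tree, which a fresh installation lacks), warns when Group Policy already defines the same value (the Policies key always takes precedence, so the local write would be ineffective), and reads the value back. It requires an elevated 64-bit PowerShell host; storing the value as REG_SZ is an assumption, as the page does not state the value type.

```powershell
# Added example (not NHS Digital's own tooling): write an Identity Agent value for all users
# of an RA/CMS workstation in the bitness-correct All Users key, and warn when Group Policy
# already defines it, since the Policies key always wins and the local write would have no
# effect. Requires an elevated 64-bit PowerShell host; REG_SZ storage is an assumption.
function Set-IaMachineSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value
    )
    $leaf = 'HSCIC\Identity Agent'
    $allUsersKey = if ([Environment]::Is64BitOperatingSystem) { "HKLM:\SOFTWARE\Wow6432Node\$leaf" } else { "HKLM:\SOFTWARE\$leaf" }
    $policyKey = "HKLM:\SOFTWARE\Policies\$leaf"

    # The Policies key is only read, to detect an override; it is never written by hand or script.
    $policy = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $policy) {
        Write-Warning "$Name is already set to '$($policy.$Name)' by Group Policy, which takes precedence over this change."
    }

    if ($PSCmdlet.ShouldProcess("$allUsersKey\$Name", "Set to '$Value'")) {
        # A fresh installation has no HSCIC sub-tree, so create the key before writing the value.
        if (-not (Test-Path -Path $allUsersKey)) { New-Item -Path $allUsersKey -Force | Out-Null }
        New-ItemProperty -Path $allUsersKey -Name $Name -Value $Value -PropertyType String -Force | Out-Null
    }
    # Return what is now stored at this location so the caller can verify the write.
    (Get-ItemProperty -Path $allUsersKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Recommended value for users performing CMS activities (see above). Preview with -WhatIf, then apply;
# stop and restart the Identity Agent afterwards, because not all registry changes are dynamic.
Set-IaMachineSetting -Name 'CardRemovalCheck' -Value 'False' -WhatIf
Set-IaMachineSetting -Name 'CardRemovalCheck' -Value 'False'
```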


Legacy setup

The location for registry settings matches that of HSCIC Identity Agent v1 / NHS Digital Identity Agent v2.x and this differs from BT Identity Agent registry locations. Any admin or ‘environment switcher’ type tools will need to be updated to reflect these locations.


Last edited: 31 January 2024 3:13 pm