Applies To
RSA Product Set: SecurID
RSA Product/Service Type: SecurID Authenticator for Windows
RSA Version/Condition: All Versions
Platform: Windows
Issue
Users without Windows Administrator permissions are unable to manage a DS100 using the SecurID Authenticator for Windows application (register an OTP credential, update firmware, change the FIDO PIN, or reset the FIDO module).
Cause
Users without Windows Administrator permissions must have the RSA FIDO Management Service installed on their computer to manage a DS100 using the SecurID Authenticator application.
Microsoft has decided to block all communication using the FIDO CTAP protocol to FIDO Security Keys unless those applications are running with Administrator permissions, which most Enterprise users do not have. The RSA FIDO Management Service elevates a single library within the Authenticator application, that is capable only of CTAP protocol communications, to run with Windows Administrator permissions when a DS100 or other FIDO Security key is detected. The RSA FIDO Management Service uses a code signing certificate to ensure only that the CTAP library within the SecurID Authenticator application, and no other code on the end user's computer is elevated to run with administrator permissions.
Resolution
A Windows Administrator must install the RSA FIDO Management Service on End User computers. If installation of applications from the MS store is being blocked, the Administrator will also need to install the SecurID Authenticator for Windows application.
Note: If installing apps from the Microsoft Store is blocked, an admin will also need to deploy SecurID Authenticator 6.1.2 (or later) for Windows via DISM sideload on end-user computers per the instructions in the SecurID Authenticator Admin Guide.
Deployment of the RSA FIDO Management Service
- The RSA FIDO Management Service can be installed via its GUI installer for testing by IT staff who have Windows administrator permissions.
- Distribution and installation via a Windows Group Policy or an organization's Software Configuration Management (SCM) tool by IT staff is recommended for end users who do not have Windows administrator permissions.
Installation of RSA FIDO Management Service Install (via GUI)
- Download the RSA FIDO Management Service from the RSA Community link:
https://community.securid.com/t5/securid-authenticator-for/rsa-fido-management-service-1-0-0-formicrosoft-
windows/ta-p/682729.
- Double-click the file rsa_fido_management_service_1.0.0.zip to open it.
- Drag the .MSI installer file to the desktop or other convenient location and launch it.
- Click Next.
- Select I accept the terms in the license agreement and click Next.
- Click Install.
- Click Yes if the User Account Control dialog asking if changes are allowed is displayed.
Note: If you see a dialog box that is yellow and states the app is from an unknown developer, see the
Troubleshooting section of this guide.
- Click Finish.
Installation of RSA FIDO Management Service Install (via command line)
The following syntax should be used to perform a silent install or uninstall of the RSA FIDO Management Service via the
command line. It is recommended to perform bulk distribution and installation via a Windows Group Policy or an
organization's Software Configuration Management (SCM) tool for users that are not Windows administrators.
- Double click file rsa_fido_management_service_1.0.0.zip to open it.
- Drag the .MSI installer file to the desktop or another convenient location.
- Launch the Command Prompt (cmd) with "Run as administrator".
- Navigate to the file system location where the installer is located.
- Use the following command to perform an automated, silent install:
msiexec /i "RSA FIDO Management Service (x64).msi" /qn
Additional Commands:
Uninstall silent mode: msiexec /x "RSA FIDO Management Service (x64).msi" /qn
