To install Rohos Logon Key on network workstations you can use MSI package, regular EXE setup package with command line support or Compact installation package (without Start Menu shortcuts and UI).
Please note, when Rohos is running in a Network mode (connected to Active Directory domain wide settings by LDAP database) then these settings maybe overwritten by the domain-wide settings.

Rohos Logon Key Setup command line options:

rohos_welcome.exe /VERYSILENT /usbkeyremoval=2 /regkey=XXXXXXXXXXXXX /usbdev=rohos_pkcs.dll /onlyusbkeylogin=3 /disableui=1 /NoTextLabels=10 /DisableCredUI=1

regkey – license key (default “”);
usbkeyremoval = 2 – (default 0) logoff after authentication key unplug;
usbdev – (default “”) the type of authentication key, see below the list of 2FA means;
onlyusbkeylogin =1 – (default 0) Choose a 2-factor authentication policy options (see USB_KEY_LOGIN_ONLY);
disableui=1 (default 0) disable access to Rohos main window and also doesnt creates start menu shortcuts to Rohos Logon Key application;
NoTextLabels=10 – (default 0) Hide Rohos icon from Windows logon screen;
DisableCredUI=1 – (default 0) Hide Rohos icon from UAC credentials prompt dialog box (RunAs Admin command);
ADmode=2 (default 0) prevent Rohos to verify\connect to AD LDAP.
ADAPSkipSetting = “USBKeyDllName” (default “”) prevent Rohos to sync some kind of option from domain-wide settings list. In this example Rohos will stop sync “USBKeyDllName” option (the kind of 2FA means) this will allow to use a custom 2FA method on selected set of workstations.

XXXXXXXXXXXXX – license key

Rohos Logon Key MSI:

  • It is specially designed, so you can set up program settings during installation. MSI package public options (see Chapter 4.9) can be changed using msiexec command line or MST file
  • It sets up restricted access rights to registry settings installed by Rohos Logon Key. This prevents users from change of program settings via Windows registry or Rohos Center.
  • It does not install program shortcuts into Start menu;

MSI package options

Options that can be changed via command line (in msiexec.exe):

  • LOGON_CAPTION=”Welcome to the company”
    (by default =”Welcome to windows”)
    Welcome screen caption text (big one)
  • LOGON_TEXT=” ”
    (by default =””)
    Welcome screen text notice (small text under the clock)
  • DISABLE_LOG=1
    (by default =0)
    Turns off all LOG files that can be produced by Rohos Logon Key program.
  • USB_KEY_LOGIN_ONLY=1
    (by default =0). Choose a 2-factor authentication policy options:
    1- Forces ALL users to log in with 2FA method  (use Emergengy login or SafeMode boot to login in case of 2FA method is not available)
    2- 2FA is enforced for a listed users. Usually this list created on a local PC when a 2FA is created on Rohos Logon Key locally;
    3- For ‘rohos’ user group in Active Directory
    4- For Remote Desktop login. Only remote desktop sessions will be subject to 2FA process;
    5- For Remote Desktop login with IP filter; Only remote desktop sessions outside LAN will be subject to 2FA process;
  • USB_REMOVAL=1
    (by default =0)
    1- Locks computer upon USB stick withdrawal.
    2- Log off session
    3 – Shutdown computer
    4 – Hibernate
    5 – Screensaver
    6 – Switch user
  • If this value is >50, it means keyless mode – time interval in seconds during which user can work without USB Key
    (see keyless mode feature)

(This option replaces the same settings from Rohos)

  • DISABLE_CENTER=1
    (by default =0)
    Disables to open Rohos main window. Note: Users cannot change program settings because program registry (HKLM\Software\Rohos) are intended for reading only for users.
  • REG_NUMBER=””
    (by default =0)
    Rohos Logon Key registration number (license)
  • USB_KEY_DLL=””

By default = USB flash drive.
Determines the type of 2FA method (authentication device or technology), used as an authentication key.

Possible values:

empty – USB Flash drive

rohos_mifare.dll – MiFare 1K RFID
rohos_ed-fs-2044.dll – RFID readers. Easyident/Addimat/pcProx/KCY
rohos_jcardv2.dll – JCard V2M
rohos_otp.dll – Google Authenticator or OTP tokens, YubiKey
rohos_phone.dll – Mobile phone (Android/iOs)
rohos_ybk.dll – Yubikey ID or OTP authentication
rohos_pkcs – any installed #PKCS11 compatible token.

Supported PKCS#11 tokens:

etpkcs11.dll – Alladdin eToken PRO
aseCardCryptoCSP.dll – Athena USB Cryptocard
HiCOSPKCS11.dll – FUTAKO HiToken v22
rtpkcs11.dll – Aktiv ruToken
utpkcs11.dll – uaToken
k1pk112.dll – iKey 20xx
aetpkss1.dll – iKey 30xx
sadaptor.dll – Crypto Identity 5
ep1pk111.dll – ePass 1000
ep2pk11.dll – ePass 2000
ngp11v211.dll – ePass 2000 FT12
eps2003csp11.dll – ePass 2003
pkcs_marx.dll – CrypToken


For example, the command line could be (silent install):
msiexec.exe /qr /i c:\rohos_welcome.msi LOGON_CAPTION=”Welcome to the company” USB_KEY_LOGIN_ONLY=3 USB_REMOVAL=1
To uninstall:
msiexec.exe /qr /uninstall c:\rohos_welcome.msi

It is possible to use Orca database table editor application to modify the MSI file and create MST transform files:

When you launch MSI file in cmd shell command prompt, you need to run it as administrator. Example of MST file using command line:

msiexec.exe /i rohos_welcome.msi /qn TRANSFORMS=rohos.mst

cmd line install

Or install MSI with MST via group policies.