PGTipz

Windows Hello not working on startup/app restart


I have a few devices and other family members with Enpass on Windows with the latest 6.5.0 version (via the Windows Store), and when the devices restart or if I close/re-open Enpass it doesn't offer Windows Hello. I may be mistaken, but I was under the impression this was a feature in the new version.

I have Windows Hello on but it says Master password is required every time you restart - is there a setting I am missing?

3 hours ago, Garima Singh said:

Hey @PGTipz

It seems that your device does not support full-time Windows Hello. Please refer to this FAQ to know more about full-time Windows Hello in Enpass.

Hope this helps!

 

Hi @Garima Singh

I have downloaded the Windows desktop version, which does not show the message "Master password is required every time you restart Enpass", but this also does not allow Windows Hello at startup or restart of Enpass (see the 3rd screenshot where I close then re-open Enpass).

I have checked my devices (one currently using an HP ZBook 15 G3 Windows Enterprise), all with the latest Windows Updates, and they are not the affected ones on the TPM list, so I am unsure how to fix it.

 


I have a similar problem with my Windows 10 PC. I specifically bought an ASUS TPM-M 2.0 module (it is an Infineon TPM chip) to upgrade TPM for my desktop. The TPM module is also correctly recognized by the Windows 10 system settings and is evaluated as ready for operation. I have already reset the TPM module (content deleted) and checked if the latest TPM firmware is installed on the module (it is the latest firmware). Nevertheless, Enpass 6.50 (700) starts when restarting Windows 10 in the mode that I always have to type in the Enpass Master password first.

After that (as long as the PC is running) I can open the Enpass app by finger scan with Windows Hello, but this was already possible without the TPM module.
What else could be the reason that Windows Hello does not work immediately after restarting the Windows 10 PC?


Hey @PGTipz & @Bob

To determine whether the device should support Full-time Windows Hello (the feature is only available with the Enpass Store version), Enpass relies on the API provided by Microsoft in this link.

This is the only way to distinguish whether the security keys are generated by a legit hardware TPM. There is little Enpass can do in this case.
Although external TPMs are available on the market, we cannot ensure that they will support the given API.

Hope this helps!

7 hours ago, Garima Singh said:

Hey @PGTipz & @Bob

To determine whether the device should support Full-time Windows Hello (the feature is only available with the Enpass Store version), Enpass relies on the API provided by Microsoft in this link.

This is the only way to distinguish whether the security keys are generated by a legit hardware TPM. There is little Enpass can do in this case.
Although external TPMs are available on the market, we cannot ensure that they will support the given API.

Hope this helps!

Hi Garima,

I am not a developer or programmer. Can you or anyone else tell me how I can run this expression under Windows 10:
public IAsyncOperation<KeyCredentialAttestationResult> GetAttestationAsync();

On 9/23/2020 at 8:19 AM, Garima Singh said:

Hey @PGTipz & @Bob

To determine whether the device should support Full-time Windows Hello (the feature is only available with the Enpass Store version), Enpass relies on the API provided by Microsoft in this link.

This is the only way to distinguish whether the security keys are generated by a legit hardware TPM. There is little Enpass can do in this case.
Although external TPMs are available on the market, we cannot ensure that they will support the given API.

Hope this helps!

Ok thank you. Most devices don't have TPM and my HP laptop does but it's version 1.2 so that will explain that.

Will there be support for older TPM versions?


Full Time Windows Hello doesn't work for either my PC or my Surface Book 2. Both of them have TPM 2.0, and BitLocker and other Windows Hello features are working fine, so I'm not really sure what I'm supposed to look at when trying to debug the problem. The link to the Microsoft API doesn't help either...that's just a function that needs some script to output anything useful... :/


Hey,

On 10/3/2020 at 4:48 PM, PGTipz said:

Most devices don't have TPM and my HP laptop does but it's version 1.2 so that will explain that.

Will there be support for older TPM versions?

@PGTipz Sorry to say no, currently we don't have any plans to support older TPM versions, as the minimum requirement to use the Windows Hello feature full time is TPM 2.0.

@Stahlreck Please try updating TPM drivers or check if resetting TPM helps.

Thanks!


Even with a TPM 2.0 compatible chip, Windows Hello does not work directly when starting Enpass (Store Version 6.5.0 (700)). I still have to log in with my password once, and after that (if Enpass is not used for a while) I can log in with Windows Hello. But this was possible before I plugged the TPM chip into my motherboard and activated it.

I can only confirm what the previous users have already written, that in all other use cases Windows Hello works without problems.

My request to the Enpass team: Please check the implementation of this feature again. Maybe there has to be a compatibility check with other TPM chips after all.

 

On 10/8/2020 at 7:21 PM, Bob___ said:

Even with a TPM 2.0 compatible chip, Windows Hello does not work directly when starting Enpass (Store Version 6.5.0 (700)). I still have to log in with my password once, and after that (if Enpass is not used for a while) I can log in with Windows Hello. But this was possible before I plugged the TPM chip into my motherboard and activated it.

I can only confirm what the previous users have already written, that in all other use cases Windows Hello works without problems.

 

My request to the Enpass team: Please check the implementation of this feature again. Maybe there has to be a compatibility check with other TPM chips after all.

 

Agree with you! Look at my pics.

Chinese interface of TPM version 2.0 in device manager of control panel

And the prompt under the Windows Hello setting was not what it should be.


Hi @Bob___ @user from keepass,

Thanks for writing back in.

We want a little input from your side, so please follow these steps: Go to Start Menu > type "PowerShell" > right-click on the "Windows PowerShell" icon > select "Run as Administrator".

Now run these three commands and share results over PM or on support@enpass.io:

  • Get-Tpm
  • Get-TpmSupportedFeature -FeatureList "Key Attestation"
  • Get-TpmEndorsementKeyInfo -Hash "Sha256"
  • Get-TpmEndorsementKeyInfo

Thanks for your co-operation.
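
The commands requested above, gathered into one report (an added example, not code from Enpass or Microsoft). `Get-TpmReport` and its property names are hypothetical; `-Redact` masks the endorsement key hash and certificate serial numbers, which are unique to one TPM, so the result can be pasted where others can read it.

```powershell
#Requires -RunAsAdministrator
# Added example. Get-TpmReport and its property names are hypothetical; the cmdlets
# come from the built-in TrustedPlatformModule module and Win32_Tpm is the TPM WMI class.
function Get-TpmReport {
    param([switch]$Redact)   # mask per-device identifiers before posting publicly

    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        return [pscustomobject]@{ TpmPresent = $false }
    }

    # Get-Tpm lists the firmware version; the specification version (1.2 or 2.0)
    # is the first field of Win32_Tpm.SpecVersion, e.g. "2.0, 0, 1.38".
    $wmi  = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm
    $spec = "$($wmi.SpecVersion)".Split(',')[0].Trim()

    # In the output posted in this thread the cmdlet echoes the feature name when supported.
    $feature = @(Get-TpmSupportedFeature -FeatureList 'Key Attestation')

    $ekHash = $null
    $certs  = @()
    try {
        $ek     = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256
        $ekHash = $ek.PublicKeyHash
        $certs  = @(@($ek.ManufacturerCertificates) + @($ek.AdditionalCertificates) |
                    Where-Object { $_ })
    } catch {
        Write-Warning "Endorsement key query failed: $($_.Exception.Message)"
    }

    $now = Get-Date
    [pscustomobject]@{
        TpmPresent      = $true
        TpmReady        = $tpm.TpmReady
        RestartPending  = $tpm.RestartPending
        Manufacturer    = $tpm.ManufacturerIdTxt
        FirmwareVersion = $tpm.ManufacturerVersion
        SpecVersion     = $spec
        KeyAttestation  = [bool]($feature | Where-Object { "$_" -eq 'key attestation' })
        EkCertCount     = $certs.Count
        EkCertIssuers   = @($certs | ForEach-Object { $_.Issuer })
        EkCertsInDate   = @($certs | Where-Object { $_.NotBefore -le $now -and $now -le $_.NotAfter }).Count
        EkPublicKeyHash = if ($Redact -and $ekHash) { '<redacted>' } else { $ekHash }
        EkCertSerials   = if ($Redact) { '<redacted>' } else { @($certs | ForEach-Object { $_.SerialNumber }) }
    }
}

Get-TpmReport -Redact | Format-List
```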


@Pratyush Sharma I do have the exact same problem, but with an XPS 13 9370. It has a TPM 2.0 and it is enabled.

Find below the outputs of the commands you asked for:

PS C:\Windows\system32> Get-Tpm


TpmPresent                : True
TpmReady                  : True
TpmEnabled                : True
TpmActivated              : True
TpmOwned                  : True
RestartPending            : True
ManufacturerId            : 1314145024
ManufacturerIdTxt         : NTC
ManufacturerVersion       : 7.2.0.1
ManufacturerVersionFull20 : 7.2.0.1

ManagedAuthLevel          : Full
OwnerAuth                 :
OwnerClearDisabled        : False
AutoProvisioning          : Enabled
LockedOut                 : False
LockoutHealTime           : 2 hours
LockoutCount              : 0
LockoutMax                : 32
SelfTest                  : {}



PS C:\Windows\system32> Get-TpmSupportedFeature -FeatureList "Key Attestation"
key attestation
PS C:\Windows\system32> Get-TpmEndorsementKeyInfo -HashAlgorithm "sha256"


IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            : dd2ce7d9ae2451fbf5f391081d20a66e59d2d50f7033da542d6dc0186ac8f4d3
ManufacturerCertificates : {[Subject]
                             TPMManufacturer=id:4E544300 + TPMModel=NPCT75x + TPMVersion=id:72

                           [Issuer]
                             CN=Nuvoton TPM Root CA 2111 + O=Nuvoton Technology Corporation + C=TW

                           [Serial Number]
                             525621C8FC0FDF5A5684

                           [Not Before]
                             26.10.2017 05:43:46

                           [Not After]
                             22.10.2037 05:43:46

                           [Thumbprint]
                             CCD4B6E247B78D0E1002C580FE8075DE1E418784
                           }
AdditionalCertificates   : {}



PS C:\Windows\system32> Get-TpmEndorsementKeyInfo


IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            :
ManufacturerCertificates : {[Subject]
                             TPMManufacturer=id:4E544300 + TPMModel=NPCT75x + TPMVersion=id:72

                           [Issuer]
                             CN=Nuvoton TPM Root CA 2111 + O=Nuvoton Technology Corporation + C=TW

                           [Serial Number]
                             525621C8FC0FDF5A5684

                           [Not Before]
                             26.10.2017 05:43:46

                           [Not After]
                             22.10.2037 05:43:46

                           [Thumbprint]
                             CCD4B6E247B78D0E1002C580FE8075DE1E418784
                           }
AdditionalCertificates   : {}



PS C:\Windows\system32>

 
