PGTipz, posted September 21, 2020

I have a few devices, and other family members with Enpass on Windows, with the latest 6.5.0 version (via the Windows store), and when the devices restart or if I close/re-open Enpass it doesn't offer Windows Hello. I may be mistaken, but I was under the impression this was a feature in the new version. I have Windows Hello on but it says Master password is required every time you restart - is there a setting I am missing?
Garima Singh, posted September 22, 2020

Hey @PGTipz

It seems that your device does not support full-time Windows Hello. Please refer to this FAQ to know more about full-time Windows Hello in Enpass.

Hope this helps!
PGTipz (author), posted September 22, 2020

3 hours ago, Garima Singh said:
> Hey @PGTipz It seems that your device does not support full-time Windows Hello. Please refer to this FAQ to know more about full-time Windows Hello in Enpass. Hope this helps!

Hi @Garima Singh

I have downloaded the Windows desktop version, which does not show the message "Master password is required every time you restart Enpass", but this also does not allow Windows Hello at startup or restart of Enpass (see the 3rd screenshot where I close then re-open Enpass). I have checked my devices (one currently using an HP Zbook 15 G3 Windows Enterprise), all with the latest Windows Updates, and they are not the affected ones on the TPM list, so I am unsure how to fix it.
Bob___, posted September 22, 2020

I have a similar problem with my Windows 10 PC. I specially bought an ASUS TPM-M 2.0 module (it is an Infineon TPM chip) to upgrade TPM for my desktop. The TPM module is also correctly recognized by the Windows 10 system settings and is evaluated as ready for operation. I have already reset the TPM module (content deleted) and checked if the latest TPM firmware is installed on the module (it is the latest firmware). Nevertheless, Enpass 6.50 (700) starts, when restarting Windows 10, in the mode where I always have to type in the Enpass Master password first. After that (as long as the PC is running) I can open the Enpass app by finger scan with Windows Hello, but this was already possible without the TPM module.

What else could be the reason that Windows Hello does not work immediately after restarting the Windows 10 PC?
Garima Singh, posted September 23, 2020

Hey @PGTipz & @Bob

To determine whether the device should support Full-time Windows Hello (feature is only available with Enpass Store version), Enpass relies on the API provided by Microsoft in this link. This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case. Although external TPMs are available in the market, we cannot ensure that they will support the given API.

Hope this helps!
Bob___, posted September 23, 2020

7 hours ago, Garima Singh said:
> Hey @PGTipz & @Bob To determine whether the device should support Full-time Windows Hello (feature is only available with Enpass Store version), Enpass relies on the API provided by Microsoft in this link. This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case. Although external TPMs are available in the market, we cannot ensure that they will support the given API. Hope this helps!

Hi Garima,

I am not a developer or programmer. Can you or anyone else tell me how I can run this expression under Windows 10:

    public IAsyncOperation<KeyCredentialAttestationResult> GetAttestationAsync();
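The call sequence around `GetAttestationAsync()`, as an added example that is not part of the original thread and is neither Enpass's code nor Microsoft's test app. It assumes it runs inside a packaged UWP app; the class name, key name and log labels are hypothetical choices made for this sketch.

```csharp
// Added example. Assumes a packaged UWP app (call RunAsync from a button
// handler) so that Windows Hello can show its consent dialog.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Windows.Security.Credentials;

public static class HelloAttestationProbe            // hypothetical name
{
    private const string KeyName = "attestation-probe-example"; // hypothetical

    public static async Task<IReadOnlyList<string>> RunAsync()
    {
        var log = new List<string>();

        // 1. Is Windows Hello set up for the signed-in user?
        bool supported = await KeyCredentialManager.IsSupportedAsync();
        log.Add($"HelloSupported::{supported}");
        if (!supported) return log;

        // 2. Open the probe key, creating it on first run (prompts the user).
        KeyCredentialRetrievalResult retrieval =
            await KeyCredentialManager.OpenAsync(KeyName);
        log.Add($"OpenStatus::{retrieval.Status}");
        if (retrieval.Status == KeyCredentialStatus.NotFound)
        {
            retrieval = await KeyCredentialManager.RequestCreateAsync(
                KeyName, KeyCredentialCreationOption.ReplaceExisting);
            log.Add($"CreateStatus::{retrieval.Status}");
        }
        if (retrieval.Status != KeyCredentialStatus.Success) return log;

        try
        {
            // 3. Ask the platform for an attestation statement for this key.
            KeyCredentialAttestationResult attestation =
                await retrieval.Credential.GetAttestationAsync();
            log.Add($"GetAttestationStatus::{attestation.Status}");

            switch (attestation.Status)
            {
                case KeyCredentialAttestationStatus.Success:
                    // The blob and chain are what a verifier checks; getting
                    // them is not the same as having validated them.
                    log.Add($"AttestationBytes::{attestation.AttestationBuffer.Length}");
                    log.Add($"CertChainBytes::{attestation.CertificateChainBuffer.Length}");
                    break;
                case KeyCredentialAttestationStatus.NotSupported:
                    log.Add("Result::platform cannot attest this key");
                    break;
                case KeyCredentialAttestationStatus.TemporaryFailure:
                    log.Add("Result::retry later");
                    break;
                default:
                    log.Add("Result::unknown error");
                    break;
            }
        }
        finally
        {
            // Remove the probe key so nothing is left in the user's container.
            await KeyCredentialManager.DeleteAsync(KeyName);
        }
        return log;
    }
}
```

A `NotSupported` status here means the app receives no attestation statement, so it has nothing with which to confirm that the key came from a hardware TPM.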
PGTipz (author), posted October 3, 2020 (edited October 3, 2020)

On 9/23/2020 at 8:19 AM, Garima Singh said:
> Hey @PGTipz & @Bob To determine whether the device should support Full-time Windows Hello (feature is only available with Enpass Store version), Enpass relies on the API provided by Microsoft in this link. This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case. Although external TPMs are available in the market, we cannot ensure that they will support the given API. Hope this helps!

Ok thank you. Most devices don't have TPM and my HP laptop does but it's version 1.2 so that will explain that. Will there be support for older TPM versions?
Stahlreck, posted October 3, 2020

Full Time Windows Hello doesn't work for either my PC or my Surface Book 2. Both of them have TPM 2.0, and Bitlocker and other Windows Hello features are working fine, so I'm not really sure what I'm supposed to look at when trying to debug the problem. The link to the Microsoft API doesn't help either... that's just a function that needs some script to output anything useful...
Garima Singh, posted October 5, 2020

Hey,

On 10/3/2020 at 4:48 PM, PGTipz said:
> Most devices don't have TPM and my HP laptop does but it's version 1.2 so that will explain that. Will there be support for older TPM versions?

@PGTipz Sorry to say no, currently we don't have any plan to support older TPM versions, as the minimum requirement to use the Windows Hello feature full time is TPM 2.0.

@Stahlreck Please try updating TPM drivers or check if resetting TPM helps.

Thanks!
Bob___, posted October 8, 2020

Even with a TPM 2.0 compatible chip, Windows Hello does not work directly when starting Enpass (Store Version 6.5.0 (700)). I still have to login with my password once and after that (if Enpass is not used for a while) I can login with Windows Hello. But this was possible before I plugged the TPM chip on my motherboard and activated it. I can only confirm what the previous users have already written, that in all other use cases Windows Hello works without problems.

My request to the Enpass team: Please check the implementation of this feature again. Maybe there has to be a compatibility check with other TPM chips after all.
user from keepass, posted October 10, 2020 (edited October 11, 2020)

On 10/8/2020 at 7:21 PM, Bob___ said:
> Even with a TPM 2.0 compatible chip, Windows Hello does not work directly when starting Enpass (Store Version 6.5.0 (700)). I still have to login with my password once and after that (if Enpass is not used for a while) I can login with Windows Hello. But this was possible before I plugged the TPM chip on my motherboard and activated it. I can only confirm what the previous users have already written, that in all other use cases Windows Hello works without problems. My request to the Enpass team: Please check the implementation of this feature again. Maybe there has to be a compatibility check with other TPM chips after all.

Agree with you! Look at my pics.

Chinese interface of TPM version 2.0 in device manager of control panel

And the prompt under the Windows Hello setting was not supposed to be which it should be.
Pratyush Sharma, posted October 12, 2020

Hi @Bob___ @user from keepass,

Thanks for writing back in. We want a little input from your side so please follow these steps:

Go to Start Menu > type "Powershell" > right-click on "Windows Powershell" icon > select "Run as Administrator".

Now run these three commands and share results over PM or on support@enpass.io:

    Get-Tpm
    Get-TpmSupportedFeature -FeatureList "Key Attestation"
    Get-TpmEndorsementKeyInfo -Hash "Sha256"
    Get-TpmEndorsementKeyInfo

Thanks for your co-operation.
FuN_KeY, posted October 24, 2020

@Pratyush Sharma I do have the exact same problem, but with an XPS 13 9370. It has a TPM 2.0 and it is enabled. Find below the outputs of the commands you asked for:

    PS C:\Windows\system32> Get-Tpm

    TpmPresent                : True
    TpmReady                  : True
    TpmEnabled                : True
    TpmActivated              : True
    TpmOwned                  : True
    RestartPending            : True
    ManufacturerId            : 1314145024
    ManufacturerIdTxt         : NTC
    ManufacturerVersion       : 7.2.0.1
    ManufacturerVersionFull20 : 7.2.0.1
    ManagedAuthLevel          : Full
    OwnerAuth                 :
    OwnerClearDisabled        : False
    AutoProvisioning          : Enabled
    LockedOut                 : False
    LockoutHealTime           : 2 hours
    LockoutCount              : 0
    LockoutMax                : 32
    SelfTest                  : {}

    PS C:\Windows\system32> Get-TpmSupportedFeature -FeatureList "Key Attestation"
    key attestation

    PS C:\Windows\system32> Get-TpmEndorsementKeyInfo -HashAlgorithm "sha256"

    IsPresent                : True
    PublicKey                : System.Security.Cryptography.AsnEncodedData
    PublicKeyHash            : dd2ce7d9ae2451fbf5f391081d20a66e59d2d50f7033da542d6dc0186ac8f4d3
    ManufacturerCertificates : {[Subject]
                                 TPMManufacturer=id:4E544300 + TPMModel=NPCT75x + TPMVersion=id:72
                               [Issuer]
                                 CN=Nuvoton TPM Root CA 2111 + O=Nuvoton Technology Corporation + C=TW
                               [Serial Number]
                                 525621C8FC0FDF5A5684
                               [Not Before]
                                 26.10.2017 05:43:46
                               [Not After]
                                 22.10.2037 05:43:46
                               [Thumbprint]
                                 CCD4B6E247B78D0E1002C580FE8075DE1E418784
                               }
    AdditionalCertificates   : {}

    PS C:\Windows\system32> Get-TpmEndorsementKeyInfo

    IsPresent                : True
    PublicKey                : System.Security.Cryptography.AsnEncodedData
    PublicKeyHash            :
    ManufacturerCertificates : {[Subject]
                                 TPMManufacturer=id:4E544300 + TPMModel=NPCT75x + TPMVersion=id:72
                               [Issuer]
                                 CN=Nuvoton TPM Root CA 2111 + O=Nuvoton Technology Corporation + C=TW
                               [Serial Number]
                                 525621C8FC0FDF5A5684
                               [Not Before]
                                 26.10.2017 05:43:46
                               [Not After]
                                 22.10.2037 05:43:46
                               [Thumbprint]
                                 CCD4B6E247B78D0E1002C580FE8075DE1E418784
                               }
    AdditionalCertificates   : {}

    PS C:\Windows\system32>
Pratyush Sharma, posted October 26, 2020

Hi @FuN_KeY,

Thanks for sharing the details. We have taken note of this and our team is now analyzing the issue.
Tebald, posted January 4

Is there any news on this issue? I recently bought a TPM just for the purpose of using it with Windows Hello (I already have a laptop that fully supports Windows Hello). It seems I have the same module as FuN_KeY: Nuvoton 2.0.
Pratyush Sharma, posted January 5

Hi @Tebald,

Welcome to the forums! We have sent you a personal message. Please check your inbox.

Thanks!
blade, posted January 10 (edited January 10)

Hey guys,

I think I've got the same problem: on first start and after a restart I have to enter the master pw... after that Windows Hello works without any problem.

I use an AMD TPM with a USB fingerprint reader.

    PS C:\WINDOWS\system32> Get-Tpm

    TpmPresent                : True
    TpmReady                  : True
    TpmEnabled                : True
    TpmActivated              : True
    TpmOwned                  : True
    RestartPending            : True
    ManufacturerId            : 1095582720
    ManufacturerIdTxt         : AMD
    ManufacturerVersion       : 3.51.0.5
    ManufacturerVersionFull20 : 3.51.0.5
    ManagedAuthLevel          : Full
    OwnerAuth                 : ****************************
    OwnerClearDisabled        : False
    AutoProvisioning          : Enabled
    LockedOut                 : False
    LockoutHealTime           : 10 minutes
    LockoutCount              : 0
    LockoutMax                : 31
    SelfTest                  : {}

    PS C:\WINDOWS\system32> Get-TpmSupportedFeature -FeatureList "Key Attestation"
    key attestation

    PS C:\WINDOWS\system32> Get-TpmEndorsementKeyInfo -Hash "Sha256"

    IsPresent                : True
    PublicKey                : System.Security.Cryptography.AsnEncodedData
    PublicKeyHash            : ************************************************************
    ManufacturerCertificates : {}
    AdditionalCertificates   : {[Subject]
                                 TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400
                               [Issuer]
                                 CN=PRG-SSP, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering
                               [Serial Number]
                                 ******************************
                               [Not Before]
                                 15.10.2020 10:32:20
                               [Not After]
                                 15.10.2045 10:32:20
                               [Thumbprint]
                                 E1CB7C9B1DBFADEFF0C6EC355EAAFD6728D9EC00
                               }

    PS C:\WINDOWS\system32> Get-TpmEndorsementKeyInfo

    IsPresent                : True
    PublicKey                : System.Security.Cryptography.AsnEncodedData
    PublicKeyHash            :
    ManufacturerCertificates : {}
    AdditionalCertificates   : {[Subject]
                                 TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400
                               [Issuer]
                                 CN=PRG-SSP, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering
                               [Serial Number]
                                 **********************************
                               [Not Before]
                                 15.10.2020 10:32:20
                               [Not After]
                                 15.10.2045 10:32:20
                               [Thumbprint]
                                 **********************************
                               }

If there is anything I can try or I can help, just PM me. I'm open for experiments :-P

Edit: ah btw, I have a ~2 month old Dell AMD laptop; on this I don't have this problem. Here is the log from the laptop:

    PS C:\Windows\system32> Get-Tpm

    TpmPresent                : True
    TpmReady                  : True
    TpmEnabled                : True
    TpmActivated              : True
    TpmOwned                  : True
    RestartPending            : True
    ManufacturerId            : 1095582720
    ManufacturerIdTxt         : AMD
    ManufacturerVersion       : 3.42.0.5
    ManufacturerVersionFull20 : 3.42.0.5
    ManagedAuthLevel          : Full
    OwnerAuth                 :
    OwnerClearDisabled        : False
    AutoProvisioning          : Enabled
    LockedOut                 : False
    LockoutHealTime           : 2 hours
    LockoutCount              : 0
    LockoutMax                : 32
    SelfTest                  : {}

    PS C:\Windows\system32> Get-TpmSupportedFeature -FeatureList "Key Attestation"
    key attestation

    PS C:\Windows\system32> Get-TpmEndorsementKeyInfo -Hash "Sha256"

    IsPresent                : True
    PublicKey                : System.Security.Cryptography.AsnEncodedData
    PublicKeyHash            : ************************************************
    ManufacturerCertificates : {}
    AdditionalCertificates   : {[Subject]
                                 TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400
                               [Issuer]
                                 CN=PRG-RN, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering
                               [Serial Number]
                                 **********************************
                               [Not Before]
                                 30.11.2020 13:00:35
                               [Not After]
                                 30.11.2045 13:00:35
                               [Thumbprint]
                                 *************************************
                               }

    PS C:\Windows\system32> Get-TpmEndorsementKeyInfo

    IsPresent                : True
    PublicKey                : System.Security.Cryptography.AsnEncodedData
    PublicKeyHash            :
    ManufacturerCertificates : {}
    AdditionalCertificates   : {[Subject]
                                 TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400
                               [Issuer]
                                 CN=PRG-RN, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering
                               [Serial Number]
                                 *********************************
                               [Not Before]
                                 30.11.2020 13:00:35
                               [Not After]
                                 30.11.2045 13:00:35
                               [Thumbprint]
                                 *********************************
                               }
Garima Singh, posted January 11

Hey @blade

Welcome to the forums! We have sent you a personal message. Please check your inbox.

Thanks!
Hartmut, posted January 26

Is there any news on this case? I want to use Enpass and checked it out before. Except for that issue on this webpage everything else is fine: Windows Hello works correctly while starting the Win10 OS. But while starting Enpass now I have to use the Master Password. After the first initial start of Enpass the app can be unlocked by Windows Hello.
Niesfisch, posted January 28

Hello, I have the same problem. My USB fingerprint reader works with Windows Hello. Windows login is OK, but while starting Enpass I have to enter the Master Password. After that I can unlock Enpass with my fingerprint device.

Enpass 6.5.2 (724) / Windows Store Version
Garima Singh, posted January 29

Hey @Niesfisch

Welcome to the forums!

To determine whether a device should support Full-time Windows Hello (which is only available with the Store version of Enpass), we rely on the API provided by Microsoft. This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little in the scope for any app to do in this case. Even with the external TPMs we cannot assure full-time support for Enpass until the Windows Attestation API allows it.

To test if your device is supported by the Windows Attestation API, Microsoft has provided a test app which requires you to enable developer mode (which can be later turned off). Please follow the following steps and share the results with us.

- Turn ON Developer Mode, which is required for installing the App. Go to Windows Settings > Update & Security > For developers > Use developer features. Select Developer mode and allow the permissions it asks for. (Note: Remember to switch it back to default option Microsoft Store apps after installing the test app.) Switching to Developer mode may take a while. Please make sure it is done and proceed further.
- Now install the test app. Download the zip from here and extract the contents. Double click on the file WindowsAttestationTest_1.0.0.0_x86.appxbundle to launch the installer. Allow the permission if it asks during installation.
- Launch the App and press the Start Test button in the App.
- Authenticate the Windows Hello dialog, and after it, the result will be shown in the App.
- Share the result and switch back to the Developer mode, as mentioned in Step 2.

Thanks for your co-operation.
paulsiu, posted February 1

Hi,

I have the latest Windows Hello, the latest Enpass, and TPM 2.0. Yet when I restart my Windows computer, I have to type in the master password and have to do it again if Enpass crashes. I know this has been a recurring topic, but when will we have this issue resolved?

Paul
Pratyush Sharma, posted February 2

Hi @paulsiu,

I totally understand your concern and apologies for the trouble you are facing.

To determine whether a device should support Full-time Windows Hello (which is only available with the Store version of Enpass), we rely on the API provided by Microsoft. This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little in the scope for any app to do in this case. Even with the external TPMs we cannot assure full-time support for Enpass until the Windows Attestation API allows it.

To test if your device is supported by the Windows Attestation API, Microsoft has provided a test app which requires you to enable developer mode (which can be later turned off). Please follow the following steps and share the results with us.

- Turn ON Developer Mode, which is required for installing the App. Go to Windows Settings > Update & Security > For developers > Use developer features. Select Developer mode and allow the permissions it asks for. (Note: Remember to switch it back to default option Microsoft Store apps after installing the test app.) Switching to Developer mode may take a while. Please make sure it is done and proceed further.
- Now install the test app. Download the zip from here and extract the contents. Double click on the file WindowsAttestationTest_1.0.0.0_x86.appxbundle to launch the installer. Allow the permission if it asks during installation.
- Launch the App and press the Start Test button in the App.
- Authenticate the Windows Hello dialog, and after it, the result will be shown in the App.
- Share the result with us on support@enpass.io and switch back to the Developer mode, as mentioned in Step 2.

Thanks for your co-operation.
singularity0821, posted February 5 (edited February 5: added screenshot)

I'm having the same issue. The test app logs the following:

    15:04:20.0348384 HelloSupported::True
    15:04:20.0448471 KCM::OpenStatus::Success
    15:04:20.0448471 KeyRetrievalStatus::Success
    15:04:20.0678668 GetAttestationStatus::NotSupported

Windows Security Center lists Attestation as "Ready" though:
Seger, posted February 8

    14:08:27.0294074 HelloSupported::True
    14:08:27.0463620 KCM::OpenStatus::NotFound
    14:08:27.0463620 KCM::OpenFailed::RequestingCreate.
    14:08:36.3408149 KeyRetrievalStatus::Success
    14:08:41.4531682 GetAttestationStatus::Success
    14:08:43.3594864 PublicKeySignStatus::Success

My device is a Surface Laptop 2 (Microsoft) and I constantly get the ("ok" it's me field). Since the latest update, Enpass goes into a continuous loop after Windows restart, Windows Hello does not start cleanly. Only quitting Enpass and restarting helps.