Windows Hello doesn't work on system boot, must restart Enpass

[PGTipz]

I have a few devices and other family members with Enpass on Windows with the latest 6.5.0 version (via the Windows store) and when the devices restart or if i close/re-open Enpass it doesn't offer Windows Hello. I maybe mistaken, but i was under the impression this was a feature in the new version.

I have Windows Hello on but says Master password is required every time you restart - is there a setting i am missing?

[Garima Singh]

Hey @PGTipz

It seems that your device does not support full-time Windows Hello. Please refer to this FAQ to know more about full-time Windows Hello in Enpass.

Hope this helps!

 

[PGTipz]

3 hours ago, Garima Singh said:

Hey @PGTipz

It seems that your device does not support full-time Windows Hello. Please refer to this FAQ to know more about full-time Windows Hello in Enpass.

Hope this helps!

 

Hi @Garima Singh

I have downloaded the Windows desktop version which does not show the message "Master password is required every time you restart Enpass" but this also does not allow Windows Hello at startup or restart of Enpass (see the 3rd screenshot where i close then re-open Enpass).

 

I have checked my devices (one currently using a HP Zbook 15 G3 Windows Enterprise) all with latest Windows Updates are not the affected on the TPM list so unsure how to fix it.

 

[Bob___]

I have a similar problem with my Windows 10 PC. I extra bought an ASUS TPM-M 2.0 (it is a Infineon TPM chip) module to upgrade TPM for my desktop. The TPM-module is also correctly recognized by the Windows 10 system settings and is evaluated as ready for operation. I have already reset the TPM module (content deleted) and checked if the latest TPM firmware is installed on the module (it is he latest firmware). Nevertheless Enpass 6.50 (700) starts when restarting Windows 10 in the mode that I always have to type in the Enpass Master password first.

After that (as long as the PC is running) I can open the Enpass app by finger scan with Windows Hello, but this was already possible without the TPM module.
What else could be the reason that Windows Hello does not work immediately after restarting the Windows 10 PC?

[Garima Singh]

Hey @PGTipz & @Bob

To determine whether the device should support Full-time Windows Hello(feature is only available with Enpass Store version), Enpass relies on the API provided by the Microsoft in this link.

This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case.
Although external TPM is available in the market we cannot ensure that they will support the given API.

Hope this helps!

[Bob___]

7 hours ago, Garima Singh said:

Hey @PGTipz & @Bob

To determine whether the device should support Full-time Windows Hello(feature is only available with Enpass Store version), Enpass relies on the API provided by the Microsoft in this link.

This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case.
Although external TPM is available in the market we cannot ensure that they will support the given API.

Hope this helps!

Hi Garima,

I am not a developer or programmer. Can you or anyone else tell me how I can run this expression under Windows 10:
public IAsyncOperation<KeyCredentialAttestationResult> GetAttestationAsync();

[PGTipz]

On 9/23/2020 at 8:19 AM, Garima Singh said:

Hey @PGTipz & @Bob

To determine whether the device should support Full-time Windows Hello(feature is only available with Enpass Store version), Enpass relies on the API provided by the Microsoft in this link.

This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case.
Although external TPM is available in the market we cannot ensure that they will support the given API.

Hope this helps!

Ok thank you. Most devices don't have TPM and my HP laptop does but it's version 1.2 so that will explain that.

Will there be support for older TPM versions?

Edited October 3, 2020 by PGTipz

[Stahlreck]

Full Time Windows Hello doesn't work for either my PC nor my Surface Book 2. Both of them have TPM 2.0 and Bitlocker and other Windows Hello features are working fine so I'm not really sure what I'm supposed to look at when trying to debug the problem. The link to the Microsoft API doesn't help either...that's just a function that needs some script to output anything useful...

[Garima Singh]

Hey,

On 10/3/2020 at 4:48 PM, PGTipz said:

Most devices don't have TPM and my HP laptop does but it's version 1.2 so that will explain that.

Will there be support for older TPM versions?

@PGTipz Sorry to say no, currently we don't have any plan to support for older TPM versions as the minimum requirement to use windows hello feature for full time is TPM 2.0. 

@Stahlreck Please try updating TPM drivers or check if resetting TPM helps.

Thanks!

[Bob___]

Even with a TPM 2.0 compatible chip Windows Hello does not work directly when starting Enpass (Store Version 6.5.0 (700)) I still have to login with my password once and after that (if Enpass is not used for a while) I can login with Windows Hello. But this was possible before I plugged the TPM chip on my motherboard and activated it.

I can only confirm what the previous users have already written, that in all other use cases Windows Hello works without problems.

My request to the Enpass team: Please check the implementation of this feature again. Maybe there has to be a compatibility check with other TPM chips after all.

 

[user from keepass]

On 10/8/2020 at 7:21 PM, Bob___ said:

Even with a TPM 2.0 compatible chip Windows Hello does not work directly when starting Enpass (Store Version 6.5.0 (700)) I still have to login with my password once and after that (if Enpass is not used for a while) I can login with Windows Hello. But this was possible before I plugged the TPM chip on my motherboard and activated it.

I can only confirm what the previous users have already written, that in all other use cases Windows Hello works without problems.

 

My request to the Enpass team: Please check the implementation of this feature again. Maybe there has to be a compatibility check with other TPM chips after all.

 

Agree with you! Look my pics.

Chinese interface of TPM version 2.0 in device manager of control panel

And the prompt under windowshello setting was not supposed to be which it should be.

Edited October 11, 2020 by user from keepass

[Pratyush Sharma]

Hi @Bob___ @user from keepass,

Thanks for writing back in.

We want a little input from your side so please follow these steps: Go to Start Menu > type "Powershell" > right-click on "Windows Powershell" icon > select "Run as Administrator".

Now run these three commands and share results over PM or on support@enpass.io:

• Get-Tpm
• Get-TpmSupportedFeature -FeatureList "Key Attestation"
• Get-TpmEndorsementKeyInfo -Hash "Sha256"
• Get-TpmEndorsementKeyInfo

Thanks for your co-operation.

[FuN_KeY]

@Pratyush Sharma I do have the exact same problem, but with an XPS 13 9370. It has a TPM 2.0 and it is enabled.

Find bellow the outputs to the command you asked:

PS C:\Windows\system32> Get-Tpm


TpmPresent                : True
TpmReady                  : True
TpmEnabled                : True
TpmActivated              : True
TpmOwned                  : True
RestartPending            : True
ManufacturerId            : 1314145024
ManufacturerIdTxt         : NTC
ManufacturerVersion       : 7.2.0.1
ManufacturerVersionFull20 : 7.2.0.1

ManagedAuthLevel          : Full
OwnerAuth                 :
OwnerClearDisabled        : False
AutoProvisioning          : Enabled
LockedOut                 : False
LockoutHealTime           : 2 hours
LockoutCount              : 0
LockoutMax                : 32
SelfTest                  : {}



PS C:\Windows\system32> Get-TpmSupportedFeature -FeatureList "Key Attestation"
key attestation
PS C:\Windows\system32> Get-TpmEndorsementKeyInfo -HashAlgorithm "sha256"


IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            : dd2ce7d9ae2451fbf5f391081d20a66e59d2d50f7033da542d6dc0186ac8f4d3
ManufacturerCertificates : {[Subject]
                             TPMManufacturer=id:4E544300 + TPMModel=NPCT75x + TPMVersion=id:72

                           [Issuer]
                             CN=Nuvoton TPM Root CA 2111 + O=Nuvoton Technology Corporation + C=TW

                           [Serial Number]
                             525621C8FC0FDF5A5684

                           [Not Before]
                             26.10.2017 05:43:46

                           [Not After]
                             22.10.2037 05:43:46

                           [Thumbprint]
                             CCD4B6E247B78D0E1002C580FE8075DE1E418784
                           }
AdditionalCertificates   : {}



PS C:\Windows\system32> Get-TpmEndorsementKeyInfo


IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            :
ManufacturerCertificates : {[Subject]
                             TPMManufacturer=id:4E544300 + TPMModel=NPCT75x + TPMVersion=id:72

                           [Issuer]
                             CN=Nuvoton TPM Root CA 2111 + O=Nuvoton Technology Corporation + C=TW

                           [Serial Number]
                             525621C8FC0FDF5A5684

                           [Not Before]
                             26.10.2017 05:43:46

                           [Not After]
                             22.10.2037 05:43:46

                           [Thumbprint]
                             CCD4B6E247B78D0E1002C580FE8075DE1E418784
                           }
AdditionalCertificates   : {}



PS C:\Windows\system32>

 

[Pratyush Sharma]

Hi @FuN_KeY,

Thanks for sharing the details.

We have taken note of this and our team is now analyzing into the issue.

[Tebald]

Is there any news on this issue? I recently bought a TPM just for the purpose of using it with Windows Hello (already hava a Laptop thats fully supports Windwos Hello). It seems I have the same modul as FuN_KeY.

Nuvuton 2.0

 

[Pratyush Sharma]

Hi @Tebald,

Welcome to the forums!

We have sent you a personal message. Please check your inbox. Thanks!

[blade]

Hey guys, 

i think i got the same problem, first start and after a restart i have to enter the master pw ... after that windows hello works without any problem

i use a amd tpm / with an usb fingerprint reader

Quote

PS C:\WINDOWS\system32> Get-Tpm

TpmPresent                : True
TpmReady                  : True
TpmEnabled                : True
TpmActivated              : True
TpmOwned                  : True
RestartPending            : True
ManufacturerId            : 1095582720
ManufacturerIdTxt         : AMD
ManufacturerVersion       : 3.51.0.5
ManufacturerVersionFull20 : 3.51.0.5

ManagedAuthLevel          : Full
OwnerAuth                 : ****************************
OwnerClearDisabled        : False
AutoProvisioning          : Enabled
LockedOut                 : False
LockoutHealTime           : 10 minutes
LockoutCount              : 0
LockoutMax                : 31
SelfTest                  : {}

PS C:\WINDOWS\system32> Get-TpmSupportedFeature -FeatureList "Key Attestation"
key attestation
PS C:\WINDOWS\system32> Get-TpmEndorsementKeyInfo -Hash "Sha256"

IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            : ************************************************************
ManufacturerCertificates : {}
AdditionalCertificates   : {[Subject]
                             TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400

                           [Issuer]
                             CN=PRG-SSP, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering

                           [Serial Number]
                             ******************************

                           [Not Before]
                             15.10.2020 10:32:20

                           [Not After]
                             15.10.2045 10:32:20

                           [Thumbprint]
                             E1CB7C9B1DBFADEFF0C6EC355EAAFD6728D9EC00
                           }

PS C:\WINDOWS\system32> Get-TpmEndorsementKeyInfo

IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            :
ManufacturerCertificates : {}
AdditionalCertificates   : {[Subject]
                             TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400

                           [Issuer]
                             CN=PRG-SSP, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering

                           [Serial Number]
                             **********************************

                           [Not Before]
                             15.10.2020 10:32:20

                           [Not After]
                             15.10.2045 10:32:20

                           [Thumbprint]
                             **********************************
                           }

if there is any i can try or i can help, just pn me i'm open for experiments :-P 

 

edit: ah btw, i have ~2 month old dell amd laptop on this i dont have this problem

here the log from the laptop:

Quote

PS C:\Windows\system32> Get-Tpm

TpmPresent                : True
TpmReady                  : True
TpmEnabled                : True
TpmActivated              : True
TpmOwned                  : True
RestartPending            : True
ManufacturerId            : 1095582720
ManufacturerIdTxt         : AMD
ManufacturerVersion       : 3.42.0.5
ManufacturerVersionFull20 : 3.42.0.5

ManagedAuthLevel          : Full
OwnerAuth                 :
OwnerClearDisabled        : False
AutoProvisioning          : Enabled
LockedOut                 : False
LockoutHealTime           : 2 hours
LockoutCount              : 0
LockoutMax                : 32
SelfTest                  : {}

PS C:\Windows\system32> Get-TpmSupportedFeature -FeatureList "Key Attestation"
key attestation
PS C:\Windows\system32> Get-TpmEndorsementKeyInfo -Hash "Sha256"

IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            : ************************************************
ManufacturerCertificates : {}
AdditionalCertificates   : {[Subject]
                             TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400

                           [Issuer]
                             CN=PRG-RN, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering

                           [Serial Number]
                             **********************************

                           [Not Before]
                             30.11.2020 13:00:35

                           [Not After]
                             30.11.2045 13:00:35

                           [Thumbprint]
                             *************************************
                           }
PS C:\Windows\system32> Get-TpmEndorsementKeyInfo

IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            :
ManufacturerCertificates : {}
AdditionalCertificates   : {[Subject]
                             TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400

                           [Issuer]
                             CN=PRG-RN, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering

                           [Serial Number]
                             *********************************

                           [Not Before]
                             30.11.2020 13:00:35

                           [Not After]
                             30.11.2045 13:00:35

                           [Thumbprint]
                             *********************************
                           }

 

 

Edited January 10 by blade

[Garima Singh]

Hey @blade

Welcome to the forums!

We have sent you a personal message. Please check your inbox. Thanks!

[Hartmut]

Are there news on this case? I want to use Enpass and checked it out before. Excepting that issue on this webpage everything else is fine: WindowsHelo works correctly while starting  Win10-OS. But while starting Enpass now I have to use the MasterPassword. After the first initial start of Enpass the App can be unlocked by WindowsHelo.

[Niesfisch]

Hello,

I have the same problem. My USB Fingerprint works with Windows Hello. Windows Login is ok but while starting Enpass i have to enter the Master Password. After that i can unlock Enpass with my Fingerprint Device. Enpass 6.5.2 (724) / Windows Store Version

[Garima Singh]

Hey @Niesfisch

Welcome to the forums!

To determine whether a device should support Full-time Windows Hello (which is only available with the Store version of Enpass), we rely on the API provided by the Microsoft. This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little in the scope for any app to do in this case. Even with the external TPMs we cannot assure full-time support for Enpass until Windows Attestation API allows it.

To test if your device is supported by Windows Attestation API, Microsoft has provided a test app which requires you to enable developer mode (which can be later turned off).

Please follow the following steps and share the results with us.

1. Turn ON Developer Mode, which is required for installing the App. 
2. Go to Windows Settings > Update & Security > For developers > Use developer features. Select Developer mode and allow the permissions it asks for.  (Note: Remember to switch it back to default option Microsoft Store apps after installing the test app.) 
3. Switching to Developer mode may take a while. Please make sure it is done and proceed further. 
4. Now Install the test app. 
5. Download the zip from here and extract the contents. 
6. Double click on the file WindowsAttestationTest_1.0.0.0_x86.appxbundle to launch the installer. 
7. Allow the permission if it asks during installation. 
8. Launch the App and press the Start Test button in the App. 
9. Authenticate the Windows Hello dialog, and after it, the result will be shown in the App. 

 Share the result and switch back to the Developer mode, as mentioned in Step 2.

 Thanks for your co-operation.

[paulsiu]

Hi,

I have the latest Windows Hello, the latest enpass, and TPM 2.0. Yet when I restart my windows computer, I have to type in the master password and have to do it again if enpass crashes. I know this has been a recurring topic, but when will we have this issue resolved?

Paul

 

[Pratyush Sharma]

Hi @paulsiu,

I totally understand your concern and apologies for the trouble you are facing.

To determine whether a device should support Full-time Windows Hello (which is only available with the Store version of Enpass), we rely on the API provided by the Microsoft. This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little in the scope for any app to do in this case. Even with the external TPMs we cannot assure full-time support for Enpass until Windows Attestation API allows it.

To test if your device is supported by Windows Attestation API, Microsoft has provided a test app which requires you to enable developer mode (which can be later turned off).

Please follow the following steps and share the results with us.

1. Turn ON Developer Mode, which is required for installing the App. 
2. Go to Windows Settings > Update & Security > For developers > Use developer features. Select Developer mode and allow the permissions it asks for.  (Note: Remember to switch it back to default option Microsoft Store apps after installing the test app.) 
3. Switching to Developer mode may take a while. Please make sure it is done and proceed further. 
4. Now Install the test app. 
5. Download the zip from here and extract the contents. 
6. Double click on the file WindowsAttestationTest_1.0.0.0_x86.appxbundle to launch the installer. 
7. Allow the permission if it asks during installation. 
8. Launch the App and press the Start Test button in the App. 
9. Authenticate the Windows Hello dialog, and after it, the result will be shown in the App. 

 Share the result with us on support@enpass.io and switch back to the Developer mode, as mentioned in Step 2.

 Thanks for your co-operation.

[singularity0821]

I'm having the same issue. The test app logs the following:

15:04:20.0348384 HelloSupported::True
15:04:20.0448471 KCM::OpenStatus::Success
15:04:20.0448471 KeyRetrievalStatus::Success
15:04:20.0678668 GetAttestationStatus::NotSupported

Windows Security Center lists Attestation as "Ready" though:

Edited February 5 by singularity0821
Added screenshot

[Seger]

14:08:27.0294074 HelloSupported::True
14:08:27.0463620 KCM::OpenStatus::NotFound
14:08:27.0463620 KCM::OpenFailed::RequestingCreate.
14:08:36.3408149 KeyRetrievalStatus::Success
14:08:41.4531682 GetAttestationStatus::Success
14:08:43.3594864 PublicKeySignStatus::Success
14:08:43.3594864 PublicKey::0710b8157d73857aeaaeb9b2912926f8c879656e7887bda900e5f804f9bb12f5e993f0f36dfc7254de99938bad2b3adc6e504d081002ba8f2767f9a41b61045781f62715b5a5f766523cecc4cfc17094f02ae8e085552d99f60f6f96dbb52b7ead48e36d7b714ffa7e1a38a2d245e17450b9e6ca05955f4ee533ac6dc6637d68f473406f560e22d869b0ec9fa31c984434df06640b4db379ddfe0eba424468b8ac461070bff447cc557fe3c237a14a3fcbfb173a966fb8e06a71c07ff346d6e93db5b90b6b97d08b8146f5a000b81b4b0dd810a7741d2792d4df166ba9c057888bf8b2cb286948aad5826ae7a18e020accbe5c7252545e65ede12afb5b695e12
 

My device is a Surface Laptop 2 (Microsoft) and I constantly get the ("ok" it's me field). Since the latest update, Enpass goes into a continuous loop after Windows restart, Windows Hello does not start cleanly. Only quitting Enpass and restarting helps.