PGTipz Posted September 21, 2020 Report Share Posted September 21, 2020 I have a few devices and other family members with Enpass on Windows with the latest 6.5.0 version (via the Windows store) and when the devices restart or if i close/re-open Enpass it doesn't offer Windows Hello. I maybe mistaken, but i was under the impression this was a feature in the new version. I have Windows Hello on but says Master password is required every time you restart - is there a setting i am missing? Link to comment Share on other sites More sharing options...
Garima Singh Posted September 22, 2020 Report Share Posted September 22, 2020 Hey @PGTipz It seems that your device does not support full-time Windows Hello. Please refer to this FAQ to know more about full-time Windows Hello in Enpass. Hope this helps! Link to comment Share on other sites More sharing options...
PGTipz Posted September 22, 2020 Author Report Share Posted September 22, 2020 3 hours ago, Garima Singh said: Hey @PGTipz It seems that your device does not support full-time Windows Hello. Please refer to this FAQ to know more about full-time Windows Hello in Enpass. Hope this helps! Hi @Garima Singh I have downloaded the Windows desktop version which does not show the message "Master password is required every time you restart Enpass" but this also does not allow Windows Hello at startup or restart of Enpass (see the 3rd screenshot where i close then re-open Enpass). I have checked my devices (one currently using a HP Zbook 15 G3 Windows Enterprise) all with latest Windows Updates are not the affected on the TPM list so unsure how to fix it. Link to comment Share on other sites More sharing options...
Bob___ Posted September 22, 2020 Report Share Posted September 22, 2020 I have a similar problem with my Windows 10 PC. I extra bought an ASUS TPM-M 2.0 (it is a Infineon TPM chip) module to upgrade TPM for my desktop. The TPM-module is also correctly recognized by the Windows 10 system settings and is evaluated as ready for operation. I have already reset the TPM module (content deleted) and checked if the latest TPM firmware is installed on the module (it is he latest firmware). Nevertheless Enpass 6.50 (700) starts when restarting Windows 10 in the mode that I always have to type in the Enpass Master password first. After that (as long as the PC is running) I can open the Enpass app by finger scan with Windows Hello, but this was already possible without the TPM module. What else could be the reason that Windows Hello does not work immediately after restarting the Windows 10 PC? Link to comment Share on other sites More sharing options...
Garima Singh Posted September 23, 2020 Report Share Posted September 23, 2020 Hey @PGTipz & @Bob To determine whether the device should support Full-time Windows Hello(feature is only available with Enpass Store version), Enpass relies on the API provided by the Microsoft in this link. This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case. Although external TPM is available in the market we cannot ensure that they will support the given API. Hope this helps! Link to comment Share on other sites More sharing options...
Bob___ Posted September 23, 2020 Report Share Posted September 23, 2020 7 hours ago, Garima Singh said: Hey @PGTipz & @Bob To determine whether the device should support Full-time Windows Hello(feature is only available with Enpass Store version), Enpass relies on the API provided by the Microsoft in this link. This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case. Although external TPM is available in the market we cannot ensure that they will support the given API. Hope this helps! Hi Garima, I am not a developer or programmer. Can you or anyone else tell me how I can run this expression under Windows 10: public IAsyncOperation<KeyCredentialAttestationResult> GetAttestationAsync(); Link to comment Share on other sites More sharing options...
PGTipz Posted October 3, 2020 Author Report Share Posted October 3, 2020 (edited) On 9/23/2020 at 8:19 AM, Garima Singh said: Hey @PGTipz & @Bob To determine whether the device should support Full-time Windows Hello(feature is only available with Enpass Store version), Enpass relies on the API provided by the Microsoft in this link. This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case. Although external TPM is available in the market we cannot ensure that they will support the given API. Hope this helps! Ok thank you. Most devices don't have TPM and my HP laptop does but it's version 1.2 so that will explain that. Will there be support for older TPM versions? Edited October 3, 2020 by PGTipz Link to comment Share on other sites More sharing options...
Stahlreck Posted October 3, 2020 Report Share Posted October 3, 2020 Full Time Windows Hello doesn't work for either my PC nor my Surface Book 2. Both of them have TPM 2.0 and Bitlocker and other Windows Hello features are working fine so I'm not really sure what I'm supposed to look at when trying to debug the problem. The link to the Microsoft API doesn't help either...that's just a function that needs some script to output anything useful... Link to comment Share on other sites More sharing options...
Garima Singh Posted October 5, 2020 Report Share Posted October 5, 2020 Hey, On 10/3/2020 at 4:48 PM, PGTipz said: Most devices don't have TPM and my HP laptop does but it's version 1.2 so that will explain that. Will there be support for older TPM versions? @PGTipz Sorry to say no, currently we don't have any plan to support for older TPM versions as the minimum requirement to use windows hello feature for full time is TPM 2.0. @Stahlreck Please try updating TPM drivers or check if resetting TPM helps. Thanks! Link to comment Share on other sites More sharing options...
Bob___ Posted October 8, 2020 Report Share Posted October 8, 2020 Even with a TPM 2.0 compatible chip Windows Hello does not work directly when starting Enpass (Store Version 6.5.0 (700)) I still have to login with my password once and after that (if Enpass is not used for a while) I can login with Windows Hello. But this was possible before I plugged the TPM chip on my motherboard and activated it. I can only confirm what the previous users have already written, that in all other use cases Windows Hello works without problems. My request to the Enpass team: Please check the implementation of this feature again. Maybe there has to be a compatibility check with other TPM chips after all. Link to comment Share on other sites More sharing options...
user from keepass Posted October 10, 2020 Report Share Posted October 10, 2020 (edited) On 10/8/2020 at 7:21 PM, Bob___ said: Even with a TPM 2.0 compatible chip Windows Hello does not work directly when starting Enpass (Store Version 6.5.0 (700)) I still have to login with my password once and after that (if Enpass is not used for a while) I can login with Windows Hello. But this was possible before I plugged the TPM chip on my motherboard and activated it. I can only confirm what the previous users have already written, that in all other use cases Windows Hello works without problems. My request to the Enpass team: Please check the implementation of this feature again. Maybe there has to be a compatibility check with other TPM chips after all. Agree with you! Look my pics. Chinese interface of TPM version 2.0 in device manager of control panel And the prompt under windowshello setting was not supposed to be which it should be. Edited October 11, 2020 by user from keepass Link to comment Share on other sites More sharing options...
Pratyush Sharma Posted October 12, 2020 Report Share Posted October 12, 2020 Hi @Bob___ @user from keepass, Thanks for writing back in. We want a little input from your side so please follow these steps: Go to Start Menu > type "Powershell" > right-click on "Windows Powershell" icon > select "Run as Administrator". Now run these three commands and share results over PM or on support@enpass.io: Get-Tpm Get-TpmSupportedFeature -FeatureList "Key Attestation" Get-TpmEndorsementKeyInfo -Hash "Sha256" Get-TpmEndorsementKeyInfo Thanks for your co-operation. Link to comment Share on other sites More sharing options...
FuN_KeY Posted October 24, 2020 Report Share Posted October 24, 2020 @Pratyush Sharma I do have the exact same problem, but with an XPS 13 9370. It has a TPM 2.0 and it is enabled. Find bellow the outputs to the command you asked: PS C:\Windows\system32> Get-Tpm TpmPresent : True TpmReady : True TpmEnabled : True TpmActivated : True TpmOwned : True RestartPending : True ManufacturerId : 1314145024 ManufacturerIdTxt : NTC ManufacturerVersion : 7.2.0.1 ManufacturerVersionFull20 : 7.2.0.1 ManagedAuthLevel : Full OwnerAuth : OwnerClearDisabled : False AutoProvisioning : Enabled LockedOut : False LockoutHealTime : 2 hours LockoutCount : 0 LockoutMax : 32 SelfTest : {} PS C:\Windows\system32> Get-TpmSupportedFeature -FeatureList "Key Attestation" key attestation PS C:\Windows\system32> Get-TpmEndorsementKeyInfo -HashAlgorithm "sha256" IsPresent : True PublicKey : System.Security.Cryptography.AsnEncodedData PublicKeyHash : dd2ce7d9ae2451fbf5f391081d20a66e59d2d50f7033da542d6dc0186ac8f4d3 ManufacturerCertificates : {[Subject] TPMManufacturer=id:4E544300 + TPMModel=NPCT75x + TPMVersion=id:72 [Issuer] CN=Nuvoton TPM Root CA 2111 + O=Nuvoton Technology Corporation + C=TW [Serial Number] 525621C8FC0FDF5A5684 [Not Before] 26.10.2017 05:43:46 [Not After] 22.10.2037 05:43:46 [Thumbprint] CCD4B6E247B78D0E1002C580FE8075DE1E418784 } AdditionalCertificates : {} PS C:\Windows\system32> Get-TpmEndorsementKeyInfo IsPresent : True PublicKey : System.Security.Cryptography.AsnEncodedData PublicKeyHash : ManufacturerCertificates : {[Subject] TPMManufacturer=id:4E544300 + TPMModel=NPCT75x + TPMVersion=id:72 [Issuer] CN=Nuvoton TPM Root CA 2111 + O=Nuvoton Technology Corporation + C=TW [Serial Number] 525621C8FC0FDF5A5684 [Not Before] 26.10.2017 05:43:46 [Not After] 22.10.2037 05:43:46 [Thumbprint] CCD4B6E247B78D0E1002C580FE8075DE1E418784 } AdditionalCertificates : {} PS C:\Windows\system32> Link to comment Share on other sites More sharing options...
Pratyush Sharma Posted October 26, 2020 Report Share Posted October 26, 2020 Hi @FuN_KeY, Thanks for sharing the details. We have taken note of this and our team is now analyzing into the issue. Link to comment Share on other sites More sharing options...
Tebald Posted January 4, 2021 Report Share Posted January 4, 2021 Is there any news on this issue? I recently bought a TPM just for the purpose of using it with Windows Hello (already hava a Laptop thats fully supports Windwos Hello). It seems I have the same modul as FuN_KeY. Nuvuton 2.0 Link to comment Share on other sites More sharing options...
Pratyush Sharma Posted January 5, 2021 Report Share Posted January 5, 2021 Hi @Tebald, Welcome to the forums! We have sent you a personal message. Please check your inbox. Thanks! Link to comment Share on other sites More sharing options...
blade Posted January 10, 2021 Report Share Posted January 10, 2021 (edited) Hey guys, i think i got the same problem, first start and after a restart i have to enter the master pw ... after that windows hello works without any problem i use a amd tpm / with an usb fingerprint reader Quote PS C:\WINDOWS\system32> Get-Tpm TpmPresent : True TpmReady : True TpmEnabled : True TpmActivated : True TpmOwned : True RestartPending : True ManufacturerId : 1095582720 ManufacturerIdTxt : AMD ManufacturerVersion : 3.51.0.5 ManufacturerVersionFull20 : 3.51.0.5 ManagedAuthLevel : Full OwnerAuth : **************************** OwnerClearDisabled : False AutoProvisioning : Enabled LockedOut : False LockoutHealTime : 10 minutes LockoutCount : 0 LockoutMax : 31 SelfTest : {} PS C:\WINDOWS\system32> Get-TpmSupportedFeature -FeatureList "Key Attestation" key attestation PS C:\WINDOWS\system32> Get-TpmEndorsementKeyInfo -Hash "Sha256" IsPresent : True PublicKey : System.Security.Cryptography.AsnEncodedData PublicKeyHash : ************************************************************ ManufacturerCertificates : {} AdditionalCertificates : {[Subject] TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400 [Issuer] CN=PRG-SSP, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering [Serial Number] ****************************** [Not Before] 15.10.2020 10:32:20 [Not After] 15.10.2045 10:32:20 [Thumbprint] E1CB7C9B1DBFADEFF0C6EC355EAAFD6728D9EC00 } PS C:\WINDOWS\system32> Get-TpmEndorsementKeyInfo IsPresent : True PublicKey : System.Security.Cryptography.AsnEncodedData PublicKeyHash : ManufacturerCertificates : {} AdditionalCertificates : {[Subject] TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400 [Issuer] CN=PRG-SSP, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering [Serial Number] ********************************** [Not Before] 15.10.2020 10:32:20 [Not After] 15.10.2045 10:32:20 [Thumbprint] ********************************** } if there is any i can try or i can help, just pn me i'm open for experiments :-P edit: ah btw, i have ~2 month old dell amd laptop on this i dont have this problem here the log from the laptop: Quote PS C:\Windows\system32> Get-Tpm TpmPresent : True TpmReady : True TpmEnabled : True TpmActivated : True TpmOwned : True RestartPending : True ManufacturerId : 1095582720 ManufacturerIdTxt : AMD ManufacturerVersion : 3.42.0.5 ManufacturerVersionFull20 : 3.42.0.5 ManagedAuthLevel : Full OwnerAuth : OwnerClearDisabled : False AutoProvisioning : Enabled LockedOut : False LockoutHealTime : 2 hours LockoutCount : 0 LockoutMax : 32 SelfTest : {} PS C:\Windows\system32> Get-TpmSupportedFeature -FeatureList "Key Attestation" key attestation PS C:\Windows\system32> Get-TpmEndorsementKeyInfo -Hash "Sha256" IsPresent : True PublicKey : System.Security.Cryptography.AsnEncodedData PublicKeyHash : ************************************************ ManufacturerCertificates : {} AdditionalCertificates : {[Subject] TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400 [Issuer] CN=PRG-RN, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering [Serial Number] ********************************** [Not Before] 30.11.2020 13:00:35 [Not After] 30.11.2045 13:00:35 [Thumbprint] ************************************* } PS C:\Windows\system32> Get-TpmEndorsementKeyInfo IsPresent : True PublicKey : System.Security.Cryptography.AsnEncodedData PublicKeyHash : ManufacturerCertificates : {} AdditionalCertificates : {[Subject] TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400 [Issuer] CN=PRG-RN, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering [Serial Number] ********************************* [Not Before] 30.11.2020 13:00:35 [Not After] 30.11.2045 13:00:35 [Thumbprint] ********************************* } Edited January 10, 2021 by blade Link to comment Share on other sites More sharing options...
Garima Singh Posted January 11, 2021 Report Share Posted January 11, 2021 Hey @blade Welcome to the forums! We have sent you a personal message. Please check your inbox. Thanks! 1 Link to comment Share on other sites More sharing options...
Hartmut Posted January 26, 2021 Report Share Posted January 26, 2021 Are there news on this case? I want to use Enpass and checked it out before. Excepting that issue on this webpage everything else is fine: WindowsHelo works correctly while starting Win10-OS. But while starting Enpass now I have to use the MasterPassword. After the first initial start of Enpass the App can be unlocked by WindowsHelo. Link to comment Share on other sites More sharing options...
Niesfisch Posted January 28, 2021 Report Share Posted January 28, 2021 Hello, I have the same problem. My USB Fingerprint works with Windows Hello. Windows Login is ok but while starting Enpass i have to enter the Master Password. After that i can unlock Enpass with my Fingerprint Device. Enpass 6.5.2 (724) / Windows Store Version Link to comment Share on other sites More sharing options...
Garima Singh Posted January 29, 2021 Report Share Posted January 29, 2021 Hey @Niesfisch Welcome to the forums! To determine whether a device should support Full-time Windows Hello (which is only available with the Store version of Enpass), we rely on the API provided by the Microsoft. This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little in the scope for any app to do in this case. Even with the external TPMs we cannot assure full-time support for Enpass until Windows Attestation API allows it. To test if your device is supported by Windows Attestation API, Microsoft has provided a test app which requires you to enable developer mode (which can be later turned off). Please follow the following steps and share the results with us. Turn ON Developer Mode, which is required for installing the App. Go to Windows Settings > Update & Security > For developers > Use developer features. Select Developer mode and allow the permissions it asks for. (Note: Remember to switch it back to default option Microsoft Store apps after installing the test app.) Switching to Developer mode may take a while. Please make sure it is done and proceed further. Now Install the test app. Download the zip from here and extract the contents. Double click on the file WindowsAttestationTest_1.0.0.0_x86.appxbundle to launch the installer. Allow the permission if it asks during installation. Launch the App and press the Start Test button in the App. Authenticate the Windows Hello dialog, and after it, the result will be shown in the App. Share the result and switch back to the Developer mode, as mentioned in Step 2. Thanks for your co-operation. Link to comment Share on other sites More sharing options...
paulsiu Posted February 1, 2021 Report Share Posted February 1, 2021 Hi, I have the latest Windows Hello, the latest enpass, and TPM 2.0. Yet when I restart my windows computer, I have to type in the master password and have to do it again if enpass crashes. I know this has been a recurring topic, but when will we have this issue resolved? Paul Link to comment Share on other sites More sharing options...
Pratyush Sharma Posted February 2, 2021 Report Share Posted February 2, 2021 Hi @paulsiu, I totally understand your concern and apologies for the trouble you are facing. To determine whether a device should support Full-time Windows Hello (which is only available with the Store version of Enpass), we rely on the API provided by the Microsoft. This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little in the scope for any app to do in this case. Even with the external TPMs we cannot assure full-time support for Enpass until Windows Attestation API allows it. To test if your device is supported by Windows Attestation API, Microsoft has provided a test app which requires you to enable developer mode (which can be later turned off). Please follow the following steps and share the results with us. Turn ON Developer Mode, which is required for installing the App. Go to Windows Settings > Update & Security > For developers > Use developer features. Select Developer mode and allow the permissions it asks for. (Note: Remember to switch it back to default option Microsoft Store apps after installing the test app.) Switching to Developer mode may take a while. Please make sure it is done and proceed further. Now Install the test app. Download the zip from here and extract the contents. Double click on the file WindowsAttestationTest_1.0.0.0_x86.appxbundle to launch the installer. Allow the permission if it asks during installation. Launch the App and press the Start Test button in the App. Authenticate the Windows Hello dialog, and after it, the result will be shown in the App. Share the result with us on support@enpass.io and switch back to the Developer mode, as mentioned in Step 2. Thanks for your co-operation. Link to comment Share on other sites More sharing options...
singularity0821 Posted February 5, 2021 Report Share Posted February 5, 2021 (edited) I'm having the same issue. The test app logs the following: 15:04:20.0348384 HelloSupported::True 15:04:20.0448471 KCM::OpenStatus::Success 15:04:20.0448471 KeyRetrievalStatus::Success 15:04:20.0678668 GetAttestationStatus::NotSupported Windows Security Center lists Attestation as "Ready" though: Edited February 5, 2021 by singularity0821 Added screenshot Link to comment Share on other sites More sharing options...
Seger Posted February 8, 2021 Report Share Posted February 8, 2021 14:08:27.0294074 HelloSupported::True 14:08:27.0463620 KCM::OpenStatus::NotFound 14:08:27.0463620 KCM::OpenFailed::RequestingCreate. 14:08:36.3408149 KeyRetrievalStatus::Success 14:08:41.4531682 GetAttestationStatus::Success 14:08:43.3594864 PublicKeySignStatus::Success 14:08:43.3594864 PublicKey::0710b8157d73857aeaaeb9b2912926f8c879656e7887bda900e5f804f9bb12f5e993f0f36dfc7254de99938bad2b3adc6e504d081002ba8f2767f9a41b61045781f62715b5a5f766523cecc4cfc17094f02ae8e085552d99f60f6f96dbb52b7ead48e36d7b714ffa7e1a38a2d245e17450b9e6ca05955f4ee533ac6dc6637d68f473406f560e22d869b0ec9fa31c984434df06640b4db379ddfe0eba424468b8ac461070bff447cc557fe3c237a14a3fcbfb173a966fb8e06a71c07ff346d6e93db5b90b6b97d08b8146f5a000b81b4b0dd810a7741d2792d4df166ba9c057888bf8b2cb286948aad5826ae7a18e020accbe5c7252545e65ede12afb5b695e12 My device is a Surface Laptop 2 (Microsoft) and I constantly get the ("ok" it's me field). Since the latest update, Enpass goes into a continuous loop after Windows restart, Windows Hello does not start cleanly. Only quitting Enpass and restarting helps. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now