Jump to content
Enpass Discussion Forum

Windows Hello doesn't work on system boot, must restart Enpass


Recommended Posts

I have a few devices and other family members with Enpass on Windows with the latest 6.5.0 version (via the Windows store) and when the devices restart or if i close/re-open Enpass it doesn't offer Windows Hello. I maybe mistaken, but i was under the impression this was a feature in the new version.

I have Windows Hello on but says Master password is required every time you restart - is there a setting i am missing?

tyaEvToprQ.png

Link to post
Share on other sites
  • Replies 59
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

Hey All, Thanks for the patience. I'm glad to share that the stable version of the Enpass (v6.6.1) with the Windows Hello fixes has been released. Please update the Enpass app and share your feed

Posted Images

3 hours ago, Garima Singh said:

Hey @PGTipz

It seems that your device does not support full-time Windows Hello. Please refer to this FAQ to know more about full-time Windows Hello in Enpass.

Hope this helps!

 

Hi @Garima Singh

I have downloaded the Windows desktop version which does not show the message "Master password is required every time you restart Enpass" but this also does not allow Windows Hello at startup or restart of Enpass (see the 3rd screenshot where i close then re-open Enpass).

 

I have checked my devices (one currently using a HP Zbook 15 G3 Windows Enterprise) all with latest Windows Updates are not the affected on the TPM list so unsure how to fix it.

 

8FLW95ISsO.png

H24OdnGr8I.png

wSxby4beAf.png

Link to post
Share on other sites

I have a similar problem with my Windows 10 PC. I extra bought an ASUS TPM-M 2.0 (it is a Infineon TPM chip) module to upgrade TPM for my desktop. The TPM-module is also correctly recognized by the Windows 10 system settings and is evaluated as ready for operation. I have already reset the TPM module (content deleted) and checked if the latest TPM firmware is installed on the module (it is he latest firmware). Nevertheless Enpass 6.50 (700) starts when restarting Windows 10 in the mode that I always have to type in the Enpass Master password first.

After that (as long as the PC is running) I can open the Enpass app by finger scan with Windows Hello, but this was already possible without the TPM module.
What else could be the reason that Windows Hello does not work immediately after restarting the Windows 10 PC?

Link to post
Share on other sites

Hey @PGTipz & @Bob

To determine whether the device should support Full-time Windows Hello(feature is only available with Enpass Store version), Enpass relies on the API provided by the Microsoft in this link.

This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case.
Although external TPM is available in the market we cannot ensure that they will support the given API.

Hope this helps!

Link to post
Share on other sites
7 hours ago, Garima Singh said:

Hey @PGTipz & @Bob

To determine whether the device should support Full-time Windows Hello(feature is only available with Enpass Store version), Enpass relies on the API provided by the Microsoft in this link.

This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case.
Although external TPM is available in the market we cannot ensure that they will support the given API.

Hope this helps!

Hi Garima,

I am not a developer or programmer. Can you or anyone else tell me how I can run this expression under Windows 10:
public IAsyncOperation<KeyCredentialAttestationResult> GetAttestationAsync();

Link to post
Share on other sites
  • 2 weeks later...
On 9/23/2020 at 8:19 AM, Garima Singh said:

Hey @PGTipz & @Bob

To determine whether the device should support Full-time Windows Hello(feature is only available with Enpass Store version), Enpass relies on the API provided by the Microsoft in this link.

This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case.
Although external TPM is available in the market we cannot ensure that they will support the given API.

Hope this helps!

Ok thank you. Most devices don't have TPM and my HP laptop does but it's version 1.2 so that will explain that.

Will there be support for older TPM versions?

Edited by PGTipz
Link to post
Share on other sites

Full Time Windows Hello doesn't work for either my PC nor my Surface Book 2. Both of them have TPM 2.0 and Bitlocker and other Windows Hello features are working fine so I'm not really sure what I'm supposed to look at when trying to debug the problem. The link to the Microsoft API doesn't help either...that's just a function that needs some script to output anything useful... :/

Link to post
Share on other sites

Hey,

On 10/3/2020 at 4:48 PM, PGTipz said:

Most devices don't have TPM and my HP laptop does but it's version 1.2 so that will explain that.

Will there be support for older TPM versions?

@PGTipz Sorry to say no, currently we don't have any plan to support for older TPM versions as the minimum requirement to use windows hello feature for full time is TPM 2.0. 

@Stahlreck Please try updating TPM drivers or check if resetting TPM helps.

Thanks!

Link to post
Share on other sites

tpm.thumb.png.e4fbb13b872aa4b1ce3e99ece37d7825.png

Even with a TPM 2.0 compatible chip Windows Hello does not work directly when starting Enpass (Store Version 6.5.0 (700)) I still have to login with my password once and after that (if Enpass is not used for a while) I can login with Windows Hello. But this was possible before I plugged the TPM chip on my motherboard and activated it.

I can only confirm what the previous users have already written, that in all other use cases Windows Hello works without problems.

My request to the Enpass team: Please check the implementation of this feature again. Maybe there has to be a compatibility check with other TPM chips after all.

 

Link to post
Share on other sites
On 10/8/2020 at 7:21 PM, Bob___ said:

tpm.thumb.png.e4fbb13b872aa4b1ce3e99ece37d7825.png

Even with a TPM 2.0 compatible chip Windows Hello does not work directly when starting Enpass (Store Version 6.5.0 (700)) I still have to login with my password once and after that (if Enpass is not used for a while) I can login with Windows Hello. But this was possible before I plugged the TPM chip on my motherboard and activated it.

I can only confirm what the previous users have already written, that in all other use cases Windows Hello works without problems.

 

My request to the Enpass team: Please check the implementation of this feature again. Maybe there has to be a compatibility check with other TPM chips after all.

 

Agree with you! Look my pics.

Snipaste_2020-10-10_15-39-04.png.6df2614f058d7b3b6f7d858e1ca125d8.pngChinese interface of TPM version 2.0 in device manager of control panel

Snipaste_2020-10-10_15-43-34.png.59686f836708f8ed088fa3ead991d77a.pngAnd the prompt under windowshello setting was not supposed to be which it should be.

Edited by user from keepass
Link to post
Share on other sites

Hi @Bob___ @user from keepass,

Thanks for writing back in.

We want a little input from your side so please follow these steps: Go to Start Menu > type "Powershell" > right-click on "Windows Powershell" icon > select "Run as Administrator".

Now run these three commands and share results over PM or on support@enpass.io:

  • Get-Tpm
  • Get-TpmSupportedFeature -FeatureList "Key Attestation"
  • Get-TpmEndorsementKeyInfo -Hash "Sha256"
  • Get-TpmEndorsementKeyInfo

Thanks for your co-operation.

Link to post
Share on other sites
  • 2 weeks later...

@Pratyush Sharma I do have the exact same problem, but with an XPS 13 9370. It has a TPM 2.0 and it is enabled.

Find bellow the outputs to the command you asked:

PS C:\Windows\system32> Get-Tpm


TpmPresent                : True
TpmReady                  : True
TpmEnabled                : True
TpmActivated              : True
TpmOwned                  : True
RestartPending            : True
ManufacturerId            : 1314145024
ManufacturerIdTxt         : NTC
ManufacturerVersion       : 7.2.0.1
ManufacturerVersionFull20 : 7.2.0.1

ManagedAuthLevel          : Full
OwnerAuth                 :
OwnerClearDisabled        : False
AutoProvisioning          : Enabled
LockedOut                 : False
LockoutHealTime           : 2 hours
LockoutCount              : 0
LockoutMax                : 32
SelfTest                  : {}



PS C:\Windows\system32> Get-TpmSupportedFeature -FeatureList "Key Attestation"
key attestation
PS C:\Windows\system32> Get-TpmEndorsementKeyInfo -HashAlgorithm "sha256"


IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            : dd2ce7d9ae2451fbf5f391081d20a66e59d2d50f7033da542d6dc0186ac8f4d3
ManufacturerCertificates : {[Subject]
                             TPMManufacturer=id:4E544300 + TPMModel=NPCT75x + TPMVersion=id:72

                           [Issuer]
                             CN=Nuvoton TPM Root CA 2111 + O=Nuvoton Technology Corporation + C=TW

                           [Serial Number]
                             525621C8FC0FDF5A5684

                           [Not Before]
                             26.10.2017 05:43:46

                           [Not After]
                             22.10.2037 05:43:46

                           [Thumbprint]
                             CCD4B6E247B78D0E1002C580FE8075DE1E418784
                           }
AdditionalCertificates   : {}



PS C:\Windows\system32> Get-TpmEndorsementKeyInfo


IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            :
ManufacturerCertificates : {[Subject]
                             TPMManufacturer=id:4E544300 + TPMModel=NPCT75x + TPMVersion=id:72

                           [Issuer]
                             CN=Nuvoton TPM Root CA 2111 + O=Nuvoton Technology Corporation + C=TW

                           [Serial Number]
                             525621C8FC0FDF5A5684

                           [Not Before]
                             26.10.2017 05:43:46

                           [Not After]
                             22.10.2037 05:43:46

                           [Thumbprint]
                             CCD4B6E247B78D0E1002C580FE8075DE1E418784
                           }
AdditionalCertificates   : {}



PS C:\Windows\system32>

 

Link to post
Share on other sites
  • 2 months later...

Is there any news on this issue? I recently bought a TPM just for the purpose of using it with Windows Hello (already hava a Laptop thats fully supports Windwos Hello). It seems I have the same modul as FuN_KeY.

Nuvuton 2.0

 

Link to post
Share on other sites

Hey guys, 

i think i got the same problem, first start and after a restart i have to enter the master pw ... after that windows hello works without any problem

i use a amd tpm / with an usb fingerprint reader

Quote

PS C:\WINDOWS\system32> Get-Tpm


TpmPresent                : True
TpmReady                  : True
TpmEnabled                : True
TpmActivated              : True
TpmOwned                  : True
RestartPending            : True
ManufacturerId            : 1095582720
ManufacturerIdTxt         : AMD
ManufacturerVersion       : 3.51.0.5
ManufacturerVersionFull20 : 3.51.0.5

ManagedAuthLevel          : Full
OwnerAuth                 : ****************************
OwnerClearDisabled        : False
AutoProvisioning          : Enabled
LockedOut                 : False
LockoutHealTime           : 10 minutes
LockoutCount              : 0
LockoutMax                : 31
SelfTest                  : {}

PS C:\WINDOWS\system32> Get-TpmSupportedFeature -FeatureList "Key Attestation"
key attestation
PS C:\WINDOWS\system32> Get-TpmEndorsementKeyInfo -Hash "Sha256"


IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            : ************************************************************
ManufacturerCertificates : {}
AdditionalCertificates   : {[Subject]
                             TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400

                           [Issuer]
                             CN=PRG-SSP, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering

                           [Serial Number]
                             ******************************

                           [Not Before]
                             15.10.2020 10:32:20

                           [Not After]
                             15.10.2045 10:32:20

                           [Thumbprint]
                             E1CB7C9B1DBFADEFF0C6EC355EAAFD6728D9EC00
                           }

PS C:\WINDOWS\system32> Get-TpmEndorsementKeyInfo


IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            :
ManufacturerCertificates : {}
AdditionalCertificates   : {[Subject]
                             TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400

                           [Issuer]
                             CN=PRG-SSP, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering

                           [Serial Number]
                             **********************************

                           [Not Before]
                             15.10.2020 10:32:20

                           [Not After]
                             15.10.2045 10:32:20

                           [Thumbprint]
                             **********************************
                           }

if there is any i can try or i can help, just pn me ;) i'm open for experiments :-P 

 

edit: ah btw, i have ~2 month old dell amd laptop on this i dont have this problem :)

here the log from the laptop:

Quote

PS C:\Windows\system32> Get-Tpm


TpmPresent                : True
TpmReady                  : True
TpmEnabled                : True
TpmActivated              : True
TpmOwned                  : True
RestartPending            : True
ManufacturerId            : 1095582720
ManufacturerIdTxt         : AMD
ManufacturerVersion       : 3.42.0.5
ManufacturerVersionFull20 : 3.42.0.5

ManagedAuthLevel          : Full
OwnerAuth                 :
OwnerClearDisabled        : False
AutoProvisioning          : Enabled
LockedOut                 : False
LockoutHealTime           : 2 hours
LockoutCount              : 0
LockoutMax                : 32
SelfTest                  : {}

PS C:\Windows\system32> Get-TpmSupportedFeature -FeatureList "Key Attestation"
key attestation
PS C:\Windows\system32> Get-TpmEndorsementKeyInfo -Hash "Sha256"


IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            : ************************************************
ManufacturerCertificates : {}
AdditionalCertificates   : {[Subject]
                             TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400

                           [Issuer]
                             CN=PRG-RN, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering

                           [Serial Number]
                             **********************************

                           [Not Before]
                             30.11.2020 13:00:35

                           [Not After]
                             30.11.2045 13:00:35

                           [Thumbprint]
                             *************************************
                           }
PS C:\Windows\system32> Get-TpmEndorsementKeyInfo


IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            :
ManufacturerCertificates : {}
AdditionalCertificates   : {[Subject]
                             TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400

                           [Issuer]
                             CN=PRG-RN, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering

                           [Serial Number]
                             *********************************

                           [Not Before]
                             30.11.2020 13:00:35

                           [Not After]
                             30.11.2045 13:00:35

                           [Thumbprint]
                             *********************************
                           }


 

 

Edited by blade
Link to post
Share on other sites
  • 3 weeks later...

Are there news on this case? I want to use Enpass and checked it out before. Excepting that issue on this webpage everything else is fine: WindowsHelo works correctly while starting  Win10-OS. But while starting Enpass now I have to use the MasterPassword. After the first initial start of Enpass the App can be unlocked by WindowsHelo.

Link to post
Share on other sites

Hello,

I have the same problem. My USB Fingerprint works with Windows Hello. Windows Login is ok but while starting Enpass i have to enter the Master Password. After that i can unlock Enpass with my Fingerprint Device. Enpass 6.5.2 (724) / Windows Store Version

Link to post
Share on other sites

Hey @Niesfisch

Welcome to the forums!

To determine whether a device should support Full-time Windows Hello (which is only available with the Store version of Enpass), we rely on the API provided by the Microsoft. This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little in the scope for any app to do in this case. Even with the external TPMs we cannot assure full-time support for Enpass until Windows Attestation API allows it.

To test if your device is supported by Windows Attestation API, Microsoft has provided a test app which requires you to enable developer mode (which can be later turned off).

Please follow the following steps and share the results with us.

  1. Turn ON Developer Mode, which is required for installing the App. 
  2. Go to Windows Settings > Update & Security > For developers > Use developer features. Select Developer mode and allow the permissions it asks for.  (Note: Remember to switch it back to default option Microsoft Store apps after installing the test app.) 
  3. Switching to Developer mode may take a while. Please make sure it is done and proceed further. 
  4. Now Install the test app. 
  5. Download the zip from here and extract the contents. 
  6. Double click on the file WindowsAttestationTest_1.0.0.0_x86.appxbundle to launch the installer. 
  7. Allow the permission if it asks during installation. 
  8. Launch the App and press the Start Test button in the App. 
  9. Authenticate the Windows Hello dialog, and after it, the result will be shown in the App. 

 Share the result and switch back to the Developer mode, as mentioned in Step 2.

 Thanks for your co-operation.

Link to post
Share on other sites

Hi,

I have the latest Windows Hello, the latest enpass, and TPM 2.0. Yet when I restart my windows computer, I have to type in the master password and have to do it again if enpass crashes. I know this has been a recurring topic, but when will we have this issue resolved?

Paul

 

Link to post
Share on other sites

Hi @paulsiu,

I totally understand your concern and apologies for the trouble you are facing.

To determine whether a device should support Full-time Windows Hello (which is only available with the Store version of Enpass), we rely on the API provided by the Microsoft. This is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little in the scope for any app to do in this case. Even with the external TPMs we cannot assure full-time support for Enpass until Windows Attestation API allows it.

To test if your device is supported by Windows Attestation API, Microsoft has provided a test app which requires you to enable developer mode (which can be later turned off).

Please follow the following steps and share the results with us.

  1. Turn ON Developer Mode, which is required for installing the App. 
  2. Go to Windows Settings > Update & Security > For developers > Use developer features. Select Developer mode and allow the permissions it asks for.  (Note: Remember to switch it back to default option Microsoft Store apps after installing the test app.) 
  3. Switching to Developer mode may take a while. Please make sure it is done and proceed further. 
  4. Now Install the test app. 
  5. Download the zip from here and extract the contents. 
  6. Double click on the file WindowsAttestationTest_1.0.0.0_x86.appxbundle to launch the installer. 
  7. Allow the permission if it asks during installation. 
  8. Launch the App and press the Start Test button in the App. 
  9. Authenticate the Windows Hello dialog, and after it, the result will be shown in the App. 

 Share the result with us on support@enpass.io and switch back to the Developer mode, as mentioned in Step 2.

 Thanks for your co-operation.

Link to post
Share on other sites

I'm having the same issue. The test app logs the following:

15:04:20.0348384 HelloSupported::True
15:04:20.0448471 KCM::OpenStatus::Success
15:04:20.0448471 KeyRetrievalStatus::Success
15:04:20.0678668 GetAttestationStatus::NotSupported

Windows Security Center lists Attestation as "Ready" though:

image.png.333f1b9ef0a37a941a19a605b508284a.png

Edited by singularity0821
Added screenshot
Link to post
Share on other sites

14:08:27.0294074 HelloSupported::True
14:08:27.0463620 KCM::OpenStatus::NotFound
14:08:27.0463620 KCM::OpenFailed::RequestingCreate.
14:08:36.3408149 KeyRetrievalStatus::Success
14:08:41.4531682 GetAttestationStatus::Success
14:08:43.3594864 PublicKeySignStatus::Success
14:08:43.3594864 PublicKey::0710b8157d73857aeaaeb9b2912926f8c879656e7887bda900e5f804f9bb12f5e993f0f36dfc7254de99938bad2b3adc6e504d081002ba8f2767f9a41b61045781f62715b5a5f766523cecc4cfc17094f02ae8e085552d99f60f6f96dbb52b7ead48e36d7b714ffa7e1a38a2d245e17450b9e6ca05955f4ee533ac6dc6637d68f473406f560e22d869b0ec9fa31c984434df06640b4db379ddfe0eba424468b8ac461070bff447cc557fe3c237a14a3fcbfb173a966fb8e06a71c07ff346d6e93db5b90b6b97d08b8146f5a000b81b4b0dd810a7741d2792d4df166ba9c057888bf8b2cb286948aad5826ae7a18e020accbe5c7252545e65ede12afb5b695e12
 

My device is a Surface Laptop 2 (Microsoft) and I constantly get the ("ok" it's me field). Since the latest update, Enpass goes into a continuous loop after Windows restart, Windows Hello does not start cleanly. Only quitting Enpass and restarting helps.

Enpass.PNG.9baf610fdbc5e04ea6e6d89c3a86d3b4.PNG

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...