Jump to content
Enpass Discussion Forum

Windows Hello doesn't work on system boot, must restart Enpass


PGTipz
 Share

Recommended Posts

Hi @Terri Breining,

Sorry for the inconvenience caused to you.

We have released a beta update for the Windows OS including fix for this issue and will soon be releasing the stable version. Meanwhile, if you are interested in joining the beta version, please share your Microsoft ID with me via PM or support@enpass.io. We would love to have your feedback on the beta version.

Link to comment
Share on other sites

Unfortunately, I haven't been able to test the beta yet because my notebook is broken and will be repaired.

On 3/15/2021 at 2:38 PM, dan45 said:

hi @Pratyush Sharmahow can I get beta-versions?

Try out Enpass beta

On 3/12/2021 at 9:59 PM, gpf said:

Thanks for the suggestion, I'll try that out. Is the layout and functionality the same in that version?

The only difference I found is the program icon.

  • Thanks 1
Link to comment
Share on other sites

  • 1 month later...

Hi @singularity0821,

Sorry for the inconvenience caused to you.

Whether the full-time Window Hello will work on any device totally depends on the Windows itself.

To determine the compatibility of the device to support Full-time Windows Hello (feature is only available with Enpass Store version), Enpass relies on this API provided by the Microsoft . It is the only way to distinguish whether the security keys are generated by a legit Hardware TPM. There is little Enpass can do in this case. Although for external TPM is available in the market we cannot ensure that they will support the given API.

Link to comment
Share on other sites

  • 1 month later...

I am also having the same issue where Enpass will not unlock using Windows Hello after the first time it is started/restarted.

Enpass Security Screen

image.png.4a1cc1b683ab89216341c38668857248.png

 

Below are my system details:

OS: Windows 10 Pro 20H2 19042.1052 x64
Enpass Version: 6.6.1 (804) from the Microsoft Store

 

Security Processor Details

image.png.0a5bbee75cba0ab63a3f0ae3daa10f9a.png

 

Get-TPM

TpmPresent                : True
TpmReady                  : True
TpmEnabled                : True
TpmActivated              : True
TpmOwned                  : True
RestartPending            : True
ManufacturerId            : 1229870147
ManufacturerIdTxt         : INTC
ManufacturerVersion       : 403.1.0.0
ManufacturerVersionFull20 : 403.1.0.0

ManagedAuthLevel          : Full
OwnerAuth                 :
OwnerClearDisabled        : False
AutoProvisioning          : Enabled
LockedOut                 : False
LockoutHealTime           : 2 hours
LockoutCount              : 0
LockoutMax                : 32
SelfTest                  : {}

 

Get-TpmSupportedFeature -FeatureList "Key Attestation"

key attestation

 

Get-TpmEndorsementKeyInfo

IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            :
ManufacturerCertificates : {}
AdditionalCertificates   : {[Subject]
                             TPMVersion=id:00020000, TPMModel=CNL, TPMManufacturer=id:494E5443

                           [Issuer]
                             CN=www.intel.com, OU=TPM EK intermediate for CNL_EPID_POST_B1LP_PROD_2 pid:9, O=Intel
                           Corporation, L=Santa Clara, S=CA, C=US

                           [Serial Number]
                             ****************************************

                           [Not Before]
                             13/2/2018 8:00:00 AM

                           [Not After]
                             1/1/2050 7:59:59 AM

                           [Thumbprint]
                             ****************************************
                           }

 

Get-TpmEndorsementKeyInfo -Hash "Sha256"

IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            : ****************************************************************
ManufacturerCertificates : {}
AdditionalCertificates   : {[Subject]
                             TPMVersion=id:00020000, TPMModel=CNL, TPMManufacturer=id:494E5443

                           [Issuer]
                             CN=www.intel.com, OU=TPM EK intermediate for CNL_EPID_POST_B1LP_PROD_2 pid:9, O=Intel
                           Corporation, L=Santa Clara, S=CA, C=US

                           [Serial Number]
                             ****************************************

                           [Not Before]
                             13/2/2018 8:00:00 AM

                           [Not After]
                             1/1/2050 7:59:59 AM

                           [Thumbprint]
                             ****************************************
                           }

 

Output from the WindowsAttestationTest_1.0.0.0_x86 App

21:33:38.4189779 HelloSupported::True
21:33:38.4239986 KCM::OpenStatus::NotFound
21:33:38.4259780 KCM::OpenFailed::RequestingCreate.
21:33:41.0279789 KeyRetrievalStatus::Success
21:33:43.1271809 GetAttestationStatus::Success
21:33:43.4383245 PublicKeySignStatus::Success
21:33:43.4383245 PublicKey::********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************

 

Will you be able to assist please? 

I have attempted the following but the issue still persists:

1. Clear the TPM both from Windows and the BIOS

2. Re-enroll Windows Hello.

3. Cleared Enpass data and restart from fresh.

 

Thank you.

Edited by Plexion
Link to comment
Share on other sites

On 6/29/2021 at 2:27 PM, Anshu kumar said:

Hi @Plexion,

As mentioned by @Pratyush in the post above, it is the Windows itself which decides whether Enpass can be always unlocked using Windows Hello.

To determine whether your device have support Full-time Windows Hello, please have a look at these troubleshooting steps mentioned by @Garima Singh

Hope this helps!

Interestingly Bitwarden does support full-time Windows Hello, while Enpass does not. So I'm not sure if it's an issue with our devices.

Edited by singularity0821
Link to comment
Share on other sites

2 hours ago, Anshu kumar said:

Hi @Plexion,

As mentioned by @Pratyush in the post above, it is the Windows itself which decides whether Enpass can be always unlocked using Windows Hello.

To determine whether your device have support Full-time Windows Hello, please have a look at these troubleshooting steps mentioned by @Garima Singh

Hope this helps!

 

Hi @Anshu kumar

If you have read through my entire post, you will notice that I have gone through all 3 pages of this thread, and provided all the information your team has requested for throughout, including those highlighted in the link you have provided.

Kindly please check my previous post once again, for all the information requested, including the output from the test app. Windows Hello is said to be supported by the test app.

Edited by Plexion
Link to comment
Share on other sites

  • 2 weeks later...
  • 1 month later...

I am also having the problem of Windows Hello not working when first launching the app after first boot. However this problem only started to happen when I had to reimage my laptop. Before reimaging, it worked as expected and Windows Hello would always work, even after reboot. This tells me that my hardware does support the ability to do Full Time Windows Hello, and I can confirm that the laptop has an OEM TPM 2.0 chip that came with the laptop (not a TPM added after the fact). This tells me that it is a problem with the Enpass App, and not with my hardware.

I am using the 6.6.3 (836) version of the app from the Windows Store on Windows 10 21H1. Below is the results from the WindowsAttestationTest app:

 

21:25:40.0438434 HelloSupported::True
21:25:40.0578458 KCM::OpenStatus::NotFound
21:25:40.0588455 KCM::OpenFailed::RequestingCreate.
21:25:46.1298155 KeyRetrievalStatus::Success
21:25:48.0390590 GetAttestationStatus::Success
21:25:48.3560603 PublicKeySignStatus::Success
21:25:48.3560603 

If you need additional information to help troubleshoot and resolve this issue, I will gladly assist.

Thank you.

Edited by Rojma
Link to comment
Share on other sites

  • 2 months later...

Hello @Anshu kumar & @Pratyush Sharma there have been no replies on this for 2 1/2 months. I now have a third machine which was working fine that after reimaging now no longer works. I have to put in the password after reboot, and only then can I start using Windows Hello. Before reimaging I did not have to do this and I was able to authenticate using Windows Hello after any reboot. I will be more than happy to assist on troubleshooting the issue and providing any needed data.

Link to comment
Share on other sites

Hi @Rojma

Apologies for the delay in response. Enpass really appreciates your patience. Our team is continuosly working on the concern to get it fixed. Just to make sure your data is synced and saved, on your windows Enpass application, please create a manual backup first, then un-install the application. After that please reinstall the application and restore your data.

Will update this thread as soon as I get any further updates.

Link to comment
Share on other sites

Same with my laptop. I have Windows Hello and TPM 2.0 and the latest version 6.7.2 of Enpass, but I also have to insert my Password after every restart. Why do you call it a brand new feature, if it doesn't work for most users? 

And btw I did a factory reset of my machine and installed Enpass completely fresh on it.

Link to comment
Share on other sites

  • 3 weeks later...

Not sure what change was introduced in the latest version, according to the change log, the browser inline autofill was added.

However, the Windows Hello feature is finally working as it should have been on version 6.7.4 (934) on Windows 10. You will need to disable and re-enable Windows Hello authentication in the Enpass app to achieve this.

Hope this will not be reversed in the future updates.

Edited by Plexion
  • Like 3
Link to comment
Share on other sites

I tried again to uninstall Enpass + the browser extension, restart laptop and then download Microsoft-Store-version and also after that .exe-file. Both the latest versions, and both have no support for Windows Hello. I have to manually insert my master password after every restart, after that Windows Hello works, but the website says, it's full Windows Hello support.

What else can I try or how could you help me?

I'm really disappointed because I knew it worked with a previous version...

Link to comment
Share on other sites

  • 3 weeks later...

I can confirm that after upgrading to version 6.7.4 (934), and then disabling followed by reenabling Windows Hello in the EnPass app, that Windows Hello is now working as expected. After either completely exiting out of the app or after a reboot of the PC, EnPass allows me to continue to use Windows Hello without having to reenter the master password. Thank you for fixing this.

  • Like 1
Link to comment
Share on other sites


I have noticed a new behaviour on my desktop PC. Full Windows Hello now works on the same PC on one user account and not on another. That means the missing functionality on the other account can not be hardware related.

Edited by Mathew
Link to comment
Share on other sites

  • 2 months later...

@Anshu kumar@Abhishek Dewan the problem is not completely solved yet.

I was able to get Enpass + TPM working on a few laptops (Intel based), but it refuses to work on AMD fTPM.

It used to work a while back (~6 months ago). I had to reinstall Enpass at some point and was never able to get it working again (I am suspecting a regression here). I just did a fresh install of Windows 11, cleared TPM, ... and it is still not working

Windows 11 22000.527

Enpass 6.7.4 (934)

Get-TPM

TpmPresent                : True
TpmReady                  : True
TpmEnabled                : True
TpmActivated              : True
TpmOwned                  : True
RestartPending            : True
ManufacturerId            : 1095582720
ManufacturerIdTxt         : AMD
ManufacturerVersion       : 3.58.0.5
ManufacturerVersionFull20 : 3.58.0.5

ManagedAuthLevel          : Full
OwnerAuth                 :
OwnerClearDisabled        : False
AutoProvisioning          : Enabled
LockedOut                 : False
LockoutHealTime           : 2 hours
LockoutCount              : 0
LockoutMax                : 32
SelfTest                  : {}

Get-TpmSupportedFeature -FeatureList "Key Attestation"

key attestation

Get-TpmEndorsementKeyInfo -Hash "Sha256"

IsPresent                : True
PublicKey                : System.Security.Cryptography.AsnEncodedData
PublicKeyHash            : 66ea35255c7311f1a7ac3c5b015526d70a3edba8bf9d658bb6a0d00982a536a7
ManufacturerCertificates : {}
AdditionalCertificates   : {[Subject]
                             TPMVersion=id:00030001, TPMModel=AMD, TPMManufacturer=id:414D4400

                           [Issuer]
                             CN=PRG-SSP, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering

                           [Serial Number]
                             075DDC8753AEEC2FFB9560A9485C3765

                           [Not Before]
                             7/22/2021 9:15:13 AM

                           [Not After]
                             7/22/2046 9:15:13 AM

                           [Thumbprint]
                             B1FB33A21E82F3C4CA1BCD3D1CA434C751C10B8F
                           }

 

image.thumb.png.50d7cd9ac7a3e37cd496627a40b68b8b.png

image.png.9149e667944f1eec4d822fb6b32d0459.png

Edited by FuN_KeY
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...