benitocereno Posted November 9, 2016 Hello, Any plans to support desktops with TPM 2.0 for full-time Windows Hello? Unlocking after the initial master password works fine, but I thought with TPM I would get full-time support. Thanks for your help! -Benitocereno
Vinod Kumar Posted November 10, 2016 Hi @benitocereno, We use full-time Hello only when encryption keys are generated on a hardware TPM. We use the standard Hello API provided by Microsoft. The API provides us something called attestation information to acquire cryptographic proof that the key is generated on the TPM. Please go to security settings in Enpass, then turn it off and on again. If a warning is shown it means that the generated keys are not TPM bound. Hence, we can't use these keys for security reasons and the Windows full-time Hello unlocking feature won't be available on this device.
benitocereno Posted November 10, 2016 Author Thank you Vinod! In my case, it did not work when I toggled it. However, I had previously been using a PIN with Windows before I activated the TPM. This made me think that maybe my current PIN/Passport were not the hardware-generated key from the TPM, since I had not set a new PIN since I activated the TPM in my BIOS. So, I removed my existing Windows PIN/Hello, created a new PIN, then toggled the setting in Enpass. Worked like a champ! Appreciate your quick response and help. Now it's working perfectly.
Andre Posted November 16, 2016 Thanks Vinod, but what do you mean by turning the security settings in Enpass on and off? There is no on/off setting in my version.
Anshu kumar Posted November 17, 2016 Hi @Andre, I would like to let you know that the Hello support is only available for the app which is downloaded from the Windows Store. So please download Enpass from the Windows Store and try again. Cheers!
Andre Posted November 19, 2016 Anshu, Thanks for your mail but .... I first downloaded a trial of the program from the Windows Store (version 5.2); that did not work. Then, looking around on the Enpass site, I saw they had a 5.3 version, so I tried it, thinking maybe the problem would have been fixed ..... seems it is not !!!!!
Anshu kumar Posted November 21, 2016 Hi @Andre, Sorry for the confusion! Please download Enpass from the Windows Store and refer to the attached screenshots to enable Windows Hello.
Paradoxon101 Posted December 7, 2016 Hello, your app is really great! Unfortunately, your TPM 2.0 does not work! I have now bought a TPM 2.0 module, and it also works under Windows 10, unfortunately not in the app. What can I do to make the app work with Windows Hello?
Paradoxon101 Posted December 7, 2016 I have validated it with this script: https://gallery.technet.microsoft.com/scriptcenter/Script-to-list-TPM-chip-7e651c27
Anshu kumar Posted December 8, 2016 Hi @Paradoxon101, Thanks for writing in. Please refer to this answer: On 10/11/2016 at 4:57 PM, Vinod Kumar said: We use full-time Hello only when encryption keys are generated on a hardware TPM. We use the standard Hello API provided by Microsoft. The API provides us something called attestation information to acquire cryptographic proof that the key is generated on the TPM. Please go to security settings in Enpass, then turn it off and on again. If a warning is shown it means that the generated keys are not TPM bound. Hence, we can't use these keys for security reasons and the Windows full-time Hello unlocking feature won't be available on this device. Hope this helps! Cheers!
Paradoxon101 Posted December 12, 2016 Excuse me, but your TPM test "only when encryption keys are generated on Hardware TPM" is useless! This test can be bypassed very easily! I simply use a Windows Hello USB fingerprint reader to set up Enpass. Now I can use my simple Windows Hello PIN to unlock Enpass without TPM! Now you can remove your chicane ...
Vinod Kumar Posted December 13, 2016 @Paradoxon101 Really? You mean to say you are able to use full-time Hello with Enpass (that doesn't ask you for the master password when you start the Enpass app afresh) with a USB fingerprint reader? Also let me know which USB fingerprint reader you are using.
Airstar Posted February 19, 2017 Lenovo Thinkpad T530 with built-in factory fingerprint reader. TPM module v1.2 is seen in Device Manager. TPM is activated in the BIOS. Windows Hello works perfectly in Win10 login etc. But ENPASS, when trying the On -> Off -> On, always says "due to hardware restrictions.. etc" and only logs in with Hello after entering the master password once manually. What's wrong? I tried also to set up Hello again but still the same warning in ENPASS. ENPASS would be perfect if you could instruct how to get the fingerprint to work? Is there a test app / site or something that could give more information on what's missing or set up wrong? I'm also willing to help and test if you need someone with a Thinkpad. These Thinkpads are really common; does anyone use a T420, T430, T520 or T530 with ENPASS, and does it work for you?
Airstar Posted February 19, 2017 Found this http://windowsitpro.com/security/checking-status-trusted-platform-module-command-line and tried it; the results are:

C:\WINDOWS\system32>wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue
IsEnabled_InitialValue
TRUE

C:\WINDOWS\system32>wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsActivated_InitialValue
IsActivated_InitialValue
TRUE

TPM 1.2 is older than 2.0, but 2.0 is required for NEW hardware from July 2016 onwards, so surely TPM 1.2 should also work with older laptops?
Vinod Kumar Posted February 21, 2017 Hi @Airstar, Yes, you're right that TPM 2.0 is required for new hardware, but API support for TPM 1.2 has its own limitations, and the one which is restricting the full-time Hello support in Enpass is the lack of TPM key attestation info when asked for using the Microsoft-provided APIs. TPM key attestation is a protocol that cryptographically proves that a key is TPM-bound. This type of attestation can be used to guarantee that a certain cryptographic operation occurred in the TPM of a particular computer. We use the KeyCredentialManager.RequestCreateAsync() API to get authenticated encryption keys to protect the master password. Now, we need to check where those keys are stored. It can be on a hardware TPM or a simulated software TPM. To get this attestation information, we use GetAttestationAsync(), which is generated by the TPM chip. Unfortunately, the above API's attestation information is only available on TPM 2.0 or higher. So, in the case of TPM 1.2 (the one in your laptop) or a simulated software one, there will be no attestation information. We have no means to distinguish between a TPM 1.2 and a software TPM. So the limitation of the API is the only reason that we support full-time Hello unlocking only on devices where keys are guaranteed to be bound to a hardware TPM. You can read about the related information in sections 3.1 and 3.4 on https://docs.microsoft.com/en-us/windows/uwp/security/microsoft-passport#311-attestation Hope it helps!
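The gating logic Vinod describes, written out as an added example in C# for a UWP app. This is not Enpass's code; it only uses the Windows.Security.Credentials API the post names (KeyCredentialManager.RequestCreateAsync and KeyCredential.GetAttestationAsync). The credential name, the HelloUnlockMode states and the idea of storing a random challenge to sign at unlock time are assumptions made for the example; how an app turns the resulting key material into protection for its master password is app-specific and is not shown.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Credentials;
using Windows.Security.Cryptography;
using Windows.Storage.Streams;

// Added example (not Enpass code). The unlock mode an app may offer is
// decided from the TPM attestation result alone, as the thread describes.
public enum HelloUnlockMode
{
    Disabled,             // Hello unavailable, or key creation failed/declined
    AfterMasterPassword,  // key exists but is NOT proven hardware-TPM-bound
    FullTime              // key attested as generated on a hardware TPM 2.0+
}

public static class HelloKeyGate
{
    // Placeholder credential name (assumption); a real app uses its own stable id.
    private const string CredentialName = "example.app.unlock-key";

    // One-time provisioning: create the Hello-protected key and classify it.
    public static async Task<HelloUnlockMode> ProvisionAsync()
    {
        if (!await KeyCredentialManager.IsSupportedAsync())
            return HelloUnlockMode.Disabled;

        // Creates (or replaces) a key pair in the current user's Hello container.
        KeyCredentialRetrievalResult created =
            await KeyCredentialManager.RequestCreateAsync(
                CredentialName, KeyCredentialCreationOption.ReplaceExisting);

        if (created.Status != KeyCredentialStatus.Success)
            return HelloUnlockMode.Disabled;

        // Ask for TPM key attestation. Per the thread, this is only produced
        // for keys generated on a TPM 2.0 or later; TPM 1.2 and software-backed
        // keys come back without attestation and are treated identically.
        KeyCredentialAttestationResult att =
            await created.Credential.GetAttestationAsync();

        switch (att.Status)
        {
            case KeyCredentialAttestationStatus.Success:
                // AttestationBuffer and CertificateChainBuffer carry the proof;
                // a relying party can verify them against the TPM vendor chain.
                bool hasProof = att.AttestationBuffer != null
                             && att.AttestationBuffer.Length > 0;
                return hasProof ? HelloUnlockMode.FullTime
                                : HelloUnlockMode.AfterMasterPassword;

            case KeyCredentialAttestationStatus.TemporaryFailure:
                // The TPM may still be provisioning; do not grant full-time
                // unlock on the strength of a result that might improve later.
                return HelloUnlockMode.AfterMasterPassword;

            case KeyCredentialAttestationStatus.NotSupported:
            default:
                return HelloUnlockMode.AfterMasterPassword;
        }
    }

    // Unlock-time step: prove the user passed their Hello gesture by having the
    // Hello key sign a challenge the app stored at provisioning (assumed design).
    public static async Task<IBuffer> SignUnlockChallengeAsync(IBuffer storedChallenge)
    {
        KeyCredentialRetrievalResult opened =
            await KeyCredentialManager.OpenAsync(CredentialName);
        if (opened.Status != KeyCredentialStatus.Success)
            return null;

        // Prompts for the PIN or biometric gesture; the private key never leaves
        // the Hello container (and never leaves the TPM when hardware-bound).
        KeyCredentialOperationResult signed =
            await opened.Credential.RequestSignAsync(storedChallenge);
        return signed.Status == KeyCredentialStatus.Success ? signed.Result : null;
    }

    // Helper to generate a fresh 32-byte challenge at provisioning time.
    public static IBuffer NewChallenge() => CryptographicBuffer.GenerateRandom(32);
}
```

The point of the design is that the decision rests on att.Status, not on which gesture (PIN or fingerprint) the user configured: the gesture only unlocks the Hello container, while attestation is the only signal the API gives about whether the key inside it was generated on a hardware TPM. NotSupported and TemporaryFailure both fall through to the master-password mode, which is the conservative choice the post argues for on TPM 1.2 and software TPMs.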