Troubleshooting Common Issues

This section provides solutions for common issues encountered during setup and usage of Enterprise Passkey with Third-Party Passkey Provider.

Administrator Setup Issues

Entra ID Configuration Problems

App Registration Issues

• Problem: Cannot create app registration
• Solution: Ensure you have Global Admin access to the Entra ID tenant
• Verification: Check your permissions in Entra ID > Users > Your Profile > Assigned roles

API Permissions Not Working

• Problem: Entra API permissions are not being granted or HYPR apps are unable to communicate with Entra
• Solution:
  1. Ensure you click "Grant admin consent" after adding permissions
  2. Verify you have Global Admin or Application Administrator role
  3. Check that the permissions are correctly added to both Application and Delegated permissions

FIDO2 Authentication Method Not Available

• Problem: FIDO2 Security Key option is not visible in Authentication methods
• Solution:
  1. Ensure you have appropriate Entra ID licensing
  2. Check that the feature is enabled in your tenant
  3. Verify you're looking in the correct location: Authentication methods > Policies > FIDO2 Security Key

HYPR Control Center™ Configuration Issues

Feature Flags Not Saving

• Problem: Feature flags are not persisting after clicking Update
• Solution:
  1. Ensure you have appropriate permissions in HYPR Control Center™
  2. Check that you're clicking "Update" and confirming the changes
  3. Verify you're in the correct tenant context

Integration Creation Fails

• Problem: Cannot create Entra ID integration
• Solution:
  1. Verify all required feature flags are enabled globally
  2. Check that the client ID, client secret, and tenant ID are correct
  3. Ensure the app registration has all required permissions
  4. Verify the client secret has not expired

Magic Link Generation Issues

• Problem: Cannot create Magic Links for users
• Solution:
  1. Ensure the user email exists in Entra ID
  2. Verify the user has appropriate permissions
  3. Check that the workstation settings are configured correctly

User Experience Issues

Mobile App Problems

Passkey Provider Not Enabled

• Problem: HYPR passkey provider is not available in device settings
• Solution:
  • iOS: Settings > General > Passwords > Enable HYPR toggle
  • Android: Settings > Security > Passkeys > Enable HYPR toggle
  • Ensure device biometrics are set up

QR Code Scanning Issues

• Problem: Difficulties or inability to scan QR codes with mobile app
• Solution:
  1. Grant camera permissions to HYPR One™ app
  2. Ensure good lighting conditions
  3. Hold device steady and align QR code properly
  4. Try refreshing the QR code on the workstation

Workstation Issues

FIDO2 Security Key Tile Not Visible

• Problem: FIDO2 Security Key option not showing on Windows login screen
• Solution:
  1. Verify registry key is set: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FIDO\EnableFIDODeviceLogon = 1
  2. Restart the computer after registry changes
  3. Ensure the workstation is Entra-joined or hybrid-joined
  4. Check that HYPR Passwordless for Windows™ is installed correctly

HYPR Passwordless for Windows™ Installation Issues

• Problem: Installation fails or doesn't complete
• Solution:
  1. Run installer as Administrator
  2. Ensure both MSI and hypr.json files are in the same directory
  3. Check that the hypr.json file is from the correct tenant
  4. Verify Windows version compatibility (Windows 10/11)

Pairing Process Fails

• Problem: Cannot pair mobile device with workstation
• Solution:
  1. Ensure both devices are on the same network
  2. Check that appropriate passkey settings are enabled on mobile
  3. Verify mobile device biometrics are set up
  4. Ensure HYPR One™ app is version 10.5.0 or later
  5. Try restarting both devices

Common Pairing Issues

If No Passkey Appears in My Passkeys After Pairing

If users don't see their passkey after pairing, check the following:

1. Confirm Credential Provider: Verify the mobile Credential Provider is enabled in HYPR One™, and that HYPR is enabled as a credential provider in the Passkey settings of your mobile device
2. Check Biometrics: Ensure device biometrics are set up; passkeys require biometrics
3. Verify Account Type: Must login as Entra cloud-only or hybrid account (not local Windows account)
4. Check Network Connectivity: Ensure both devices have stable internet connection
5. Verify Entra Join Status: Run dsregcmd /status to check workstation join status

Common Pairing Issues

• Camera Access: Ensure mobile device camera permission is enabled for QR code scanning
• Bluetooth/Proximity: Check that Bluetooth and proximity features are working
• Network Connectivity: Verify both devices have internet connectivity
• Version Compatibility: Ensure HYPR Passwordless for Windows™ 10.5.0+ and current HYPR One™ mobile app version
• Account Type: Must login as Entra cloud-only or hybrid account (not local Windows account)
• Biometrics Required: Mobile device biometrics must be enabled for passkey functionality
• Credential Provider: Users may be prompted to enable the mobile Credential Provider during first-time setup

Entra ID Join Status Verification

Checking Workstation Status

Use the following command to check the status of a Windows workstation:

dsregcmd /status

This command displays detailed information about the device's Entra ID join status and any potential issues.

Common Join Status Descriptors

• AzureAdJoined: Should show "YES" for Entra-joined workstations
• DomainJoined: Should show "YES" for hybrid-joined workstations
• WorkplaceJoined: Should show "YES" for Entra-joined workstations
• WamDefaultSet: Should show "YES" for properly configured workstations

Known Issues and Limitations

Microsoft Entra ID Limitations

• Multiple Entra Accounts: Microsoft has known issues with signing in with security keys containing multiple Microsoft Entra accounts
• Unsupported Scenarios: Review known issues and FAQs

HYPR Enterprise Passkey Limitations

• One Passkey Per Device: The HYPR One™ mobile app supports only one Entra passkey credential per device
• Active Directory Joined: Not supported by Microsoft for FIDO2 security keys
• Administrative Accounts: Additional steps required to support administrative accounts

Hybrid Joined Workstation Requirements

For hybrid-joined workstations, ensure:

• Domain Controller: Patch level requirements are met
• AES256_HMAC_SHA1: Must be enabled (required)
• Entra AD Kerberos: Configure Active Directory and Entra to support Entra AD Kerberos

Getting Additional Support

HYPR Support Resources

• Email: support@hypr.com
• Support Portal: support.hypr.com
• Documentation: HYPR Documentation Portal

Microsoft Support Resources

• Entra ID Documentation: Microsoft Entra ID Authentication Methods
• FIDO2 Security Keys: Microsoft FIDO2 Security Key Documentation
• Troubleshooting Guide: Microsoft Passwordless Authentication Troubleshooting

Log Collection

When contacting support, be ready to provide the following information:

1. Workstation Details: Windows version, Entra join status (dsregcmd /status output)
2. Mobile Device: iOS/Android version, HYPR One™ app version
3. Error Messages: Screenshots or exact error text
4. Steps Taken: What you've already tried to resolve the issue
5. Environment: Entra-joined vs hybrid-joined workstation

Need Help?

If you encounter issues during setup or need additional assistance, contact HYPR Support at support@hypr.com or visit our support portal at support.hypr.com.

Other Parts of this Guide

• Administrator Configuration
• User Experience