[GH-ISSUE #6470] feat: Windows Hello feature flag #15233

Closed
opened 2026-04-23 07:05:37 -05:00 by GiteaMirror · 13 comments

Originally created by @kroese on GitHub (Nov 13, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6470

Prerequisites

Vaultwarden Support String

The new Windows Hello implementation in the latest Bitwarden client needs a feature flag set by the server:

> Please note this is a feature flagged roll-out. The release does contain the code, but the updated version will only be able to use the re-written Windows-hello unlock after the feature-flag is enabled server-side.
>
> For self-hosted this also means that the re-written Windows-hello unlock is not supported yet, until a further update removing the feature flag / enabling it by default.

So please implement this flag in Vaultwarden.

Vaultwarden Build Version

N/A

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

N/A

Host/Server Operating System

Linux

Operating System Version

N/A

Clients

Desktop

Client Version

No response

Steps To Reproduce

See above

Expected Result

Biometric authentication on startup

Actual Result

Disabled

Logs


Screenshots or Videos

No response

Additional Context

No response

GiteaMirror added the bug label 2026-04-23 07:05:37 -05:00

@dfunkt commented on GitHub (Nov 14, 2025):

This should be the one: https://github.com/dani-garcia/vaultwarden/pull/6468


@ypxun commented on GitHub (Nov 15, 2025):

It's quite strange: I've upgraded the desktop client to version 2025.11.0, pulled the latest test version of the vaultwarden image, and added the environment variable "pm-25373-windows-biometrics-v2", but I still can't use Windows Hello to unlock the Bitwarden client right after startup—it still requires the master password. Here's my compose and .env file.

```yaml
services:
  vaultwarden:
    image: vaultwarden/server:testing
    container_name: vaultwarden
    restart: always
    environment:
      - ADMIN_TOKEN=${ADMIN_TOKEN}
      - WEBSOCKET_ENABLED=${WEBSOCKET_ENABLED}
      - SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED}
      - INVITATIONS_ALLOWED=${INVITATIONS_ALLOWED}
      - EXPERIMENTAL_CLIENT_FEATURE_FLAGS=${EXPERIMENTAL_CLIENT_FEATURE_FLAGS}
      - TZ=${TZ}
    volumes:
      - /root/data/docker/data/vaultwarden/:/data/
    ports:
      - 43172:80
networks: {}
```

```
...
EXPERIMENTAL_CLIENT_FEATURE_FLAGS=inline-menu-positioning-improvements,inline-menu-totp,ssh-agent,ssh-key-vault-item,pm-25373-windows-biometrics-v2,export-attachments,anon-addy-self-host-alias,simple-login-self-host-alias,mutual-tls
...
```

@stefan0xC commented on GitHub (Nov 15, 2025):

@ypxun I think you might have to clear the cache of your Desktop Client (e.g. logout and login again) so it bothers to check for the new config.


@ypxun commented on GitHub (Nov 15, 2025):

> @ypxun I think you might have to clear the cache of your Desktop Client (e.g. logout and login again) so it bothers to check for the new config.

@stefan0xC Thanks a lot for the suggestion. I tried everything you mentioned—logging out, quitting the app, restarting, even uninstalling and reinstalling Bitwarden. But weird enough, none of that worked. By the way, are you able to unlock Bitwarden with Windows Hello the first time you open it after a system reboot?


@stefan0xC commented on GitHub (Nov 15, 2025):

I don't use Windows at home so I can't test it. Can you check /api/config if it includes the flag you set?
Also according to https://bitwarden.com/help/biometrics/#set-up-biometrics-for-desktop-app the Bitwarden desktop app has to be installed from Bitwarden Downloads and not the Microsoft Store.


@ypxun commented on GitHub (Nov 15, 2025):

> I don't use Windows at home so I can't test it. Can you check /api/config if it includes the flag you set? Also according to https://bitwarden.com/help/biometrics/#set-up-biometrics-for-desktop-app the Bitwarden desktop app has to be installed from Bitwarden Downloads and not the Microsoft Store.

Got it, all worked! Turns out I'd missed the new "Require master password or PIN on app restart" option in settings. All I had to do was uncheck that box (it's enabled by default) and now it's fixed.


@Muska-Ami commented on GitHub (Nov 16, 2025):

Edit: The option appeared after several hours.

I've added the experimental flag to my Vaultwarden, and confirmed it appears in /api/config:

```json
{
  "environment": {
    "api": "http://localhost/api",
    "cloudRegion": null,
    "identity": "http://localhost/identity",
    "notifications": "http://localhost/notifications",
    "sso": "",
    "vault": "http://localhost"
  },
  "featureStates": {
    "duo-redirect": true,
    "email-verification": true,
    "enable-pm-flight-recorder": true,
    "mobile-error-reporting": true,
    "pm-25373-windows-biometrics-v2": true,
    "unauth-ui-refresh": true
  },
  "gitHash": "319d9821",
  "object": "config",
  "push": {
    "pushTechnology": 0,
    "vapidPublicKey": null
  },
  "server": {
    "name": "Vaultwarden",
    "url": "https://github.com/dani-garcia/vaultwarden"
  },
  "settings": {
    "disableUserRegistration": false
  },
  "version": "2025.6.0"
}
```

Then I tried to log out, log in and even reinstall the Bitwarden client, but the "Require master password or PIN on app restart" option does not appear on the client side 🤔.

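An added example (not part of the thread or of Vaultwarden's code) of the check suggested above: compare the flags requested in `EXPERIMENTAL_CLIENT_FEATURE_FLAGS` with what `/api/config` reports under `featureStates`. The sample inputs are constructed from values quoted in this thread, and `fetch_config` is a hypothetical helper for running the same check against a live server.

```python
import json

# Constructed sample inputs: a shortened .env line and a trimmed /api/config body.
# They come from two different commenters' setups, so a mismatch is expected here.
ENV_LINE = ("EXPERIMENTAL_CLIENT_FEATURE_FLAGS=inline-menu-positioning-improvements,"
            "inline-menu-totp,ssh-agent,ssh-key-vault-item,pm-25373-windows-biometrics-v2")
CONFIG_BODY = json.dumps({
    "featureStates": {
        "duo-redirect": True,
        "pm-25373-windows-biometrics-v2": True,
        "unauth-ui-refresh": True,
    },
    "version": "2025.6.0",
})


def requested_flags(env_line):
    """Parse one KEY=value line from a .env file into a list of flag names."""
    _, _, value = env_line.partition("=")
    value = value.strip().strip('"').strip("'")
    return [f.strip() for f in value.split(",") if f.strip()]


def audit_flags(env_line, config_body):
    """Split requested flags into (advertised as true, not advertised)."""
    states = json.loads(config_body).get("featureStates") or {}
    advertised, missing = [], []
    for flag in requested_flags(env_line):
        # Only a literal JSON true counts; absent, false or a string value does not.
        (advertised if states.get(flag) is True else missing).append(flag)
    return advertised, missing


def fetch_config(base_url):
    """Fetch /api/config from a server (hypothetical helper, unused by the sample)."""
    from urllib.request import urlopen
    with urlopen(base_url.rstrip("/") + "/api/config", timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    ok, missing = audit_flags(ENV_LINE, CONFIG_BODY)
    print("advertised by server:", ok)
    print("requested but not advertised:", missing)
```

A flag that shows up as advertised here but has no effect in the client points at the client side (cached config or client settings), as the comments in this thread found.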

@MrVenerabilis commented on GitHub (Nov 17, 2025):

Hello everyone,
I just found out about "feature flags."
I use Vaultwarden Docker on UnRAID.

> It's quite strange: I've upgraded the desktop client to version 2025.11.0, pulled the latest test version of the vaultwarden image, and added the environment variable "pm-25373-windows-biometrics-v2", but I still can't use Windows Hello to unlock the Bitwarden client right after startup—it still requires the master password. Here's my compose and .env file.
>
> ```yaml
> services:
>   vaultwarden:
>     image: vaultwarden/server:testing
>     container_name: vaultwarden
>     restart: always
>     environment:
>       - ADMIN_TOKEN=${ADMIN_TOKEN}
>       - WEBSOCKET_ENABLED=${WEBSOCKET_ENABLED}
>       - SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED}
>       - INVITATIONS_ALLOWED=${INVITATIONS_ALLOWED}
>       - EXPERIMENTAL_CLIENT_FEATURE_FLAGS=${EXPERIMENTAL_CLIENT_FEATURE_FLAGS}
>       - TZ=${TZ}
>     volumes:
>       - /root/data/docker/data/vaultwarden/:/data/
>     ports:
>       - 43172:80
> networks: {}
> ```
>
> ```
> ...
> EXPERIMENTAL_CLIENT_FEATURE_FLAGS=inline-menu-positioning-improvements,inline-menu-totp,ssh-agent,ssh-key-vault-item,pm-25373-windows-biometrics-v2,export-attachments,anon-addy-self-host-alias,simple-login-self-host-alias,mutual-tls
> ...
> ```

I can put every feature flag there except the new Windows Hello one.
When I add the Windows Hello feature flag to the variable, Docker starts but loads infinitely. Also I can't open the console or the logs.

What am I missing?


@Muska-Ami commented on GitHub (Nov 17, 2025):

@MrVenerabilis Maybe you should pull the latest test Docker image by docker pull command and recreate the container.


@MrVenerabilis commented on GitHub (Nov 17, 2025):

@Muska-Ami The ":testing" did it for me. Now I can unlock the App with biometrics on app start. Thank you!


@blackstormlab commented on GitHub (Nov 19, 2025):

sorry to add nothing to the conversation here but any idea when this will be pushed in an update?

this is a serious QOL feature and i prefer not running my main vault on a testing build but i did test it and it worked.


@BlackDex commented on GitHub (Nov 19, 2025):

> sorry to add nothing to the conversation here but any idea when this will pushed in an update?

No, we do not have any roadmap or release schedule.


@BlackDex commented on GitHub (Nov 23, 2025):

Closing this as it's resolved via #6468

You might need to fully clear/uninstall the client before the client does a re-check on the config endpoint.
