Compatibility Issue – Netwrix PPE Client blocking biometric authentication IDX Access

What is a one sentence summary of your feature request?

Compatibility Issue – Netwrix PPE Client and IDX Access Biometric Authentication

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

I would like to report a technical issue identified during the deployment of Netwrix Password Policy Enforcer (PPE) Client in our environment, which is impacting biometric authentication on end-user devices.
Environment:

Operating System: Windows 11
Components installed:

Netwrix PPE Client 11.0.6.8
IDX Access (biometric fingerprint authentication – Credential Provider)
IDX Version: MBAS ver 1.8.4.3.7

Network Information:

Known port in use: 8443
Additional ports: Currently unknown

Scope:
Call Center workstations and selected branch office devices
Issue Description:
After installing the Netwrix PPE Client, biometric authentication (fingerprint) stops working on affected machines:

The IDX Credential Provider is no longer invoked during logon
No authentication events are registered by the biometric component
Users are only prompted for password authentication

This behavior is consistent across multiple devices. Additionally:

How do you currently solve the challenges you have by not having this feature?

On systems without Netwrix installed, biometric authentication works as expected
After uninstalling Netwrix PPE Client, fingerprint authentication is restored

Request:
Based on the above, we kindly request your support to confirm whether this is a known compatibility issue and to provide a fix or guidance. Additionally, we request an updated version of the Netwrix PPE agent that ensures compatibility with third-party Credential Providers such as IDX Access.
We appreciate your support and look forward to your guidance.

Hi @Oscar. Thanks for your feedback. Unfortunately credential providers don’t work together the way you want them to by default. They can often be made to work together, but one of them needs to know about the other one in order to “wrap and filter” it. Wrapping and filtering is a technique used to work with and also hide the other credential provider so that Windows (and the user) thinks it’s one credential provider, but it has the features from both.

PPE automatically wraps and filters some credential providers, but this is not one of them. Blindly wrapping and filtering all credential providers is risky, so the PPE client only wraps the ones we know are compatible. Some credential providers have the wrapping feature disabled by default, which may be the case for the IDX client. I searched for information on the authID web site, but didn’t find instructions for this. Can you please open a ticket with authID to see if their client can be configured to wrap and filter a third-party credential provider? If they need more information from us, then we will be happy to work with them.

If it can’t, then please open a support ticket with Netwrix https://customer.netwrix.com/sign_in.html?rf=tickets.html

We will try to add compatibility for you, but we will need more information from you. If the IDX client is doing something unusual behind the scenes, then we may also need to get some information from authID.
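
As an added example (not part of the original thread, and not Netwrix or authID code), the PowerShell below lists every credential provider and credential provider filter registered on a workstation, with the DLL and signer behind each, which is the kind of detail a support ticket about wrapping and filtering would need. It assumes only the standard Windows registration keys; the function name is hypothetical and no vendor-specific CLSIDs or names are assumed.

```powershell
# Added diagnostic example: enumerate registered credential providers and filters.
# Reads the standard Windows registration keys only; it changes nothing.
$AuthRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'

function Get-CredentialProviderEntry {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$SubKey,  # 'Credential Providers' or 'Credential Provider Filters'
        [Parameter(Mandatory)][string]$Kind     # label used in the output
    )
    $path = Join-Path $AuthRoot $SubKey
    if (-not (Test-Path -LiteralPath $path)) { return }

    foreach ($key in Get-ChildItem -LiteralPath $path) {
        $clsid = $key.PSChildName

        # Resolve the COM server DLL that implements this CLSID.
        $inproc = Get-Item -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll = if ($inproc) { $inproc.GetValue('') } else { $null }

        # Record who signed the DLL, if it exists on disk and is signed.
        $signer = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $dll
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Kind     = $Kind
            Name     = $key.GetValue('')                  # friendly name (default value)
            Clsid    = $clsid
            Disabled = ($key.GetValue('Disabled') -eq 1)  # DWORD 1 = provider disabled
            Dll      = $dll
            Signer   = $signer
        }
    }
}

$entries = @(
    Get-CredentialProviderEntry -SubKey 'Credential Providers'        -Kind 'Provider'
    Get-CredentialProviderEntry -SubKey 'Credential Provider Filters' -Kind 'Filter'
)
$entries | Sort-Object Kind, Name | Format-List
```

Running it on an affected workstation and on one without the PPE Client, then comparing the two outputs, shows which provider and filter registrations the installation added.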