Hello,
I’m starting an MSP and recently did a trial deployment of Bitwarden in a small business environment using Windows Hello for Business.
I also use Bitwarden personally, so I really want to be able to recommend it and deploy it for my customers. Overall, I like the product, but I ran into an onboarding and support issue that makes me hesitant to standardize on it for managed clients.
In my testing, the settings needed for a smooth Windows Hello unlock experience are user-specific. It is not enough to configure Bitwarden once on a computer and have it work for every employee who signs into that device. Each Windows user profile has its own Bitwarden desktop settings, browser extension settings, and biometric unlock setup.
To get the expected experience, each user has to manually configure several things themselves:
-
Enable unlock with Windows Hello in the Bitwarden desktop app
-
Enable browser integration in the desktop app
-
Enable unlock with biometrics in the browser extension
-
Approve the browser extension connection from the desktop app
-
Understand that the desktop app and browser extension are separate unlock experiences
I have seen some workarounds for deploying default Bitwarden settings, but in my testing those do not solve this problem. They do not automatically enable Windows Hello unlock, browser integration, or the browser extension biometric unlock flow for each user. The end user still has to complete those steps manually.
For a single technical user, this is manageable. For an MSP deploying Bitwarden across multiple businesses, shared computers, replacement computers, and non-technical employees, this creates a lot of support overhead. I would have to walk each employee through the settings, explain what each option does, and make sure they complete the setup correctly under their own Windows profile.
That makes it hard to recommend Bitwarden to customers, even though I personally like using it. I do not want to deploy something that I already know will cause a lot of grief and eat up a lot of time teaching users which settings to enable and how to use it correctly.
Am I missing something?
Is there currently any supported way to centrally deploy or enforce these settings per user using Intune, ADMX, registry settings, configuration profiles, enterprise policy, or another supported method?
The main things I would like to control are:
-
Enable Windows Hello / biometric unlock for each user in the desktop app
-
Enable browser integration for each user
-
Enable biometric unlock for the browser extension
-
Reduce or eliminate the manual approval/setup steps required from each end user
-
Make the experience consistent when a user signs into a new computer or a different shared computer
If this is not currently possible, is the expected behavior that each end user must manually enable these settings every time they use Bitwarden under a new Windows profile or on a new computer?
I also wanted to ask about the desktop app and browser extension unlock behavior. From a user’s perspective, it is confusing that unlocking the desktop app does not also unlock the browser extension. Users expect that if they unlock “Bitwarden,” it should be unlocked everywhere on that computer. Instead, they often have to unlock the desktop app and then separately unlock the browser extension.
Is there a technical or security reason the desktop app vault and browser extension vault cannot share the same unlocked session?
I understand there may be browser security limitations involved, but from an MSP/end-user support perspective, the current behavior adds friction and creates confusion for non-technical users.
I’d appreciate any clarification on whether this can be centrally managed today, whether there are best practices for MSP deployments, or whether this is something that would need to be a feature request.