Twingate Client for Windows requiring authentication after every reboot

It looks like this was asked and never answered here: Windows: Authentication after every reboot

I’ve installed the Twingate client on several Windows 10 and Windows 11 devices. The most recent one, however, requests authentication every time the system is rebooted.

That’s not the case on any other device - the others only require it the default of every 4 days.

How do I fix the issue on this one device?

Hi @Mike,

Is this behavior you are observing across multiple users on a specific version of Windows, or only for specific users?

This difference in behavior is usually due to Twingate Resource assignment and the policies that protect those resources.

A typical implementation scheme for Windows is that some Twingate Resources are actually accessed by the OS (without the User necessarily knowing). This is often the case for Domain Controllers and some Active Directory traffic.

We recommend implementing Windows Start Before Logon for those Resources by placing them behind what we call a “Device Only” Policy: that is, a policy that does not require user authentication but does require device verification.

One user.

She’s been using Twingate ‘normally’ like the rest of us for a few months. We recently purchased her a new computer, configured it just like the old one as far as I can tell, but the new unit is requiring Twingate authentication every time it is restarted.

I’ve made no changes to access policies for her resources.

I will look into the SBL, but is there a way to let the OS access AD resources through a “Device Only Policy” but still require users to authenticate to access user-specific resources? On a shared remote device, the OS will always need access to the remote DCs, but different users will have different resource access permissions.

Hi @Mike!

Yes, actually that is precisely the best practice: Only put DCs behind a “Device Only” policy and put the rest of your resources behind policies that require authentication, MFA, etc.

The idea is to only put Resources that are needed by the devices themselves (and not by users directly) behind Device Only policies.