Forum Discussion
klepp0906
4 years ago
Dedicated Contributor
Use the TPM with windows hello greyed out? [1Password 8.6.1 is out with improved TPM support]
So I checked the update notes today (to clear that awful red badge that you guys totally need to make auto clear after a certain amount of time or something) and saw that awesome feature added. Decided to go digging for and enable it. Well, I found it; problem is the option is greyed out. Checked if TPM was present/enabled
What do I have to do to get that setting on? :P
46 Replies
- 1P_PeterG
Community Manager
tmakaro do you still have an email conversation open with us at this point? If not, our Windows team would be happy to look into this further for you. You can find us at support+windows@1Password.com. I hope this is helpful!
(And if you do have an open conversation with us, feel free to drop the conversation ID here - it looks like this: [#AAA-11111-11] . That way we can close the loop a bit quicker.)
- 1P_PeterG
Community Manager
Hey, that's great RealAct! Fantastic news. 🥳
What you've described here in terms of the Windows Hello reset is what we'd expect from our own testing too, so it sounds like everything is now working as expected. Thank you for letting us know, and we hope you enjoy the TPM integration!
- RealAct
Occasional Contributor
Well I ended up buying a hardware TPM 2.0 module, and now it's all working as expected. I did have to reset Windows Hello, reboot the PC and enter my password one more time before I was able to use Windows Hello with 1Password. But that was it, it's been working like a charm since.
- tmakaro
Frequent Contributor
Ok, so after deleting and re-enabling my Windows Hello pin it has now given me the option to check the box:
However, if I tick this box, then I cannot use Windows Hello to unlock 1Password at all. With it ticked, (and after restarting 1password), I don't get the option to unlock 1Password with my pin. It forces me to enter my master password and only AFTER that does it prompt me to enter my Windows Hello pin which doesn't matter because 1Password has already unlocked. I also cannot use Windows Hello to unlock 1Password after relocking (but not restarting) 1Password.
If I disable the tick box, then I can use my pin to unlock 1Password for subsequent unlocks (but not the first one of course).
- ag_mike_d
1Password Team
Thanks for including those details @"S.Malacarne"!
@thesun, we appreciate the feedback and update. We're happy to hear resetting Windows Hello and re-enrolling fixed things up for you.
Please let us know if you have any other questions and have a great day!
- Former Member
Thanks Jack_P_1P! I was able to verify using the link provided by @"S.Malacarne" that my Windows Hello key wasn't stored in the TPM. Resetting Windows Hello and re-enrolling fixed it, the 1PW nightly now gives me the option to use the TPM. Might be useful for users if 1PW can check for this condition. I'm pretty surprised that my Windows Hello key wasn't stored in the TPM as this is a recent laptop that to the best that I can remember shipped with the fTPM enabled.
- RealAct
Occasional Contributor
I fix this with this command in a PS shell:
certutil -DeleteHelloContainer
logoff
after that I reboot and I have to reactivate Windows Hello again (pin + fingerprint)
found this solution here (where you can find the instruction to check if your TPM is used or not):
https://helgeklein.com/blog/checking-windows-hello-for-business-whfb-key-storage-tpm-hardware-or-software/
That's great info @"S.Malacarne". I'm installing a hardware TPM 2.0 chip hopefully this weekend and that's very handy to reset my Windows Hello.
Much appreciated.
- Former Member
The reason is that if you've enabled Windows Hello feature long before you enabled TPM in the BIOS or added a TPM chip to your system, Windows does not migrate the Hello key from the software to hardware side. To fix this, try to re-enroll your Windows Hello data by removing the current setup and re-enrolling it; that should be enough to create the new Windows Hello key in the hardware TPM. Which is when 1Password will enable its TPM settings for you.
Jack
I fix this with this command in a PS shell:
certutil -DeleteHelloContainer
logoff
after that I reboot and I have to reactivate Windows Hello again (pin + fingerprint)
found this solution here (where you can find the instruction to check if your TPM is used or not):
https://helgeklein.com/blog/checking-windows-hello-for-business-whfb-key-storage-tpm-hardware-or-software/
- klepp0906
Dedicated Contributor
That's likely what happened to me then perhaps. The reinstall from 10 to 11 inadvertently "migrated" it over as it effectively re-enrolled. Either way, I'm good now and it's a glorious feature but wider support and making it more robust are always a win.
- Jack_P_1P
1Password Team
Hey @thesun / RealAct / klepp0906 / tmakaro / @orien:
The next beta update (available now in a nightly update [8.7.0-18]) will enable support for more TPM situations!
Note that if you're still seeing the option grayed out after this update, there may be a reason for this. Your current Windows Hello key may still be backed by software, not the TPM, even if you have the TPM enabled.
The reason is that if you've enabled Windows Hello feature long before you enabled TPM in the BIOS or added a TPM chip to your system, Windows does not migrate the Hello key from the software to hardware side. To fix this, try to re-enroll your Windows Hello data by removing the current setup and re-enrolling it; that should be enough to create the new Windows Hello key in the hardware TPM. Which is when 1Password will enable its TPM settings for you.
Jack
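
A way to run the check this thread keeps coming back to (is the current Windows Hello key backed by the TPM or by software?), added here as an example and not part of any post or of 1Password's own tooling. It assumes the verbose key listing of the `Microsoft Passport Key Storage Provider` reports an `NgcKeyImplType` line per key, with flag 1 meaning hardware and flag 2 meaning software; the script only reads state and changes nothing.

```powershell
# Added example: report whether the signed-in user's Windows Hello keys
# are TPM-backed or software-backed. Run it in that user's own session,
# because Hello key containers are per-user.

$provider = 'Microsoft Passport Key Storage Provider'

# Get-Tpm needs an elevated session; report "unknown" instead of aborting.
try {
    $tpm = Get-Tpm -ErrorAction Stop
    'TPM present: {0}  ready: {1}' -f $tpm.TpmPresent, $tpm.TpmReady
} catch {
    'TPM state: unknown (Get-Tpm requires an elevated session)'
}

# Verbose listing of the Hello keys held by the provider.
$out = & certutil.exe -csp $provider -key -v 2>&1 | ForEach-Object { "$_" }

# Assumed line shape: "NgcKeyImplType = 1 (0x1)".
# Treated as flags: 1 = hardware (TPM), 2 = software.
$types = @(foreach ($line in $out) {
    if ($line -match 'NgcKeyImplType\s*=\s*(\d+)') { [int]$Matches[1] }
})

$software = @($types | Where-Object { ($_ -band 2) -ne 0 })
$hardware = @($types | Where-Object { ($_ -band 1) -ne 0 })

if ($types.Count -eq 0) {
    'No Windows Hello keys found for this user (Hello not enrolled?).'
} elseif ($software.Count -gt 0) {
    '{0} of {1} Hello key(s) are software-backed.' -f $software.Count, $types.Count
    'Windows does not migrate these to the TPM: remove Windows Hello and re-enroll.'
} elseif ($hardware.Count -eq $types.Count) {
    'All {0} Hello key(s) are TPM-backed.' -f $types.Count
} else {
    'Unrecognised NgcKeyImplType value(s): {0}' -f ($types -join ', ')
}
```

Running it again after re-enrolling Windows Hello shows whether the new key landed in the TPM.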