Former Member
3 years ago
Use TPM with Windows Hello not working between restarts
I'm trying to use the new functionality in version 8.6 which allows use of the Windows TPM, which then allows using Windows Hello to unlock the desktop app after a system restart, instead of using a password.
It doesn't seem to be working for me at all though. I'm sure it did work once, but since then, I'm prompted for my password on the first launch after a restart. As soon as I enter the password and the app unlocks, the Windows Hello popup appears and verifies me, and then disappears.
I'm fully up to date with the desktop app and with Windows. I read that the TPM data needs to be set after a system update, but this is happening even without any updates being installed before or after a restart. Not sure if this is an issue with the latest beta or if it's something going wrong on my end!
1Password Version: 8.7.0 (80700002)
Extension Version: 2.3.0
OS Version: Windows 11 (22000.588)
- 1P_PeterG
Community Manager
Hi @oxalate - it's certainly good to hear that this has improved, if somewhat mysteriously! We'll keep working away at the support for this feature on our end. Thank you for the update. 👍
- Former Member
And now it's working for me. I've no idea what I did differently this time, but the TPM option is no longer greyed out, and the
certutil -csp "Microsoft Passport Key Storage Provider" -key -v
command now shows output NgcKeyImplType: 1 (0x1), indicating that Windows is using hardware TPM for the Windows Hello keys.
- 1P_PeterG
Community Manager
Hi @oxalate, thank you for letting us know about this. Could you send our Windows support team a brief email at support+windows@1Password.com? There, we can discuss the details of the setup and figure out what factors we might need to look at.
If possible, it would be great to have a diagnostic report from your 1Password for Windows app as well. We'll hope to see you over there!
- Former Member
I'm in the same boat as @bullfrogies above: AMD CPU, fTPM enabled in BIOS, Windows 10, Windows Hello PIN removed and then re-configured, and the TPM option is still greyed out in 1Password 8.6.1's Advanced settings screen.
When I run the PowerShell command, I just get
>>
back; no NgcKeyImplType value is reported at all.
- MikeT
1Password Team
Hi @bullfrogies,
Did you remove all fingerprint and PIN as well? It doesn't migrate the keys unless everything is turned off first.
To confirm the Windows Hello keys are in the TPM hardware provider, can you do the following:
- Click start and search for PowerShell, open it
- Enter the following command:
certutil -csp "Microsoft Passport Key Storage Provider" -key -v | Select-String -Pattern "NgcKeyImplType"
- Does it output 1 or 2?
It should show something like NgcKeyImplType: 1 (0x1) if it is in hardware TPM provider.
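The check described in the post above, wrapped as a PowerShell function that returns each NgcKeyImplType value as an object and warns when none is present (the case reported earlier on this page). This is an added example, not part of the original thread and not 1Password's code; the function name Get-NgcKeyBacking and the sample lines are constructed, and treating any value other than 1 as not hardware-backed is an assumption based on the thread.

```powershell
# Added example: function name and sample input are hypothetical.
function Get-NgcKeyBacking {
    param(
        # Lines of certutil output. If not supplied, certutil is run locally.
        [string[]]$CertutilOutput
    )

    if (-not $PSBoundParameters.ContainsKey('CertutilOutput')) {
        # Same command as in the thread; error records are flattened to strings.
        $CertutilOutput = & certutil.exe -csp 'Microsoft Passport Key Storage Provider' -key -v 2>&1 |
            ForEach-Object { "$_" }
    }

    $found = foreach ($line in $CertutilOutput) {
        if ($line -match 'NgcKeyImplType:\s*(\d+)') {
            $value = [int]$Matches[1]
            [pscustomobject]@{
                NgcKeyImplType = $value
                # Per the thread, 1 means the key is in the hardware TPM provider.
                # Assumption: any other value is treated as not hardware-backed.
                HardwareTpm    = ($value -eq 1)
            }
        }
    }

    if (-not $found) {
        # Matches the "no value reported at all" symptom from the thread.
        Write-Warning 'No NgcKeyImplType value was found in the certutil output.'
    }
    $found
}

# Constructed sample lines in the format quoted in the thread.
$sample = @(
    '  NgcKeyImplType: 1 (0x1)',
    '  NgcKeyImplType: 2 (0x2)'
)
Get-NgcKeyBacking -CertutilOutput $sample | Format-Table -AutoSize

# On a real machine, call it with no arguments:
# Get-NgcKeyBacking
```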
- Former Member
I am running an AMD chip as I have previously stated and have TPM enabled. I have updated to the nightly build and that option is still greyed out in the settings. I resetup the Windows Hello setup as well and that didn't change anything. TPM was enabled for months before I got my fingerprint reader to use with Windows Hello as well. What can I do to troubleshoot this?
- MikeT
1Password Team
We're really happy to hear that! Thanks for letting us know.
- Former Member
MikeT Thanks for the update, I've just tried the nightly release on my end and that seems to have sorted it! Tried a few restarts just to be sure, and it's working as expected 🥳
- MikeT
1Password Team
Hi folks,
The next beta update (available now in a nightly update (8.7.0-18)) will now enable support for AMD CPUs as well as virtual TPM.
Note that if you're still seeing the option being greyed out after this update, there may be a reason for this. Your current Windows Hello key may still be backed by software, not TPM, even if you have TPM enabled.
The reason is that if you've enabled the Windows Hello feature long before you enabled TPM in the BIOS or added a TPM chip to your system, Windows does not migrate the Hello key from the software to hardware side. To fix this, try to re-enroll your Windows Hello data by removing the current setup and re-enrolling it; that should be enough to create the new Windows Hello key in the hardware TPM, which is when 1Password will enable its TPM settings for you.
- ag_mike_d
1Password Team
Thank you, @BallistiX09!
ref: EFF-79986-818