Windows Hello not being used after a restart

Hi folks,

We are continuously improving our Windows Hello with TPM support in each 1Password update as we continue to work with customers that have reported issues with us while also working with Microsoft.

There are two main issues we're aware;

1. Customers that have enrolled with Windows Hello before they enabled TPM (via BIOS/EFI or new hardware), upgrade Windows to 10/11 and/or was configured by IT via group policy

In this case, this is because Windows Hello keys are not in the TPM hardware container that 1Password needs to make it work as the Windows Hello keys were enrolled in the software container instead, this was what tripped us to think TPM was enabled but in reality, the currently enrolled Windows Hello system wasn't using the TPM yet. There isn't a way to migrate these keys from software to hardware automatically, this is a manual process that that has to be done. We're looking to add a support document on this in our settings to clarify this.

The fix for this would be what TheDoctor40 mentioned;

1. Turn off Windows Hello + TPM option first in 1Password, quit and start 1Password as it needs an app restart to disable this. (same for enabling it)
2. Disable all of Windows Hello options in Windows settings and reboot
3. Re-enroll Windows Hello support in Windows settings
4. Enable the 1Password's Windows Hello + TPM support, lock and quit the app. Restart, enter the account password and then authenticate with Windows Hello to start using Hello.

We're still trying to bypass the need to do an app restart + enter account password after enabling the TPM option, we hope to refine this in future updates.

2. Reboots can reset the Windows Hello support in 1Password

This is something that we're working with Microsoft on right now and we're collecting data on this. At the moment, we have some data that shows that on certain computers, restarting instead of shutting down, the TPM state does in fact change. This is why 1Password sometime, or consistently on some setups, resets back to normal account password; if the TPM state has changed, 1Password has to ignore and clear its TPM keys and switch back to the normal unlock process to generate a new TPM key after unlocking.

There is an option in Windows power settings that may be responsible for this and we're currently testing this with affected customers to see its full impact at the moment.

If you want to help us test this as well, please email us at support+windows@1password.com and in the email, please include the following:

1. Your forum username:
2. The link to this thread: https://1password.community/discussion/128316/windows-hello-not-being-used-after-a-restart#latest
3. In the body, mention that you want to help us test a Windows power setting change to see if 1Password and Windows Hello can work across reboots