Use the TPM with Windows Hello greyed out? [1Password 8.6.1 is out with improved TPM support]

klepp0906
Community Member
edited March 2022 in Windows

So I checked the update notes today (to clear that awful red badge that you guys totally need to make auto clear after a certain amount of time or something) and saw that awesome feature added. Decided to go digging for and enable it. Well, I found it; problem is the option is greyed out. Checked if TPM was present/enabled

What do I have to do to get that setting on? :P




Comments

  • orien
    Community Member

    I'm experiencing the same issue on 1P 8.6 with TPM enabled on W11.

  • Hi folks! Thank you for letting us know about these issues, I'll be happy to look into it for you. 👋

    Could you send us a short email at support+windows@1Password.com, with a link to this discussion so that we know it's you? We are following up with individual folks who encounter issues with the TPM integration, so that we can understand what specific setups the issues occur on and how we can best help. This does involve discussing specifics of your system, which means for the sake of security and privacy that we'll need to do it by email, rather than in a public forum. Thank you!

    @klepp0906 what red badge are you referring to? That sounds like something that might need attention. 👀

  • klepp0906
    Community Member
    edited March 2022

    @PeterG_1P email incoming. I'm referring to the notification badge for "what's new"

    It's nice to have a link to the patch notes, that's appreciated. However, with the rate of releases being what it is and the only means of clearing it (that I'm aware of) being actually clicking it, the prospect becomes tiring.

  • tmakaro
    Community Member

    I have this same issue. I will email support+windows@1Password.com now.

  • klepp0906
    Community Member

    Support told me my PC didn’t support it. Oddly enough I was reformatting due to a permissions issue affecting Adobe and wouldn’t ya know, it now works. I upgraded from 10 to 11 though. Didn’t want to but since I was formatting anyways. Sigh.

    Anyhow either support was wrong or Windows 10 doesn’t support it but 11 does. It’s good now though.

  • RealAct
    Community Member

    I also have this issue. The "Use the trusted platform module with Windows Hello" option is grayed out under settings. I guess I'll be e-mailing support as well.

  • tmakaro
    Community Member

    Support told me that it may have something to do with the fTPM on AMD boards and that they are working with Microsoft to resolve it.

    @klepp0906 @RealAct Are either of you on AMD systems?

  • klepp0906
    Community Member

    That’s a negative. Intel. Asus board.

  • RealAct
    Community Member
    edited March 2022

    > Support told me that it may have something to do with the fTPM on AMD boards and that they are working with Microsoft to resolve it.
    >
    > @klepp0906 @RealAct Are either of you on AMD systems?

    Hi,

    No, I have an Intel Core i7-8700K Processor and an MSI MPG Z390M Gaming Edge AC LGA1151 Motherboard.

  • thesun
    Community Member

    Also having this issue on an AMD laptop with firmware TPM on a Ryzen 5900HS. My AMD desktop with discrete TPM works fine, Ryzen 5950X and X570 chipset.

  • Hey @thesun / @RealAct / @klepp0906 / @tmakaro / @orien:

    The next beta update (available now in a nightly update [8.7.0-18]) will enable support for more TPM situations!

    Note that if you're still seeing the option grayed out after this update, there may be a reason for this. Your current Windows Hello key may still be backed by software, not the TPM, even if you have the TPM enabled.

    The reason is that if you've enabled the Windows Hello feature long before you enabled TPM in the BIOS or added a TPM chip to your system, Windows does not migrate the Hello key from the software to hardware side. To fix this, try to re-enroll your Windows Hello data by removing the current setup and re-enrolling it; that should be enough to create the new Windows Hello key in the hardware TPM, which is when 1Password will enable its TPM settings for you.

    Jack

  • klepp0906
    Community Member

    That's likely what happened to me then perhaps. The reinstall from 10 to 11 inadvertently "migrated" it over as it effectively re-enrolled. Either way, I'm good now and it's a glorious feature, but wider support and making it more robust are always a win.

  • S.Malacarne
    Community Member

    > The reason is that if you've enabled the Windows Hello feature long before you enabled TPM in the BIOS or added a TPM chip to your system, Windows does not migrate the Hello key from the software to hardware side. To fix this, try to re-enroll your Windows Hello data by removing the current setup and re-enrolling it; that should be enough to create the new Windows Hello key in the hardware TPM, which is when 1Password will enable its TPM settings for you.
    >
    > Jack

    I fix this with this command in a PS shell:

    certutil -DeleteHelloContainer
    logoff
    

    After that I reboot and I have to reactivate Windows Hello again (PIN + fingerprint).

    Found this solution here (where you can find the instruction to check if your TPM is used or not):
    https://helgeklein.com/blog/checking-windows-hello-for-business-whfb-key-storage-tpm-hardware-or-software/
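
The check and the fix discussed in the two posts above, as an added example that is not part of any post in this thread and is not 1Password or Microsoft code. The function names are hypothetical, and the script assumes that certutil's verbose key listing for the Microsoft Passport Key Storage Provider prints `NCRYPT_IMPL_HARDWARE_FLAG` for a TPM-backed Hello key and `NCRYPT_IMPL_SOFTWARE_FLAG` for a software-backed one.

```powershell
# Added example; helper names are hypothetical.
# Assumption: the verbose certutil listing reports the key backing as
# NCRYPT_IMPL_HARDWARE_FLAG (TPM) or NCRYPT_IMPL_SOFTWARE_FLAG (software).

function Get-HelloKeyStorage {
    param([string[]]$CertutilOutput)
    $text = $CertutilOutput -join "`n"
    $hw = $text -match 'NCRYPT_IMPL_HARDWARE_FLAG'
    $sw = $text -match 'NCRYPT_IMPL_SOFTWARE_FLAG'
    if ($hw -and $sw) { return 'Mixed' }      # several keys with different backing
    if ($hw)          { return 'TPM' }
    if ($sw)          { return 'Software' }
    return 'NoHelloKey'                       # no Hello key listed for this user
}

function Get-HelloTpmAdvice {
    param([string]$Storage, [bool]$TpmReady)
    switch ($Storage) {
        'TPM'      { 'Hello key is TPM-backed; no re-enrollment needed.' }
        'Software' {
            if ($TpmReady) { 'TPM is ready but the Hello key is software-backed: remove Windows Hello and re-enroll.' }
            else           { 'Hello key is software-backed and no ready TPM was confirmed: check the TPM, then re-enroll.' }
        }
        'Mixed'    { 'Both hardware- and software-backed keys are listed: review the certutil output per key.' }
        default    { 'No Windows Hello key found for this user: enroll Windows Hello.' }
    }
}

# Constructed sample lines (not captured from a real machine): a software-backed key.
$sample = 'NgcKeyImplType = 2 (0x2)', '    NCRYPT_IMPL_SOFTWARE_FLAG -- 2'
Get-HelloTpmAdvice -Storage (Get-HelloKeyStorage $sample) -TpmReady $true

# Live check: run in the session of the user whose Hello enrollment is in question.
if ($env:OS -eq 'Windows_NT') {
    $raw = certutil -csp 'Microsoft Passport Key Storage Provider' -key -v
    $tpmReady = $false
    try {
        $tpm = Get-Tpm -ErrorAction Stop      # requires an elevated session
        $tpmReady = $tpm.TpmPresent -and $tpm.TpmReady
    } catch {
        Write-Warning 'Get-Tpm failed (not elevated?); TPM state not confirmed.'
    }
    Get-HelloTpmAdvice -Storage (Get-HelloKeyStorage $raw) -TpmReady $tpmReady
}
```

The script only reads state; the reset itself remains the `certutil -DeleteHelloContainer` step from the post above, followed by re-enrolling Windows Hello.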

  • RealAct
    Community Member

    > I fix this with this command in a PS shell:
    >
    > certutil -DeleteHelloContainer
    > logoff
    >
    > After that I reboot and I have to reactivate Windows Hello again (PIN + fingerprint).
    >
    > Found this solution here (where you can find the instruction to check if your TPM is used or not):
    > https://helgeklein.com/blog/checking-windows-hello-for-business-whfb-key-storage-tpm-hardware-or-software/

    That's great info, @S.Malacarne. I'm installing a hardware TPM 2.0 chip hopefully this weekend and that's very handy to reset my Windows Hello.

    Much appreciated.

  • thesun
    Community Member

    Thanks @Jack.P_1P! I was able to verify using the link provided by @S.Malacarne that my Windows Hello key wasn't stored in the TPM. Resetting Windows Hello and re-enrolling fixed it, the 1PW nightly now gives me the option to use the TPM. Might be useful for users if 1PW can check for this condition. I'm pretty surprised that my Windows Hello key wasn't stored in the TPM as this is a recent laptop that to the best that I can remember shipped with the fTPM enabled.

  • Thanks for including those details @S.Malacarne!

    @thesun, we appreciate the feedback and update. We're happy to hear resetting Windows Hello and re-enrolling fixed things up for you.

    Please let us know if you have any other questions and have a great day!

  • tmakaro
    Community Member
    edited March 2022

    Ok, so after deleting and re-enabling my Windows Hello pin it has now given me the option to check the box:

    However, if I tick this box, then I cannot use Windows Hello to unlock 1Password at all. With it ticked (and after restarting 1Password), I don't get the option to unlock 1Password with my pin. It forces me to enter my master password and only AFTER that does it prompt me to enter my Windows Hello pin, which doesn't matter because 1Password has already unlocked. I also cannot use Windows Hello to unlock 1Password after relocking (but not restarting) 1Password.

    If I disable the tick box, then I can use my pin to unlock 1Password for subsequent unlocks (but not the first one of course).

  • RealAct
    Community Member

    Well I ended up buying a hardware TPM 2.0 module, and now it's all working as expected. I did have to reset Windows Hello, reboot the PC and enter my password one more time before I was able to use Windows Hello with 1Password. But that was it, it's been working like a charm since.

  • Hey, that's great @RealAct! Fantastic news. 🥳

    What you've described here in terms of the Windows Hello reset is what we'd expect from our own testing too, so it sounds like everything is now working as expected. Thank you for letting us know, and we hope you enjoy the TPM integration!

  • @tmakaro do you still have an email conversation open with us at this point? If not, our Windows team would be happy to look into this further for you. You can find us at support+windows@1Password.com. I hope this is helpful!

    (And if you do have an open conversation with us, feel free to drop the conversation ID here - it looks like this: [#AAA-11111-11] . That way we can close the loop a bit quicker.)

  • tmakaro
    Community Member

    @PeterG_1P The 8.6.1 seems to have fixed the issue. It appears to be working as expected.

  • MikeT

    @tmakaro, that's great to hear, thanks for letting us know!

  • tmakaro
    Community Member

    Looks like it has stopped working properly. It was working for a few weeks, but now when I launch 1Password for the first time it gives me the "You need to enter your account password before you can use Windows Hello" prompt and once I enter my password it then unlocks AND prompts me for my pin despite being unlocked already.

    I tried disabling and re-enabling "Use the TPM with Windows Hello", but that didn't work. I'm still on 8.6.1 and I haven't made any changes to Windows Hello.

  • tmakaro
    Community Member

    And it started working properly again.

  • RealAct
    Community Member

    It seems to be a hit-and-miss, sometimes works, sometimes it doesn't. I have a supported hardware TPM 2.0 chip as I stated above. Not sure exactly what might be wrong, but sometimes after reboot or a shut-down of the system and restart, it forces me to enter the password again.

  • AliH1P

    Hey @RealAct and @tmakaro, thanks for the updates. We're aware of some cases where users are being prompted to enter their account password again as you've described. Some conditions that may be causing this include Windows updates, BIOS updates, using fast startup, and changing some Windows settings which may result in the TPM state being invalidated on the next restart.

    Our developers are continuing to investigate and we'll be sure to share any updates.

    Ali

  • RealAct
    Community Member

    @ali.hazime yeah, it must be that, I'm on the Windows 11 Insider Preview channel, so I do get lots of updates almost weekly. Perhaps for normal Windows 10 and 11 users with regular Windows installs on supported hardware the situation is better, which is good.

  • AliH1P

    Hi @RealAct, that could definitely explain things. Thanks again for sharing your experience and we'll be sure to share any future updates on this.

    Ali

  • tmakaro
    Community Member

    My big problem is that when this feature stops working, and I have to use my password, it doesn't fix itself thereafter. It will NOT let me use my Windows Hello pin at all anymore (like when 1Password auto-locks). Sometimes, turning this feature off/on again fixes it, but not always. I have been fighting with it for the past 20 minutes to get it to work properly again. I might just turn it off permanently until you fix this.

  • Hi @tmakaro! I'm sorry for the delay in response and to hear of the continued issues with Enhanced Windows Hello.

    If you temporarily disable the TPM option, you should have the returned functionality as before where 1Password will only require your account password after completely closing the 1Password app or you reboot your device. You should be receiving the Windows Hello prompt on those subsequent unlocks. Please let us know if you are not seeing this expected behaviour.

    As Ali mentioned, we're continuing to investigate and make improvements, but we unfortunately do not have any additional news to share at this time. We'll be updating as we do. Thanks for your patience!

This discussion has been closed.