Use TPM with Windows Hello not working between restarts

I'm trying to use the new functionality in version 8.6 which allows use of the Windows TPM, which then allows using Windows Hello to unlock the desktop app after a system restart, instead of using a password.

It doesn't seem to be working for me at all though. I'm sure it did work once, but since then, I'm prompted for my password on the first launch after a restart. As soon as I enter the password and the app unlocks, the Windows Hello popup appears and verifies me, and then disappears.

I'm fully up to date with the desktop app and with Windows. I read that the TPM data needs to be set after a system update, but this is happening even without any updates being installed before or after a restart. Not sure if this is an issue with the latest beta or if it's something going wrong on my end!


1Password Version: 8.7.0 (80700002)
Extension Version: 2.3.0
OS Version: Windows 11 (22000.588)

Comments

  • ENabLiTe
    Community Member

    I basically have the same issue. 1Password keeps asking me for the password. After unlocking, a Windows Hello popup showed up and did nothing. I have tried the beta and nightly versions, but none of them worked.

  • gussic
    Community Member

    Confirming I also have the same issue on multiple computers. The reference I was given by support is ALL-72966-442 - suggest you give them this so they can link the issues and hopefully get to the bottom of this.

  • BallistiX09
    Community Member

    @gussic Thanks, I'll try that out, hopefully they'll be able to get it sorted soonish!

  • Hi @BallistiX09:

    Thanks for writing in! As @gussic mentioned (thanks for the assist! 😎), this is something we're aware of, and investigating. In short, we're aware of some incompatibilities with certain TPM setups, such as AMD Ryzen's fTPM and VMware's vTPM. If you'd like to share some specifics of your setup so we can work to investigate and add your information to our compatibility information, send us a brief email at support+windows@1password.com including a link to this thread and your username, as well as the name of your CPU and any TPM details you know about your system offhand. We'll likely ask you to run some diagnostic commands to figure out what exactly could be the cause of your specific setup not behaving as expected.

    Just as an additional note, your support ID (for example: [#ABC-12345-678]) is specific to you, and a different person referencing it in an email can result in issues on our end.

    Jack

  • BallistiX09
    Community Member

    @Jack.P_1P Ahhhh right, yeah it's an AMD processor I've got so that would probably make sense! No worries, I'll send over an email with the details. Thanks!

  • gussic
    Community Member

    Mine is an Intel processor, so not sure why I'm having issues.

  • bullfrogies
    Community Member

    I have an AMD 5900X and have fTPM enabled. I am running Windows 11. In Windows it states I have TPM 2.0 enabled. I can’t turn on the option for TPM, it is just greyed out. I would really like to use this feature.

  • gussic
    Community Member
    edited March 2022

    @bullfrogies

    I have an AMD 5900X and have fTPM enabled. I am running Windows 11. In Windows it states I have TPM 2.0 enabled. I can’t turn on the option for TPM, it is just greyed out. I would really like to use this feature.

    Time to upgrade to an Intel processor, or better yet, get a Mac - native TouchID support, that basically never fails ;-)

  • Thank you, @BallistiX09!

    ref: EFF-79986-818

  • Hi folks,

    The next beta update (available now in a nightly update (8.7.0-18)) will now enable support for AMD CPUs as well as virtual TPM.

    Note that if you're still seeing the option being greyed out after this update, there may be a reason for this. Your current Windows Hello key may still be backed by software, not TPM, even if you have TPM enabled.

    The reason is that if you enabled the Windows Hello feature long before you enabled TPM in the BIOS or added a TPM chip to your system, Windows does not migrate the Hello key from the software to the hardware side. To fix this, try to re-enroll your Windows Hello data by removing the current setup and re-enrolling it; that should be enough to create the new Windows Hello key in the hardware TPM, which is when 1Password will enable its TPM settings for you.

  • BallistiX09
    Community Member

    @MikeT Thanks for the update, I've just tried the nightly release on my end and that seems to have sorted it! Tried a few restarts just to be sure, and it's working as expected 🥳

  • We're really happy to hear that! Thanks for letting us know.

  • bullfrogies
    Community Member

    I am running an AMD chip, as I have previously stated, and have TPM enabled. I have updated to the nightly build and that option is still greyed out in the settings. I redid the Windows Hello setup as well and that didn't change anything. TPM was enabled for months before I got my fingerprint reader to use with Windows Hello as well. What can I do to troubleshoot this?

  • MikeT
    edited March 2022

    Hi @bullfrogies,

    Did you remove all fingerprint and PIN as well? It doesn't migrate the keys unless everything is turned off first.

    To confirm the Windows Hello keys are in the TPM hardware provider, can you do the following:

    1. Click Start and search for PowerShell, open it
    2. Enter the following command: certutil -csp "Microsoft Passport Key Storage Provider" -key -v | Select-String -Pattern "NgcKeyImplType"
    3. Does it output 1 or 2?

    It should show something like NgcKeyImplType: 1 (0x1) if it is in hardware TPM provider.
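
Added example, not part of the original thread and not 1Password's own tooling: a PowerShell function that counts the NgcKeyImplType values reported by the certutil command above and flags any Windows Hello key that is not in the hardware TPM provider. The function name, the `$useLive` switch and the sample text are assumptions made for illustration; the sample is constructed and simplified, not real certutil output.

```powershell
# Hypothetical helper (added example): summarise NgcKeyImplType lines from
#   certutil -csp "Microsoft Passport Key Storage Provider" -key -v
function Get-HelloKeyBacking {
    param([string[]]$CertutilOutput)

    # Collect the numeric value from every NgcKeyImplType line in the listing.
    $values = @(foreach ($line in $CertutilOutput) {
        if ($line -match 'NgcKeyImplType:\s*(\d+)') { [int]$Matches[1] }
    })

    if ($values.Count -eq 0) {
        # Covers the "no value reported at all" case: no Hello key enrolled
        # for this user, or the command did not run to completion.
        $verdict = 'No NgcKeyImplType reported; set up Windows Hello and run the check again'
    } elseif (@($values | Where-Object { $_ -ne 1 }).Count -gt 0) {
        # Per the thread, 1 (0x1) means the hardware TPM provider. Keys are not
        # migrated unless every Hello method (PIN, fingerprint) is removed first.
        $verdict = 'At least one Hello key is not in the hardware TPM provider; remove all Hello sign-in methods and re-enroll'
    } else {
        $verdict = 'All Hello keys are in the hardware TPM provider'
    }

    [pscustomobject]@{
        Keys     = $values.Count
        Hardware = @($values | Where-Object { $_ -eq 1 }).Count
        Verdict  = $verdict
    }
}

# Constructed, simplified sample so the example runs without a TPM or Hello setup.
$sample = @'
Microsoft Passport Key Storage Provider:
  <constructed-key-container-1>
    NgcKeyImplType: 1 (0x1)
  <constructed-key-container-2>
    NgcKeyImplType: 2 (0x2)
'@ -split '\r?\n'

$useLive = $false   # set to $true to query this machine instead of the sample
$lines = if ($useLive) {
    certutil -csp "Microsoft Passport Key Storage Provider" -key -v
} else { $sample }

Get-HelloKeyBacking -CertutilOutput $lines | Format-List
```

If PowerShell answers a pasted command with `>>`, it is still waiting for more input (often an unbalanced or typographic quote), so the command has not run and nothing has been checked yet.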

  • oxalate
    Community Member

    I'm in the same boat as @bullfrogies above: AMD CPU, fTPM enabled in BIOS, Windows 10, Windows Hello PIN removed and then re-configured, and the TPM option is still greyed out in 1Password 8.6.1's Advanced settings screen.

    When I run the PowerShell command, I just get >> back; no NgcKeyImplType value is reported at all.

  • PeterG_1P
    edited April 2022

    Hi @oxalate, thank you for letting us know about this. Could you send our Windows support team a brief email at support+windows@1Password.com? There, we can discuss the details of the setup and figure out what factors we might need to look at.

    If possible, it would be great to have a diagnostic report from your 1Password for Windows app as well. We'll hope to see you over there!

  • oxalate
    Community Member

    And now it's working for me. I've no idea what I did differently this time, but the TPM option is no longer greyed out, and the certutil -csp "Microsoft Passport Key Storage Provider" -key -v command now shows output NgcKeyImplType: 1 (0x1), indicating that Windows is using hardware TPM for the Windows Hello keys.

  • Hi @oxalate - it's certainly good to hear that this has improved, if somewhat mysteriously! We'll keep working away at the support for this feature on our end. Thank you for the update. 👍

This discussion has been closed.