Updating TPM firmware. Need to uninstall 1PW first?
Short version of my question: Should I uninstall 1PW and Windows Hello (biometric & PIN settings) before upgrading my laptop firmware if 1PW currently appears to be using a software-based "token / key"?
Background: I have a 5-1/2-year-old HP Spectre x360 laptop (purchased early 2017). It has TPM 2.0, but per Device Manager it wasn't "installed" until 2020 (or perhaps it was re-installed, I don't remember). I previously had no use for managing certificates until recently (home use only), and it was not set up for use on a managed professional network (MS Exchange Server, Azure, etc.), so I paid no attention to this detail. I also did not use GPG/PGP, etc., until very recently (ProtonMail, etc.), but am slowly expanding my security profile, starting with 1PW and authenticators / YubiKeys and getting away from text / SMS authentication.
In researching 1PW, I came across a couple of threads in the 1PW Community RE: TPM and Windows Hello login (apparently TPM has become much more important lately as it is a stated pre-req for upgrading to Windows 11, although some have found workarounds by tweaking the install environment). This caused me to look into my own TPM functionality. The option to use TPM with Windows Hello is "grayed out" (not available) in the 1PW app security settings, suggesting TPM is not enabled or otherwise unavailable, and that 1PW is using a software key/token.
Further checking within Settings and BIOS actually showed TPM is fully enabled / available. I then discovered my laptop has the Infineon (IFX) TPM with firmware v. 5.40, and within Settings it recommended I needed to update the TPM BIOS. While researching info on doing this, I then read elsewhere that 6 months after this laptop was produced (4/'17) a significant security issue was discovered with this particular TPM's firmware, and it was updated a short time later (10-11/'17) to v. 5.62+ with a firmware update. 5 years later and apparently I never got the memo (even though Windows and HP support are on auto-update).
Using various commands with CERTUTIL in PowerShell, it appears I only have 3 certificates in the store ("Microsoft Passport Key Storage Provider"), which all appear to be software based (not hardware / TPM based), including my Windows Live login (the other two are identified as "Fido2 authenticator" related, and are most likely from my YubiKeys, used for both MS and Google as well as a half dozen other accounts).
I cannot seem to find anything that appears to be a 1PW certificate by using the CERTUTIL command. I've also looked through all of the certificates available through the MMC snap-in viewer and still cannot find a cert that appears to be from 1PW. Perhaps I am looking in the wrong places (unless one of the FIDO2 Auth entries in MS Passport Key Storage Provider is in fact for 1PW).
Since my initial setup of using Win Hello long predates the use of 1PW, and it was probably initially set up prior to even switching on / installing the TPM service, it would explain why the Win Hello certificate/key is software based. As a relatively low profile target, fortunately this seems to have worked to my advantage.
So, should I follow the steps listed at the top of this question, or is it more advisable to simply go ahead and install the Firmware update, re-boot, then go through the steps to "uninstall Windows Hello" (delete the facial recognition and PIN settings), re-boot again and re-install it (hoping Windows will then utilize the hardware-based TPM function)? Or will updating the firmware while 1PW is installed screw up its installation and possibly lock me out of accessing the program?
Thank you.
RC
For reference, from past related threads:
https://reddit.com/r/1Password/comments/tfu103/use_the_trusted_platform_module_with_windows/
1Password Version: 8.10.0
Extension Version: Not Provided
OS Version: Win 10
Browser: Not Provided
Comments
-
To add clarity to my opening comment: while a check of Settings (Updates & Security / Windows Security / Device Security / Security Processor / Security Processor Details and Security Processor Troubleshooting) and BIOS shows that TPM is fully enabled / available, using the steps previously mentioned in earlier posts (the use of CERTUTIL in PowerShell (it won't work in the CMD prompt) and the MMC snap-in viewer launched via Run), I can find no direct evidence that any services (keys / tokens / certificates) are actually using the TPM hardware security service currently. If someone has a clearer way of verifying this, I'm all ears. (Hence it seems that going ahead and installing the TPM firmware update first and then switching over all the software-based security items later won't hurt anything, whereas if TPM was already being fully utilized, it would present problems recovering lost access once those hardware-based security items were overwritten and lost, unless those keys / tokens / certificates were withdrawn and deactivated first.)
0
-
Hello @RCxRC,
Thanks for your detailed message! 1Password will continue to operate as it does now, and you can continue to access it with your account password on Windows. You can complete any necessary firmware updates; there is no need to uninstall 1Password 8 for Windows.
You mentioned:
Since my initial setup of using Win Hello long predates the use of 1PW, and it was probably initially set up prior to even switching on/installing the TPM service, it would explain why the Win Hello certificate/key is software based.
This would explain why the TPM option is greyed out and the Windows Hello key is software based. Should you still see troubles after the updates with this option greyed out, as noted in a previous thread, please try to re-enroll the Windows Hello data by removing all the current options set up, and re-adding all of your Windows Hello options, such as face, fingerprint and PIN. This should move the key to the hardware-backed TPM.
I hope this helps, but if you continue to have troubles, just let us know!
0
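The first comment asks for a clearer way to verify whether anything is actually using the TPM. As an added example (not from the thread, and not 1Password's code), the PowerShell below reports the TPM's manufacturer and firmware version and then lists the key containers held by the TPM-backed provider versus the software and Windows Hello (Passport) providers; the 5.62 threshold is the fixed Infineon version the question cites, and the check assumes ManufacturerIdTxt reports "IFX" and that ManufacturerVersion parses as major.minor.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on Windows 10.
# 1. TPM presence, manufacturer and firmware version (Get-Tpm and Win32_Tpm are built in).
$tpm = Get-Tpm
$ci  = Get-CimInstance -Namespace root/cimv2/security/microsofttpm -ClassName Win32_Tpm

[pscustomobject]@{
    Present      = $tpm.TpmPresent
    Ready        = $tpm.TpmReady
    Manufacturer = $tpm.ManufacturerIdTxt    # "IFX" for Infineon, per the question
    SpecVersion  = $ci.SpecVersion
    Firmware     = $ci.ManufacturerVersion   # the question reports "5.40" on this laptop
} | Format-List

# The question states that Infineon firmware 5.62+ carries the 2017 fix; flag older builds.
# Assumption: ManufacturerVersion is a plain major.minor string that [version] can parse.
if ($tpm.ManufacturerIdTxt -match 'IFX' -and
    [version]$ci.ManufacturerVersion -lt [version]'5.62') {
    Write-Warning "Infineon TPM firmware $($ci.ManufacturerVersion) predates the 5.62 update."
}

# 2. Which key storage provider actually holds keys for the current user.
#    "Microsoft Platform Crypto Provider" is the TPM-backed KSP: if it lists no containers
#    while the software or Passport KSPs do, nothing is TPM-bound yet (the situation the
#    question describes), so a firmware update cannot orphan any hardware-bound key.
$providers = 'Microsoft Platform Crypto Provider',
             'Microsoft Software Key Storage Provider',
             'Microsoft Passport Key Storage Provider'
foreach ($csp in $providers) {
    "`n== $csp (current user) =="
    certutil -user -csp $csp -key 2>&1 | Out-String
}
```

Re-run the second part after re-enrolling Windows Hello as the reply suggests: a new container under the Platform Crypto Provider is the evidence that the key moved to the TPM.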