How to Manage Passkeys and Passkey Providers in Windows 11
How to Control Passkeys and Passkey Providers in Windows 11
Passwords are slowly being replaced by passkeys. In Windows 11, you can store passkeys and protect them with Windows Hello (PIN, fingerprint, face, or security key).
What many people don’t know is that you can also control where these passkeys are stored and which providers Windows is allowed to use.
In this post, you’ll learn:
- What passkey providers are in Windows 11
- How to manage them in Settings
- How to enable or disable “This Windows device” with a registry key
- How providers like 1Password are stored
- How to list all passkey providers with PowerShell
- How to test passkeys quickly
What Are Passkey Providers in Windows 11?
When you try to sign in with a passkey, Windows may show you several options, such as:
- This Windows device (Windows Hello)
- iPhone / iPad
- Android device
- Security key (FIDO2 hardware key)
- Third-party passkey managers like 1Password or Bitwarden
Each of these is a passkey provider. Windows 11 uses a plugin model so that these providers can plug into the system and show up in the passkey prompt.
The exact list you see can differ from device to device, depending on:
- What hardware you have
- What apps you’ve installed
- Which plugins are enabled
Where to Manage Passkey Providers in Windows 11
You manage passkeys and providers from the Accounts section in Settings.
- Open Settings.
- Go to Accounts.
- Click Passkeys.
- Select Advanced options.
Here you can:
- See which providers are available.
- Turn some options on or off (depending on the provider).
- Control whether the device itself can store passkeys or not.
This is the user-friendly view. Behind the scenes, Windows uses registry keys and plugins to control this behavior. That’s what we’ll look at next.
Enable or Disable “This Windows Device” via Registry
The option “This Windows device” decides if your PC can store passkeys locally. If you want to force users to use only external providers (like a security key or 1Password), you can disable this.
⚠️ Editing the registry can break things if you make a mistake. Export a backup or create a restore point before changing anything.
Registry Path
The setting lives under the current user hive:
Computer\HKEY_CURRENT_USER\Software\Microsoft\Passkeys
Value name: LocalToggleStatus
Type: REG_DWORD
Meaning of Values
- 0 = Disabled – this Windows device is not allowed to store passkeys.
- 1 = Enabled – this Windows device is allowed to store passkeys.
How to Change It
- Press Win + R, type regedit, and press Enter.
- Go to: HKEY_CURRENT_USER\Software\Microsoft\Passkeys
- In the right pane:
  - Find LocalToggleStatus.
  - If it doesn’t exist, right-click and create a new DWORD (32-bit) Value called LocalToggleStatus.
- Set the value to:
  - 1 to enable local passkey storage.
  - 0 to disable it.
- Sign out and sign back in (or restart) so Windows picks up the change.
Once disabled, “This Windows device” should no longer be used as a passkey provider for that user.
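The same change can be scripted instead of made by hand in regedit. The following is an added example, not part of the original post; the registry path, value name, type and 0/1 meanings are the ones given above, and the function names Get-LocalPasskeyStatus and Set-LocalPasskeyStatus are hypothetical.

```powershell
# Added example: read and set LocalToggleStatus for the current user.
# Path, value name and 0/1 meanings are taken from the article.
# The function names are hypothetical.
$PasskeyKey   = 'HKCU:\Software\Microsoft\Passkeys'
$PasskeyValue = 'LocalToggleStatus'

function Get-LocalPasskeyStatus {
    # Returns 'Enabled', 'Disabled', 'NotSet' or 'Unexpected(<n>)'.
    # 'NotSet' covers both a missing key and a missing value.
    $item = Get-ItemProperty -Path $PasskeyKey -Name $PasskeyValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    switch ($item.$PasskeyValue) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        default { "Unexpected($_)" }
    }
}

function Set-LocalPasskeyStatus {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$Status
    )
    $desired = if ($Status -eq 'Enabled') { 1 } else { 0 }
    if ($PSCmdlet.ShouldProcess("$PasskeyKey\$PasskeyValue", "Set to $desired")) {
        # Create the key first if it does not exist yet.
        if (-not (Test-Path -Path $PasskeyKey)) {
            New-Item -Path $PasskeyKey -Force | Out-Null
        }
        # -Force creates the value or overwrites an existing one as REG_DWORD.
        New-ItemProperty -Path $PasskeyKey -Name $PasskeyValue `
            -PropertyType DWord -Value $desired -Force | Out-Null
    }
    # Report the state that is now stored in the registry.
    Get-LocalPasskeyStatus
}

# Check the current state, then preview the change without writing anything.
Get-LocalPasskeyStatus
Set-LocalPasskeyStatus -Status Disabled -WhatIf
```

Drop -WhatIf to apply the change. Because the value lives in HKCU, run the script in the session of the user it should apply to, then sign out and back in as described above.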
How 1Password and Other Plugins Are Stored
Third-party passkey providers such as 1Password integrate with Windows as FIDO plugins. Their configuration is stored under a registry path that contains:
- The user SID (Security Identifier)
- A plugin ID (a GUID)
A typical path looks like this:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FIDO\S-1-...userSID...\Plugins\{pluginID}
Value: State
The State value is used by Windows and the plugin to track whether the provider is enabled or in a specific state. The exact behavior depends on the provider, but knowing this path helps with:
- Troubleshooting when a provider doesn’t show up
- Auditing which passkey plugins are installed for a user
Usually, the provider’s own app manages these settings, so you don’t need to edit them manually unless you’re doing advanced troubleshooting.
List All Passkey Providers with PowerShell
If you want to see all passkey providers registered for the current user, you can use a simple PowerShell script. This is useful for admins who want a quick overview of:
- Provider names
- AAGUIDs
- GUIDs used by Windows
PowerShell Script
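# SID of the user running the script; the plugin keys are stored per user SID.
$userSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$pluginsPath = "HKLM:\SOFTWARE\Microsoft\FIDO\$userSid\Plugins"

# Each subkey is one plugin; the subkey name is the plugin's GUID.
# If the Plugins key does not exist, the error is suppressed and nothing is listed.
Get-ChildItem -Path $pluginsPath -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    [PSCustomObject]@{
        Name         = $props.Name
        AAGUID       = $props.AaGuid
        ProviderGUID = $_.PSChildName
    }
} | Format-Table -AutoSize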
How to Run It
- Right-click Start and open Windows Terminal (Admin) or PowerShell (Admin).
- Paste the script and press Enter.
- PowerShell will output a table with:
- Name – usually the provider’s display name.
- AAGUID – the authenticator GUID for FIDO/WebAuthn.
- ProviderGUID – the plugin’s GUID from the registry.
This is a quick way to confirm that providers like 1Password, Bitwarden, or others are correctly registered.
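For an audit of a shared device, the same registry layout can be walked for every user SID instead of only the current user, with the State value included. This is an added example, not part of the original post; it assumes the path and the Name, AaGuid and State value names described above, and the function name Get-PasskeyPluginInventory is hypothetical.

```powershell
# Added example: list passkey plugins for every user SID under the FIDO key.
# Registry layout and the Name / AaGuid / State value names come from the
# article; the function name Get-PasskeyPluginInventory is hypothetical.
function Get-PasskeyPluginInventory {
    $fidoRoot = 'HKLM:\SOFTWARE\Microsoft\FIDO'
    if (-not (Test-Path -Path $fidoRoot)) { return }

    Get-ChildItem -Path $fidoRoot |
        Where-Object { $_.PSChildName -like 'S-1-*' } |
        ForEach-Object {
            $sid = $_.PSChildName
            # Resolve the SID to an account name; keep the raw SID if that
            # fails (for example a deleted profile or an unreachable domain).
            try {
                $sidObject = [System.Security.Principal.SecurityIdentifier]::new($sid)
                $account   = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $sid
            }
            $pluginsPath = Join-Path -Path $_.PSPath -ChildPath 'Plugins'
            # A SID without a Plugins subkey simply contributes no rows.
            Get-ChildItem -Path $pluginsPath -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $props = Get-ItemProperty -Path $_.PSPath
                    [PSCustomObject]@{
                        Account      = $account
                        Sid          = $sid
                        Name         = $props.Name
                        AAGUID       = $props.AaGuid
                        State        = $props.State   # raw value; meaning is provider-specific
                        ProviderGUID = $_.PSChildName
                    }
                }
        }
}

Get-PasskeyPluginInventory | Sort-Object Account, Name | Format-Table -AutoSize
```

The function returns objects, so the result can also be piped to Export-Csv and compared between machines or over time.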
How Windows Remembers the Last Used Provider
Windows also keeps track of which provider you used most recently. When you go to sign in with a passkey again, it can automatically suggest the same provider first.
This makes the experience smoother:
- Use 1Password once → it’s likely suggested next time.
- Switch to a security key → that might become the default in the next prompt.
You don’t usually need to configure this; it just explains why the order of options can change over time.
How to Test Your Passkeys
You don’t have to test on real accounts if you don’t want to. There are public test sites for WebAuthn and passkeys. One of the most popular is:
- WebAuthn.io
On a test site like this, you can:
- Register a new passkey with any provider (Windows device, security key, 1Password, etc.).
- Try signing in again to check that everything works.
- Switch providers to see how Windows shows you different options.
This is a safe way to test:
- Whether “This Windows device” is enabled or disabled as expected.
- Whether your third-party passkey manager is active.
- How Windows behaves when multiple providers are available.
When This Is Useful
These advanced passkey settings are especially handy if you:
- Manage shared or sensitive devices and want to block local passkey storage.
- Prefer that users rely on a hardware security key or password manager instead of the local device.
- Need to audit which passkey providers are active for troubleshooting or compliance.
- Want to understand why certain options appear (or don’t appear) in the Windows passkey prompt.
Wrap-Up
Windows 11 doesn’t just support passkeys—it gives you control over how and where they are stored:
- Use Settings > Accounts > Passkeys > Advanced options for basic management.
- Use the LocalToggleStatus registry value to enable or disable “This Windows device” as a passkey provider.
- Look under HKLM\SOFTWARE\Microsoft\FIDO\<userSID>\Plugins to see how third-party providers like 1Password are integrated.
- Run the PowerShell script to list all providers and their IDs.
- Test everything safely using a site like WebAuthn.io.
With these tools, you can fine-tune passkey behavior on Windows 11 so it fits your security policies and your way of working.
