
Windows - Software Lifecycle - Install 1Password

Deploy 1Password password vault to Windows endpoints with silent MSI install and registry-based detection

Worklet Details

What the 1Password deployment Worklet does

This Automox Worklet™ deploys 1Password on Windows endpoints by pulling the latest 64-bit machine-wide MSI from the 1Password CDN at https://downloads.1password.com/win/1PasswordSetup-latest.msi and executing it silently. The evaluation phase queries the Windows registry for an existing 1Password DisplayName entry under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and the 32-bit view under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall. Endpoints already running 1Password exit with code 0 and are reported compliant, so a recurring policy lands as a no-op on the laptops that pass and only downloads the MSI on the laptops where the DisplayName entry is missing.

The Worklet stages the MSI under C:\ProgramData\amagent\WorkletCache\WSE-665, runs msiexec.exe with the /i, /qn, /norestart, and /l*v switches, and deletes the staged installer when the run completes. The installed binary lands under C:\Program Files\1Password\app\<version>\1Password.exe, with the machine-wide build making the vault and browser-extension bridge available to every user profile on the endpoint. You can confirm the installed build with Get-Package -Name '1Password*' or by reading the DisplayVersion value from the same registry path the evaluation script uses.

Because the installer is pulled live from the vendor CDN on every remediation run, endpoints receive the current release without you needing to repackage the MSI in a software library. Pair the Worklet with an Automox policy schedule and FixNow for on-demand deployment to a specific endpoint group when a new build is required ahead of the normal cadence.

Why standardize on 1Password as the fleet password vault

Credential reuse is a common contributor to account compromise on Windows fleets. When the organization has not selected a password manager, users default to browser-saved passwords, shared spreadsheets, or personal password managers. Each of those paths is a discrete data-exfiltration surface for an attacker who lands on the laptop. Deploying 1Password machine-wide gives every user profile a vetted, end-to-end-encrypted vault and the browser extensions to autofill from it, so the convenient path for the user matches your security policy.

Apply this Worklet to the Windows workstation group on the same cadence as your security-baseline policies, and the 1Password rollout that started as a security-team initiative reaches contractor laptops, lab workstations, and asset-tag-only machines that normally sit outside MDM enrollment.

How 1Password deployment and version detection work

  1. Evaluation phase: The PowerShell evaluation script opens the HKLM registry hive with the architecture-appropriate registry view, enumerates subkeys under SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, and matches each DisplayName value against '1Password'. If a match is found the script writes '1Password is already installed' and exits 0; if not, it writes '1Password was not detected. Flagging for remediation.' and exits 2, which queues the endpoint for remediation.

  2. Remediation phase: The remediation script creates C:\ProgramData\amagent\WorkletCache\WSE-665 if it does not already exist, then uses System.Net.WebClient.DownloadFile to pull 1PasswordSetup-latest.msi from https://downloads.1password.com/win/1PasswordSetup-latest.msi. It starts msiexec.exe with /i, the path to the staged 1Password.msi, /l*v pointed at 1Password_install.log in the same cache directory, /qn, and /norestart, and waits for the process to complete. The script deletes the staged MSI after the install attempt, and on exception it writes Write-Error messages naming the failed line and log path, then exits with code 1 so the failure surfaces in Automox activity logs.
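The remediation flow described above, as an added example that is not the Worklet's own script: it keeps the page's cache path, URL and msiexec switches, and adds an Authenticode check before the MSI runs. The `$ExpectedSigner` value and the accepted exit codes are assumptions to confirm against a known-good installer and your own policy.

```powershell
# Added example. Paths, URL and msiexec switches are taken from the page;
# the signature check and $ExpectedSigner are assumptions layered on top.
$CacheDir       = 'C:\ProgramData\amagent\WorkletCache\WSE-665'
$Url            = 'https://downloads.1password.com/win/1PasswordSetup-latest.msi'
$Msi            = Join-Path $CacheDir '1Password.msi'
$Log            = Join-Path $CacheDir '1Password_install.log'
$ExpectedSigner = 'AgileBits'   # assumption: confirm against a known-good installer

try {
    if (-not (Test-Path $CacheDir)) {
        New-Item -Path $CacheDir -ItemType Directory -Force | Out-Null
    }

    # Windows PowerShell 5.1 may not negotiate TLS 1.2 unless told to
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    (New-Object System.Net.WebClient).DownloadFile($Url, $Msi)

    # Refuse to run a package with a broken signature or an unexpected signer
    $sig = Get-AuthenticodeSignature -FilePath $Msi
    if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status)" }
    if ($sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedSigner)) {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    $msiArgs = @('/i', "`"$Msi`"", '/l*v', "`"$Log`"", '/qn', '/norestart')
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # 0 = success, 3010 = success with a reboot pending
    if ($proc.ExitCode -notin @(0, 3010)) { throw "msiexec exited with $($proc.ExitCode)" }
    Write-Output "1Password installed (msiexec exit code $($proc.ExitCode))."
}
catch {
    Write-Error "Install failed: $($_.Exception.Message). See $Log"
    exit 1
}
finally {
    # Delete the staged installer whether or not the install succeeded
    Remove-Item -Path $Msi -Force -ErrorAction SilentlyContinue
}
exit 0
```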

1Password deployment requirements

  • Windows 10, Windows 11, or Windows Server 2016 and later

  • 64-bit Windows; the Worklet pulls the machine-wide 64-bit MSI from the 1Password CDN

  • Local administrator context for the Automox agent (the default agent context already meets this)

  • Outbound HTTPS to downloads.1password.com for the MSI fetch; proxy-protected fleets need an allowlist entry

  • At least 500 MB free under C:\ProgramData\amagent\WorkletCache\WSE-665 for the staged installer and verbose install log

  • PowerShell 5.1 or later (default on every supported Windows version)

Expected endpoint state after 1Password deployment

After a successful remediation run, the endpoint has the 1Password binary installed at C:\Program Files\1Password\app\<version>\1Password.exe and an Uninstall registry entry with DisplayName '1Password' and a current DisplayVersion. Validate with Get-Package -Name '1Password*' or by querying the registry directly: Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object DisplayName -Like '1Password*' | Select DisplayName, DisplayVersion. The verbose install log at C:\ProgramData\amagent\WorkletCache\WSE-665\1Password_install.log captures every MSI action and the final exit code if you need to diagnose a failed run.

Subsequent evaluations report the endpoint as compliant without re-running the install, because the registry lookup finds 1Password already present. End users see the standalone 1Password app in the Start menu and the 1Password browser extension available across Edge, Chrome, and Firefox profiles on the machine, since the machine-wide install path serves every user account on the endpoint rather than installing per-user. The evaluation matches on DisplayName only, so it does not compare versions. To force a re-install or upgrade to a new build, uninstall 1Password first or run the remediation directly as a FixNow task against the target endpoint group.
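Because the evaluation matches on DisplayName only, an outdated build still reports compliant. The following added example (not the Worklet's evaluation script) is a variant that reads DisplayVersion from both Uninstall paths and exits 2 when the install is missing or below a floor; `$MinimumVersion` is a hypothetical value you set yourself.

```powershell
# Added example. Registry paths, messages and exit codes 0/2 follow the page;
# the version floor is a hypothetical value, not something the Worklet defines.
$MinimumVersion = [version]'8.0.0'   # hypothetical floor; set to the build your policy requires
$paths = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
         'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'

# Open HKLM with the 64-bit view so results do not depend on the host process bitness
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry64)

$found = foreach ($path in $paths) {
    $root = $hklm.OpenSubKey($path)
    if (-not $root) { continue }
    foreach ($name in $root.GetSubKeyNames()) {
        $key = $root.OpenSubKey($name)
        if ($key -and "$($key.GetValue('DisplayName'))" -like '1Password*') {
            [pscustomobject]@{
                DisplayName    = $key.GetValue('DisplayName')
                DisplayVersion = "$($key.GetValue('DisplayVersion'))"
            }
        }
    }
}
$hklm.Dispose()

if (-not $found) {
    Write-Output '1Password was not detected. Flagging for remediation.'
    exit 2
}

# An unparsable or missing DisplayVersion is treated the same as an old one
$stale = $found | Where-Object {
    $v = $null
    (-not [version]::TryParse($_.DisplayVersion, [ref]$v)) -or ($v -lt $MinimumVersion)
}
if ($stale) {
    Write-Output "1Password $($stale.DisplayVersion -join ', ') is below $MinimumVersion. Flagging for remediation."
    exit 2
}
Write-Output '1Password is already installed and meets the version floor.'
exit 0
```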


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
