Windows Trusted Platform Module Management Step-by-Step Guide
This Step-by-Step Guide provides the instructions necessary to use Trusted Platform Module (TPM) Management in a test lab environment.
What is Trusted Platform Module (TPM) Management?
Trusted Platform Module (TPM) Management is a new feature set in Windows Vista® and Microsoft® Windows Server® 2008 used to administer the TPM security hardware in your computer. The feature set includes the TPM Management console, and an API called TPM Base Services (TBS). This architecture provides an infrastructure that allows Windows®-based applications to use and share the TPM.
What is a Trusted Platform Module?
A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer or laptop, and communicates with the rest of the system using a hardware bus.
Computers that incorporate a TPM have the ability to create cryptographic keys and encrypt them so that they can be decrypted only by the TPM. This process, often called "wrapping" or "binding" a key, can help protect the key from disclosure. Each TPM has a root "wrapping" key, called the Storage Root Key (SRK), which is stored within the TPM itself. The private portion of a key created in a TPM is never exposed to any other component, software, process, or person.
Computers that incorporate a TPM can also create a key that has not only been wrapped, but also tied to certain platform measurements. This type of key can only be unwrapped when those platform measurements have the same values that they had when the key was created. This process is called "sealing" the key to the TPM. Decrypting it is called "unsealing." The TPM can also seal and unseal data generated outside of the TPM. With this sealed key and software like Windows® BitLocker™ Drive Encryption, you can lock data until specific hardware or software conditions are met.
With a TPM, private portions of key pairs are kept separated from the memory controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system—that define its "trustworthiness"—can be made before the keys are unsealed and released for use. Because the TPM uses its own internal firmware and logic circuits for processing instructions, it does not rely upon the operating system and is not exposed to external software vulnerabilities.
Who should use this guide?
This guide is intended for the following audiences:
- IT planners and analysts who are evaluating the product.
- Security architects who are responsible for implementing trustworthy computing.
In this guide
- Requirements for TPM Management
- Key Scenarios for TPM Management
- Scenario 1: Initialize the TPM
- Scenario 2: Turn off and clear the TPM
- Scenario 3: Block or allow TPM commands
- Customer feedback
- Additional resources
Requirements for TPM Management
We recommend that you first use the steps provided in this guide in a test lab environment. A step-by-step guide is not necessarily meant to be used to deploy Windows Vista or Windows Server 2008 features without accompanying documentation (as listed in the Additional resources section) and should be used with discretion as a stand-alone document.
Preparing the test lab for TPM Management
The lab configuration needed for testing TPM Management is simply a client computer connected to an isolated network through a common hub or Layer 2 switch. The client must be running Windows Vista and be equipped with a compatible TPM (version 1.2) and Trusted Computing Group (TCG)–compliant BIOS. A portable USB flash drive is also recommended. Private IP addresses should be used throughout the test lab configuration.
Key scenarios for TPM Management
This guide covers the following scenarios for TPM Management:
- Scenario 1: Initialize the TPM
- Scenario 2: Turn off or clear the TPM
- Scenario 3: Block or allow TPM commands
Note
The three scenarios included in this guide are intended to help administrators become familiar with the TPM Management feature set of Windows Vista. They include the basic information and procedures administrators need to start configuring and deploying TPM-equipped computers within their networks. Information and procedures for advanced or customized TPM configurations are not included in this guide.
Scenario 1: Initialize the TPM
This scenario describes how to initialize the TPM on your computer. The initialization process involves turning on the TPM, and then setting ownership of the TPM. This scenario is written for administrators responsible for setting up TPM-equipped computers.
A physical presence is normally required to initialize a computer's TPM. However, a physical presence is not required if a computer is shipped with the TPM initialized. Remote initialization of the TPM is supported in Windows Vista, but information about and procedures for remote initialization are not included in this guide.
TPM Base Services (TBS) exposes a WMI class that allows the procedures in this scenario to be performed through scripting or from a WMI management console. Information about scripting TPM tasks is also not included in this guide.
Steps for initializing the TPM
To initialize the TPM on your computer, complete the following steps:
- Step 1: Turn on the TPM
- Step 2: Set ownership of the TPM
Step 1: Turn on the TPM
The TPM must be initialized before it can be used to help secure your computer. Step 1 contains the procedure for initializing a computer's TPM.
Computers manufactured to meet Windows Vista requirements include pre-startup BIOS functionality that makes it easy to initialize a computer's TPM through the TPM Initialization Wizard. When you start the TPM Initialization Wizard, you can determine whether the computer's TPM has been initialized or not.
The following procedure steps you through the process of starting the TPM Initialization Wizard and turning on the TPM.
To perform the following procedure, you must be logged on to a TPM-equipped computer with administrator credentials.
To start the TPM Initialization Wizard and turn on the TPM
Click Start, click All Programs, click Accessories, and then click Run.
Type tpm.msc in the Open box, and then press ENTER.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. For more information, see Additional resources at the end of this document.
The TPM Management console is displayed.
In the Actions pane, click Initialize TPM. The TPM Initialization Wizard is started.
- If the TPM has never been turned on or is currently turned off, the TPM Initialization Wizard displays the Turn on the TPM Security Hardware page. Read the instructions on this page, and then go to step 6 of this procedure.
- If the TPM is already turned on, the TPM Initialization Wizard displays the Create the TPM owner password page. Continue with Step 2: Set ownership of the TPM later in this guide.
- If the TPM Initialization Wizard detects a BIOS that does not meet Windows Vista requirements, you cannot continue with the wizard, and you will be alerted to consult the computer manufacturer's documentation for instructions for initializing the TPM.
Click Shutdown (or Restart), and then follow the BIOS screen prompts.
After the computer restarts, but before you log on to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user is physically present, and that it is not malicious software attempting to initialize the TPM.
Note
BIOS screen prompts and wording vary by computer manufacturer.
After logging on to Windows, right-click the Windows Defender icon in the notification area, point to Run blocked program, and then click TPM Initialization Wizard.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
Continue with Step 2: Set ownership of the TPM.
Step 2: Set ownership of the TPM
The TPM must also be owned before it can be used to help secure your computer. By setting ownership of the TPM, you are assigning a password that helps ensure only the authorized TPM owner can access and manage the TPM. The TPM password is also used to turn off the TPM if you no longer want to use it, or to clear the TPM if the computer is to be recycled.
The following procedure steps you through the process of setting ownership of the TPM using the TPM Initialization Wizard.
To perform the following procedure, you must be logged on to a TPM-equipped computer with administrator credentials.
To set ownership of the TPM
On the Create the TPM owner password page, click Automatically create the password (recommended).
In the Save your TPM owner password dialog box, click Save the password.
In the Save As dialog box, select a location to save the password, and then click Save. The password file is saved as computer_name.tpm.
Important
We highly recommend saving the TPM owner password to removable media.
- Click Print the password if you want to print a hard copy of your password.
Important
We highly recommend printing a hard copy of your TPM owner password and storing it in a safe location.
- Click Initialize.
Note
The process of initializing the TPM might take a few minutes to complete.
- Click Close.
Warning
Do not lose your password. If you do, you will be unable to make changes to your TPM that require the owner password unless you clear the TPM.
Scenario 2: Turn off or clear the TPM
This scenario covers two common tasks that administrators would perform during a reconfiguration or recycling of a TPM-equipped computer. These tasks are turning off the TPM and clearing the TPM.
Turn off the TPM
Some administrators might decide that some TPM-equipped computers in their network should be prevented from making full use of the capabilities that a TPM provides. The following procedure steps you through the process of turning off the TPM.
Note
A physical presence is not required to turn off the TPM if you have the TPM owner password.
To perform the following procedure, you must be logged on to a TPM-equipped computer with administrator credentials.
To turn off the TPM
Click Start, click All Programs, click Accessories, and then click Run.
Type tpm.msc in the Open box, and then press ENTER. The TPM Management console is displayed.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. For more information, see Additional resources at the end of this document.
In the Actions pane, click Turn TPM Off.
In the Turn off the TPM security hardware dialog box, select a method for entering your password and turning off the TPM:
- If you have the removable media onto which you saved your TPM owner password, insert it and then click I have a backup file with the TPM owner password. In the Select backup file with the TPM owner password dialog box, click Browse to locate the .tpm file saved on your removable media, click Open, and then click Turn TPM Off.
- If you do not have the removable media onto which you saved your password, click I want to type the TPM owner password. In the Type your TPM owner password dialog box, enter your password (including dashes), and then click Turn TPM Off.
- If you do not know your TPM owner password, click I do not have the TPM owner password, and follow the instructions provided in the dialog box and subsequent BIOS screens to turn off the TPM without entering the password.
Note
You can turn off the TPM or perform a limited number of TPM management tasks without entering the TPM owner password by just being present at the computer.
The status of your TPM is displayed in the **Status** box in the results pane.
Clear the TPM
Clearing the TPM cancels the TPM ownership and resets it to factory defaults. This should be done when a TPM-equipped client computer is recycled, or when the TPM owner has lost the TPM owner password. The following procedure steps you through the process of clearing the TPM.
Note
A physical presence is not required to clear the TPM, if you have the TPM owner password.
To perform the following procedure, you must be logged on to a TPM-equipped computer with administrator credentials.
To clear the TPM
Click Start, click All Programs, click Accessories, and then click Run.
Type tpm.msc in the Open box, and then press ENTER. The TPM Management console is displayed.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. For more information, see Additional resources at the end of this document.
Warning
Clearing the TPM resets it to factory defaults. You will lose all created keys and any data protected only by those keys.
In the Actions pane, click Clear TPM. If the TPM is turned off, turn on the TPM before clearing it. (The steps to turn on the TPM are provided in Step 1: Turn on the TPM.)
In the Clear the TPM security hardware dialog box, select a method for entering your password and clearing the TPM:
- If you have the removable media onto which you saved your TPM owner password, insert it and then click I have a backup file with the TPM owner password. In the Select backup file with the TPM owner password dialog box, click Browse to locate the .tpm file saved on your removable media, click Open, and then click Clear TPM.
- If you do not have the removable media onto which you saved your password, click I want to type the TPM owner password. In the Type your TPM owner password dialog box, enter your password (including dashes), and then click Clear TPM.
- If you do not know your TPM owner password, click I don't have the TPM owner password, and follow the instructions provided in the dialog box and subsequent BIOS screens to clear the TPM without entering the password.
Note
You can clear the TPM or perform a limited number of TPM management tasks without entering the TPM owner password by just being present at the computer.
The status of your TPM is displayed in the **Status** box in the results pane.
Scenario 3: Block or allow TPM commands
This scenario contains the procedure to block or allow a TPM command, which administrators can perform during either the setup or the reconfiguration of a TPM-equipped computer. TPM commands are managed through a child node of the TPM Management console named Command Management. Here, administrators can explore the commands available to the TPM. They can also block and allow those commands within the constraints of the Local Computer Policy and Group Policy settings.
To perform the following procedure, you must be logged on to a TPM-equipped computer with administrator credentials.
To block or allow TPM commands
Click Start, click All Programs, click Accessories, and then click Run.
Type tpm.msc in the Open box, and then press ENTER.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. For more information, see Additional resources at the end of this document.
Click Command Management in the console tree. A list of TPM commands is displayed.
Select a command from the list that you want to block or allow.
In the Actions pane, click either Block Selected Command or Allow Selected Command as needed.
Note
By using Group Policy domain administrators can prevent specific TPM commands from being blocked, or from being allowed. Group Policy settings can also be used to prevent any changes to the blocked command list from being made locally. Settings from Group Policy or the Local Computer Policy cannot be overridden in the TPM Management Console.
Customer feedback
Because TPM Management is a new feature set in Windows Server 2008 and Windows Vista, we are very interested in your feedback on your experiences with TPM Management, problems you encountered and the usefulness of the documentation. General feedback can be sent to tpminfo@microsoft.com. Please note, however, that individual responses are not possible.
For help with TPM Management, as with any Microsoft Windows component, please choose one of the support options listed on the Microsoft Help and Support Web site (https://go.microsoft.com/fwlink/?LinkID=76619).
Additional resources
The following resources are helpful with TPM Management:
- BitLocker Drive Encryption team blog (https://go.microsoft.com/fwlink/?LinkId=66461)
- User Account Control (https://go.microsoft.com/fwlink/?LinkId=82373)