mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-28 13:17:23 +00:00
Merge pull request #148 from gastocco/patch-1
Updates About New Behavior for TPM Owner Password
This commit is contained in:
commit
09bbe79006
@ -17,11 +17,13 @@ author: brianlic-msft
|
||||
This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
|
||||
|
||||
## About the TPM owner password
|
||||
The owner of the TPM is the user who possesses the owner password and is able to set it and change it. Only one owner password exists per TPM. The owner of the TPM can make full use of TPM capabilities. When an owner is set, no other user or software can claim ownership of the TPM. Only the TPM owner can enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. Taking ownership of the TPM can be performed as part of the initialization process. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it.
|
||||
Starting with Windows 10, version 1607 , Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.
|
||||
|
||||
Applications, including BitLocker Drive Encryption, can automatically start the initialization process. If you enable BitLocker without manually initializing the TPM, the TPM owner password is automatically created and saved in the same location as the BitLocker recovery password.
|
||||
The TPM owner password can be saved as a file on a removable storage device, or on another computer. The password can also be printed. The TPM MMC gives the TPM owner the sole ability to choose the appropriate option to type the password or to use the saved password.
|
||||
As with any password, you should change your TPM owner password if you suspect that it has become compromised and is no longer a secret.
|
||||
In order to retain the TPM owner password, you will need to set the registry key 'HKLM\Software\Policies\Microsoft\TPM' [REG_DWORD] 'OSManagedAuthLevel' to 4. The default value for this key is 2, and unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved. Microsoft strongly recommends that you do not change the default value of this registry key in order to retain the owner password.
|
||||
|
||||
Only one owner password exists for each TPM. The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. The TPM owner password also allows manipulation of the TPM dictionary attack logic. Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it.
|
||||
|
||||
Without the owner password you can still perform all the preceding actions by means of a physical presence confirmation from UEFI.
|
||||
|
||||
**Other TPM management options**
|
||||
|
||||
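Review bot: The unchanged sentences "the TPM owner password is automatically created and saved in the same location as the BitLocker recovery password" and "The TPM owner password can be saved as a file on a removable storage device" now contradict the new default this hunk introduces (the password is set to a random high-entropy value and discarded), so both should be qualified with "if OSManagedAuthLevel was set to 4 before the TPM was provisioned". In the OSManagedAuthLevel paragraph, "do not change the default value of this registry key in order to retain the owner password" parses as advice on how to retain it; suggest "Microsoft strongly recommends that you keep the default value of 2. Retaining the owner password is not recommended." Put the path and value in code formatting, e.g. `HKLM\Software\Policies\Microsoft\TPM`, `OSManagedAuthLevel` (REG_DWORD), and fix the stray space in "version 1607 , Windows". The new paragraph "Only one owner password exists for each TPM..." repeats most of the earlier "The owner of the TPM is the user who possesses the owner password..." paragraph, so if both survive the merge they should be folded into one. Finally, "allows manipulation of the TPM dictionary attack logic" would be clearer if it named the operation, e.g. "allows the TPM's dictionary-attack (anti-hammering) lockout to be reset".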
@ -31,7 +33,7 @@ Instead of changing your owner password, you can also use the following options
|
||||
|
||||
>**Important:** Clearing the TPM can result in the loss of data. To avoid data loss, make sure you have a backup or recovery method for any data protected or encrypted by the TPM.
|
||||
|
||||
- **Turn off the TPM** If you want to keep all existing keys and data intact, and you want to disable the services that are provided by the TPM, you can turn it off. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#bkmk-onoff).
|
||||
- **Turn off the TPM** If you want to keep all existing keys and data intact, and you want to disable the services that are provided by the TPM, you can turn it off. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#bkmk-onoff). This option is only available for TPM 1.2.
|
||||
|
||||
## Change the TPM owner password
|
||||
|
||||
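Review bot: The added qualifier "This option is only available for TPM 1.2." on the "Turn off the TPM" bullet leaves TPM 2.0 readers without guidance, because the list presents turning off as the way to keep existing keys and data intact instead of clearing. State the consequence directly, e.g. "This option is only available for TPM 1.2; on TPM 2.0 the TPM cannot be turned off through the TPM MMC." Also match the wording used for the same change in the initialize-and-configure-ownership page ("only available with TPM 1.2 and does not apply to TPM 2.0") so the two pages agree.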
@ -39,6 +41,8 @@ The following procedure provides the steps that are necessary to change the TPM
|
||||
|
||||
**To change the TPM owner password**
|
||||
|
||||
If you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password.
|
||||
|
||||
1. Open the TPM MMC (tpm.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
|
||||
2. In the **Actions** pane, click **Change Owner Password**.
|
||||
3. In the **Manage the TPM security hardware** dialog box, select a method to enter your current TPM owner password.
|
||||
|
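Review bot: The new sentence "If you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password." is inserted between the procedure title "**To change the TPM owner password**" and step 1, which breaks the title-then-steps pattern used elsewhere on the page; move it above the bold title. "Opted specifically" is also vague: say how, e.g. "If you set OSManagedAuthLevel to 4 before the TPM was provisioned, so that the owner password was retained, you can use the saved password...". Otherwise readers on the default configuration reach step 3 ("select a method to enter your current TPM owner password") with no password to enter.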
@ -106,13 +106,13 @@ Some systems may have multiple TPMs and the active TPM may be toggled in the BIO
|
||||
|
||||
## <a href="" id="bkmk-onoff"></a>Turn on or turn off the TPM
|
||||
|
||||
Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.
|
||||
Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. This option is only available with TPM 1.2 and does not apply to TPM 2.0.
|
||||
|
||||
### <a href="" id="turn-on-the-tpm-"></a>Turn on the TPM
|
||||
|
||||
If the TPM has been initialized but has never been used, or if you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM.
|
||||
|
||||
**To turn on the TPM**
|
||||
**To turn on the TPM (TPM 1.2 Only)**
|
||||
|
||||
1. Open the TPM MMC (tpm.msc).
|
||||
2. In the **Action** pane, click **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page.
|
||||
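Review bot: The heading "**To turn on the TPM (TPM 1.2 Only)**" capitalizes "Only" while the companion heading in the next hunk uses "(TPM 1.2 only)"; pick one (lowercase matches the sentence "This option is only available with TPM 1.2"). The restriction is now stated in the section intro and in the procedure title but not in the paragraph "If the TPM has been initialized but has never been used, or if you want to use the TPM after you have turned it off...", which still reads as if it applies to every TPM; adding "on a TPM 1.2 device" there keeps the three statements consistent.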
@ -125,7 +125,7 @@ If the TPM has been initialized but has never been used, or if you want to use t
|
||||
If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. If you have the TPM owner password, physical access to the computer is not required to turn off the TPM. If you do not have the TPM owner password, you must have physical access to the
|
||||
computer to turn off the TPM.
|
||||
|
||||
**To turn off the TPM**
|
||||
**To turn off the TPM (TPM 1.2 only)**
|
||||
|
||||
1. Open the TPM MMC (tpm.msc).
|
||||
2. In the **Action** pane, click **Turn TPM Off** to display the **Turn off the TPM security hardware** page.
|
||||
|
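Review bot: The unchanged paragraph "If you have the TPM owner password, physical access to the computer is not required to turn off the TPM. If you do not have the TPM owner password, you must have physical access to the computer to turn off the TPM." conflicts with the behaviour this PR documents on the change-the-tpm-owner-password page (from Windows 10, version 1607 the owner password is generated and discarded unless OSManagedAuthLevel is set to 4 before provisioning). In the default configuration nobody holds the password, so turning off a TPM 1.2 device will always require physical presence; add that caveat here so the procedure does not imply a remote path that no longer exists by default. Minor: the paragraph is broken across two lines mid-sentence ("physical access to the" / "computer to turn off the TPM.") and should be joined.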