From 6854478cbda260fa94b6b6e197771c35c1fe066f Mon Sep 17 00:00:00 2001 From: gastocco Date: Thu, 25 Aug 2016 12:06:07 -0700 Subject: [PATCH 1/5] Update to TPM On/Off Re: TPM 1.2 The option to turn on or off the TPM only applies to TPM 1.2. --- .../initialize-and-configure-ownership-of-the-tpm.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md index a1d2220641..1317cf6385 100644 --- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md @@ -106,13 +106,13 @@ Some systems may have multiple TPMs and the active TPM may be toggled in the BIO ## Turn on or turn off the TPM -Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. +Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. This option is only available with TPM 1.2 and does not apply to TPM 2.0. ### Turn on the TPM If the TPM has been initialized but has never been used, or if you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM. -**To turn on the TPM** +**To turn on the TPM (TPM 1.2 Only)** 1. Open the TPM MMC (tpm.msc). 2. In the **Action** pane, click **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page. 
@@ -125,7 +125,7 @@ If the TPM has been initialized but has never been used, or if you want to use t If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. If you have the TPM owner password, physical access to the computer is not required to turn off the TPM. If you do not have the TPM owner password, you must have physical access to the computer to turn off the TPM. -**To turn off the TPM** +**To turn off the TPM (TPM 1.2 only)** 1. Open the TPM MMC (tpm.msc). 2. In the **Action** pane, click **Turn TPM Off** to display the **Turn off the TPM security hardware** page. From 5801353e06dfeff4307ae5e3e42189e209735bf4 Mon Sep 17 00:00:00 2001 From: gastocco Date: Thu, 25 Aug 2016 13:20:17 -0700 Subject: [PATCH 2/5] Clarifications about Owner Password on Windows 10 --- .../keep-secure/change-the-tpm-owner-password.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/change-the-tpm-owner-password.md b/windows/keep-secure/change-the-tpm-owner-password.md index ba11bc7a8c..f4c2e824a5 100644 --- a/windows/keep-secure/change-the-tpm-owner-password.md +++ b/windows/keep-secure/change-the-tpm-owner-password.md 
@@ -16,12 +16,14 @@ author: brianlic-msft This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. -## About the TPM owner password -The owner of the TPM is the user who possesses the owner password and is able to set it and change it. Only one owner password exists per TPM. The owner of the TPM can make full use of TPM capabilities. When an owner is set, no other user or software can claim ownership of the TPM. Only the TPM owner can enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. Taking ownership of the TPM can be performed as part of the initialization process. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it. +## About the TPM Owner Password +Starting with Windows 10 Anniversary Edition, Windows will not retain the TPM Owner Password when provisioning the TPM. The password will be set to a random high entropy value and then discarded. -Applications, including BitLocker Drive Encryption, can automatically start the initialization process. If you enable BitLocker without manually initializing the TPM, the TPM owner password is automatically created and saved in the same location as the BitLocker recovery password. -The TPM owner password can be saved as a file on a removable storage device, or on another computer. The password can also be printed. The TPM MMC gives the TPM owner the sole ability to choose the appropriate option to type the password or to use the saved password. -As with any password, you should change your TPM owner password if you suspect that it has become compromised and is no longer a secret. +In order to retain the TPM Owner Password, you will need to set the registry key 'HKLM\Software\Policies\Microsoft\TPM' [REG_DWORD] 'OSManagedAuthLevel' to 4. 
The default value for this key is 2, and unless changed to 4 before the TPM is provisioned the Owner Password will not be saved. Microsoft strongly recommends that you do not change the default value of this registry key in order to retain the Owner Password. + +Only one Owner Password exists per TPM. The TPM Owner Password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. The TPM Owner Password also allows manipulation of the TPM Dictionary Attack logic. Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it. + +Without the Owner Password you can still perform all the above actions via a physical presence confirmation from UEFI. **Other TPM management options** @@ -31,7 +33,7 @@ Instead of changing your owner password, you can also use the following options >**Important:**  Clearing the TPM can result in the loss of data. To avoid data loss, make sure you have a backup or recovery method for any data protected or encrypted by the TPM.   -- **Turn off the TPM**   If you want to keep all existing keys and data intact, and you want to disable the services that are provided by the TPM, you can turn it off. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#bkmk-onoff). +- **Turn off the TPM**   If you want to keep all existing keys and data intact, and you want to disable the services that are provided by the TPM, you can turn it off. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#bkmk-onoff). This option is only available for TPM 1.2. ## Change the TPM owner password 
@@ -39,6 +41,8 @@ The following procedure provides the steps that are necessary to change the TPM **To change the TPM owner password** +If you have opted specifically to preserve the TPM Owner Password, you can use the saved Password to change to a new Password. + 1. Open the TPM MMC (tpm.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 2. In the **Actions** pane, click **Change Owner Password**. 3. In the **Manage the TPM security hardware** dialog box, select a method to enter your current TPM owner password. From d21e0de31e4216bbe504d3bc2f2694e2809cc1ec Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 25 Aug 2016 15:14:23 -0700 Subject: [PATCH 3/5] Update change-the-tpm-owner-password.md --- windows/keep-secure/change-the-tpm-owner-password.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/change-the-tpm-owner-password.md b/windows/keep-secure/change-the-tpm-owner-password.md index f4c2e824a5..fcae2ec4ba 100644 --- a/windows/keep-secure/change-the-tpm-owner-password.md +++ b/windows/keep-secure/change-the-tpm-owner-password.md 
@@ -16,14 +16,14 @@ author: brianlic-msft This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. -## About the TPM Owner Password -Starting with Windows 10 Anniversary Edition, Windows will not retain the TPM Owner Password when provisioning the TPM. The password will be set to a random high entropy value and then discarded. +## About the TPM owner password +Starting with Windows 10, version 1607 , Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded. -In order to retain the TPM Owner Password, you will need to set the registry key 'HKLM\Software\Policies\Microsoft\TPM' [REG_DWORD] 'OSManagedAuthLevel' to 4. The default value for this key is 2, and unless changed to 4 before the TPM is provisioned the Owner Password will not be saved. Microsoft strongly recommends that you do not change the default value of this registry key in order to retain the Owner Password. +In order to retain the TPM owner password, you will need to set the registry key 'HKLM\Software\Policies\Microsoft\TPM' [REG_DWORD] 'OSManagedAuthLevel' to 4. The default value for this key is 2, and unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved. Microsoft strongly recommends that you do not change the default value of this registry key in order to retain the owner password. -Only one Owner Password exists per TPM. The TPM Owner Password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. The TPM Owner Password also allows manipulation of the TPM Dictionary Attack logic. Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot. 
Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it. +Only one owner password exists for each TPM. The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. The TPM owner password also allows manipulation of the TPM dictionary attack logic. Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it. -Without the Owner Password you can still perform all the above actions via a physical presence confirmation from UEFI. +Without the owner password you can still perform all the preceding actions by means of a physical presence confirmation from UEFI. **Other TPM management options** @@ -41,7 +41,7 @@ The following procedure provides the steps that are necessary to change the TPM **To change the TPM owner password** -If you have opted specifically to preserve the TPM Owner Password, you can use the saved Password to change to a new Password. +If you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password. 1. Open the TPM MMC (tpm.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 2. In the **Actions** pane, click **Change Owner Password**. From 8d311701f285916f26a774318948f7eaecdefc6a Mon Sep 17 00:00:00 2001 
From: Justin Hall Date: Thu, 25 Aug 2016 15:18:54 -0700 Subject: [PATCH 4/5] Copyedits In my two commits. I changed anniversary to Windows 10 version 1607. That's the name that marketing asked us to use for docs. I changed owner password to lower case bc it's not a proper noun. --- windows/keep-secure/change-the-tpm-owner-password.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/change-the-tpm-owner-password.md b/windows/keep-secure/change-the-tpm-owner-password.md index fcae2ec4ba..50d9175eb2 100644 --- a/windows/keep-secure/change-the-tpm-owner-password.md +++ b/windows/keep-secure/change-the-tpm-owner-password.md @@ -33,7 +33,7 @@ Instead of changing your owner password, you can also use the following options >**Important:**  Clearing the TPM can result in the loss of data. To avoid data loss, make sure you have a backup or recovery method for any data protected or encrypted by the TPM.   -- **Turn off the TPM**   If you want to keep all existing keys and data intact, and you want to disable the services that are provided by the TPM, you can turn it off. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#bkmk-onoff). This option is only available for TPM 1.2. +- **Turn off the TPM**   If you want to keep all existing keys and data intact, and you want to disable the services that are provided by the TPM, you can turn it off. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#bkmk-onoff). This option is only available for TPM 1.2. ## Change the TPM owner password From 7d1f9ce3c26d2fd3a43c42a7fece9e07f83b52f4 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 25 Aug 2016 15:20:56 -0700 Subject: [PATCH 5/5] Copyedits Just removed an extra space --- .../initialize-and-configure-ownership-of-the-tpm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md index 1317cf6385..694171d845 100644 --- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md @@ -106,7 +106,7 @@ Some systems may have multiple TPMs and the active TPM may be toggled in the BIO ## Turn on or turn off the TPM -Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. This option is only available with TPM 1.2 and does not apply to TPM 2.0. +Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. This option is only available with TPM 1.2 and does not apply to TPM 2.0. ### Turn on the TPM
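Review bot: in the PATCH 1/5 hunk at @@ -106,13 +106,13 @@ the new heading reads "**To turn on the TPM (TPM 1.2 Only)**" while the matching "turn off" heading in the next hunk reads "(TPM 1.2 only)"; use one capitalization, and the lowercase form fits the page's other headings. The added sentence "This option is only available with TPM 1.2 and does not apply to TPM 2.0." is correct, but the paragraph it is appended to still tells every reader they "can do so by using the TPM MMC"; say plainly that on a TPM 2.0 system the **Turn TPM On** / **Turn TPM Off** actions are not offered, so a TPM 2.0 reader is not sent to tpm.msc looking for a button the hunk says does not apply.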
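Review bot: in the PATCH 2/5 hunk at @@ -16,12 +16,14 @@ ("## About the TPM Owner Password"), 'OSManagedAuthLevel' is a REG_DWORD value under the key HKLM\Software\Policies\Microsoft\TPM, not a key in its own right, and the hunk never says what 2 and 4 mean; the policy setting that writes this value calls 2 "Delegated" and 4 "Full", so name that policy and those meanings rather than telling admins to hand-edit a key under Policies that Group Policy will rewrite. The recommendation sentence is also ambiguous: "Microsoft strongly recommends that you do not change the default value of this registry key in order to retain the Owner Password" reads as "leave it alone, so that you retain the password", the opposite of the intent; suggest "Microsoft strongly recommends against changing this default in order to retain the owner password". Finally, deleting "The TPM owner password can be saved as a file on a removable storage device, or on another computer. The password can also be printed." removes the only explanation of where a saved password comes from, yet the "To change the TPM owner password" procedure later on this page still asks the reader to supply a saved password; keep that sentence, qualified with "when OSManagedAuthLevel is set to 4".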
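Review bot: the sentence the PATCH 2/5 hunk at @@ -39,6 +41,8 @@ adds above step 1, "If you have opted specifically to preserve the TPM Owner Password, you can use the saved Password to change to a new Password.", covers only the non-default case. The first hunk of the same patch says the default (OSManagedAuthLevel 2) discards the password, so a reader on a default Windows 10, version 1607 system reaches step 3 ("select a method to enter your current TPM owner password") with nothing to enter. State up front that without a retained password this procedure does not apply and point to the "Other TPM management options" list above it. Also lowercase "Password" in the middle of the sentence, as PATCH 3/5 later does.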
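Review bot: in the PATCH 3/5 hunk at @@ -16,14 +16,14 @@, "Starting with Windows 10, version 1607 , Windows" has a stray space before the comma. Two sentences carried over from PATCH 2/5 also conflict with the new default described two lines earlier: "Ownership can change when you share the password" presumes there is a password to share, which there is not once it has been "set to a random high entropy value and then discarded"; and "Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot" reads as if ownership is retaken at every boot, whereas the passage describes it happening when the TPM is provisioned. Suggest "is performed by Windows when it provisions the TPM" and "Ownership can change if you retained the owner password and share it, or if you clear the TPM". Lastly, "you can still perform all the preceding actions by means of a physical presence confirmation from UEFI" should exclude enable and disable on TPM 2.0, which PATCH 1/5 in this same series says do not apply there.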
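Review bot: the PATCH 4/5 hunk at @@ -33,7 +33,7 @@ changes only whitespace (the double space before "This option is only available for TPM 1.2." that PATCH 2/5 introduced), but its message, "I changed anniversary to Windows 10 version 1607 ... I changed owner password to lower case", describes the edits that actually live in PATCH 3/5. Either squash this whitespace fix into PATCH 2/5 so the double space never lands, or make the message describe what this hunk does.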
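Review bot: the PATCH 5/5 hunk at @@ -106,7 +106,7 @@ likewise removes only the double space after "does not apply to TPM 2.0." that PATCH 1/5 added to the same line; squash it into PATCH 1/5 rather than carrying a whitespace-only commit through the series.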