deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 11:23:45 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into vs-10202987

Browse Source
This commit is contained in:
LizRoss
2017-01-06 14:57:48 -08:00
parent d57caba8e6 0d756a2785
commit 3dc9420566
32 changed files with 651 additions and 1596 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
windows/keep-secure/TOC.md
View File

@ -696,16 +696,16 @@
##### [Smart Cards Debugging Information](smart-card-debugging-information.md)
##### [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md)
##### [Smart Card Events](smart-card-events.md)
### [Trusted Platform Module](trusted-platform-module-overview.md)
### [Trusted Platform Module](trusted-platform-module-top-node.md)
#### [Trusted Platform Module Overview](trusted-platform-module-overview.md)
#### [TPM fundamentals](tpm-fundamentals.md)
#### [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
#### [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md)
#### [Backup the TPM recovery Information to AD DS](backup-tpm-recovery-information-to-ad-ds.md)
#### [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md)
#### [Manage TPM commands](manage-tpm-commands.md)
#### [Manage TPM lockout](manage-tpm-lockout.md)
#### [Change the TPM owner password](change-the-tpm-owner-password.md)
#### [Initialize and configure ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md)
#### [Switch PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md)
#### [View status, clear, or troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md)
#### [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md)
#### [TPM recommendations](tpm-recommendations.md)
### [User Account Control](user-account-control-overview.md)
#### [How User Account Control works](how-user-account-control-works.md)

288
windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md
View File

@ -1,289 +1,5 @@
---
title: AD DS schema extensions to support TPM backup (Windows 10)
description: This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization.
ms.assetid: beb7097c-e674-4eab-b8e2-6f67c85d1f3f
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
title: AD DS schema extensions to support TPM backup
redirect_url: https://technet.microsoft.com/library/jj635854.aspx
---
# AD DS schema extensions to support TPM backup
**Applies to**
- Windows 10, version 1511
- Windows 10, version 1507
**Does not apply to**
- Windows 10, version 1607 or later
This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization.
## Why a schema extension is needed
The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schema. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012, you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8. The following are the two schema extensions that you can use to bring your Windows Server 2008 R2 domain to parity with Windows Server 2012:
### <a href="" id="tpmschemaextension-ldf-"></a>TpmSchemaExtension.ldf
This schema extension brings parity with the Windows Server 2012 schema and is required if you want to store the TPM owner authorization value for a computer running Windows 8 in a Windows Server 2008 R2 AD DS domain. With this extension the TPM owner authorization information will be stored in a separate TPM object linked to the corresponding computer object.
``` syntax
#===============================================================================
#
# Active Directory Domain Services schema extension for
# BitLocker Drive Encryption and Trusted Platform Module (TPM) recovery
#
# This file contains attributes and class objects that enable Windows Server
# 2008 and Windows Server 2008 R2 domain controllers to store TPM recovery
# information in a new, TPM-specific location.
#
# Change History:
# 07/2010 - Created
#
# To extend the schema, use the LDIFDE tool on the schema master of the forest.
#
# Sample command:
# ldifde -i -v -f TPMSchemaExtension.ldf -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j .
#
# For more information on LDIFDE tool, see
# http://support.microsoft.com/default.aspx?scid=kb;en-us;237677
#
#===============================================================================
#===============================================================================
# New schema attributes
#===============================================================================
#
# ms-TPM-Srk-Pub-Thumbprint
# GUID: 19d706eb-4d76-44a2-85d6-1c342be3be37
#
dn: CN=ms-TPM-Srk-Pub-Thumbprint,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msTPM-SrkPubThumbprint
adminDisplayName: TPM-SrkPubThumbprint
adminDescription: This attribute contains the thumbprint of the SrkPub corresponding to a particular TPM. This helps to index the TPM devices in the directory.
attributeId: 1.2.840.113556.1.4.2107
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 11
schemaIdGuid:: 6wbXGXZNokSF1hw0K+O+Nw==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: FALSE
rangeUpper: 20
#
# ms-TPM-Owner-Information-Temp
# GUID: c894809d-b513-4ff8-8811-f4f43f5ac7bc
#
dn: CN=ms-TPM-Owner-Information-Temp,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msTPM-OwnerInformationTemp
adminDisplayName: TPM-OwnerInformationTemp
adminDescription: This attribute contains temporary owner information for a particular TPM.
attributeId: 1.2.840.113556.1.4.2108
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 640
rangeUpper: 128
schemaIdGuid:: nYCUyBO1+E+IEfT0P1rHvA==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: FALSE
#
# ms-TPM-Tpm-Information-For-Computer
# GUID: ea1b7b93-5e48-46d5-bc6c-4df4fda78a35
#
dn: CN=ms-TPM-Tpm-Information-For-Computer,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msTPM-TpmInformationForComputer
adminDisplayName: TPM-TpmInformationForComputer
adminDescription: This attribute links a Computer object to a TPM object.
attributeId: 1.2.840.113556.1.4.2109
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: TRUE
searchFlags: 16
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: k3sb6khe1Ua8bE30/aeKNQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: FALSE
linkId: 2182
#
# ms-TPM-TpmInformation-For-Computer-BL
# GUID: 14fa84c9-8ecd-4348-bc91-6d3ced472ab7
#
dn: CN=ms-TPM-Tpm-Information-For-Computer-BL,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msTPM-TpmInformationForComputerBL
adminDisplayName: TPM-TpmInformationForComputerBL
adminDescription: This attribute links a TPM object to the Computer objects associated with it.
attributeId: 1.2.840.113556.1.4.2110
attributeSyntax: 2.5.5.1
omSyntax: 127
isSingleValued: FALSE
searchFlags: 0
omObjectClass:: KwwCh3McAIVK
schemaIdGuid:: yYT6FM2OSEO8kW087Ucqtw==
showInAdvancedViewOnly: TRUE
systemOnly: TRUE
linkId: 2183
#
# Commit the new attributes
#
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
#
# Modify the Computer schema to support the TPM link
#
dn: CN=computer,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: msTPM-TpmInformationForComputer
-
#
# Commit the modification to the computer class
#
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
#===============================================================================
# New schema classes
#===============================================================================
#
# ms-TPM-Information-Objects-Container
# GUID: e027a8bd-6456-45de-90a3-38593877ee74
#
dn: CN=ms-TPM-Information-Objects-Container,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: msTPM-InformationObjectsContainer
adminDisplayName: TPM-InformationObjectsContainer
adminDescription: Container for TPM objects.
governsID: 1.2.840.113556.1.5.276
objectClassCategory: 1
subClassOf: top
systemMustContain: cn
systemPossSuperiors: domain
systemPossSuperiors: domainDNS
schemaIdGUID:: vagn4FZk3kWQozhZOHfudA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;LOLCCCRP;;;DC)
defaultHidingValue: TRUE
defaultObjectCategory: CN=ms-TPM-Information-Objects-Container,CN=Schema,CN=Configuration,DC=X
#
# ms-TPM-Information-Object
# GUID: 85045b6a-47a6-4243-a7cc-6890701f662c
#
# NOTE: If the 'defaultSecurityDescriptor' value below is changed,
# also change the other '.ldf' files in this directory, as appropriate.
#
dn: CN=ms-TPM-Information-Object,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: msTPM-InformationObject
adminDisplayName: TPM-InformationObject
adminDescription: This class contains recovery information for a Trusted Platform Module (TPM) device.
governsID: 1.2.840.113556.1.5.275
objectClassCategory: 1
subClassOf: top
systemMustContain: msTPM-OwnerInformation
systemMayContain: msTPM-SrkPubThumbprint
systemMayContain: msTPM-OwnerInformationTemp
systemPossSuperiors: 1.2.840.113556.1.5.276
schemaIdGUID:: alsEhaZHQ0KnzGiQcB9mLA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLO;;;DC)(A;;WP;;;CO)
defaultHidingValue: TRUE
defaultObjectCategory: CN=ms-TPM-Information-Object,CN=Schema,CN=Configuration,DC=X
#
# NOTE: If the 'defaultSecurityDescriptor' value above is changed,
# also change the other '.ldf' files in this directory, as appropriate.
#
#
# Commit the new TPM object class
#
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
#===============================================================================
# New objects
#===============================================================================
#
# Add the TPM container to its location in the directory
#
dn: CN=TPM Devices,DC=X
changetype: add
objectClass: msTPM-InformationObjectsContainer
```
You should be aware that only the Computer object that has created the TPM object can update it. This means that any subsequent updates to the TPM objects will not succeed in dual boot scenarios or scenarios where the computer is reimaged resulting in a new AD computer object being created. If you are planning to support such scenarios, you will need to update the schema further as shown in the schema extension example, TpmSchemaExtensionACLChanges.ldf.
### TpmSchemaExtensionACLChanges.ldf
This schema update modifies the ACLs on the TPM object to be less restrictive so that any subsequent operating system which takes ownership of the computer object can update the owner authorization value in AD DS.
> **Important**  After implementing this schema update, any computer in the domain can update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth). When using this extension, perform a regular backup of the TPM objects and enable auditing to track the changes for these objects.
 
``` syntax
#===============================================================================
#
# Active Directory Domain Services schema extension for
# BitLocker Drive Encryption and Trusted Platform Module (TPM) recovery
#
# This file modifies a class object that enables Windows Server 2008
# and Windows Server 2008 R2 domain controllers to store TPM recovery
# information in a new, TPM-specific location.
#
# This file converts the standard schema extension in which only the creator
# of an 'ms-TPM-Information-Object' can write to the object to the Open
# schema extension in which any Domain Computer can write to the object.
#
# This conversion does not apply to any 'ms-TPM-Information-Object' that
# was created before the conversion.
#
# Change History:
# 12/2011 - Created
#
# To change the schema, use the LDIFDE tool on the schema master of the forest.
#
# Sample command:
# ldifde -i -v -f TpmSchemaExtensionACLChanges.ldf
# -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j .
#
# For more information on LDIFDE tool, see
# http://support.microsoft.com/default.aspx?scid=kb;en-us;237677
#
#===============================================================================
#
# Modify the TPM-Information-Object class schema 'defaultSecurityDescriptor' to
# allow any Domain Computer to write its properties (including the TPM OwnerAuth
# value) from allowing only the creating Computer object to write its properties
#
# NOTE: Keep any changes to the 'defaultSecurityDescriptor' value in synchronization
# with the value in the TPM-Information-Object class description in the
# 'TpmSchemaExtension.ldf' file
#
dn: CN=ms-TPM-Information-Object,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPLO;;;DC)
-
#
# Commit the modification to the TPM-Information-Object schema
#
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
```
 
 

553
windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
View File

@ -1,6 +1,6 @@
---
title: Backup the TPM recovery Information to AD DS (Windows 10)
description: This topic for the IT professional describes how to back up a computers Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer.
title: Back up the TPM recovery information to AD DS (Windows 10)
description: This topic for the IT professional describes backup of Trusted Platform Module (TPM) information.
ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5
ms.prod: w10
ms.mktglfcycl: deploy
@ -9,556 +9,19 @@ ms.pagetype: security
author: brianlic-msft
---
# Backup the TPM recovery Information to AD DS
# Back up the TPM recovery information to AD DS
**Applies to**
- Windows 10, version 1511
- Windows 10, version 1507
**Does not apply to**
- Windows 10, version 1607 or later
This topic for the IT professional describes how to back up a computers Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer.
- Windows 10, version 1607 or later
## About administering TPM remotely
With Windows 10, versions 1511 and 1507, you can back up a computers Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](https://technet.microsoft.com/library/dn466534(v=ws.11).aspx).
Backing up the TPM owner information for a computer allows administrators in a domain to remotely configure the TPM security hardware on the local computer. For example, administrators might want to reset the TPM to the manufacturers defaults when they decommission or repurpose computers, without having to be present at the computer.
## Related topics
You can use AD DS to store TPM owner information for use in recovery situations where the TPM owner has forgotten the password or where you must take control of the TPM. There is only one TPM owner password per computer; therefore, the hash of the TPM owner password can be stored as an attribute of the computer object in AD DS. The attribute has the common name (CN) of **ms-TPM-OwnerInformation**.
> **Note:**  The TPM owner authorization value is stored in AD DS, and it is present in a TPM owner password file as a SHA-1 hash of the TPM owner password, which is base 64encoded. The actual owner password is not stored.
 
Domain controllers running Windows Server 2012 R2 or Windows Server 2012 include the required AD DS schema objects by default. However, if your domain controller is running Windows Server 2008 R2, you need to update the schema as described in [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
This topic contains procedures, some of which are dependent on Visual Basic scripts, to recover TPM information and decommission TPM on remote computers. Sample scripts are available, which you can customize to meet the requirements of your environment.
In this topic:
1. [Check status of prerequisites](#bkmk-prereqs)
2. [Set permissions to back up password information](#bkmk-setperms)
3. [Configure Group Policy to back up TPM recovery information in AD DS](#bkmk-configuregp)
4. [Use AD DS to recover TPM information](#bkmk-useit)
5. [Sample scripts](#bkmk-adds-tpm-scripts)
## <a href="" id="bkmk-prereqs"></a>Check status of prerequisites
Before you begin your backup, ensure that the following prerequisites are met:
1. All domain controllers that are accessible by client computers that will be using TPM services are running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 with the updated schema.
> **Tip:**  For more info about the schema extensions that are required for a TPM backup in Active Directory domains that are running Windows Server 2008 R2, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
 
2. You have domain administrator rights in the target forest, or you are using an account that has been granted appropriate permissions to extend the schema for the target forest. Members of the Enterprise Admins or Schema Admins groups are examples of accounts that have the appropriate permissions.
## <a href="" id="bkmk-setperms"></a>Set permissions to back up password information
This procedure uses the sample script [Add-TPMSelfWriteACE.vbs](#bkmk-add-tpmselfwriteace) to add an access control entry (ACE) so that backing up TPM recovery information is possible. A client computer cannot back up TPM owner information until this ACE is added.
This script is run on the domain controller that you will use to administer the TPM recovery information, and it operates under the following assumptions:
- You have domain administrator credentials to set permissions for the top-level domain object.
- Your target domain is the same as the domain for the user account that is running the script. For example, running the script as TESTDOMAIN\\admin will extend permissions for TESTDOMAIN.
> **Note:**  You might need to modify the sample script if you want to set permissions for multiple domains, but you do not have domain administrator accounts for each of those domains. Find the variable **strPathToDomain** in the script, and modify it for your target domain, for example:
`LDAP://DC=testdomain,DC=nttest,DC=microsoft,DC=com`
 
- Your domain is configured so that permissions are inherited from the top-level domain object to targeted computer objects.
Permissions will not take effect if any container in the hierarchy does not allow inherited permissions. By default, permissions inheritance is set in AD DS. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permissions.
You can then verify your configuration as described later in this topic. Or you can click the **Effective Permissions** button while viewing the properties of a computer object, then check that **Self** is approved to write the **msTPM-OwnerInformation** attribute.
**To add an ACE to allow TPM recovery information backup**
1. Open the sample script **Add-TPMSelfWriteACE.vbs**.
The script contains a permission extension, and you must modify the value of **strPathToDomain** by using your domain name.
2. Save your modifications to the script.
3. Type the following at a command prompt, and then press ENTER:
**cscript Add-TPMSelfWriteACE.vbs**
This script adds a single ACE to the top-level domain object. The ACE is an inheritable permission that allows the computer (SELF) to write to the **ms-TPM-OwnerInformation** attribute for computer objects in the domain.
Complete the following procedure to check that the correct permissions are set and to remove TPM and BitLocker ACEs from the top-level domain, if necessary.
**Manage ACEs configured on TPM schema objects**
1. Open the sample script **List-ACEs.vbs**.
2. Modify **List-ACEs.vbs**.
You must modify:
- Value of **strPathToDomain**: Use your domain name.
- Filter options: The script sets a filter to address BitLocker and TPM schema objects, so you must modify **If IsFilterActive ()** if you want to list or remove other schema objects.
3. Save your modifications to the script.
4. Type the following at a command prompt, and then press ENTER:
**cscript List-ACEs.vbs**
With this script you can optionally remove ACEs from BitLocker and TPM schema objects on the top-level domain.
## <a href="" id="bkmk-configuregp"></a>Configure Group Policy to back up TPM recovery information in AD DS
Use these procedures to configure the [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-addsbu) policy setting on a local computer. In a production environment, an efficient way to do this is to create or edit a Group Policy Object (GPO) that can target client computers in the domain.
**To enable local policy setting to back up TPM recovery information to AD DS**
1. Sign in to a domain-joined computer by using a domain account that is a member of the local Administrators group.
2. Open the Local Group Policy Editor (gpedit.msc), and in the console tree, navigate to **Computer Configuration\\Administrative Templates\\System**.
3. Click **Trusted Platform Module Services**.
4. Double-click **Turn on TPM backup to Active Directory Domain Services**.
5. Click **Enabled**, and then click **OK**.
> **Important:**  When this setting is enabled, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup of the TPM recovery information succeeds.
 
## <a href="" id="bkmk-useit"></a>Use AD DS to recover TPM information
When you need to recover the TPM owner information from AD DS and use it to manage the TPM, you need to read the **ms-TPM-OwnerInformation** object from AD DS, and then manually create a TPM owner password backup file that can be supplied when TPM owner credentials are required.
**To obtain TPM owner backup information from AD DS and create a password file**
1. Sign in to a domain controller by using domain administrator credentials.
2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#bkmk-get-tpmownerinfo), to a location on your computer.
3. Open a Command Prompt window, and change the default location to the location of the sample script files you saved in the previous step.
4. At the command prompt, type **cscript Get-TPMOwnerInfo.vbs**.
The expected output is a string that is the hash of the password that you created earlier.
> **Note:**  If you receive the error message, "Active Directory: The directory property cannot be found in the cache," verify that you are using a domain administrator account, which is required to read the **ms-TPM-OwnerInformation** attribute.
The only exception to this requirement is that if users are the Creator Owner of computer objects that they join to the domain, they can possibly read the TPM owner information for their computer objects.
 
5. Open Notepad or another text editor, and copy the following code sample into the file, and replace *TpmOwnerPasswordHash* with the string that you recorded in the previous step.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!--
This page is a backup of Trusted Platform Module (TPM) owner
authorization information. Upon request, use the authorization information to
prove ownership of the computer's TPM.
IMPORTANT: Please keep this file in a secure location away from your computer's
local hard drive.
-->
<tpmOwnerData version="1.0" softwareAuthor="Microsoft Windows [Version 6.1.7600]" creationDate="2009-11-11T14:39:29-08:00" creationUser="DOMAIN\username" machineName="mymachine">
                <tpmInfo manufacturerId="1096043852"/>
                <ownerAuth>TpmOwnerPasswordHash</ownerAuth>
</tpmOwnerData>
```
6. Save this file with a .tpm extension on a removable storage device, such as a USB flash drive. When you access the TPM, and you are required to provide the TPM owner password, choose the option for reading the password from a file and provide the path to this file.
## <a href="" id="bkmk-adds-tpm-scripts"></a>Sample scripts
You can use all or portions of the following sample scripts, which are used in the preceding procedures, to configure AD DS for backing up TPM recovery information. Customization is required depending on how your environment is configured.
- [Add-TPMSelfWriteACE.vbs: Use to add the access control entry (ACE) for the TPM to AD DS](#bkmk-add-tpmselfwriteace)
- [List-ACEs.vbs: Use to list or remove the ACEs that are configured on BitLocker and TPM schema objects](#bkmk-list-aces)
- [Get-TPMOwnerInfo.vbs: Use to retrieve the TPM recovery information from AD DS for a particular computer](#bkmk-get-tpmownerinfo)
### <a href="" id="bkmk-add-tpmselfwriteace"></a>Add-TPMSelfWriteACE.vbs
This script adds the access control entry (ACE) for the TPM to AD DS so that the computer can back up TPM recovery information in AD DS.
``` syntax
'===============================================================================
'
' This script demonstrates the addition of an Access Control Entry (ACE)
' to allow computers to write Trusted Platform Module (TPM)
' recovery information to Active Directory.
'
' This script creates a SELF ACE on the top-level domain object, and
' assumes that inheritance of ACL's from the top-level domain object to
' down-level computer objects are enabled.
'
'
'
' Last Updated: 12/05/2012
' Last Reviewed: 12/05/2012
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
' Version 1.0.2 - Tested and re-released for Windows 8 and Windows Server 2012
'
'===============================================================================
' --------------------------------------------------------------------------------
' Access Control Entry (ACE) constants
' --------------------------------------------------------------------------------
'- From the ADS_ACETYPE_ENUM enumeration
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5 'Allows an object to do something
'- From the ADS_ACEFLAG_ENUM enumeration
Const ADS_ACEFLAG_INHERIT_ACE = &H2 'ACE can be inherited to child objects
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8 'ACE does NOT apply to target (parent) object
'- From the ADS_RIGHTS_ENUM enumeration
Const ADS_RIGHT_DS_WRITE_PROP = &H20 'The right to write object properties
Const ADS_RIGHT_DS_CREATE_CHILD = &H1 'The right to create child objects
'- From the ADS_FLAGTYPE_ENUM enumeration
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1 'Target object type is present in the ACE
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2 'Target inherited object type is present in the ACE
' --------------------------------------------------------------------------------
' TPM and FVE schema object GUID's
' --------------------------------------------------------------------------------
'- ms-TPM-OwnerInformation attribute
SCHEMA_GUID_MS_TPM_OWNERINFORMATION = "{AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}"
'- ms-FVE-RecoveryInformation object
SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION = "{EA715D30-8F53-40D0-BD1E-6109186D782C}"
'- Computer object
SCHEMA_GUID_COMPUTER = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"
'Reference: "Platform SDK: Active Directory Schema"
' --------------------------------------------------------------------------------
' Set up the ACE to allow write of TPM owner information
' --------------------------------------------------------------------------------
Set objAce1 = createObject("AccessControlEntry")
objAce1.AceFlags = ADS_ACEFLAG_INHERIT_ACE + ADS_ACEFLAG_INHERIT_ONLY_ACE
objAce1.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce1.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT + ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
objAce1.Trustee = "SELF"
objAce1.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objAce1.ObjectType = SCHEMA_GUID_MS_TPM_OWNERINFORMATION
objAce1.InheritedObjectType = SCHEMA_GUID_COMPUTER
' --------------------------------------------------------------------------------
' NOTE: BY default, the "SELF" computer account can create
' BitLocker recovery information objects and write BitLocker recovery properties
'
' No additional ACE's are needed.
' --------------------------------------------------------------------------------
' --------------------------------------------------------------------------------
' Connect to Discretional ACL (DACL) for domain object
' --------------------------------------------------------------------------------
Set objRootLDAP = GetObject("LDAP://rootDSE")
strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com
Set objDomain = GetObject(strPathToDomain)
WScript.Echo "Accessing object: " + objDomain.Get("distinguishedName")
Set objDescriptor = objDomain.Get("ntSecurityDescriptor")
Set objDacl = objDescriptor.DiscretionaryAcl
' --------------------------------------------------------------------------------
' Add the ACEs to the Discretionary ACL (DACL) and set the DACL
' --------------------------------------------------------------------------------
objDacl.AddAce objAce1
objDescriptor.DiscretionaryAcl = objDacl
objDomain.Put "ntSecurityDescriptor", Array(objDescriptor)
objDomain.SetInfo
WScript.Echo "SUCCESS!"
```
### <a href="" id="bkmk-list-aces"></a>List-ACEs.vbs
This script lists or removes the ACEs that are configured on BitLocker and TPM schema objects for the top-level domain. This enables you to verify that the expected ACEs have been added appropriately or to remove any ACEs that are related to BitLocker or the TPM, if necessary.
``` syntax
'===============================================================================
'
' This script lists the access control entries (ACE's) configured on
' Trusted Platform Module (TPM) and BitLocker Drive Encryption (BDE) schema objects
' for the top-level domain.
'
' You can use this script to check that the correct permissions have been set and
' to remove TPM and BitLocker ACE's from the top-level domain.
'
'
' Last Updated: 12/05/2012
' Last Reviewed: 12/02/2012
'
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
' Version 1.0.2 - Tested and re-released for Windows 8 and Windows Server 2012
'
'===============================================================================
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
Sub ShowUsage
Wscript.Echo "USAGE: List-ACEs"
Wscript.Echo "List access permissions for BitLocker and TPM schema objects"
Wscript.Echo ""
Wscript.Echo "USAGE: List-ACEs -remove"
Wscript.Echo "Removes access permissions for BitLocker and TPM schema objects"
WScript.Quit
End Sub
' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------
Set args = WScript.Arguments
Select Case args.Count
Case 0
' do nothing - checks for ACE's
removeACE = False
Case 1
If args(0) = "/?" Or args(0) = "-?" Then
ShowUsage
Else
If UCase(args(0)) = "-REMOVE" Then
removeACE = True
End If
End If
Case Else
ShowUsage
End Select
' --------------------------------------------------------------------------------
' Configuration of the filter to show/remove only ACE's for BDE and TPM objects
' --------------------------------------------------------------------------------
'- ms-TPM-OwnerInformation attribute
SCHEMA_GUID_MS_TPM_OWNERINFORMATION = "{AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}"
'- ms-FVE-RecoveryInformation object
SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION = "{EA715D30-8F53-40D0-BD1E-6109186D782C}"
' Use this filter to list/remove only ACEs related to TPM and BitLocker
aceGuidFilter = Array(SCHEMA_GUID_MS_TPM_OWNERINFORMATION, _
SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION)
' Note to script source reader:
' Uncomment the following line to turn off the filter and list all ACEs
'aceGuidFilter = Array()
' --------------------------------------------------------------------------------
' Helper functions related to the list filter for listing or removing ACE's
' --------------------------------------------------------------------------------
Function IsFilterActive()
If Join(aceGuidFilter) = "" Then
IsFilterActive = False
Else
IsFilterActive = True
End If
End Function
Function isAceWithinFilter(ace)
aceWithinFilter = False ' assume first not pass the filter
For Each guid In aceGuidFilter
If ace.ObjectType = guid Or ace.InheritedObjectType = guid Then
isAceWithinFilter = True
End If
Next
End Function
Sub displayFilter
For Each guid In aceGuidFilter
WScript.echo guid
Next
End Sub
' --------------------------------------------------------------------------------
' Connect to Discretional ACL (DACL) for domain object
' --------------------------------------------------------------------------------
Set objRootLDAP = GetObject("LDAP://rootDSE")
strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. dc=fabrikam,dc=com
Set domain = GetObject(strPathToDomain)
WScript.Echo "Accessing object: " + domain.Get("distinguishedName")
WScript.Echo ""
Set descriptor = domain.Get("ntSecurityDescriptor")
Set dacl = descriptor.DiscretionaryAcl
' --------------------------------------------------------------------------------
' Show Access Control Entries (ACE's)
' --------------------------------------------------------------------------------
' Loop through the existing ACEs, including all ACEs if the filter is not active
i = 1 ' global index
c = 0 ' found count - relevant if filter is active
For Each ace In dacl
If IsFilterActive() = False or isAceWithinFilter(ace) = True Then
' note to script source reader:
' echo i to show the index of the ACE
WScript.echo "> AceFlags: " & ace.AceFlags
WScript.echo "> AceType: " & ace.AceType
WScript.echo "> Flags: " & ace.Flags
WScript.echo "> AccessMask: " & ace.AccessMask
WScript.echo "> ObjectType: " & ace.ObjectType
WScript.echo "> InheritedObjectType: " & ace.InheritedObjectType
WScript.echo "> Trustee: " & ace.Trustee
WScript.echo ""
if IsFilterActive() = True Then
c = c + 1
' optionally include this ACE in removal list if configured
' note that the filter being active is a requirement since we don't
' want to accidentally remove all ACEs
If removeACE = True Then
dacl.RemoveAce ace
End If
end if
End If
i = i + 1
Next
' Display number of ACEs found
If IsFilterActive() = True Then
WScript.echo c & " ACE(s) found in " & domain.Get("distinguishedName") _
& " related to BitLocker and TPM" 'note to script source reader: change this line if you configure your own
filter
' note to script source reader:
' uncomment the following lines if you configure your own filter
'WScript.echo ""
'WScript.echo "The following filter was active: "
'displayFilter
'Wscript.echo ""
Else
i = i - 1
WScript.echo i & " total ACE(s) found in " & domain.Get("distinguishedName")
End If
' --------------------------------------------------------------------------------
' Optionally remove ACE's on a filtered list
' --------------------------------------------------------------------------------
if removeACE = True and IsFilterActive() = True then
descriptor.DiscretionaryAcl = dacl
domain.Put "ntSecurityDescriptor", Array(descriptor)
domain.setInfo
WScript.echo c & " ACE(s) removed from " & domain.Get("distinguishedName")
else
if removeACE = True then
WScript.echo "You must specify a filter to remove ACEs from " & domain.Get("distinguishedName")
end if
end if
```
### <a href="" id="bkmk-get-tpmownerinfo"></a>Get-TPMOwnerInfo.vbs
This script retrieves TPM recovery information from AD DS for a particular computer so that you can verify that only domain administrators (or delegated roles) can read backed up TPM recovery information and verify that the information is being backed up correctly.
``` syntax
'=================================================================================
'
' This script demonstrates the retrieval of Trusted Platform Module (TPM)
' recovery information from Active Directory for a particular computer.
'
' It returns the TPM owner information stored as an attribute of a
' computer object.
'
' Last Updated: 12/05/2012
' Last Reviewed: 12/05/2012
'
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
' Version 1.0 - Initial release
' Version 1.1 - Updated GetStrPathToComputer to search the global catalog.
' Version 1.1.2 - Tested and re-released for Windows 8 and Windows Server 2012
'
'=================================================================================
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
Sub ShowUsage
Wscript.Echo "USAGE: Get-TpmOwnerInfo [Optional Computer Name]"
Wscript.Echo "If no computer name is specified, the local computer is assumed."
WScript.Quit
End Sub
' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------
Set args = WScript.Arguments
Select Case args.Count
Case 0
' Get the name of the local computer
Set objNetwork = CreateObject("WScript.Network")
strComputerName = objNetwork.ComputerName
Case 1
If args(0) = "/?" Or args(0) = "-?" Then
ShowUsage
Else
strComputerName = args(0)
End If
Case Else
ShowUsage
End Select
' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------
Function GetStrPathToComputer(strComputerName)
' Uses the global catalog to find the computer in the forest
' Search also includes deleted computers in the tombstone
Set objRootLDAP = GetObject("LDAP://rootDSE")
namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com
strBase = "<GC://" & namingContext & ">"
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOOBject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
strFilter = "(&(objectCategory=Computer)(cn=" & strComputerName & "))"
strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 100
objCommand.Properties("Cache Results") = False
' Enumerate all objects found.
Set objRecordSet = objCommand.Execute
If objRecordSet.EOF Then
WScript.echo "The computer name '" & strComputerName & "' cannot be found."
WScript.Quit 1
End If
' Found object matching name
Do Until objRecordSet.EOF
dnFound = objRecordSet.Fields("distinguishedName")
GetStrPathToComputer = "LDAP://" & dnFound
objRecordSet.MoveNext
Loop
' Clean up.
Set objConnection = Nothing
Set objCommand = Nothing
Set objRecordSet = Nothing
End Function
' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------
Set objDSO = GetObject("LDAP:")
strPath = GetStrPathToComputer(strComputerName)
WScript.Echo "Accessing object: " + strPath
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80
Set objComputer = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)
' --------------------------------------------------------------------------------
' Get the TPM owner information from the Active Directory computer object
' --------------------------------------------------------------------------------
strOwnerInformation = objComputer.Get("msTPM-OwnerInformation")
WScript.echo "msTPM-OwnerInformation: " + strOwnerInformation
```
## Additional resources
- [Trusted Platform Module technology overview](trusted-platform-module-overview.md)
- [TPM fundamentals](tpm-fundamentals.md)
- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
- [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md)
- [Prepare your organization for BitLocker: Planning and Policies](http://technet.microsoft.com/library/jj592683.aspx), see TPM considerations
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)

1
windows/keep-secure/bitlocker-group-policy-settings.md
View File

@ -1509,7 +1509,6 @@ If the **Require BitLocker backup to AD DS** option is not selected, AD DS bac
TPM initialization might be needed during the BitLocker setup. Enable the **Turn on TPM backup to Active Directory Domain Services** policy setting in **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services** to ensure that TPM information is also backed up.
For more information about this setting, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md).
If you are using domain controllers running Windows Server 2003 with Service Pack 1, you must first set up appropriate schema extensions and access control settings on the domain before a backup to AD DS can succeed. For more info, see [Backup the TPM recovery Information to AD DS](backup-tpm-recovery-information-to-ad-ds.md).
### <a href="" id="bkmk-rec4"></a>Choose default folder for recovery password

45
windows/keep-secure/change-the-tpm-owner-password.md
View File

@ -12,52 +12,35 @@ author: brianlic-msft
# Change the TPM owner password
**Applies to**
- Windows 10
- Windows 10, version 1511
- Windows 10, version 1507
This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
## About the TPM owner password
Starting with Windows 10, version 1607 , Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.
In order to retain the TPM owner password, you will need to set the registry key 'HKLM\Software\Policies\Microsoft\TPM' [REG_DWORD] 'OSManagedAuthLevel' to 4. The default value for this key is 2, and unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved. Microsoft strongly recommends that you do not change the default value of this registry key in order to retain the owner password.
Starting with Windows 10, version 1607, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.
Only one owner password exists for each TPM. The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. The TPM owner password also allows manipulation of the TPM dictionary attack logic. Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it.
> [!IMPORTANT]
> Although the TPM owner password is not retained starting with Windows 10, version 1607, you can change a default registry key to retain it. However, we strongly recommend that you do not make this change. To retain the TPM owner password, set the registry key 'HKLM\\Software\\Policies\\Microsoft\\TPM' \[REG\_DWORD\] 'OSManagedAuthLevel' to 4. The default value for this key is 2, and unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved.
Only one owner password exists for each TPM. The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. The TPM owner password also allows manipulation of the TPM dictionary attack logic. Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it.
Without the owner password you can still perform all the preceding actions by means of a physical presence confirmation from UEFI.
**Other TPM management options**
### Other TPM management options
Instead of changing your owner password, you can also use the following options to manage your TPM:
- **Clear the TPM**   If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#bkmk-clear1).
- **Clear the TPM**   If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
>**Important:**  Clearing the TPM can result in the loss of data. To avoid data loss, make sure you have a backup or recovery method for any data protected or encrypted by the TPM.
 
- **Turn off the TPM**   If you want to keep all existing keys and data intact, and you want to disable the services that are provided by the TPM, you can turn it off. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#bkmk-onoff). This option is only available for TPM 1.2.
- **Turn off the TPM**   With TPM 1.2 and Windows 10, versions 1507 and 1511, you can turn off the TPM. Do this if you want to keep all existing keys and data intact and disable the services that are provided by the TPM. For more info, see [Turn off the TPM](initialize-and-configure-ownership-of-the-tpm.md#turn-off-the-tpm).
## Change the TPM owner password
The following procedure provides the steps that are necessary to change the TPM owner password.
With Windows 10, version 1507 or 1511, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password.
**To change the TPM owner password**
If you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password.
1. Open the TPM MMC (tpm.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
2. In the **Actions** pane, click **Change Owner Password**.
3. In the **Manage the TPM security hardware** dialog box, select a method to enter your current TPM owner password.
- If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, use **Browse** to navigate to the .tpm file that is saved on your removable storage device. Click **Open**, and then click **Create New Password**.
- If you do not have the removable storage device with your saved password, click **I want to enter the owner password**. In the **Type your TPM owner password** dialog box, enter your password (including hyphens), and click **Create New Password**.
4. On the **Create the TPM owner password** page, select a method for creating a new TPM owner password.
1. Click **Automatically create the password** to have a new owner password generated for you.
2. Click **Manually create the password** if you want to specify a password.
>**Note:**  The TPM owner password must have a minimum of eight characters.
 
5. After the new password is created, you can choose **Save the password** to save the password in a password backup file on a removable storage device or **Print the password** to print a copy of the password for later reference.
6. Click **Change password** to apply the new owner password to the TPM.
To change to a new TPM owner password, in TPM.msc, click **Change Owner Password**, and follow the instructions. You will be prompted to provide the owner password file or to type the password. Then you can create a new password, either automatically or manually, and save the password in a file or as a printout.
## Use the TPM cmdlets
@ -66,6 +49,6 @@ If you are using Windows PowerShell to manage your computers, you can also manag
For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
## Additional resources
## Related topics
For more info about TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md#bkmk-additionalresources).
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)

196
windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
View File

@ -1,6 +1,6 @@
---
title: Initialize and configure ownership of the TPM (Windows 10)
description: This topic for the IT professional describes how to initialize and set the ownership the Trusted Platform Module (TPM), turn the TPM on and off, and clear TPM keys.
title: View status, clear, or troubleshoot the TPM (Windows 10)
description: This topic for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM).
ms.assetid: 1166efaf-7aa3-4420-9279-435d9c6ac6f8
ms.prod: w10
ms.mktglfcycl: deploy
@ -9,156 +9,146 @@ ms.pagetype: security
author: brianlic-msft
---
# Initialize and configure ownership of the TPM
# View status, clear, or troubleshoot the TPM
**Applies to**
- Windows 10
- Windows Server 2016
This topic for the IT professional describes how to initialize and set the ownership the Trusted Platform Module (TPM), turn the TPM on and off, and clear TPM keys. It also explains how to troubleshoot issues that you might encounter as a result of using these procedures.
This topic for the IT professional describes actions you can take through the Trusted Platform Module (TPM) snap-in, **TPM.msc**:
## <a href="" id="bkmk-init"></a>About TPM initialization and ownership
- [View the status of the TPM](#view-the-status-of-the-tpm)
The TPM must be initialized and ownership must be taken before it can be used to help secure your computer. The owner of the TPM is the user who possesses the owner password and is able to set it and change it. Only one owner password exists per TPM. The owner of the TPM can make full use of TPM capabilities. Taking ownership of the TPM can be done as part of the initialization process.
- [Troubleshoot TPM initialization](#troubleshoot-tpm-initialization)
When you start the TPM Initialization Wizard, which is accessed through the TPM Microsoft Management Console (MMC), you can determine whether the computer's TPM has been initialized. You can also view the TPM properties.
- [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm)
This topic contains procedures for the following tasks:
With TPM 1.2 and Windows 10, version 1507 or 1511, you can also take the following actions:
- [Initialize the TPM and set ownership](#bkmk-initializetpm)
- [Troubleshoot TPM initialization](#bkmk-troubleshootinit)
- [Turn on or turn off the TPM](#bkmk-onoff)
- [Clear all the keys from the TPM](#bkmk-clear1)
- [Use the TPM cmdlets](#bkmk-tpmcmdlets)
- [Turn on or turn off the TPM](#turn-on-or-turn-off)
## <a href="" id="bkmk-initializetpm"></a>Initialize the TPM and set ownership
This topic also provides information about [using the TPM cmdlets](#use-the-tpm-cmdlets).
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. In addition, the computer must be equipped with a Trusted Computing Group-compliant BIOS.
## About TPM initialization and ownership
**To start the TPM Initialization Wizard**
Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you would initialize the TPM and create an owner password. Therefore, with Windows 10, in most cases, we recommend that you avoid configuring the TPM through **TPM.msc**. The one exception is that in certain circumstances you might use **TPM.msc** to clear the TPM. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic.
1. Open the TPM Management console (tpm.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
2. On the **Action** menu, click **Initialize TPM** to start the TPM Initialization Wizard.
3. If the TPM has never been initialized or is turned off, the TPM Initialization Wizard displays the **Turn on the TPM security hardware** dialog box. This dialog box provides guidance for initializing or turning on the TPM. Follow the instructions in the wizard.
## View the status of the TPM
>**Note:** If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the **To set ownership of the TPM** procedure.
 
>**Note:**  If the TPM Initialization Wizard detects that you do not have a compatible BIOS, you cannot continue with the TPM Initialization Wizard, and you are alerted to consult the computer manufacturer's documentation for instructions to initialize the TPM.
 
4. Click **Restart**.
5. Follow the BIOS screen prompts. An acceptance prompt is displayed to ensure that a user has physical access to the computer and that no malicious software is attempting to turn on the TPM.
>**Note:**  BIOS screen prompts and the required keystrokes vary by computer manufacturer.
 
6. After the computer restarts, sign in to the computer with the same administrative credentials that you used to start this procedure.
7. The TPM Initialization Wizard automatically restarts. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
8. Continue with the next procedure to take ownership of the TPM.
To view the status of the TPM, open the TPM Management console (TPM.msc). In the center pane, find the **Status** box.
To finish initializing the TPM for use, you must set an owner for the TPM. The process of taking ownership includes creating an owner password for the TPM.
In most cases, the status will be **Ready**. If the status is ready but “**with reduced functionality**,” see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic.
**To set ownership of the TPM**
If the status is **Not ready**, you can try the steps in [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic. If this does not bring it to a **Ready** state, contact the manufacturer, and see the troubleshooting suggestions in the next section.
1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure **To start the TPM Initialization Wizard**.
2. In the **Create the TPM owner password** dialog box, click **Automatically create the password (recommended)**.
3. In the **Save your TPM owner password** dialog box, click **Save the password**.
4. In the **Save As** dialog box, select a location to save the password, and then click **Save**. The password file is saved as *computer\_name.tpm*.
## Troubleshoot TPM initialization
>**Important:**  We highly recommend saving the TPM owner password to a removable storage device and storing it in a safe location.
 
5. Click **Print the password** if you want to print a copy of your password.
>**Important:**  We highly recommend printing a copy of your TPM owner password and storing it in a safe location.
 
6. Click **Initialize**.
>**Note:**  The process of initializing the TPM might take a few minutes to complete.
 
7. Click **Close**.
>**Caution:**  Do not lose your password. If you do, you will be unable to make administrative changes unless you clear the TPM, which can result in data loss.
 
## <a href="" id="bkmk-troubleshootinit"></a>Troubleshoot TPM initialization
If you find that Windows is not able to initialize the TPM automatically, review the following information:
Managing the Trusted Platform Module (TPM) is usually a straightforward procedure. If are unable to complete the initialization procedure, review the following information:
- You can try clearing the TPM to the factory default values and allowing Windows to re-initialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic.
- If the TPM is not detected by Windows, verify that your computer hardware contains a Trusted Computing Group-compliant BIOS. Ensure that no BIOS settings have been used to hide the TPM from the operating system.
- If you are attempting to initialize the TPM as part of the BitLocker setup, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM is not present on the computer. If you have a non-Microsoft driver installed, remove it and then try to initialize the TPM. The following table lists the three standard TPM drivers that are provided by Microsoft.
- If the TPM is a TPM 2.0 and is not detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM has not been disabled or hidden from the operating system.
| Driver name | Manufacturer |
| - | - |
| Trusted Platform Module 1.2 | (Standard)|
| Broadcom Trusted Platform Module (A1), v1.2 | Broadcom|
| Broadcom Trusted Platform Module (A2), v1.2 | Broadcom|
 
- If the TPM has been previously initialized and you do not have the owner password, you may have to clear or reset the TPM to the factory default values. For more information, see [Clear all the keys from the TPM](#bkmk-clear1).
> **Caution:**  Clearing the TPM can result in data loss. To avoid data loss, make sure that you have a backup or recovery method for any data that is protected or encrypted by the TPM.
 
Because your TPM security hardware is a physical part of your computer, you may want to read the manuals or instructions that came with your computer, or search the manufacturer's website.
- If you have TPM 1.2 with Windows 10, version 1507 or 1511, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it is turned back on, Windows will re-initialize it.
**Network connection**
- If you are attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM is not present on the computer. If you have a non-Microsoft driver installed, remove it and then allow the operating system to initialize the TPM.
You cannot complete the initialization of the Trusted Platform Module (TPM) when your computer is disconnected from your organization's network if either of the following conditions exist:
### Troubleshoot network connection issues for Windows 10, versions 1507 and 1511
If you have Windows 10, version 1507 or 1511, the initialization of the TPM cannot complete when your computer has network connection issues and both of the following conditions exist:
- An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through Group Policy.
- A domain controller cannot be reached. This can occur on a computer that is currently disconnected from the network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter).
In either case, an error message appears, and you cannot complete the initialization process. To avoid this issue, initialize the TPM while you are connected to the corporate network and you can contact a domain controller.
If these issues occur, an error message appears, and you cannot complete the initialization process. To avoid this issue, allow Windows to initialize the TPM while you are connected to the corporate network and you can contact a domain controller.
**Systems with multiple TPMs**
### Troubleshoot systems with multiple TPMs
Some systems may have multiple TPMs and the active TPM may be toggled in the BIOS. Windows 10 does not support this behavior. If you switch TPMs, functionality that depends on the TPM will not work with the new TPM unless it is cleared and put through provisioning. Performing this clear may cause data loss, in particular of keys and certificates associated with the previous TPM. For example, toggling TPMs will cause Bitlocker to enter recovery mode. It is strongly recommended that, on systems with two TPMs, one TPM is selected to be used and the selection is not changed.
Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows 10 does not support this behavior. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic.
## <a href="" id="bkmk-onoff"></a>Turn on or turn off the TPM
For example, toggling TPMs will cause BitLocker to enter recovery mode. We strongly recommend that, on systems with two TPMs, one TPM is selected to be used and the selection is not changed.
Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. This option is only available with TPM 1.2 and does not apply to TPM 2.0.
## Clear all the keys from the TPM
### <a href="" id="turn-on-the-tpm-"></a>Turn on the TPM
With Windows 10, in most cases, we recommend that you avoid configuring the TPM through TPM.msc. The one exception is that you can use TPM.msc to clear the TPM, for example, as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, for example, attestation. However, even if the TPM is not cleared before a new operating system is installed, most TPM functionality will probably work correctly.
If the TPM has been initialized but has never been used, or if you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM.
Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows 10 operating system will automatically re-initialize it and take ownership again.
**To turn on the TPM (TPM 1.2 Only)**
> [!WARNING]
> Clearing the TPM can result in data loss. For more information, see the next section, “Precautions to take before clearing the TPM.”
1. Open the TPM MMC (tpm.msc).
2. In the **Action** pane, click **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page.
3. Click **Shutdown** (or **Restart**), and then follow the BIOS screen prompts.
There are several ways to clear the TPM:
After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software is not attempting to make changes to the TPM.
- **Clear the TPM as part of a complete reset of the computer**: You might want to remove all files from the computer and completely reset it, for example, in preparation for a clean installation. To do this, we recommend that you use the **Reset** option in **Settings**. When you perform a reset and use the **Remove everything** option, it will clear the TPM as part of the reset. You might be prompted to press a key before the TPM can be cleared. For more information, see the “Reset this PC” section in [Recovery options in Windows 10](https://support.microsoft.com/en-us/help/12415/windows-10-recovery-options).
### <a href="" id="turn-off-the-tpm-"></a>Turn off the TPM
- **Clear the TPM to fix “reduced functionality” or “Not ready” TPM status**: If you open TPM.msc and see that the TPM status is something other than **Ready**, you can can try using TPM.msc to clear the TPM and fix the status. However, be sure to review the precautions in the next section.
If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. If you have the TPM owner password, physical access to the computer is not required to turn off the TPM. If you do not have the TPM owner password, you must have physical access to the
computer to turn off the TPM.
### Precautions to take before clearing the TPM
**To turn off the TPM (TPM 1.2 only)**
Clearing the TPM can result in data loss. To protect against such loss, review the following precautions:
1. Open the TPM MMC (tpm.msc).
2. In the **Action** pane, click **Turn TPM Off** to display the **Turn off the TPM security hardware** page.
3. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM:
- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a login PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM.
- If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, click **Browse** to locate the .tpm file that is saved on your removable storage device, click **Open**, and then click **Turn TPM Off**.
- If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**.
- If you do not know your TPM owner password, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent BIOS screens to turn off the TPM without entering the password.
- Do not clear the TPM on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator.
## <a href="" id="bkmk-clear1"></a>Clear all the keys from the TPM
- If you want to temporarily suspend TPM operations and you have TPM 1.2 with Windows 10, version 1507 or 1511, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm), later in this topic.
Clearing the TPM resets it to an unowned state. After clearing the TPM, you need to complete the TPM initialization process before using software that relies on the TPM, such as BitLocker Drive Encryption. By default, the TPM is initialized automatically.
- Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Do not clear the TPM directly from UEFI.
>**Important:**  Clearing the TPM can result in data loss. To avoid data loss, make sure that you have a backup or recovery method for any data that is protected or encrypted by the TPM.
 
After the TPM is cleared, it is also turned off.
To temporarily suspend TPM operations, turn off the TPM instead of clearing it.
- Because your TPM security hardware is a physical part of your computer, before clearing the TPM, you might want to read the manuals or instructions that came with your computer, or search the manufacturer's website.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
**To clear the TPM**
1. Open the TPM MMC (tpm.msc).
2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
3. Under **Actions**, click **Clear TPM**.
>**Warning:**  If the TPM is off, reinitialize it before clearing it.
Clearing the TPM resets it to factory defaults and turns it off. You will lose all created keys and data that is protected by those keys.
 
4. You will be prompted to restart the computer. During the restart, you will be prompted by the BIOS or UEFI to press a button to confirm you wish to clear the TPM.
## <a href="" id="bkmk-tpmcmdlets"></a>Use the TPM cmdlets
2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
3. Under **Actions**, click **Clear TPM**.
4. You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM.
5. After the PC restarts, your TPM will be automatically prepared for use by Windows 10.
## <a href="" id="turn-on-or-turn-off"></a>Turn on or turn off the TPM (TPM 1.2 with Windows 10, version 1507 or 1511)
Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.
### Turn on the TPM
If you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM.
**To turn on the TPM (TPM 1.2 with Windows 10, version 1507 or 1511 only)**
1. Open the TPM MMC (tpm.msc).
2. In the **Action** pane, click **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page.
3. Click **Shutdown** (or **Restart**), and then follow the UEFI screen prompts.
After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software is not attempting to make changes to the TPM.
### Turn off the TPM
If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM.
**To turn off the TPM (TPM 1.2 with Windows 10, version 1507 or 1511 only)**
1. Open the TPM MMC (tpm.msc).
2. In the **Action** pane, click **Turn TPM Off** to display the **Turn off the TPM security hardware** page.
3. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM:
- If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, click **Browse** to locate the .tpm file that is saved on your removable storage device, click **Open**, and then click **Turn TPM Off**.
- If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**.
- If you did not save your TPM owner password or no longer know it, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
## Use the TPM cmdlets
If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command:
@ -166,6 +156,6 @@ If you are using Windows PowerShell to manage your computers, you can also manag
For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
## Additional resources
## Related topics
For more info about TPM, see [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md#bkmk-additionalresources).
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)

40
windows/keep-secure/manage-tpm-commands.md
View File

@ -13,44 +13,54 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
## <a href="" id="bkmk-commands1"></a>
After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands.
Domain administrators can configure a list of blocked TPM commands by using Group Policy. Local administrators cannot allow TPM commands that are blocked through Group Policy. For more information about this Group Policy setting, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-clbtc).
Domain administrators can configure a list of blocked TPM commands by using Group Policy. Local administrators cannot allow TPM commands that are blocked through Group Policy. For more information about this Group Policy setting, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#configure-the-list-of-blocked-tpm-commands).
Local administrators can block commands by using the TPM MMC, and commands on the default block list are also blocked unless the Group Policy settings are changed from the default settings.
Two policy settings control the enforcement which allows TPM commands to run. For more information about these policy settings, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-idlb).
Two policy settings control the enforcement which allows TPM commands to run. For more information about these policy settings, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#ignore-the-default-list-of-blocked-tpm-commands).
The following procedures describe how to manage the TPM command lists. You must be a member of the local Administrators group.
**To block TPM commands by using the Local Group Policy Editor**
1. Open the Local Group Policy Editor (gpedit.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
>**Note:**  Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS).
 
> [!NOTE]
> Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS).
2. In the console tree, under **Computer Configuration**, expand **Administrative Templates**, and then expand **System**.
3. Under **System**, click **Trusted Platform Module Services**.
4. In the details pane, double-click **Configure the list of blocked TPM commands**.
5. Click **Enabled**, and then click **Show**.
6. For each command that you want to block, click **Add**, enter the command number, and then click **OK**.
>**Note:**  For a list of commands, see the [Trusted Platform Module (TPM) Specifications](https://go.microsoft.com/fwlink/p/?linkid=139770).
 
> [!NOTE]
> For a list of commands, see links in the [TPM Specification](https://www.trustedcomputinggroup.org/tpm-main-specification/).
7. After you have added numbers for each command that you want to block, click **OK** twice.
8. Close the Local Group Policy Editor.
**To block or allow TPM commands by using the TPM MMC**
1. Open the TPM MMC (tpm.msc)
2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
3. In the console tree, click **Command Management**. A list of TPM commands is displayed.
4. In the list, select a command that you want to block or allow.
5. Under **Actions**, click **Block Selected Command** or **Allow Selected Command** as needed. If **Allow Selected Command** is unavailable, that command is currently blocked by Group Policy.
**To block new commands**
@ -60,17 +70,19 @@ The following procedures describe how to manage the TPM command lists. You must
If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
2. In the console tree, click **Command Management**. A list of TPM commands is displayed.
3. In the **Action** pane, click **Block New Command**. The **Block New Command** dialog box is displayed.
4. In the **Command Number** text box, type the number of the new command that you want to block, and then click **OK**. The command number you entered is added to the blocked list.
## <a href="" id="bkmk-tpmcmdlets"></a>Use the TPM cmdlets
## Use the TPM cmdlets
If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command:
`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets`
For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
## Additional resources
## Related topics
For more info about TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md#bkmk-additionalresources).
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)

48
windows/keep-secure/manage-tpm-lockout.md
View File

@ -12,10 +12,11 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
## <a href="" id="bkmk-lockout1"></a>About TPM lockout
## About TPM lockout
The TPM will lock itself to prevent tampering or malicious attacks. TPM lockout often lasts for a variable amount of time or until the computer is turned off. While the TPM is in lockout mode, it generally returns an error message when it receives commands that require an authorization value. One exception is that the TPM always allows the owner at least one attempt to reset the TPM lockout when it is in lockout mode.
@ -24,49 +25,58 @@ TPM ownership is taken upon first boot by Windows. By default, Windows does not
In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values.
**TPM 1.2**
The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. This can prevent them from using the TPM for a period of time.
**TPM 2.0**
TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 2 hours. This means that every continuous two hours of powered on operation without an event which increases the counter will cause the counter to decrease by 1.
If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owners authorization. This value is no longer retained by default starting with Windows 10 version 1607.
TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 2 hours. This means that every continuous two hours of powered on operation without an event which increases the counter will cause the counter to decrease by 1.
If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owners authorization. This value is no longer retained by default starting with Windows 10 version 1607.
## Reset the TPM lockout by using the TPM MMC
**Note:** This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password is not available in Windows 10 starting with version 1607.
The following procedure explains the steps to reset the TPM lockout by using the TPM MMC.
> [!NOTE]
> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password is not available in Windows 10 starting with version 1607.
The following procedure explains the steps to reset the TPM lockout by using the TPM MMC.
**To reset the TPM lockout**
1. Open the TPM MMC (tpm.msc).
2. In the **Action** pane, click **Reset TPM Lockout** to start the Reset TPM Lockout Wizard.
3. Choose one of the following methods to enter the TPM owner password:
- If you saved your TPM owner password to a .tpm file, click **I have the owner password file**, and then type the path to the file, or click **Browse** to navigate to the file location.
- If you want to manually enter your TPM owner password, click **I want to enter the owner password**, and then type the password in the text box provided.
>**Note:**  If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it.
 
2. In the **Action** pane, click **Reset TPM Lockout** to start the Reset TPM Lockout Wizard.
3. Choose one of the following methods to enter the TPM owner password:
- If you saved your TPM owner password to a .tpm file, click **I have the owner password file**, and then type the path to the file, or click **Browse** to navigate to the file location.
- If you want to manually enter your TPM owner password, click **I want to enter the owner password**, and then type the password in the text box provided.
> [!NOTE]
> If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it.
## Use Group Policy to manage TPM lockout settings
The TPM Group Policy settings in the following list are located at:
**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
- [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#bkmk-individual)
- [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#standard-user-lockout-duration)
This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for TPM commands that require authorization. An authorization failure occurs each time a user sends a command to the TPM and receives an error message that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, the user is prevented from sending commands to the TPM that require authorization.
- [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-suld)
- [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-individual-lockout-threshold)
This policy setting allows you to manage the maximum number of authorization failures for the TPM for each user. This value is the maximum number of authorization failures that each user can have before the user is not allowed to send commands to the TPM that require authorization. If the number of authorization failures equals the duration that is set for the policy setting, the user is prevented from sending commands to the TPM that require authorization.
- [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#bkmk-total)
- [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-total-lockout-threshold)
This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization.
For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#bkmk-howtpmmitigates).
For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#how-the-tpm-mitigates-dictionary-attacks).
## <a href="" id="bkmk-tpmcmdlets"></a>Use the TPM cmdlets
## Use the TPM cmdlets
If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command:
@ -74,6 +84,6 @@ If you are using Windows PowerShell to manage your computers, you can also manag
For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
## Additional resources
## Related topics
For more info about TPM, see [TPM technology overview](trusted-platform-module-overview.md#bkmk-additionalresources).
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)

17
windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md
View File

@ -97,22 +97,9 @@ The protection differences provided by multifactor authentication methods cannot
In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice, so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment.
### TPM states of existence
### TPM 1.2 states and initialization
For each of the TPM states of existence, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive.
| State | Description |
| - | - |
| Enabled| Most features of the TPM are available.<br/>The TPM may be enabled and disabled multiple times within a boot period, if ownership is taken.|
| Disabled | The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and to perform hashing and basic initialization.<br/>The TPM may be enabled and disabled multiple times within a boot period.|
| Activated| Most features of the TPM are available. The TPM may be activated and deactivated only through physical presence which requires a reboot.|
| Deactivated| Similar to disabled, with the exception that ownership can be taken while deactivated and enabled. The TPM may be activated and deactivated only through physical presence which requires a reboot.|
| Owned| Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.|
| Un-owned| The TPM does not have a storage root key and may or may not have an endorsement key.|
 
>**Important:**  BitLocker cannot use the TPM until it is in the following state: enabled, activated, and owned. When the TPM is in this state and only when it is in this state, all operations are available.
 
The state of the TPM exists independent of the computers operating system. Once the TPM is enabled, activated, and owned, the state of the TPM is preserved if the operating system is reinstalled.
For TPM 1.2, there are multiple possible states. Windows 10 automatically initializes the TPM, which brings it to an enabled, activated, and owned state. This is the state that BitLocker requires before it can use the TPM.
### Endorsement keys

18
windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md
View File

@ -1,6 +1,6 @@
---
title: Switch PCR banks on TPM 2.0 devices (Windows 10)
description: A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties.
title: Understanding PCR banks on TPM 2.0 devices (Windows 10)
description: This topic for the IT professional provides background about what happens when you switch PCR banks on TPM 2.0 devices.
ms.assetid: 743FCCCB-99A9-4636-8F48-9ECB3A3D10DE
ms.prod: w10
ms.mktglfcycl: deploy
@ -9,10 +9,13 @@ ms.pagetype: security
author: brianlic-msft
---
# Switch PCR banks on TPM 2.0 devices
# Understanding PCR banks on TPM 2.0 devices
**Applies to**
- Windows 10
- Windows Server 2016
For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This topic provides background about what happens when you switch PCR banks on TPM 2.0 devices.
A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes the size of a SHA-1 digest. Multiple PCRs associated with the same hashing algorithm are referred to as a PCR bank.
@ -21,7 +24,7 @@ PCR\[N\] = HASHalg( PCR\[N\] || ArgumentOfExtend )
The existing value is concatenated with the argument of the TPM Extend operation. The resulting concatenation is then used as input to the associated hashing algorithm, which computes a digest of the input. This computed digest becomes the new value of the PCR.
The [TCG PC Client Specific Platform TPM Profile for TPM 2.0](https://go.microsoft.com/fwlink/p/?LinkId=746577) defines the inclusion of at least one PCR bank with 24 registers. The only way to reset the first 16 PCRs is to reset the TPM itself. This restriction helps ensure that the value of those PCRs can only be modified via the TPM Extend operation.
The [TCG PC Client Platform TPM Profile Specification](http://www.trustedcomputinggroup.org/pc-client-platform-tpm-profile-ptp-specification/) defines the inclusion of at least one PCR bank with 24 registers. The only way to reset the first 16 PCRs is to reset the TPM itself. This restriction helps ensure that the value of those PCRs can only be modified via the TPM Extend operation.
Some TPM PCRs are used as checksums of log events. The log events are extended in the TPM as the events occur. Later, an auditor can validate the logs by computing the expected PCR values from the log and comparing them to the PCR values of the TPM. Since the first 16 TPM PCRs cannot be modified arbitrarily, a match between an expected PCR value in that range and the actual TPM PCR value provides assurance of an unmodified log.
@ -29,8 +32,7 @@ Some TPM PCRs are used as checksums of log events. The log events are extended i
To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows 10 uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after.
It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using SHA-256 PCR banks, even with the
same system configuration otherwise, the PCR values will not match.
It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using SHA-256 PCR banks, even with the same system configuration. Otherwise, the PCR values will not match.
## What happens when PCR banks are switched?
@ -41,3 +43,7 @@ As a result, if the currently used PCR bank is switched all keys that have been
## What can I do to switch PCRs when BitLocker is already active?
Before switching PCR banks you should suspend or disable BitLocker or have your recovery key ready. For steps on how to switch PCR banks on your PC, you should contact your OEM or UEFI vendor.
## Related topics
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)

148
windows/keep-secure/tpm-fundamentals.md
View File

@ -13,6 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks.
@ -30,109 +31,65 @@ For info about which versions of Windows support which versions of the TPM, see
The following sections provide an overview of the technologies that support the TPM:
- [TPM-based Virtual Smart Card](#bkmk-vsc)
- [Measured Boot with support for attestation](#bkmk-measuredboot)
- [Automated provisioning and management of the TPM](#bkmk-autoprov)
- [TPM-based certificate storage](#bkmk-tpmcs)
- [Physical presence interface](#bkmk-physicalpresenceinterface)
- [TPM Cmdlets](#bkmk-tpmcmdlets)
- [TPM Owner Authorization Value](#bkmk-authvalue)
- [States of existence in a TPM](#bkmk-stateex)
- [Endorsement keys](#bkmk-endorsementkeys)
- [TPM Key Attestation](#bkmk-ketattestation)
- [How the TPM mitigates dictionary attacks](#bkmk-howtpmmitigates)
- [How do I check the state of my TPM?](#bkmk-checkstate)
- [What can I do if my TPM is in reduced functionality mode?](#bkmk-fixrfm)
- [Measured Boot with support for attestation](#measured-boot-with-support-for-attestation)
- [TPM-based Virtual Smart Card](#tpm-based-virtual-smart-card)
- [TPM-based certificate storage](#tpm-based-certificate-storage)
- [TPM Cmdlets](#tpm-cmdlets)
- [Physical presence interface](#physical-presence-interface)
- [TPM 1.2 states and initialization](#tpm-12-states-and-initialization)
- [Endorsement keys](#endorsement-keys)
- [TPM Key Attestation](#key-attestation)
- [How the TPM mitigates dictionary attacks](#how-the-tpm-mitigates-dictionary-attacks)
The following topic describes the TPM Services that can be controlled centrally by using Group Policy settings:
[Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md)
[TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
## <a href="" id="bkmk-autoprov"></a>Automated provisioning and management of the TPM
TPM provisioning can be streamlined to make it easier to deploy systems that are ready for BitLocker and other TPM-dependent features. These enhancements include simplifying the TPM state model to report **Ready**, **Ready with reduced functionality**, or **Not ready**. You can also automatically provision TPMs in the **Ready** state, remote provisioning to remove the requirement for the physical presence of a technician for the initial deployment. In addition, the TPM stack is available in the Windows Preinstallation Environment (Windows PE).
A number of management settings have been added for easier management and configuration of the TPM through Group Policy. The primary new settings include Active Directory-based backup of TPM owner authentication, the level of owner authentication that should be stored locally on the TPM, and the software-based TPM lockout settings for standard users. For more info about backing up owner authentication to Windows Server 2008 R2 AD DS domains, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
## <a href="" id="bkmk-measuredboot"></a>Measured Boot with support for attestation
## Measured Boot with support for attestation
The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can initiate remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate.
## <a href="" id="bkmk-vsc"></a>TPM-based Virtual Smart Card
## TPM-based Virtual Smart Card
The Virtual Smart Card emulates the functionality of traditional smart cards, but Virtual Smart Cards use the TPM chip that is available on an organizations computers, rather than requiring the use of a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a
The Virtual Smart Card emulates the functionality of traditional smart cards, but Virtual Smart Cards use the TPM chip that is available on an organizations computers, rather than requiring the use of a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a
Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user.
## <a href="" id="bkmk-tpmcs"></a>TPM-based certificate storage
## TPM-based certificate storage
The TPM can be used to protect certificates and RSA keys. The TPM key storage provider (KSP) provides easy, convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP can be used to generate keys when an organization enrolls for certificates, and the KSP is managed by templates in the UI. The TPM can also be used to protect certificates that are imported from an outside source. TPM-based certificates can be used exactly as standard certificates with the added functionality that the certificate can never leave the TPM from which the keys were generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx).
## <a href="" id="bkmk-authvalue"></a>TPM Owner Authorization Value
For Windows 8 a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object.
This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8.
If your computer is not being joined to a domain the TPM owner authorization value will be stored in the local computer registry. Using BitLocker to encrypt the operating system drive will protect the owner authorization value from being disclosed when the computer is at rest, but there is a risk that a malicious user could obtain the TPM owner authorization value when the computer is unlocked. Therefore, we recommend that in this situation you configure your computer to automatically lock after 30 seconds of inactivity. If automatic locking is not used, then you should consider removing full owner authorization from the computer registry.
**Registry information**
Registry key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\TPM
DWORD: OSManagedAuthLevel
| Value Data | Setting |
| - | - |
| 0 | None|
| 2 | Delegated|
| 4 | Full|
 
>**Note:**  If the operating system managed TPM authentication setting is changed from "Full" to "Delegated" the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value will be automatically backed up to AD DS when it is changed.
 
## <a href="" id="bkmk-tpmcmdlets"></a>TPM Cmdlets
## TPM Cmdlets
If you are using PowerShell to script and manage your computers, you can now manage the TPM using Windows PowerShell as well. To install the TPM cmdlets use the following command:
`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets`
For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
## <a href="" id="bkmk-physicalpresenceinterface"></a>Physical presence interface
For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
The TCG specifications for TPMs require physical presence to perform some TPM administrative functions, such as turning on and turning off the TPM. Physical presence means a person must physically interact with the system and the
TPM interface to confirm or reject changes to TPM status. This typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. Here are some are examples of TPM administrative tasks that require physical presence:
## Physical presence interface
- Activating the TPM
- Clearing the existing owner information from the TPM without the owners password
- Deactivating the TPM
- Disabling the TPM temporarily without the owners password
For TPM 1.2, the TCG specifications for TPMs require physical presence (typically, pressing a key) for turning the TPM on, turning it off, or clearing it. These actions typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them.
## <a href="" id="bkmk-stateex"></a>States of existence in a TPM
## TPM 1.2 states and initialization
For each of these TPM 1.2 states of existence, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive.
For TPM 1.2, there are multiple possible states. Windows 10 automatically initializes the TPM, which brings it to an enabled, activated, and owned state.
These states of existence do not apply for Trusted Platform Module 2.0 because it cannot be turned off from within the operating system environment.
## Endorsement keys
| State | Description |
| - | - |
| Enabled| Most features of the TPM are available.<br/>The TPM can be enabled and disabled multiple times within a boot period, if ownership is taken.|
| Disabled| The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and perform hashing and basic initialization.<br/>The TPM can be enabled and disabled multiple times within a start-up period. |
| Activated| Most features of the TPM are available. The TPM can be activated and deactivated only through physical presence, which requires a restart.|
| Deactivated| Similar to the disabled state, with the exception that ownership can be taken when the TPM is deactivated and enabled. The TPM can be activated and deactivated only through physical presence, which requires a restart.|
| Owned| Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.|
| Unowned| The TPM does not have a storage root key, and it may or may not have an endorsement key.|
 
>**Important:**  Applications cannot use the TPM until the state is enabled, activated, and owned. All operations are available only when the TPM is in this state.
 
The state of the TPM exists independently of the computers operating system. When the TPM is enabled, activated, and owned, the state of the TPM is preserved if the operating system is reinstalled.
For a TPM to be usable by a trusted application, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM.
## <a href="" id="bkmk-endorsementkeys"></a>Endorsement keys
For a TPM to be usable by a trusted application, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM. If the
TPM does not contain an endorsement key, the application might cause the TPM to generate one automatically as part of the setup.
An endorsement key can be created at various points in the TPMs lifecycle, but it needs to be created only once for the lifetime of the TPM. The existence of an endorsement key is a requirement before TPM ownership can be taken.
## <a href="" id="bkmk-ketattestation"></a>Key attestation
## Key attestation
TPM key attestation allows a certification authority to verify that a private key is actually protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys which have been proven valid can be used to bind the user identity to a device. Moreover, the user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM.
## <a href="" id="bkmk-howtpmmitigates"></a>How the TPM mitigates dictionary attacks
## How the TPM mitigates dictionary attacks
When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM can be used to create a cryptographic key that is not disclosed outside the TPM, but is able to be used in the TPM after the correct authorization value is provided.
@ -144,8 +101,9 @@ Because many entities can use the TPM, a single authorization success cannot res
TPM 2.0 has well defined dictionary attack logic behavior. This is in contrast to TPM 1.2 for which the dictionary attack logic was set by the manufacturer, and the logic varied widely throughout the industry.
>**Warning:**  For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions.
 
> [!WARNING]
> For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions.
For Windows 8 Certified Hardware systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.
@ -165,35 +123,15 @@ For example, when BitLocker is used with a TPM plus PIN configuration, it needs
The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:
Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPMs dictionary attack is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPMs dictionary attack is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements.
- Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements.
The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait two hours or use some other credential to sign in, such as a user name and password.
- The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait two hours or use some other credential to sign in, such as a user name and password.
## <a href="" id="bkmk-checkstate"></a>How do I check the state of my TPM?
## Related topics
You can check the state of the TPM on a PC by running the Trusted Platform Module snap-in (tpm.msc). The **Status** heading tells you the state of your TPM. The TPM can be in one of the following states: **Ready for use**, **Ready for use, with reduced functionality**, and **Not ready for use**. To take advantage of most of the TPM features in Windows 10, the TPM must be **Ready for use**.
## <a href="" id="bkmk-fixrfm"></a>What can I do if my TPM is in reduced functionality mode?
If your TPM is in reduced functionality mode, some features that rely on the TPM will not function correctly. This is most often caused by doing a clean installation of Windows 10 on a device where Windows 8.1, Windows 8, or Windows 7 had previously been installed on the same hardware. If your TPM is in reduced functionality mode, the Status heading in the Trusted Platform Module snap-in shows **The TPM is ready for use, with reduced functionality**.
You can fix this by clearing the TPM.
**To clear the TPM**
1. Open the Trusted Platform Module snap-in (tpm.msc).
2. Click **Clear TPM**, and then click **Restart.**
3. When the PC is restarting, you might be prompted to press a button on the keyboard to clear the TPM.
4. After the PC restarts, your TPM will be automatically prepared for use by Windows 10.
>**Note:**  Clearing the TPM causes you to lose all TPM keys and data protected by those keys, such as a virtual smart card. You should not perform this procedure on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator.
 
## Additional resources
- [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md)
- [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md)
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
- [Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients](ad-ds-schema-extensions-to-support-tpm-backup.md)
- [TPM WMI providers](https://go.microsoft.com/fwlink/p/?LinkId=93478)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx)
- [TPM WMI providers](https://msdn.microsoft.com/library/aa376476.aspx)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)

271
windows/keep-secure/tpm-recommendations.md
View File

@ -12,26 +12,21 @@ author: brianlic-msft
# TPM recommendations
**Applies to**
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows Server 2016
- Windows 10 IoT Core (IoT Core)
- Windows Server 2016
This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10.
## Overview
For a basic feature description of TPM, see the [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md).
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. It has a security-related crypto-processor that is designed to carry out cryptographic operations in a variety of devices and form factors. It includes multiple physical security mechanisms to help prevent malicious software from tampering with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
## TPM design and implementation
1. Generate, store, use, and protected cryptographic keys,
2. Use TPM technology for platform device authentication by using a unique endorsement key (EK), and
3. Help enhance platform integrity by taking and storing security measurements.
The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.
Traditionally, TPMs have been discrete chips soldered to a computers motherboard. Such implementations allow the computers original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platforms owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPMs features.
TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platforms owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM.
The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
@ -39,9 +34,6 @@ OEMs implement the TPM as a component in a trusted computing platform, such as a
The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not.
>**Note:**  Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
## TPM 1.2 vs. 2.0 comparison
From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM.
@ -51,16 +43,23 @@ From an industry standard, Microsoft has been an industry leader in moving and s
TPM 2.0 products and systems have important security advantages over TPM 1.2, including:
- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017.
- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms.
- TPM 2.0 supports SHA-256 as well as ECC, the latter being critical to drive signing and key generation performance.
- TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs do not support all algorithms.
- For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx).
- TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](http://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)).
- Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
- TPM 2.0 offers a more **consistent experience** across different implementations.
- TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
- TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
@ -69,22 +68,24 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
There are three implementation options for TPMs:
- Discrete TPM chip as a separate component in its own semiconductor package
- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components
- Discrete TPM chip as a separate component in its own semiconductor package
- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components
- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit
Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs.
Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs.
## Is there any importance for TPM for consumer?
## Is there any importance for TPM for consumers?
For end consumers, TPM is behind the scenes but is still very relevant. TPM is used for Windows Hello, Windows Hello for Business and in the future, will be a components of many other key security features in Windows. TPM secures the PIN, helps encrypt passwords, and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
For end consumers, TPM is behind the scenes but is still very relevant. TPM is used for Windows Hello, Windows Hello for Business and in the future, will be a component of many other key security features in Windows. TPM secures the PIN, helps encrypt passwords, and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
## TPM 2.0 Compliance for Windows 10
### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) page).
### IoT Core
- TPM is optional on IoT Core.
@ -95,212 +96,28 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is
## TPM and Windows Features
The following table defines which Windows features require TPM support. Some features are not applicable to Windows 7/8/8.1 and are noted accordingly.
The following table defines which Windows features require TPM support.
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Windows Features</th>
<th align="left">Windows 7/8/8.1 TPM 1.2</th>
<th align="left">Windows 10 TPM 1.2</th>
<th align="left">Windows 10 TPM 2.0</th>
<th align="left">Details</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Measured Boot</td>
<td align="left">Required</td>
<td align="left">Required</td>
<td align="left">Required</td>
<td align="left">Measured boot requires TPM 1.2 or 2.0 and UEFI Secure boot.</td>
</tr>
<tr class="even">
<td align="left">Bitlocker</td>
<td align="left">Required</td>
<td align="left">Required</td>
<td align="left">Required</td>
<td align="left">TPM 1.2 or later required or a removable USB memory device such as a flash drive.</td>
</tr>
<tr class="odd">
<td align="left">Passport: Domain AADJ Join</td>
<td align="left">n/a</td>
<td align="left">Required</td>
<td align="left">Required</td>
<td align="left">Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support.</td>
</tr>
<tr class="even">
<td align="left">Passport: MSA or Local Account</td>
<td align="left">n/a</td>
<td align="left">Required</td>
<td align="left">Required</td>
<td align="left">TPM 2.0 is required with HMAC and EK certificate for key attestation support.</td>
</tr>
<tr class="odd">
<td align="left">Device Encryption</td>
<td align="left">n/a</td>
<td align="left">Not Required</td>
<td align="left">Required</td>
<td align="left">TPM 2.0 is required for all InstantGo devices.</td>
</tr>
<tr class="even">
<td align="left">Device Guard / Configurable Code Integrity</td>
<td align="left">n/a</td>
<td align="left">Optional</td>
<td align="left">Optional</td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left">Credential Guard</td>
<td align="left">n/a</td>
<td align="left">Required</td>
<td align="left">Required</td>
<td align="left">For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM.</td>
</tr>
<tr class="even">
<td align="left">Device Health Attestation</td>
<td align="left">n/a</td>
<td align="left">Required</td>
<td align="left">Required</td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left">Windows Hello</td>
<td align="left">n/a</td>
<td align="left">Not Required</td>
<td align="left">Not Required</td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left">UEFI Secure Boot</td>
<td align="left">Not Required</td>
<td align="left">Not Required</td>
<td align="left">Not Required</td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left">Platform Key Storage provider</td>
<td align="left">n/a</td>
<td align="left">Required</td>
<td align="left">Required</td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left">Virtual Smart Card</td>
<td align="left">n/a</td>
<td align="left">Required</td>
<td align="left">Required</td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left">Certificate storage (TPM bound)</td>
<td align="left">n/a</td>
<td align="left">Required</td>
<td align="left">Required</td>
<td align="left"></td>
</tr>
</tbody>
</table>
 
## Chipset options for TPM 2.0
There is a vibrant ecosystem of TPM manufacturers.
### Discrete TPM
<table>
<colgroup>
<col width="100%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Supplier</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><ul>
<li>Infineon</li>
<li>Nuvoton</li>
<li>Atmel</li>
<li>NationZ</li>
<li>ST Micro</li>
</ul></td>
</tr>
</tbody>
</table>
 
### Integrated TPM
<table>
<colgroup>
<col width="100%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Supplier</th>
<th align="left">Chipset</th>
</tr>
</thead>
<tbody>
<tr class="even">
<td align="left">Intel</td>
<td align="left"><ul>
<li>Atom (CloverTrail)
<li>Baytrail</li>
<li>Braswell</li>
<li>4th generation Core (Haswell)</li>
<li>5th generation Core (Broadwell)</li>
<li>6th generation Core (Skylake)</li>
<li>7th generation Core (Kaby Lake)</li>
</ul></td>
</tr>
</tbody>
</table>
| Windows Features | Windows 10 TPM 1.2 | Windows 10 TPM 2.0 | Details |
|-------------------------|----------------------|----------------------|----------|
| Measured Boot | Required | Required | Measured boot requires TPM 1.2 or 2.0 and UEFI Secure boot. |
| Bitlocker | Required | Required | TPM 1.2 or later required or a removable USB memory device such as a flash drive. |
| Passport: Domain AADJ Join | Required | Required | Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support. |
| Passport: MSA or Local Account | Required | Required | TPM 2.0 is required with HMAC and EK certificate for key attestation support. |
| Device Encryption | Not Applicable | Required | TPM 2.0 is required for all InstantGo devices. |
| Device Guard / Configurable Code Integrity | See next column | Recommended | |
| Credential Guard | Required | Required | For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. |
| Device Health Attestation | Required | Required | |
| Windows Hello | Not Required | Recommended | |
| UEFI Secure Boot | Not Required | Recommended | |
| Platform Key Storage provider | Required | Required | |
| Virtual Smart Card | Required | Required | |
| Certificate storage (TPM bound) | Required | Required | |
## OEM Status on TPM 2.0 system availability and certified parts
### Firmware TPM
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Supplier</th>
<th align="left">Chipset</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">AMD</td>
<td align="left"><ul>
<li>Mullins</li>
<li>Beema</li>
<li>Carrizo</li>
</ul></td>
</tr>
<tr class="even">
<td align="left">Qualcomm</td>
<td align="left"><ul>
<li>MSM8994</li>
<li>MSM8992</li>
<li>MSM8952</li>
<li>MSM8909</li>
<li>MSM8208</li>
</ul></td>
</tr>
</tbody>
</table>
 
## OEM Feedback and Status on TPM 2.0 system availability
Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. For more information, contact your OEM or hardware vendor.
### Certified TPM parts
## Related topics
Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have completion certification.
### Windows 7 32-bit support
Even though Windows 7 shipped before the TPM 2.0 spec or products existed, Microsoft backported TPM 2.0 support to Windows 7 64-bit and released it in summer 2014 as a downloadable Windows hotfix for UEFI based Windows 7 systems. Microsoft is not currently planning to backport support to Windows 7 32-bit support.
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)

58
windows/keep-secure/trusted-platform-module-overview.md
View File

@ -1,6 +1,6 @@
---
title: Trusted Platform Module Technology Overview (Windows 10)
description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.
description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.assetid: face8932-b034-4319-86ac-db1163d46538
ms.prod: w10
ms.mktglfcycl: deploy
@ -14,64 +14,70 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.
This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
## <a href="" id="bkmk-over"></a>Feature description
## Feature description
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
- Generate, store, and limit the use of cryptographic keys.
- Use TPM technology for platform device authentication by using the TPMs unique RSA key, which is burned into itself.
- Help ensure platform integrity by taking and storing security measurements.
The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.
TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses.
Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the TCG Web site (<http://www.trustedcomputinggroup.org/developers/trusted_platform_module>).
Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/).
Windows can automatically provision and manage the TPM. Group Policy settings can be configured to control whether the TPM owner authorization value is backed up in Active Directory. Because the TPM state persists across operating system installations, TPM information is stored in a location in Active Directory that is separate from computer objects. Depending on an enterprises security goals, Group Policy can be configured to allow or prevent local administrators from resetting the TPMs dictionary attack logic. Standard users can use the TPM, but Group Policy controls limit how many authorization failures standard users can attempt so that one user is unable to prevent other users or the administrator from using the TPM. TPM technology can also be used as a virtual smart card and for secure certificate storage. With BitLocker Network Unlock, domain-joined computers are not prompted for a BitLocker PIN.
### Automatic initialization of the TPM with Windows 10
## <a href="" id="bkmk-app"></a>Practical applications
Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects.
## Practical applications
Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and cannot be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards.
Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process.
Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
The TPM has several Group Policy settings that can be used to manage how it is used. These settings can be used to manage the owner authorization value, the blocked TPM commands, the standard user lockout, and the backup of the TPM to AD DS. For more info, see [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
## <a href="" id="bkmk-new"></a>New and changed functionality
## New and changed functionality
For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](../whats-new/whats-new-windows-10-version-1507-and-1511.md#trusted-platform-module).
For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module).
## <a href="" id="bkmk-dha"></a>Device health attestation
## Device health attestation
Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
Some things that you can check on the device are:
- Is Data Execution Prevention supported and enabled?
- Is BitLocker Drive Encryption supported and enabled?
- Is SecureBoot supported and enabled?
>**Note:**  The device must be running Windows 10 and it must support at least TPM 2.0.
 
## <a href="" id="bkmk-supportedversions"></a>Supported versions
> [!NOTE]
> The device must be running Windows 10 and it must support at least TPM 2.0.
| TPM version | Windows 10 | Windows Server 2012 R2, Windows 8.1, and Windows RT | Windows Server 2012, Windows 8, and Windows RT | Windows Server 2008 R2 and Windows 7 |
| - | - | - | - | - |
| TPM 1.2| X| X| X| X|
| TPM 2.0| X| X| X| X|
## Supported versions
## <a href="" id="bkmk-additionalresources"></a>Additional Resources
| TPM version | Windows 10 | Windows Server 2016 |
|-------------|------------|---------------------|
| TPM 1.2 | X | X |
| TPM 2.0 | X | X |
- [TPM Fundamentals](tpm-fundamentals.md)
- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
- [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx)
 
 
## Related topics
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)

120
windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
View File

@ -13,103 +13,94 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
## <a href="" id="bkmk-version-table"></a>
The TPM Services Group Policy settings are located at:
**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
| Setting | Windows 10, version 1607 | Windows 10, version 1511 and Windows 10, version 1507 | Windows Server 2012 R2, Windows 8.1 and Windows RT | Windows Server 2012, Windows 8 and Windows RT | Windows Server 2008 R2 and Windows 7 | Windows Server 2008 and Windows Vista |
| - | - | - | - | - | - | - |
| [Turn on TPM backup to Active Directory Domain Services](#bkmk-tpmgp-addsbu) | | X| X| X| X| X|
| [Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc)| X| X| X| X| X| X|
| [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb) | X| X| X| X| X| X|
| [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) | X| X| X| X| X| X|
| [Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)| | X| X| X|||
| [Standard User Lockout Duration](#bkmk-tpmgp-suld)| X| X| X| X|||
| [Standard User Individual Lockout Threshold](#bkmk-individual)| X| X| X| X|||
| [Standard User Total Lockout Threshold](#bkmk-total)| X| X| X| X||||
| Setting | Windows 10, version 1607 and Windows Server 2016 | Windows 10, version 1511 and Windows 10, version 1507 |
|-----------------|--------------------------------------------------|-------------------------------------------------------|
| [Turn on TPM backup to Active Directory Domain Services](#turn-on-tpm-backup-to-active-directory-domain-services) | | X |
| [Configure the list of blocked TPM commands](#configure-the-list-of-blocked-tpm-commands) | X | X |
| [Ignore the default list of blocked TPM commands](#ignore-the-default-list-of-blocked-tpm-commands) | X | X |
| [Ignore the local list of blocked TPM commands](#ignore-the-local-list-of-blocked-tpm-commands) | X | X |
| [Configure the level of TPM owner authorization information available to the operating system](#configure-the-level-of-tpm-owner-authorization-information-available-to-the-operating-system) | X | X |
| [Standard User Lockout Duration](#standard-user-lockout-duration) | X | X |
| [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold) | X | X |
| [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold) | X | X |
### <a href="" id="bkmk-tpmgp-addsbu"></a>Turn on TPM backup to Active Directory Domain Services
### Turn on TPM backup to Active Directory Domain Services
This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of TPM owner information.
>[!NOTE]
>This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).
TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can be run only by the TPM owner. This hash authorizes the TPM to run these commands.
>[!IMPORTANT]
>To back up TPM owner information from a computer running Windows 10, version 1507, Windows 10, version 1511, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. For more information, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). This functionality is discontinued starting with Windows 10, version 1607.
> [!IMPORTANT]
> The **Turn on TPM backup to Active Directory Domain Services** is not available in the Windows 10, version 1607 and Windows Server 2016 and later versions of the ADMX files.
If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password. When this policy setting is enabled, a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds.
If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS.
>[!NOTE]
> The **Turn on TPM backup to Active Directory Domain Services** is not available in the Windows 10, version 1607 and Windows Server 2016 and later versions of the ADMX files.
### <a href="" id="bkmk-tpmgp-clbtc"></a>Configure the list of blocked TPM commands
### Configure the list of blocked TPM commands
This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows.
>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).
 
If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is **TPM\_OwnerReadInternalPub**, and command number 170 is **TPM\_FieldUpgrade**. To find the command number that is associated with each TPM command, at the command prompt, type **tpm.msc**to open the TPM Management Console and navigate to the **Command Management** section.
If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is **TPM\_OwnerReadInternalPub**, and command number 170 is **TPM\_FieldUpgrade**. To find the command number that is associated with each TPM command, at the command prompt, type **tpm.msc** to open the TPM Management Console and navigate to the **Command Management** section.
If you disable or do not configure this policy setting, only those TPM commands that are specified through the default or local lists can be blocked by Windows. The default list of blocked TPM commands is preconfigured by Windows.
- You can view the default list by typing **tpm.msc** at the command prompt, navigating to the **Command Management** section, and exposing the **On Default Block List** column.
- The local list of blocked TPM commands is configured outside of Group Policy by running the TPM Management Console or scripting using the **Win32\_Tpm** interface.
For information how to enforce or ignore the default and local lists of blocked TPM commands, see
- [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb)
- [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb)
- [Ignore the default list of blocked TPM commands](#ignore-the-default-list-of-blocked-tpm-commands)
### <a href="" id="bkmk-tpmgp-idlb"></a>Ignore the default list of blocked TPM commands
- [Ignore the local list of blocked TPM commands](#ignore-the-local-list-of-blocked-tpm-commands)
### Ignore the default list of blocked TPM commands
This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands.
>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).
 
The default list of blocked TPM commands is preconfigured by Windows. You can view the default list by typing **tpm.msc** at the command prompt to open the TPM Management Console, navigating to the **Command Management** section, and exposing the **On Default Block List** column. Also see the related policy setting, [Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc).
The default list of blocked TPM commands is preconfigured by Windows. You can view the default list by typing **tpm.msc** at the command prompt to open the TPM Management Console, navigating to the **Command Management** section, and exposing the **On Default Block List** column. Also see the related policy setting, [Configure the list of blocked TPM commands](#configure-the-list-of-blocked-tpm-commands).
If you enable this policy setting, the Windows operating system will ignore the computer's default list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the local list.
If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to the commands that are specified by Group Policy and the local list of blocked TPM commands.
### <a href="" id="bkmk-tpmgp-illb"></a>Ignore the local list of blocked TPM commands
### Ignore the local list of blocked TPM commands
This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands.
>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).
 
The local list of blocked TPM commands is configured outside of Group Policy by typing **tpm.msc** at the command prompt to open the TPM Management Console, or scripting using the **Win32\_Tpm** interface. (The default list of blocked TPM commands is preconfigured by Windows.) Also see the related policy setting to **Configure the list of blocked TPM commands**.
The local list of blocked TPM commands is configured outside of Group Policy by typing **tpm.msc** at the command prompt to open the TPM Management Console, or scripting using the **Win32\_Tpm** interface. (The default list of blocked TPM commands is preconfigured by Windows.) Also see the related policy setting, [Configure the list of blocked TPM commands](#configure-the-list-of-blocked-tpm-commands).
If you enable this policy setting, the Windows operating system will ignore the computer's local list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the default list.
If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands.
### <a href="" id="bkmk-tpmgp-oauthos"></a>Configure the level of TPM owner authorization information available to the operating system
### Configure the level of TPM owner authorization information available to the operating system
This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password.
>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).
 
> [!IMPORTANT]
> This policy setting is not available in the Windows 10, version 1607 and Windows Server 2016 and later versions of the ADMX files.
There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**.
- **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used.
- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows.
- **None**   This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications.
>**Note:**  If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid.
 
> [!NOTE]
> If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid.
**Registry information**
Registry key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\TPM
@ -118,43 +109,41 @@ DWORD: OSManagedAuthLevel
The following table shows the TPM owner authorization values in the registry.
| Value Data | Setting |
| - | - |
| 0 | None|
| 2 | Delegated|
| 4 | Full|
| Value Data | Setting |
|------------|-----------|
| 0 | None |
| 2 | Delegated |
| 4 | Full |
 
If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose.
If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not
If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not
configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry.
### <a href="" id="bkmk-tpmgp-suld"></a>Standard User Lockout Duration
### Standard User Lockout Duration
This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require
This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require
authorization to the TPM.
>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).
 
The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users (including administrators) and for Windows features such as BitLocker Drive Encryption.
This setting helps administrators prevent the TPM hardware from entering a lockout mode by slowing the speed at which standard users can send commands that require authorization to the TPM.
For each standard user, two thresholds apply. Exceeding either threshold prevents the user from sending a command that requires authorization to the TPM. Use the following policy settings to set the lockout duration:
- [Standard User Individual Lockout Threshold](#bkmk-individual)   This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM.
- [Standard User Total Lockout Threshold](#bkmk-total)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM.
- [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold)   This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM.
- [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM.
An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
If you do not configure this policy setting, a default value of 480 minutes (8 hours) is used.
### <a href="" id="bkmk-individual"></a>Standard User Individual Lockout Threshold
### Standard User Individual Lockout Threshold
This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. If the number of authorization failures for the user within the duration that is set for the **Standard User Lockout Duration** policy setting equals this value, the standard user is prevented from sending commands that require authorization to the Trusted Platform Module (TPM).
>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).
 
This setting helps administrators prevent the TPM hardware from entering a lockout mode by slowing the speed at which standard users can send commands that require authorization to the TPM.
An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored.
@ -163,29 +152,20 @@ An administrator with the TPM owner password can fully reset the TPM's hardware
If you do not configure this policy setting, a default value of 4 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure.
### <a href="" id="bkmk-total"></a>Standard User Total Lockout Threshold
### Standard User Total Lockout Threshold
This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration that is set for the **Standard User Lockout Duration** policy equals this value, all standard users are prevented from sending commands that require authorization to the Trusted Platform Module (TPM).
>**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).
 
This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM.
An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored.
For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization.
1. The standard user individual lockout value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM.
2. The standard user total lockout threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM.
The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users (including administrators) and for Windows features
such as BitLocker Drive Encryption..
An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
If you do not configure this policy setting, a default value of 9 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure.
## Additional resources
## Related topics
- [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md)
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)

33
windows/keep-secure/trusted-platform-module-top-node.md Normal file
View File

@ -0,0 +1,33 @@
---
title: Trusted Platform Module (Windows 10)
description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
# Trusted Platform Module
**Applies to**
- Windows 10
- Windows Server 2016
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. The following topics provide details.
<!-- The description for "Manage TPM lockout" might need updating-- the topic is being revised in December 2016 or January 2017. -->
| Topic | Description |
|-------|-------------|
| [Trusted Platform Module Overview](trusted-platform-module-overview.md) | Provides an overview of the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. |
| [TPM fundamentals](tpm-fundamentals.md) | Provides background about how a TPM can work with cryptographic keys. Also describes technologies that work with the TPM, such as TPM-based virtual smart cards. |
| [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) | Describes TPM services that can be controlled centrally by using Group Policy settings. |
| [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computers TPM information to Active Directory Domain Services. |
| [Manage TPM commands](manage-tpm-commands.md) | Describes methods by which a local or domain administrator can block or allow specific TPM commands. |
| [Manage TPM lockout](manage-tpm-lockout.md) | Describes how TPM lockout works (to help prevent tampering or malicious attacks), and outlines ways to work with TPM lockout settings. |
| [Change the TPM owner password](change-the-tpm-owner-password.md) | In most cases, applies to Windows 10, version 1511 and Windows 10, version 1507 only. Tells how to change the TPM owner password. |
| [View status, clear, or troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, describes how to turn the TPM on or off. |
| [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md) | Provides background about what happens when you switch PCR banks on TPM 2.0 devices. |
| [TPM recommendations](tpm-recommendations.md) | Discusses aspects of TPMs such as the difference between TPM 1.2 and 2.0, and the Windows 10 features for which a TPM is required or recommended. |