From e0c6d39e7f96548fab13dd7fac86f8e97c964334 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 22 Jun 2018 10:37:34 -0700 Subject: [PATCH 1/3] added default info --- ...-platform-module-services-group-policy-settings.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md index fe5000ea4f..142bab2ed6 100644 --- a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -52,7 +52,6 @@ This policy setting allows you to enforce or ignore the computer's local list of The local list of blocked TPM commands is configured outside of Group Policy by typing **tpm.msc** at the command prompt to open the TPM Management Console, or scripting using the **Win32\_Tpm** interface. (The default list of blocked TPM commands is preconfigured by Windows.) - If you enable this policy setting, the Windows operating system will ignore the computer's local list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the default list. If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands. @@ -65,9 +64,9 @@ This policy setting configures how much of the TPM owner authorization informati There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**. -- **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. +- **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0. -- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows. +- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1803. - **None**   This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications. @@ -88,8 +87,10 @@ The following table shows the TPM owner authorization values in the registry. | 2 | Delegated | | 4 | Full | -A value of 5 means discard the **Full** TPM owner authorization for TPM 1.2 but keep it for TPM 2.0. -  +Beginning with Windows 10 version 1803, the new default value for this setting is 5. This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration. +For TPM 2.0, a value of 5 means keep the lockout authorization. +For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. + If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose. If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not From 7e7674e48ce3e020a7e99fcf5993a53be6d94afc Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 22 Jun 2018 15:57:14 -0700 Subject: [PATCH 2/3] revised description for owner authorization --- ...m-module-services-group-policy-settings.md | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md index 142bab2ed6..7936b618c3 100644 --- a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 08/16/2017 +ms.date: 06/22/2018 --- # TPM Group Policy settings @@ -58,15 +58,22 @@ If you disable or do not configure this policy setting, Windows will block the T ## Configure the level of TPM owner authorization information available to the operating system -Beginning with Windows 10 version 1607 and Windows Server 2016, this policy setting is no longer used by Windows, but it continues to appear in GPEdit.msc for compatibility with previous versions. +>[!IMPORTANT] +>Beginning with Windows 10 version 1607 and Windows Server 2016, this policy setting is no longer used by Windows, but it continues to appear in GPEdit.msc for compatibility with previous versions. Beginning with Windows 10 version 1703, the default value is 5. This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration. For TPM 2.0, a value of 5 means keep the lockout authorization. For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. -This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password. +This policy setting configured which TPM authorization values are stored in the registry of the local computer. Certain authorization values are required in order to allow Windows to perform certain actions. + +|TPM 1.2 value | TPM 2.0 value | Purpose | Kept at level 0?| Kept at level 2?| Kept at level 4? | +|--------------|---------------|---------|-----------------|-----------------|------------------| +| OwnerAuthAdmin | StorageOwnerAuth | Create SRK | No | Yes | Yes | +| OwnerAuthEndorsement | EndorsementAuth | Create or use EK (1.2 only: Create AIK) | No | Yes | Yes | +| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | No | There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**. - **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0. -- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1803. +- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703. - **None**   This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications. @@ -87,13 +94,10 @@ The following table shows the TPM owner authorization values in the registry. | 2 | Delegated | | 4 | Full | -Beginning with Windows 10 version 1803, the new default value for this setting is 5. This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration. -For TPM 2.0, a value of 5 means keep the lockout authorization. -For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose. -If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not +On Windows 10 prior to version 1607, if you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. ## Standard User Lockout Duration From 751985fc28b382e0bf701ef0d9959e10adc1093d Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 29 Jun 2018 11:03:15 -0700 Subject: [PATCH 3/3] dates --- .../trusted-platform-module-services-group-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md index 7936b618c3..41d6404f4b 100644 --- a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 06/22/2018 +ms.date: 06/29/2018 --- # TPM Group Policy settings