mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 10:23:37 +00:00
Links: Windows (2021-03)
This commit is contained in:
David Coulter
@ -26,9 +26,9 @@ ms.date: 04/19/2017
|
||||
|
||||
- Windows 10, version 1607 or later
|
||||
|
||||
With Windows 10, versions 1511 and 1507, you can back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](https://technet.microsoft.com/library/dn466534(v=ws.11).aspx).
|
||||
With Windows 10, versions 1511 and 1507, you can back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)).
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
|
||||
- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
|
||||
- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
|
||||
@ -51,8 +51,8 @@ To change to a new TPM owner password, in TPM.msc, click **Change Owner Password
|
||||
|
||||
## Use the TPM cmdlets
|
||||
|
||||
You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule).
|
||||
You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule).
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
|
||||
@ -32,7 +32,7 @@ With TPM 1.2 and Windows 10, version 1507 or 1511, you can also take the followi
|
||||
|
||||
- [Turn on or turn off the TPM](#turn-on-or-turn-off)
|
||||
|
||||
For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/?view=win10-ps).
|
||||
For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps).
|
||||
|
||||
## About TPM initialization and ownership
|
||||
|
||||
@ -145,8 +145,8 @@ If you want to stop using the services that are provided by the TPM, you can use
|
||||
|
||||
## Use the TPM cmdlets
|
||||
|
||||
You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/?view=win10-ps).
|
||||
You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps).
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
|
||||
@ -78,8 +78,8 @@ The following procedures describe how to manage the TPM command lists. You must
|
||||
|
||||
## Use the TPM cmdlets
|
||||
|
||||
You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](https://docs.microsoft.com/powershell/module/trustedplatformmodule/?view=win10-ps).
|
||||
You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps).
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
|
||||
@ -85,8 +85,8 @@ For information about mitigating dictionary attacks that use the lockout setting
|
||||
|
||||
## Use the TPM cmdlets
|
||||
|
||||
You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/).
|
||||
You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/).
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
|
||||
@ -70,11 +70,11 @@ Virtual Smart Card must be issued to the user for each computer. A computer that
|
||||
|
||||
## TPM-based certificate storage
|
||||
|
||||
The TPM can be used to protect certificates and RSA keys. The TPM key storage provider (KSP) provides easy, convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP can be used to generate keys when an organization enrolls for certificates, and the KSP is managed by templates in the UI. The TPM can also be used to protect certificates that are imported from an outside source. TPM-based certificates can be used exactly as standard certificates with the added functionality that the certificate can never leave the TPM from which the keys were generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](https://msdn.microsoft.com/library/windows/desktop/aa376210.aspx).
|
||||
The TPM can be used to protect certificates and RSA keys. The TPM key storage provider (KSP) provides easy, convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP can be used to generate keys when an organization enrolls for certificates, and the KSP is managed by templates in the UI. The TPM can also be used to protect certificates that are imported from an outside source. TPM-based certificates can be used exactly as standard certificates with the added functionality that the certificate can never leave the TPM from which the keys were generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](/windows/win32/seccng/cng-portal).
|
||||
|
||||
## TPM Cmdlets
|
||||
|
||||
You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/).
|
||||
You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/).
|
||||
|
||||
## Physical presence interface
|
||||
|
||||
@ -150,6 +150,6 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur
|
||||
## Related topics
|
||||
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
|
||||
- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/)
|
||||
- [TPM WMI providers](https://docs.microsoft.com/windows/win32/secprov/security-wmi-providers-reference)
|
||||
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#tpm-hardware-configurations)
|
||||
- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/)
|
||||
- [TPM WMI providers](/windows/win32/secprov/security-wmi-providers-reference)
|
||||
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md#tpm-hardware-configurations)
|
||||
@ -56,7 +56,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
|
||||
|
||||
- TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs do not support all algorithms.
|
||||
|
||||
- For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx).
|
||||
- For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](/windows/win32/seccertenroll/cng-cryptographic-algorithm-providers).
|
||||
|
||||
- TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)).
|
||||
|
||||
@ -73,7 +73,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
|
||||
> [!NOTE]
|
||||
> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
|
||||
|
||||
> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
|
||||
> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
|
||||
|
||||
## Discrete, Integrated or Firmware TPM?
|
||||
|
||||
@ -95,7 +95,7 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u
|
||||
|
||||
### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
|
||||
|
||||
- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
|
||||
- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
|
||||
|
||||
### IoT Core
|
||||
|
||||
@ -112,7 +112,7 @@ The following table defines which Windows features require TPM support.
|
||||
Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
|
||||
-|-|-|-|-
|
||||
Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot
|
||||
BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support
|
||||
BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](../bitlocker/bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) including TPM 2.0 support
|
||||
Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
|
||||
Windows Defender Application Control (Device Guard) | No | Yes | Yes
|
||||
Windows Defender System Guard | Yes | No | Yes
|
||||
@ -133,4 +133,4 @@ Government customers and enterprise customers in regulated industries may have a
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
|
||||
@ -44,7 +44,7 @@ Different versions of the TPM are defined in specifications by the Trusted Compu
|
||||
|
||||
### Automatic initialization of the TPM with Windows 10
|
||||
|
||||
Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). We're [no longer actively developing the TPM management console](https://docs.microsoft.com/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809.
|
||||
Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). We're [no longer actively developing the TPM management console](/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809.
|
||||
|
||||
In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects.
|
||||
|
||||
@ -60,7 +60,7 @@ The TPM has several Group Policy settings that might be useful in certain enterp
|
||||
|
||||
## New and changed functionality
|
||||
|
||||
For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module).
|
||||
For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module).
|
||||
|
||||
## Device health attestation
|
||||
|
||||
@ -89,11 +89,11 @@ Some things that you can check on the device are:
|
||||
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
|
||||
- [Details on the TPM standard](https://www.microsoft.com/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM)
|
||||
- [TPM Base Services Portal](https://docs.microsoft.com/windows/desktop/TBS/tpm-base-services-portal)
|
||||
- [TPM Base Services API](https://docs.microsoft.com/windows/desktop/api/_tbs/)
|
||||
- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule)
|
||||
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
|
||||
- [TPM Base Services Portal](/windows/desktop/TBS/tpm-base-services-portal)
|
||||
- [TPM Base Services API](/windows/desktop/api/_tbs/)
|
||||
- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule)
|
||||
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md#bkmk-tpmconfigurations)
|
||||
- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/)
|
||||
- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/)
|
||||
- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx)
|
||||
- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx)
|
||||
- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx)
|
||||
@ -146,5 +146,5 @@ If you don't want users to see the recommendation to update TPM firmware, you ca
|
||||
## Related topics
|
||||
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md)
|
||||
- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/?view=win10-ps)
|
||||
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
|
||||
- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps)
|
||||
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md#bkmk-tpmconfigurations)
|
||||
Reference in New Issue
Block a user