Windows 8 and Windows Server 2012 include important
fundamental changes in the way TPM is used. One of these changes is
the ability to set the level of authorization information stored in
the registry as any of the following:
- Full: The full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob are stored in the registry. This setting allows a TPM to be used without requiring remote or external storage of the TPM owner authorization. Note that TPM-based applications designed for earlier versions of Windows or that rely on TPM antihammering logic might not support full TPM owner authorization in the registry.
- Delegated: Only the TPM administrative delegation blob and the TPM user delegation blob are stored in the registry. This level is appropriate for TPM-based applications that rely on TPM antihammering logic. When you use this setting, Microsoft recommends that you remotely or externally store the TPM owner authorization.
- None: No TPM owner authorization information is stored in the registry. Use this setting for compatibility with earlier releases of Windows and for applications that require external or remote storage of the TPM owner authorization. When you use this setting, remote or external storage of the TPM owner authorization is required, just as it was in earlier releases of Windows.
You set the level of authorization information stored in the
registry using the Configure The Level Of TPM Owner Authorization
Information Available To The Operating System policy. This policy is
found in the Administrative Templates policies for Computer
Configuration under System\Trusted Platform Module Services. Keep in
mind that if you change the policy setting from Full to Delegated or
vice versa, the full TPM owner authorization value is regenerated
and any copies of the original TPM value will be invalid. Note also
that when this policy is set to Delegated or None, you’ll be
prompted for the TPM owner password before you are able to perform
most TPM administration tasks. Figure 4 shows an
example.
With earlier releases of Windows, Microsoft recommended
remotely storing the TPM owner authorization in Active Directory for
domain-joined computers, which could be accomplished by enabling the
Turn On TPM Backup To Active Directory Domain Services policy,
extending the schema for the directory, and setting the appropriate
access controls.
Enabling backup to Active Directory changes the default way
TPM owner information is stored. Specifically, when Turn On TPM
Backup To Active Directory Domain Services is enabled and Configure
The Level Of TPM Owner Authorization Information Available To The
Operating System is disabled or not configured, only the TPM
administrative delegation blob and the TPM user delegation blob are
stored in the registry. Here, to store the full TPM owner
information, you must use the Enabled setting of Full (or disable
the Active Directory backup of the TPM owner authorization).
Under System\Trusted Platform Module Services, you’ll find the
following related policies:
- Ignore The Default List Of Blocked TPM Commands
- Ignore The Local List Of Blocked TPM Commands
- Standard User Lockout Duration
- Standard User Individual Lockout Threshold
- Standard User Total Lockout Threshold
- Configure The List Of Blocked TPM Commands
These policies control the way command block lists are used
and when lockout is triggered after multiple failed authorization
attempts. An administrator can fully reset all lockout-related
parameters in the Trusted Platform Module Management console. On the
Action menu, tap or click Reset TPM Lockout. When the full TPM owner
authorization is stored in the registry, you don’t need to provide
the TPM owner password. Otherwise, follow the prompts to provide the
owner password or select the file containing the TPM owner
password.
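As an added example (not code from the original text) tying together the authorization-level policy described above and the lockout settings, the following PowerShell check reports the effective owner-authorization level, whether external storage of the owner authorization is required, and the current lockout state. It assumes the two policies are backed by DWORD values named OSManagedAuthLevel (0 = None, 2 = Delegated, 4 = Full) and ActiveDirectoryBackup under HKLM\SOFTWARE\Policies\Microsoft\TPM; Get-Tpm is the cmdlet from the TrustedPlatformModule module that ships with Windows 8 and Windows Server 2012.

```powershell
# Added example: report how the TPM owner authorization is exposed to the
# operating system and whether the TPM is currently in lockout.
# Assumed registry backing for the Group Policy settings discussed above:
#   HKLM\SOFTWARE\Policies\Microsoft\TPM\OSManagedAuthLevel  (0 None, 2 Delegated, 4 Full)
#   HKLM\SOFTWARE\Policies\Microsoft\TPM\ActiveDirectoryBackup (1 = backup enabled)
function Get-TpmOwnerAuthPosture {
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

    $adBackup = [bool]($policy.ActiveDirectoryBackup -eq 1)
    $levelMap = @{ 0 = 'None'; 2 = 'Delegated'; 4 = 'Full' }

    if ($null -ne $policy.OSManagedAuthLevel) {
        $configured = $levelMap[[int]$policy.OSManagedAuthLevel]
        $source = 'Policy'
    } elseif ($adBackup) {
        # AD backup on and level policy not configured: only the delegation
        # blobs are kept in the registry, i.e. Delegated behaviour.
        $configured = 'Delegated'
        $source = 'Default (AD backup enabled)'
    } else {
        $configured = 'Full'   # Windows 8 / Server 2012 default
        $source = 'Default'
    }

    $tpm = Get-Tpm
    [pscustomobject]@{
        ConfiguredLevel         = $configured
        LevelSource             = $source
        LiveManagedAuthLevel    = $tpm.ManagedAuthLevel
        OwnerAuthInRegistry     = ($configured -eq 'Full')
        ExternalStorageRequired = ($configured -ne 'Full')
        AdBackupEnabled         = $adBackup
        LockedOut               = $tpm.LockedOut
        LockoutCount            = $tpm.LockoutCount
        LockoutMax              = $tpm.LockoutMax
        TpmReady                = $tpm.TpmReady
    }
}

$posture = Get-TpmOwnerAuthPosture
$posture | Format-List
if ($posture.ExternalStorageRequired -and -not $posture.AdBackupEnabled) {
    Write-Warning 'Owner authorization is not kept in the registry and AD backup is off; keep the owner password backup file in a protected external location.'
}
if ($posture.LockedOut) {
    Write-Warning "TPM is in lockout ($($posture.LockoutCount)/$($posture.LockoutMax) failures); reset it from the TPM Management console (Action > Reset TPM Lockout)."
}
```

Run it in an elevated PowerShell session, since reading the TPM state through Get-Tpm requires administrator privileges.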
2.3 Preparing and initializing a TPM for first use
Initializing a TPM prepares it for use on a computer so that
you can use the TPM to secure volumes on the computer’s hard drives.
The initialization process involves turning on the TPM and then
setting ownership of the TPM. By setting ownership of the TPM, you
are assigning a password that helps ensure only the authorized TPM
owner can access and manage the TPM. The TPM password is required to turn off the TPM if you no
longer want to use it and to clear the TPM if the computer is to be
recycled. In an Active Directory domain, you can configure Group
Policy to save TPM passwords.
To initialize the TPM and create the owner password, complete the
following steps:
- Open the Trusted Platform Module Management console. On the Action menu, choose Prepare The TPM to start the Manage The TPM Security Hardware Wizard (tpminit). If a TPM was previously initialized and then cleared, you are prompted to restart the computer and follow on-screen instructions during startup to reset the TPM in firmware. Here, when I clicked Restart, I needed to enter firmware by pressing F2 during startup. I then needed to disable TPM, save the changes, and exit firmware. This triggered an automatic reset. After this, I needed to enter firmware by pressing F2, which let me enable TPM, save changes, and then exit firmware. This triggered another automatic reset. When the operating system loaded, I logged on and then needed to restart the Manage The TPM Security Hardware Wizard.

Note: You must have administrator privileges to manage the TPM configuration. Additionally, if the Manage The TPM Security Hardware Wizard detects firmware that does not meet Windows requirements or no TPM is found, you will not be able to continue and should ensure that the TPM has been turned on in firmware. Otherwise, you’ll see the Create The TPM Owner Password page.

- When the wizard finishes its initial tasks, you’ll see a prompt similar to the one shown in Figure 5. Tap or click Restart to restart the computer.
- Typically, hardware designed for Windows 8 and Windows Server 2012 can automatically complete the initialization process. On other hardware, you need physical access to the computer to respond to the manufacturer’s firmware confirmation prompt. Figure 6 shows an example. Here, you must press F10 to enable and activate the TPM and allow a user to take ownership of the TPM.
- When Windows starts and you log on, the Manage The TPM Security Hardware Wizard continues running. Windows will take ownership of the TPM. Setting ownership on the TPM prepares it for use with the operating system. Once ownership is set, the TPM is ready for use and you’ll see confirmation of this, as shown in Figure 7.
- Before tapping or clicking Close, save the TPM owner password. Tap or click Remember My TPM Owner Password. In the Save As dialog box, select a location to save the password backup file, and then tap or click Save. By default, the password backup file is saved as ComputerName.tpm.
- In the TPM Management console, the status should be listed as “The TPM is ready for use.”