3. Enabling TPM
The TPM Services
architecture in Windows 8 provides the basic features required to
configure and deploy TPM-equipped computers. This architecture can be
extended with a feature called BitLocker Drive Encryption.
Before you can use TPM,
you must enable TPM in firmware. In some cases, computers that have TPM
might ship with TPM already enabled. In most cases, however, you’ll
find TPM is not enabled by default. With one of my computers, I needed
to do the following:
- Start the computer, and then press F2 during startup to access the firmware. In the firmware, I accessed the Advanced screen and then the Peripheral Configuration screen.
- On the Peripheral Configuration screen, Trusted Platform Module was listed as an option. After scrolling down to highlight this option, I pressed Enter to display an options menu. From the menu, I chose Enable and then pressed Enter.
- To save the changes to the setting and exit the firmware, I pressed F10. When prompted to confirm that I wanted to exit, I pressed Y, and the computer then rebooted.
With a different computer, I needed to do the following:
- Start the computer, and then press F2 during startup to access the firmware. In the firmware, I accessed the Security menu and then the TPM Security screen (see Figure 3).
- On the TPM Security screen, I needed to select the TPM Security check box and tap or click Apply.
- A prompt reminded me that I needed to turn off and then restart the computer for TPM security to be fully enabled.
- When I exited firmware, the computer rebooted.
Next, you need to initialize and prepare the TPM for first use in
software. As part of this process, Windows takes ownership of the TPM,
which sets the owner password on the TPM. Once the TPM is enabled in
firmware and initialized in software, you can manage its configuration
from the TPM Management console.
4. Initializing and Preparing a TPM for First Use
Initializing a TPM configures it for use on a computer so that you
can use the TPM to secure volumes on the computer’s hard drives. The
initialization process involves turning on the TPM and then setting
ownership of the TPM. By setting ownership of the TPM, you assign a
password that helps ensure that only the authorized TPM owner can
access and manage the TPM. The TPM password is required to turn off the
TPM if you no longer want to use it, and to clear the TPM before the
computer is recycled. In an Active Directory domain, you can configure
Group Policy to save TPM passwords.
Using an administrator account, you can initialize the TPM and create the owner password by completing the following steps:
- Start the Trusted Platform Module Management console. On the Action menu, tap or click Prepare The TPM. This starts the Manage The TPM Security Hardware Wizard (tpminit).
Note
If the wizard detects firmware that does not meet the Windows
requirements for a TPM, or finds no TPM at all, it will not let you
continue. Check that the TPM has been turned on in firmware, as
described in the previous section, and then start the wizard again.
Note
REAL WORLD If a TPM was
previously initialized and then cleared, you are prompted to restart
the computer and follow onscreen instructions during startup to reset
TPM in firmware. The wizard should start again when you next log on.
However, on my systems, this did not occur. Instead, when I clicked
Restart, I needed to enter firmware by pressing F2 during startup. I
then needed to disable TPM, save the changes, and exit firmware. This
triggered an automatic reset. After this, I needed to enter firmware by
pressing F2, which let me enable TPM, save changes, and then exit
firmware. This triggered another automatic reset. When the operating
system loaded, I logged on and then needed to restart the Initialize
The TPM Security Hardware Wizard.
- When the wizard finishes its initial tasks, you'll see a prompt similar to the one shown in Figure 4. Tap or click Restart to restart the computer.
- Typically, hardware designed for Windows 8 and Windows Server 2012 can automatically complete the initialization process. On other hardware, you'll need physical access to the computer to respond to the manufacturer's firmware confirmation prompt. Figure 5 shows an example. Here, you must press F10 to enable and activate the TPM and allow a user to take ownership of the TPM.
- When Windows starts and you log on, the Manage The TPM Security Hardware Wizard continues running. Windows takes ownership of the TPM, which prepares it for use with the operating system.
- Once ownership is set, the TPM is ready for use and you'll see confirmation of this, as shown in Figure 6.
- Before tapping or clicking Close, you might want to save the TPM owner password. Tap or click Remember My TPM Owner Password. In the Save As dialog box, select a location to save the password backup file, and then tap or click Save.
- In the TPM Management console, the status should be listed as "The TPM is ready for use."
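The same preparation can be done without the wizard. The following is an added example, not code from the original text, using the TrustedPlatformModule cmdlets (Get-Tpm, Initialize-Tpm) that ship with Windows 8 and Windows Server 2012. The RestartRequired, ShutdownRequired and PhysicalPresenceRequired flags on the Initialize-Tpm result are assumed from that cmdlet's output object; confirm them on your build with Initialize-Tpm | Format-List * before scripting against them.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original text: the command-line equivalent of
# the Prepare The TPM wizard, using the TrustedPlatformModule cmdlets shipped
# with Windows 8 and Windows Server 2012 (Get-Tpm, Initialize-Tpm).
# Assumption to verify on your build: the RestartRequired, ShutdownRequired
# and PhysicalPresenceRequired flags on the Initialize-Tpm result object
# (check with: Initialize-Tpm | Format-List *).

function Initialize-TpmForFirstUse {
    Import-Module TrustedPlatformModule

    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        # Windows cannot see a TPM: it is disabled in firmware (see the
        # firmware steps above) or the board has none.
        throw 'No TPM detected. Enable the TPM in firmware, then rerun.'
    }
    if ($tpm.TpmReady) {
        Write-Output 'The TPM is already provisioned and ready for use.'
        return $tpm
    }

    # Take ownership: the wizard's "Windows will take ownership of the TPM" step.
    # -AllowClear permits clearing a TPM that still carries stale ownership
    # (the "previously initialized and then cleared" case); -AllowPhysicalPresence
    # permits queuing the firmware confirmation prompt that some hardware
    # requires on the next boot (Figure 5).
    $result = Initialize-Tpm -AllowClear -AllowPhysicalPresence

    if ($result.PhysicalPresenceRequired) {
        Write-Warning 'Firmware confirmation needed: restart and accept the TPM prompt at the console.'
    }
    if ($result.RestartRequired -or $result.ShutdownRequired) {
        Write-Warning 'Restart (or shut down and power on) to finish, then run Get-Tpm and confirm TpmReady is True.'
    }
    elseif ($result.TpmReady) {
        Write-Output 'TPM ownership taken; the TPM is ready for use.'
        # Windows keeps the owner authorization it generated; (Get-Tpm).OwnerAuth
        # shows the same Base64 value the wizard offers to save to
        # ComputerName.tpm, and any local administrator can read it, so it
        # is a secret, not a status field.
        if ($result.OwnerAuth) {
            Write-Output 'Owner authorization is held by Windows (see Get-Tpm).'
        }
    }
    return $result
}

Initialize-TpmForFirstUse
```

Run it from an elevated PowerShell prompt. When the hardware needs a firmware confirmation, the function only reports that; you still have to be at the console for the prompt on the next boot, exactly as with the wizard.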
Note
By default, the password backup file is saved as ComputerName.tpm.
Ideally, you should save the TPM owner password to removable media,
such as a USB flash drive, and store the media in a secure location. In
a domain where the Turn On TPM Backup To Active Directory Domain
Services policy is applied, you won't have the option to save the TPM
password. Here, the owner information is backed up to Active Directory
automatically when Windows sets the owner password.
Note
MORE INFO The password backup file is an unencrypted XML file, so you
can open it in any text editor to confirm which computer it belongs to
(the machineName attribute). The ownerAuth element holds the
Base64-encoded owner authorization value itself, which is why the file
must be kept where only authorized administrators can read it. In the
following example, the password was created for ENGPC85:
    <?xml version="1.0" encoding="UTF-8"?>
    <tpmOwnerData version="1.0" softwareAuthor="Microsoft Windows [Version 6.2.8250]" creationDate="2014-04-24T17:19:43-08:00" creationUser="ENGPC85\Administrator" machineName="ENGPC85">
      <tpmInfo manufacturerId="1398033696"/>
      <ownerAuth>cBHECAgNV8Z2EBJbERTSD87HJKL=</ownerAuth>
    </tpmOwnerData>
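Because the file is the owner authorization, it is worth checking a saved backup before you ever need it for recovery. The following is an added example, not from the original text: it parses a ComputerName.tpm file, confirms the machine name and the shape of the ownerAuth value, and warns when the file sits on a fixed disk. The sample file it writes to %TEMP% is constructed here with a generated placeholder ownerAuth; a real backup holds the actual owner authorization value. The 20-byte expected length is the length Windows uses for a TPM owner authorization value.

```powershell
# Added example, not from the original text: check a saved ComputerName.tpm
# owner-password backup before you rely on it for recovery. The sample file
# below is constructed here with a generated placeholder ownerAuth; a real
# backup holds the actual owner authorization value.

function Test-TpmOwnerBackup {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$ExpectedMachine = $env:COMPUTERNAME
    )
    $problems = New-Object System.Collections.Generic.List[string]

    [xml]$doc = Get-Content -Path $Path -Raw
    $data = $doc.tpmOwnerData
    if (-not $data) { throw "Not a tpmOwnerData file: $Path" }

    # 1. The backup must belong to this computer. The console rejects a file
    #    made for another machine, so catch the mix-up before an emergency.
    if ($data.machineName -ne $ExpectedMachine) {
        $problems.Add("machineName '$($data.machineName)' does not match '$ExpectedMachine'")
    }

    # 2. ownerAuth must be valid Base64 that decodes to 20 bytes, the length
    #    Windows uses for a TPM owner authorization value. Anything else means
    #    the file was truncated or hand-edited.
    try {
        $bytes = [Convert]::FromBase64String($data.ownerAuth.Trim())
        if ($bytes.Length -ne 20) {
            $problems.Add("ownerAuth decodes to $($bytes.Length) bytes, expected 20")
        }
    }
    catch {
        $problems.Add('ownerAuth is not valid Base64')
    }

    # 3. The file *is* the owner authorization, so it belongs on removable
    #    media stored elsewhere, not on a fixed disk in the machine it protects.
    $root  = [System.IO.Path]::GetPathRoot((Resolve-Path -Path $Path).ProviderPath)
    $drive = New-Object System.IO.DriveInfo($root)
    if ($drive.DriveType -eq [System.IO.DriveType]::Fixed) {
        $problems.Add("stored on fixed drive $root; move it to removable media")
    }

    New-Object PSObject -Property @{
        Path     = $Path
        Machine  = $data.machineName
        Created  = $data.creationDate
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed sample in the shape the wizard writes. Values other than the
# machine name are illustrative; the ownerAuth is a generated placeholder.
$placeholderAuth = [Convert]::ToBase64String([byte[]](1..20))
$sample = @"
<?xml version="1.0" encoding="UTF-8"?>
<tpmOwnerData version="1.0" softwareAuthor="Microsoft Windows" creationDate="2014-04-24T17:19:43-08:00" creationUser="$env:COMPUTERNAME\Administrator" machineName="$env:COMPUTERNAME">
  <tpmInfo manufacturerId="1398033696"/>
  <ownerAuth>$placeholderAuth</ownerAuth>
</tpmOwnerData>
"@
$file = Join-Path $env:TEMP "$env:COMPUTERNAME.tpm"
Set-Content -Path $file -Value $sample -Encoding UTF8

# On a typical system this reports IsValid = False with a single problem:
# %TEMP% is on a fixed drive. Point -Path at the copy on your USB media instead.
Test-TpmOwnerBackup -Path $file | Format-List
```

The fixed-drive check is deliberate: a backup of the owner authorization left on the system drive is exactly the kind of artifact an attacker with local access looks for, and it defeats the purpose of keeping the media in a secure location.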