5. Turning an Initialized TPM On or Off
Computers that have TPM might ship with TPM turned on. If you decide
not to use TPM, you should take ownership of the TPM and then turn off
the TPM. This ensures that the operating system owns the TPM but the
TPM is in an inactive state. If you want to reconfigure or recycle a
computer, you should clear the TPM. Clearing the TPM invalidates any stored keys, and data encrypted by these keys can no longer be accessed.
Using an administrator account, you can turn off TPM by completing the following steps:
- Start the Trusted Platform Module Management console.
- On the Action menu, tap or click Turn TPM Off.
- When the full TPM owner authorization is stored in the registry, you don’t need to provide the TPM owner password. Otherwise, follow the prompts to provide the owner password or select the file containing the TPM owner password.
6. Clearing the TPM
Clearing the TPM erases information stored on the TPM and cancels the related ownership of the TPM. You should clear the TPM when a TPM-equipped computer is to be recycled. Clearing the TPM invalidates any stored keys, and data encrypted by these keys can no longer be accessed.
After clearing the TPM, you should take ownership of the TPM. This
will write new information to the TPM. You might then want to turn off
the TPM so it isn’t available for use.
Using an administrator account, you can clear the TPM, take ownership, and then turn off TPM by completing the following steps:
- Start the Trusted Platform Module Management console. On the Action menu, tap or click Clear TPM. This starts the Manage The TPM Security Hardware Wizard.
  Caution: Clearing the TPM resets it to factory defaults. As a result, you lose all keys and data protected by those keys. You do not need the TPM owner password to clear the TPM.
- Read the warning on the Clear The TPM Security Hardware page, shown in Figure 7, and then tap or click Restart. Tap or click Cancel to exit without clearing the TPM.
- Typically, hardware designed for Windows 8 and Windows Server 2012 can automatically complete the re-initialization process. On other hardware, you’ll need physical access to the computer to respond to the manufacturer’s firmware confirmation prompt. Figure 8 shows an example. Here, you must press F12 to clear, enable, and activate the TPM, or press ESC to cancel and continue loading the operating system.
- Follow steps 4–7 in the Initializing and Preparing a TPM for First Use section.
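The same clear, take-ownership and turn-off sequence can be driven from an elevated PowerShell session instead of the console. The script below is an added example, not code from the book or from Microsoft. It assumes Windows 8 / Windows Server 2012 or later, where the built-in TrustedPlatformModule module supplies Get-Tpm, Clear-Tpm and Initialize-Tpm. No cmdlet turns the TPM off, so that step calls the Disable method of the Win32_Tpm WMI class; the function names (Show-TpmState, Invoke-TpmClear, Complete-TpmProvisioning) are this example's own.

```powershell
# Added example (not from the book): clear the TPM, take ownership again after the
# restart, then turn the TPM off so it is owned by the OS but inactive.
#Requires -RunAsAdministrator
Import-Module TrustedPlatformModule

function Show-TpmState {
    # ManagedAuthLevel 'Full' means the owner authorization is kept in the registry,
    # which is the case in which the wizard does not ask for the owner password.
    Get-Tpm | Format-List TpmPresent, TpmReady, ManagedAuthLevel, OwnerClearDisabled, LockedOut
}

function Invoke-TpmClear {
    param(
        # Only needed when the full owner authorization is not stored in the registry.
        [string]$OwnerAuthorization,
        # Alternatively, the backup file saved by the wizard (Remember My TPM Owner Password).
        [string]$BackupFile
    )
    if (-not (Get-Tpm).TpmPresent) { throw 'No TPM present on this computer.' }

    # Clearing discards every key sealed by the TPM. Suspend BitLocker on protected
    # volumes (Suspend-BitLocker) or have recovery keys at hand before running this.
    if ($BackupFile)             { Clear-Tpm -File $BackupFile }
    elseif ($OwnerAuthorization) { Clear-Tpm -OwnerAuthorization $OwnerAuthorization }
    else                         { Clear-Tpm }   # uses the registry-stored value

    Write-Warning 'Restart now. On hardware without automatic re-initialization, answer the firmware prompt (F12 in the example in Figure 8) to complete the clear.'
}

function Complete-TpmProvisioning {
    # Run after the restart: take ownership again, then turn the TPM off.
    $result = Initialize-Tpm -AllowClear -AllowPhysicalPresence
    if ($result.RestartRequired -or $result.PhysicalPresenceRequired) {
        Write-Warning 'Another restart or firmware confirmation is needed before the TPM is ready.'
        return $result
    }
    if (-not $result.TpmReady) { throw 'TPM did not become ready after Initialize-Tpm.' }

    # Disable expects the owner authorization value; Get-Tpm exposes it when
    # ManagedAuthLevel is Full. Otherwise supply it from the backup file or a prompt.
    $ownerAuth = (Get-Tpm).OwnerAuth
    if (-not $ownerAuth) { throw 'Owner authorization is not in the registry; pass it explicitly.' }

    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $ret = Invoke-CimMethod -InputObject $tpmWmi -MethodName Disable -Arguments @{ OwnerAuth = $ownerAuth }
    if ($ret.ReturnValue -ne 0) { throw ('Disable failed with HRESULT 0x{0:X8}' -f $ret.ReturnValue) }
    Show-TpmState
}

# Usage: Show-TpmState; Invoke-TpmClear; Restart-Computer; then Complete-TpmProvisioning
```

Windows 8 and Windows Server 2012 auto-provision the TPM at startup by default, so a TPM turned off this way may be re-provisioned on the next boot; run Disable-TpmAutoProvisioning first if the TPM is meant to stay inactive. Show-TpmState before and after each step is the check that matters: OwnerClearDisabled and LockedOut should both be False, and TpmReady should be True after Complete-TpmProvisioning.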
7. Changing the TPM Owner Password
You can change the TPM password at any time. The key reason to do
this is if you suspect that the TPM owner password has been
compromised. Your company’s security policy also might require TPM
owner password changes in certain situations.
To change the TPM owner password, complete the following steps:
- Start the Trusted Platform Module Management console. On the Action menu, tap or click Change Owner Password. This starts the Manage The TPM Security Hardware Wizard.
- When the full TPM owner authorization is stored in the registry, you don’t need to provide the TPM owner password. Otherwise, follow the prompts to provide the owner password or select the file containing the TPM owner password.
- On the Create The TPM Owner Password page, shown in Figure 9, you can elect to create the password automatically or manually.
- If you want the wizard to create the password for you, select Automatically Create The Password (Recommended). The new TPM owner password is displayed. Tap or click Change Password.
- If you want to create the password, select Manually Create The Password. Type and confirm a password of at least eight characters, and then tap or click Change Password.
- Before tapping or clicking Close, you might want to save the TPM owner password. Tap or click Remember My TPM Owner Password. In the Save As dialog box, select a location to save the password backup file, and then tap or click Save.
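The password change can also be scripted. The following is an added example, not code from the book or from Microsoft. It assumes Windows 8 / Windows Server 2012 or later: ConvertTo-TpmOwnerAuth from the TrustedPlatformModule module derives the owner authorization value from a passphrase, and the change itself calls the ChangeOwnerAuth method of the Win32_Tpm WMI class, because no cmdlet exposes it. The function names and the plain-text backup file it writes are this example's own; the file is not in the wizard's .tpm backup format.

```powershell
# Added example (not from the book): generate a new TPM owner password, apply it,
# and keep a restricted backup copy of the resulting owner authorization value.
#Requires -RunAsAdministrator
Import-Module TrustedPlatformModule

function New-TpmOwnerPassphrase {
    # Equivalent of "Automatically Create The Password": random characters from a
    # cryptographic RNG, well over the wizard's eight-character minimum.
    param([int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Set-TpmOwnerPassphrase {
    param(
        [Parameter(Mandatory)][string]$NewPassphrase,
        # Needed only when the full owner authorization is not stored in the registry.
        [string]$OldPassphrase,
        # Optional backup location; access is restricted to Administrators and SYSTEM.
        [string]$BackupPath
    )
    if ($NewPassphrase.Length -lt 8) { throw 'TPM owner password must be at least eight characters.' }

    # Current owner authorization: derived from the old passphrase, or read from the
    # registry copy that Get-Tpm exposes when ManagedAuthLevel is Full.
    $oldAuth = if ($OldPassphrase) { ConvertTo-TpmOwnerAuth -PassPhrase $OldPassphrase } else { (Get-Tpm).OwnerAuth }
    if (-not $oldAuth) { throw 'Current owner authorization unavailable; supply -OldPassphrase.' }
    $newAuth = ConvertTo-TpmOwnerAuth -PassPhrase $NewPassphrase

    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $ret = Invoke-CimMethod -InputObject $tpmWmi -MethodName ChangeOwnerAuth `
        -Arguments @{ OldOwnerAuth = $oldAuth; NewOwnerAuth = $newAuth }
    if ($ret.ReturnValue -ne 0) { throw ('ChangeOwnerAuth failed with HRESULT 0x{0:X8}' -f $ret.ReturnValue) }

    if ($BackupPath) {
        # A copy of the owner authorization is as sensitive as the password itself,
        # so replace inherited permissions with an explicit Administrators/SYSTEM ACL.
        Set-Content -Path $BackupPath -Value $newAuth -Encoding ASCII
        $acl = Get-Acl $BackupPath
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -Path $BackupPath -AclObject $acl
    }
    Get-Tpm | Format-List TpmReady, ManagedAuthLevel, OwnerClearDisabled, LockedOut
}

# Usage:
# $pw = New-TpmOwnerPassphrase
# Set-TpmOwnerPassphrase -NewPassphrase $pw -BackupPath 'C:\TpmBackup\owner-auth.txt'
```

After the change, Get-Tpm should still report TpmReady True and LockedOut False. If ManagedAuthLevel is Full and the OwnerAuth that Get-Tpm shows no longer matches the new value, Import-TpmOwnerAuth -OwnerAuthorization $newAuth refreshes the registry copy so that later Clear-Tpm and Turn TPM Off operations do not prompt for the password.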