Best practices for Trusted Platform Module Management

The following best practices are recommended for managing a Trusted Platform Module (TPM) in an enterprise environment.

Note

If you're looking for BitLocker and TPM content for Windows 10, see What's New in BitLocker and Trusted Platform Module.

This information applies to the following operating systems.

  • Windows 7
  • Windows Vista

What to look for when purchasing TPM systems

  • A platform that includes a TPM and has passed either the Windows 7 Logo Program testing in the Business or Consumer category, or the Windows Vista Logo Program testing in the Business category. Windows XP Logo Program testing does not test TPM functionality, so that test should not be relied on for assessing whether the TPM on a platform works properly with Windows. To check the logo program testing results, go to Windows Certified Products List and search for your system. To verify that a Windows Vista system was tested in the Business category, open its Windows Logo Verification Report and ensure that the Subcategory says (Business) or (Business and Consumer), in parentheses.
  • A TPM that complies with Trusted Computing Group's TPM 1.2 specifications.
  • A TPM that is physically secured to the system board.
  • A TPM that comes from the original equipment manufacturer (OEM) with an endorsement key.
  • A platform that supports direct user input (not automated) to prove physical presence when committing important changes to the TPM.

TPM BIOS settings

  • Some BIOSes can hide the TPM completely from the operating system. To use the TPM, you must make the TPM visible to the operating system.
  • Some BIOSes have options that skip placing certain measurements in the TPM. Configure BIOS options to record all measurements that are available in the TPM.
  • Some BIOSes permit blocking the operating system from performing certain physical presence commands such as clearing the TPM. Be sure the options are configured appropriately for your enterprise.

Initialize the TPM

  • The TPM must be initialized by a member of the administrators group.
  • When possible, we recommend that you initialize the TPM before deploying the platform to users.
  • To deploy a few computers with TPMs at the same time, use the TPM Initialization Wizard (https://technet.microsoft.com/library/cc749022.aspx).
  • To deploy several platforms at a time or to remotely manage the platform, use scripts that call Windows Management Instrumentation (WMI) methods that are included in the Win32_Tpm class (https://msdn.microsoft.com/library/aa376484(VS.85).aspx).

Take ownership of the TPM

  • Ensure that the TPM owner is the domain administrator, local administrator, or a separate privileged account. (The TPM owner is an account that knows the TPM owner authorization data.)
  • Ensure that the TPM owner is the owner of the actual platform, either financially or physically.
  • If using a third-party tool, ensure that the storage root key (SRK) authorization is set to zero.
  • Use unique values for TPM owner authorization data on all machines in the enterprise.
  • Set up and configure Group Policy in Active Directory to require storing TPM recovery information (such as TPM owner authorization data) in Active Directory. If using the TPM initialization wizard, choose the option to randomly generate the TPM owner password instead of specifying one manually. (This helps mitigate dictionary attacks.)
  • Never give out the TPM owner authorization data or TPM owner password. The TPM owner password or TPM owner authorization data can be used to reset the TPM anti-hammering logic, making brute force attacks against TPM authorization values easier.

Change the TPM owner information

  • Use the TPM management console MMC snap-in to change the TPM owner password (if changing a few at a time).
  • If changing several platforms at a time, use WMI methods that are contained in the Win32_Tpm class.
  • If Group Policy was configured to store the TPM owner authorization data in Active Directory, keep this policy set so that the information in Active Directory remains synchronized.
  • When changing owner authorization, back up any encrypted data or escrow keys as necessary. If keys can be moved, move them to a safe storage area until after the operation succeeds. Then, re-synchronize the new authorization value with Active Directory.
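The "Initialize the TPM" section above recommends scripts that call Win32_Tpm WMI methods for bulk or remote deployment, and this section recommends the same class for changing the owner password. The following PowerShell script is an added example, not code from this article or from Microsoft: the computer names are constructed placeholders, while the namespace and the IsEnabled, IsActivated, IsOwned, IsOwnerClearAllowed, ConvertToOwnerAuth and ChangeOwnerAuth methods are those of the real Win32_Tpm class.

```powershell
# Added example (not from the Microsoft article): inventory TPM state on several
# computers via Win32_Tpm, then rotate the owner authorization on one of them.
$TpmNamespace = 'root\cimv2\Security\MicrosoftTpm'

function Get-TpmState {
    # Report TPM visibility, enabled/activated state and ownership per computer.
    param([string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm `
                                 -ComputerName $computer -ErrorAction Stop
        } catch {
            Write-Warning "${computer}: WMI query failed ($($_.Exception.Message))"
            continue
        }
        if ($null -eq $tpm) {
            # No instance means the TPM is absent or hidden by the BIOS.
            Write-Warning "${computer}: no TPM visible to the operating system"
            continue
        }
        New-Object PSObject -Property @{
            Computer          = $computer
            SpecVersion       = $tpm.SpecVersion
            Enabled           = $tpm.IsEnabled().IsEnabled
            Activated         = $tpm.IsActivated().IsActivated
            Owned             = $tpm.IsOwned().IsOwned
            OwnerClearAllowed = $tpm.IsOwnerClearAllowed().IsOwnerClearAllowed
        }
    }
}

function Set-TpmOwnerAuth {
    # Change the owner authorization. Pass phrases should come from an
    # interactive prompt, never from a file kept on the platform's own storage.
    param([string]$ComputerName, [string]$OldPassPhrase, [string]$NewPassPhrase)
    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm `
                         -ComputerName $ComputerName -ErrorAction Stop
    if ($null -eq $tpm -or -not $tpm.IsOwned().IsOwned) {
        throw "TPM on $ComputerName is not visible or not owned"
    }
    # ConvertToOwnerAuth derives the owner authorization value from a pass phrase.
    $old = $tpm.ConvertToOwnerAuth($OldPassPhrase).OwnerAuth
    $new = $tpm.ConvertToOwnerAuth($NewPassPhrase).OwnerAuth
    $rc = $tpm.ChangeOwnerAuth($old, $new).ReturnValue
    if ($rc -ne 0) { throw ("ChangeOwnerAuth failed with HRESULT 0x{0:X8}" -f $rc) }
}

# Constructed sample run over two placeholder workstations.
Get-TpmState -ComputerName 'WS-0001', 'WS-0002' | Format-Table -AutoSize
```

Run Set-TpmOwnerAuth only after the data and keys on that machine are backed up, and re-synchronize the new value with Active Directory afterwards, as the bullets above describe.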

Use the TPM

  • If a lower-privileged user must perform operations on the TPM that require owner authorization, we recommend using software that can set up and use delegation rights for that user.
  • Only members of the administrators group and certain special system accounts should be able to access the TPM interface.
  • Do not store key authorization data or owner authorization data on the platform's local storage media.
  • Keep privacy-sensitive, deprecated, and deleted TPM commands blocked from executing on the platform (the default settings).

Decommission the TPM

  • When you are decommissioning a TPM platform, you should recover or back up any encrypted data and keys before performing any other decommissioning steps.
  • Clear the TPM to invalidate the owner authorization data and the SRK.
