Windows hardware
Collapse the table of content
Expand the table of content

Best practices for Trusted Platform Module Management

Updated: June 16, 2006

The following best practices are recommended for managing a Trusted Platform Module (TPM) in an enterprise environment.


If you're looking for BitLocker and TPM content for Windows 10, see What's New in BitLocker and Trusted Platform Module.


This information applies to the following operating systems.

  • Windows 7
  • Windows Vista

What to look for when purchasing TPM systems

  • A platform that includes a TPM and has passed either the Windows 7 Logo Program testing in the Business or Consumer category, or the Windows Vista Logo Program testing in the Business category. Windows XP Logo Program testing does not test TPM functionality, so that test should not be relied on for assessing whether the TPM on a platform works properly with Windows. To check the logo program testing results, go to Windows Certified Products List and search for your system. To verify that a Windows Vista system was tested in the Business category, open its Windows Logo Verification Report and ensure that the Subcategory says (Business) or (Business and Consumer), in parentheses.
  • A TPM that complies with Trusted Computing Group's TPM 1.2 specifications.
  • A TPM that is physically secured to the system board.
  • A TPM that comes from the original equipment manufacturer (OEM) with an endorsement key.
  • A platform that supports direct user input (not automated) to prove physical presence when committing important changes to the TPM.

TPM BIOS settings

  • Some BIOSes can hide the TPM completely from the operating system. To use the TPM, you must make the TPM visible to the operating system.
  • Some BIOSes have options that skip placing certain measurements in the TPM. Configure BIOS options to record all measurements that are available in the TPM.
  • Some BIOSes permit blocking the operating system from performing certain physical presence commands such as clearing the TPM. Be sure the options are configured appropriately for your enterprise.

Initialize the TPM

Take ownership of the TPM

  • Ensure that the TPM owner is the domain administrator, local administrator, or a separate privileged account. (The TPM owner is an account that knows the TPM owner authorization data.)
  • Ensure that the TPM owner is the owner of the actual platform, either financially or physically.
  • If using a third-party tool, ensure that the storage root key (SRK) authorization is set to zero.
  • Use unique values for TPM owner authorization data on all machines in the enterprise.
  • Set up and configure Group Policy in Active Directory to require storing TPM recovery information (such as TPM owner authorization data) in Active Directory. If using the TPM initialization wizard, choose the option to randomly generate the TPM owner password instead of specifying one manually. (This helps mitigate dictionary attacks.)
  • Never give out the TPM owner authorization data or TPM owner password. The TPM owner password or TPM owner authorization data can be used to reset the TPM anti-hammering logic, making brute force attacks against TPM authorization values easier.

Change the TPM owner information

  • Use the TPM management console MMC snap-in to change the TPM owner password (if changing a few at a time).
  • If changing several platforms at a time, use WMI methods that are contained in the Win32_Tpm class.
  • If Group Policy was configured to store the TPM owner authorization data in Active Directory, keep this policy set so that the information in Active Directory remains synchronized.
  • When changing owner authorization, back up any encrypted data or escrow keys as necessary. If keys can be moved, move them to a safe storage area until after the operation succeeds. Then, re-synchronize the new authorization value with Active Directory.

Use the TPM

  • If a lower-privileged user must perform operations on the TPM that require owner authorization, we recommend using software that can set up and use delegation rights for that user.
  • Only members of the administrators group and certain special system accounts should be able to access the TPM interface.
  • Do not store key authorization data or owner authorization data on the platform's local storage media.
  • Keep privacy-sensitive, deprecated, and deleted TPM commands blocked from executing on the platform (the default settings).

Decommission the TPM

  • When you are decommissioning a TPM platform, you should recover or back up any encrypted data and keys before performing any other decommissioning steps.
  • Clear the TPM to invalidate the owner authorization data and the SRK.



Send comments about this topic to Microsoft

© 2016 Microsoft