Windows 10 Build 1607 - TPM Installation / Configuration

  • Question

  • First, I'd like to point out the thread at URL https://social.technet.microsoft.com/Forums/windows/en-US/2e30a3da-b100-4c7a-9855-4e74b9d616de/getting-the-tpm-owner-password-once-installation-is-complete?forum=w7itprosecurity.

    That thread did not appear to be completely applicable to my needs.

    Specifically, a new TPM Module was installed this date (02/26/2017) on an ASUS Motherboard SABERTOOTH R2.0/GEN 3. It is part of the plan to tighten security on this device.

    1) My understanding: In the attempt to configure for Windows 10 1607, it appears that Windows 10 now manages the initialization, setting of owner password and other base components w/in the TPM.

    2) My understanding: The setting of the Owner Password is not required on a new installation of the TPM.

    There are a couple of observed statements w/in the Microsoft TPM documentation, the most telling is:

    "Although the TPM owner password is not retained starting with Windows 10, version 1607,..."

    The second item expressed:

    "Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, TPM.msc."

    Both statements do not present an issue with me. I'm happy to know and adapt to this approach.

    What is not known though:

    1. How to obtain/save TPM backup information?
    2. How to obtain the Owner Password and other top-level authentication information for use during a catastrophic need?

    The reason for this is because the device is standalone, owned by me, and not connected to an AD.

    Thank you for your guidance and support!

    Jim

    CURRENT INFORMATION:

    Platform: SABERTOOTH motherboard; 32GB DDR3, 20.5TB on-line storage, Windows 10 1607 (Build: 14393.693) w/current updates.

    TPM Information: F/W: 3.19

    Number of internal drives currently encrypted (including OS): None

    Next Steps: Encrypt OS Drive (following above questions being answered.)


    Jim - Mastiffs are the greatest!

    Sunday, February 26, 2017 7:22 PM

All replies

  • Hi Jim, 

    As we know, backing up the TPM owner information for a computer allows administrators in a domain to remotely configure the TPM security hardware on the local computer.

    In Windows 10, to back up TPM information, we need the following requirements: 

    1. All domain controllers that are accessible by client computers that will be using TPM services are running Windows Server.
    2. You have domain administrator rights in the target forest, or you are using an account that has been granted appropriate permissions to extend the schema for the target forest. Members of the Enterprise Admins or Schema Admins groups are examples of accounts that have the appropriate permissions.

    In your scenario, since there is no domain, we cannot back up this information separately. 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 28, 2017 9:02 AM
    Owner
  • Thank you for your response!!

    Of course, this is not precisely the answer I was looking for... :(

    Yet, it points me in a more appropriate direction and that was very much needed.

    The remaining question though revolves around the visibility of the Owner Password and access to save to an external device and/or printing that can be locked down.

    However, I am a bit discouraged about the backup approach, and if I extrapolate from that, Windows 10 relies, at least for all core functions, on being connected to an AD. What this would mean is:

    • No retrieval of the Owner Password.
    • No ability to configure specific operating characteristics of the TPM environment on a locally isolated platform.

    While I am hoping that the above is not entirely true, if it is then the real question is:

    • How safe is it to set up the TPM environment on a standalone and isolated system? (This would naturally include OS drive encryption and other specifics which directly make use of the TPM.)

    Any further insight shall be extremely helpful.

    Thank you!

    Jim


    Jim - Mastiffs are the greatest!

    Tuesday, February 28, 2017 12:41 PM
  • Hi, 

    We can manually save the TPM key file out when you initialize the TPM in TPM management: 

    In the TPM management console, click on the Initialize. This will start the process where you need to manually create a password or generate one. In this case I selected to automatically create the TPM password.


    Save the password file in a USB drive (file.tpm) and print the password for recovery purposes. Please keep this file in a secure location away from your computer’s local hard drive.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Thursday, March 2, 2017 3:08 AM
    Owner
  • Thank you for this information!

    I shall be able to move forward this weekend (3/4-5/2017).

    Based on the information provided, once I have implemented the approach and all is well, I shall mark your response as the key answer.

    As to security of the resulting password, absolutely. That information shall be retained in a secured location, and accessible only when absolutely required.

    Once established, and working as expected, then my next step shall be to encrypt my OS drive.

    My intent is to link the OS drive, followed by two key drives on my system that must also be encrypted, and all fall under the control of the TPM.

    Again, I know your time is valuable, and I appreciate you sharing that time with me!

    Jim


    Jim - Mastiffs are the greatest!

    Thursday, March 2, 2017 1:12 PM
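The post above lays out the plan (OS drive first, then two data drives, all under the TPM). What actually has to be saved on a standalone machine for a "catastrophic need" is the BitLocker recovery password of each volume, not the TPM owner password: a cleared TPM or a replaced board leaves the recovery password as the only way back in. The script below is an added example written for this thread, not code from the thread or from Microsoft. It assumes the OS volume is C:, the two data volumes are D: and F:, and a removable drive mounted as E: receives the recovery passwords; all three letters are placeholders, and it uses only the `BitLocker` and `TrustedPlatformModule` cmdlets that ship with Windows 10 Pro.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: encrypt the OS drive with a TPM protector,
# give every volume a recovery password, and copy the passwords to removable media
# before any encryption starts. Drive letters below are assumed placeholders.
$OsVolume    = 'C:'
$DataVolumes = @('D:', 'F:')             # assumed; set to the real data drives
$BackupRoot  = 'E:\BitLockerRecovery'    # assumed removable drive, kept off-site

Import-Module BitLocker
Import-Module TrustedPlatformModule

# 1. Refuse to continue unless the TPM is present and provisioned by Windows.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)); run 'Prepare the TPM...' in tpm.msc first."
}

function Export-RecoveryPassword {
    # Writes the volume's RecoveryPassword protector to a text file on the backup drive.
    param([string]$MountPoint, [string]$Folder)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    if (-not $rp) { throw "No recovery password protector on $MountPoint" }
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $file = Join-Path $Folder ("{0}-{1}.txt" -f $MountPoint.TrimEnd(':'), $rp.KeyProtectorId.Trim('{}'))
    @(
        "Volume:       $MountPoint"
        "Protector ID: $($rp.KeyProtectorId)"   # BitLocker shows this ID on the recovery screen
        "Recovery key: $($rp.RecoveryPassword)"
        "Saved:        $(Get-Date -Format s)"
    ) | Set-Content -Path $file
    return $file
}

# 2. OS drive: recovery password first, exported, then the TPM protector and encryption.
Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null
Write-Host "Recovery password for $OsVolume saved to $(Export-RecoveryPassword $OsVolume $BackupRoot)"
Enable-BitLocker -MountPoint $OsVolume -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

# 3. Data drives: their own recovery password, exported, then encryption.
foreach ($dv in $DataVolumes) {
    Enable-BitLocker -MountPoint $dv -EncryptionMethod XtsAes256 -UsedSpaceOnly -RecoveryPasswordProtector | Out-Null
    Write-Host "Recovery password for $dv saved to $(Export-RecoveryPassword $dv $BackupRoot)"
}

function Enable-DataDriveAutoUnlock {
    # "Linking" the data drives to the OS drive is BitLocker auto-unlock; it can only be
    # turned on once the OS volume reports ProtectionStatus On (i.e. after conversion
    # finished and the machine has rebooted), so this is a separate, re-runnable step.
    param([string]$OsMountPoint, [string[]]$MountPoints)
    $os = Get-BitLockerVolume -MountPoint $OsMountPoint
    if ($os.ProtectionStatus -ne 'On') {
        throw "OS volume $OsMountPoint is not protected yet (status $($os.ProtectionStatus)); retry after encryption completes and a reboot."
    }
    foreach ($mp in $MountPoints) { Enable-BitLockerAutoUnlock -MountPoint $mp }
}

Get-BitLockerVolume | Format-Table MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage -AutoSize
# Later, once C: shows ProtectionStatus On:
#   Enable-DataDriveAutoUnlock -OsMountPoint $OsVolume -MountPoints $DataVolumes
```

The files under `$BackupRoot` should be treated like the printed TPM password in the earlier reply: stored away from the machine, since anyone holding a recovery password can unlock that volume without the TPM. Adding the recovery protector before `Enable-BitLocker` means there is never a moment where a volume is encrypted with only a TPM protector and no saved way to recover it.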
  • Well, the advice is great, and I believe I've translated the images provided to the current version of TPM.MSC. Shown below is the image of those options I have.

    The approach though, with the translation to today from the instructions provided, seems to be:

    1. Use BIOS access to turn TPM off. Use of the option "Turn TPM Off..." requires the owner password - which of course I don't have. I expect to clear and reset to factory settings w/in BIOS - though this has not yet been done. I don't recall if TPM BIOS management will permit this.
    2. Once off, then use TPM.MSC to a) "Clear TPM..."; b) "Prepare the TPM...". I hope that "Prepare the TPM..." shall provide the ability to generate a new Owner Password as outlined in your post.

    Please pass word back that I'm accurately moving forward.

    There is no clear and definitive break out on specifics, and to get this wrong could more than just damage my system...

    If you see anything amiss, or if a better approach is possible, please let me know.

    Below is the image of the TPM.MSC launch panel:

    Current TPM.MSC side panel (Win 10):

    Win 10 Pro x64; v1607 (OS Build 14393.693)

    Jim

    [ADDENDUM] In the BIOS settings, I've found both the clear option, and perhaps more importantly, a "Take Ownership" option. This has yet to be attempted. (Any advice?)


    Jim - Mastiffs are the greatest!


    • Edited by Jim.Low Sunday, March 5, 2017 3:30 PM
    Saturday, March 4, 2017 1:32 PM
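Two things in this thread can be checked from the machine itself rather than guessed at: whether Windows 10 1607 still holds an owner password at all (the documentation quoted in the opening post says it is not retained by default), and what on the machine would stop working if the TPM were cleared as planned in the post above. The script below is an added example for this thread, not the poster's or Microsoft's code. It only reads state and changes nothing; it assumes the `TrustedPlatformModule` and `BitLocker` modules shipped with Windows 10 Pro, and reads the `OSManagedAuthLevel` policy value that backs the "owner authorization level" Group Policy setting.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: report what Windows holds about the TPM and
# which volumes would be lost by a TPM clear without their recovery password.
Import-Module TrustedPlatformModule
Import-Module BitLocker

function Get-TpmOwnerAuthStatus {
    # Get-Tpm exposes ManagedAuthLevel (Full / Delegated / None) and the OwnerAuth
    # value when Windows retained it; on 1607 the default is to discard the full
    # owner authorization once provisioning is done, so OwnerAuth is usually empty.
    $tpm = Get-Tpm
    # Policy backing the "Configure the level of TPM owner authorization information
    # available to the operating system" setting: 0 = None, 2 = Delegated, 4 = Full.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' `
                            -Name OSManagedAuthLevel -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present            = $tpm.TpmPresent
        Ready              = $tpm.TpmReady
        Owned              = $tpm.TpmOwned
        AutoProvisioning   = $tpm.AutoProvisioning
        ManagedAuthLevel   = $tpm.ManagedAuthLevel
        OwnerAuthAvailable = -not [string]::IsNullOrEmpty($tpm.OwnerAuth)
        PolicyAuthLevel    = if ($pol) { $pol.OSManagedAuthLevel } else { 'not set (default)' }
        LockedOut          = $tpm.LockedOut
    }
}

function Get-TpmDependentVolumes {
    # A volume whose key protectors include the TPM (Tpm, TpmAndPin, ...) cannot be
    # unlocked after a TPM clear except with its recovery password or an external key.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)
        [pscustomobject]@{
            MountPoint          = $_.MountPoint
            VolumeStatus        = $_.VolumeStatus
            ProtectionStatus    = $_.ProtectionStatus
            UsesTpm             = [bool]($types | Where-Object { $_ -like 'Tpm*' })
            HasRecoveryPassword = $types -contains 'RecoveryPassword'
            AutoUnlock          = $_.AutoUnlockEnabled
        }
    }
}

$status  = Get-TpmOwnerAuthStatus
$volumes = @(Get-TpmDependentVolumes)
$status  | Format-List
$volumes | Format-Table -AutoSize

$atRisk = $volumes | Where-Object { $_.UsesTpm -and -not $_.HasRecoveryPassword }
if ($atRisk) {
    Write-Warning ("Do not clear the TPM yet: {0} depend on it and have no recovery password protector." -f ($atRisk.MountPoint -join ', '))
} elseif ($volumes | Where-Object UsesTpm) {
    Write-Warning "Volumes are sealed to the TPM; suspend BitLocker on them (Suspend-BitLocker) and have the recovery passwords at hand before clearing."
} else {
    Write-Host "Nothing on this machine is sealed to the TPM; a clear (Clear-Tpm, or 'Clear TPM...' in tpm.msc) only discards the TPM's own state."
}
```

On the poster's machine, with no drives encrypted yet, the last branch is the expected result, which is the safe order of operations: clear and re-prepare the TPM first, and only then enable BitLocker. `ManagedAuthLevel` of `Delegated` with `OwnerAuthAvailable` false is the normal 1607 default and is why `Turn TPM Off...` asks for a password that Windows no longer has; the BIOS clear option does not need it.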