Share via


Learn more about the TPM owner password

Applies To: Windows Server 2008

The TPM owner password defines who the owner of the TPM is. You own the TPM if you are able to set the TPM owner password. Only one owner password exists per TPM, so anyone who knows that password is effectively the TPM owner.

The owner of the TPM can make full use of TPM capabilities. Once an owner is set, no other user or software can claim ownership of the TPM.

Only the TPM owner can enable, disable, or clear the TPM without being physically present at the machine, by for example, using the command-line tools remotely.

In this version of Windows, taking ownership of the TPM can be done as part of the initialization process. For more information, see Set up the TPM for first use.

Applications, including Windows BitLocker Drive Encryption, can automatically start the initialization process. If you enable BitLocker™ Drive Encryption without manually initializing the TPM, the TPM owner password will be automatically created and saved in the same location as the BitLocker recovery password.

The TPM owner password can be saved as a file on a USB flash drive, or in a folder in a location away from your local computer. The password can also be printed. In the TPM Management console, when an action can only be performed by the TPM owner, you can choose the appropriate option to type the password or use the password that has been saved.

The TPM commands available to an owner are defined by the Trusted Computing Group. For more information, consult the “Owner Permission Settings” section of the specification "Structures of the TPM" available from the Trusted Computing Group Web site (https://go.microsoft.com/fwlink/?LinkId=69584).