Understanding TPM initialization

Applies To: Windows Server 2008

A TPM can be in a number of different states:

  • Unowned and turned off

  • Unowned and turned on

  • Owned but turned off

  • Owned and turned on

The TPM must be turned on and owned before it can be used to help secure your computer. The process of ensuring that the TPM is both turned on and owned is called initialization. During initialization, the TPM generates new root keys for its own use.
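The following script is an added example, not part of the original article, showing how an administrator can check which of the four states above a computer's TPM is in before running the TPM Initialization Wizard or BitLocker setup. It uses the Win32_Tpm WMI class (namespace root\cimv2\Security\MicrosoftTpm), which is present on Windows Vista and Windows Server 2008 and later; it assumes Windows PowerShell running from an elevated prompt, and the state names are taken from the list above.

```powershell
# Added example (not from the original article): report which of the four TPM
# states this computer is in, using the Win32_Tpm WMI class.
# Assumes Windows PowerShell 2.0 or later, run as an administrator.
$tpm = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftTpm" -Class Win32_Tpm

if (-not $tpm) {
    Write-Output "No TPM reported by Windows (none present, or hidden/disabled in the BIOS)."
    return
}

# Each Win32_Tpm query method returns an object carrying a boolean of the same name.
$enabled   = $tpm.IsEnabled().IsEnabled       # TPM turned on in firmware
$activated = $tpm.IsActivated().IsActivated   # TPM activated, so the OS can use it
$owned     = $tpm.IsOwned().IsOwned           # ownership has been taken

# "Turned on" in the article's sense requires both enabled and activated.
$turnedOn = $enabled -and $activated

# Map the three flags onto the four states listed in the article.
if (-not $owned -and -not $turnedOn) {
    $state = "Unowned and turned off"
} elseif (-not $owned -and $turnedOn) {
    $state = "Unowned and turned on"
} elseif ($owned -and -not $turnedOn) {
    $state = "Owned but turned off"
} else {
    $state = "Owned and turned on"
}

# Emit a single object so the result can be piped to Format-List, Export-Csv, etc.
New-Object PSObject -Property @{
    Enabled     = $enabled
    Activated   = $activated
    Owned       = $owned
    State       = $state
    # "Initialized" as the article defines it: turned on AND owned.
    Initialized = ($owned -and $turnedOn)
}
```

Only a TPM reported as Initialized = True is ready for BitLocker; any other result means the wizard (and usually a physical-presence confirmation at the BIOS) is still required, which is the behaviour the following paragraphs describe.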

Computers manufactured to meet requirements specified for this version of Windows include preboot BIOS functionality that makes it easy to initialize a computer's TPM by using the TPM Initialization Wizard. Normally, initialization of the TPM requires the physical presence of a user or administrator at the computer to turn on the TPM. This requirement helps protect against the threat of malicious software being able to initialize a TPM.

Note

In a business or enterprise environment, your network administrator may have initialized the TPM, or your organization may have arranged specific processes with your hardware manufacturer to support TPM initialization without user intervention.

If the TPM is not initialized, the TPM Initialization Wizard guides you through the steps required to turn on and take ownership of the TPM.

In order to be used by software such as Windows BitLocker Drive Encryption, the TPM must be initialized. The BitLocker setup wizard starts the initialization process automatically while configuring BitLocker, if needed.

For more information on how to initialize the TPM, see Initialize the TPM.