Understand the TPM Owner Password

Applies To: Windows 7, Windows Server 2008 R2

The Trusted Platform Module (TPM) owner password defines who the owner of the TPM is. You own the TPM if you are able to set the TPM owner password. Only one owner password exists per TPM, so anyone who knows that password is effectively the TPM owner. The owner of the TPM can make full use of TPM capabilities. Once an owner is set, no other user or software can claim ownership of the TPM. Only the TPM owner can enable, disable, or clear the TPM without having physical access to the computer (for example, by using the command-line tools remotely). Taking ownership of the TPM can be done as part of the initialization process. For more information, see Setting Up the TPM for First Use.

Applications, including BitLocker Drive Encryption, can automatically start the initialization process. If you enable BitLocker without manually initializing the TPM, the TPM owner password will be automatically created and saved in the same location as the BitLocker recovery password.

The TPM owner password can be saved as a file on a USB flash drive, or in a folder in a location away from your local computer. The password can also be printed. In TPM Management, when an action can only be performed by the TPM owner, you can choose the appropriate option to type the password or use the password that has been saved.
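Before performing one of the owner-only actions described above, an administrator usually wants to confirm whether the TPM has an owner at all, and whether it is enabled and activated. The following PowerShell script is an added example, not part of the original page; it assumes the Win32_Tpm WMI class in the root\cimv2\Security\MicrosoftTpm namespace is available (it is not named on this page) and that the script is run from an elevated prompt on Windows 7 or Windows Server 2008 R2.

```powershell
# Added example (not from the original page): report the TPM ownership and
# activation state that the owner-only actions in TPM Management depend on.
# Assumption: the Win32_Tpm WMI class (namespace root\cimv2\Security\MicrosoftTpm)
# is present and the script runs with administrator rights.

$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                     -Class 'Win32_Tpm' -ErrorAction Stop

if ($null -eq $tpm) {
    Write-Warning 'No TPM instance found; the TPM may be absent or turned off in firmware.'
    return
}

# Each Win32_Tpm query method returns an object whose property of the same
# name carries the boolean result (for example $tpm.IsOwned().IsOwned).
$state = [ordered]@{
    Enabled            = $tpm.IsEnabled().IsEnabled
    Activated          = $tpm.IsActivated().IsActivated
    Owned              = $tpm.IsOwned().IsOwned
    OwnerClearDisabled = $tpm.IsOwnerClearDisabled().IsOwnerClearDisabled
    SpecVersion        = $tpm.SpecVersion
    ManufacturerId     = $tpm.ManufacturerId
}

[pscustomobject]$state | Format-List

# Interpretation for an administrator:
#  - Owned = False: no owner password exists yet, so initialization (taking
#    ownership) has not happened and the TPM is still claimable.
#  - Owned = True: an owner password is set; enabling, disabling or clearing the
#    TPM from TPM Management without physical access requires that password,
#    either typed in or read from the saved owner password file.
if (-not $state.Owned) {
    Write-Host 'TPM is not owned: initialize the TPM and store the owner password file before relying on it.'
}
elseif (-not $state.Enabled -or -not $state.Activated) {
    Write-Host 'TPM is owned but not enabled/activated: enabling it needs the owner password or physical presence.'
}
else {
    Write-Host 'TPM is enabled, activated and owned.'
}
```

The check is read-only: it never calls TakeOwnership or Clear, so it is safe to run on a machine whose owner password file is already stored on removable media or printed, and it tells you in advance whether the next TPM Management action will prompt for that password.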

The TPM commands available to an owner are defined by the Trusted Computing Group. For more information, consult the "Owner Permission Settings" section of the specification "Structures of the TPM" available from the Trusted Computing Group Web site (https://go.microsoft.com/fwlink/?LinkId=69584).