Trusted Platform Module Administration Technical Overview
Updated: March 9, 2012
Applies To: Windows 7, Windows Server 2008 R2, Windows Vista
Trusted Platform Module (TPM) Services is used to administer the TPM security hardware in a computer. The TPM Services architecture provides the infrastructure for hardware-based security by providing access to and assuring application-level sharing of a TPM. The TPM Management console is a Microsoft Management Console (MMC) snap-in that allows administrators to interact with TPM Services.
What is a Trusted Platform Module?
A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and communicates with the rest of the system by using a hardware bus.
Computers that incorporate a TPM have the ability to create cryptographic keys and encrypt them so that they can be decrypted only by the TPM. This process, often called "wrapping" or "binding" a key, can help protect the key from disclosure. Each TPM has a master "wrapping" key, called the Storage Root Key (SRK), which is stored within the TPM itself. The private portion of a key created in a TPM is never exposed to any other component, software, process, or user.
Computers that incorporate a TPM can also create a key that has not only been wrapped, but also tied to certain platform measurements. This type of key can only be unwrapped when those platform measurements have the same values that they had when the key was created. This process is called "sealing" the key to the TPM. Decrypting it is called "unsealing." The TPM can also seal and unseal data generated outside of the TPM. With this sealed key and software like BitLocker™ Drive Encryption, you can lock data until specific hardware or software conditions are met.
With a TPM, private portions of key pairs are kept separated from the memory controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system—assurances that define the "trustworthiness" of a system—can be made before the keys are unsealed and released for use. Because the TPM uses its own internal firmware and logic circuits for processing instructions, it does not rely on the operating system and is not exposed to vulnerabilities that might exist in the operating system or application software.
Trusted Platform Module Services components
The following table lists the individual components that comprise the TPM Services feature set:
The TPM driver is a kernel-mode device driver designed for TPM security hardware that conforms to the Trusted Computing Group (TCG) 1.2 specifications. Conforming to TCG 1.2 provides more platform stability and eliminates the need for vendor-specific device drivers.
TPM Base Services (TBS)
TBS is a service that provides sharing of the limited resources on the TPM. TBS acts as the resource controller for all applications using the TPM.
TPM Windows Management Instrumentation (WMI) provider
The TPM WMI provider exposes common TPM configuration tasks to administrators programmatically. Administrators can write a script that uses this provider.
TPM Management console
The TPM Management console is an MMC snap-in that exposes common TPM configuration tasks to administrators through a user interface. Administrators can use this console to access the TPM Initialization Wizard.
TPM Initialization Wizard
The purpose of the TPM Initialization Wizard is to turn on and configure the TPM to work with applications or services that use the TPM, such as BitLocker Drive Encryption.
TPM Management works with Trusted Platform Module (TPM) security hardware that supports the specifications defined by the Trusted Computing Group (TCG). For more information, consult the TCG Web site(http://go.microsoft.com/fwlink/?LinkId=69593). TPM security hardware is used to enable other components or software that protect your system or encrypt data, such as BitLocker Drive Encryption.
You may find the following resources helpful in understanding the role of TPM Management and BitLocker: