Initialize and Configure Ownership of the TPM

Applies To: Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2

This topic for the IT professional describes how to initialize and set the ownership of the Trusted Platform Module (TPM), turn the TPM on and off, and clear TPM keys. It also explains how to troubleshoot issues that you might encounter as a result of using these procedures.

About TPM initialization and ownership

The TPM must be initialized and ownership must be taken before it can be used to help secure your computer. The owner of the TPM is the user who possesses the owner password and is able to set it and change it. Only one owner password exists per TPM. The owner of the TPM can make full use of TPM capabilities. Taking ownership of the TPM can be done as part of the initialization process.

When you start the TPM Initialization Wizard, which is accessed through the TPM Microsoft Management Console (MMC), you can determine whether the computer's TPM has been initialized. You can also view the TPM properties.

This topic contains procedures for the following tasks:

  • Initialize the TPM and set ownership

  • Troubleshoot TPM initialization

  • Turn on or turn off the TPM

  • Clear all the keys from the TPM

  • Use the TPM cmdlets

Initialize the TPM and set ownership

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. In addition, the computer must be equipped with a Trusted Computing Group-compliant BIOS.

Note

Different versions of the Windows operating system have different methods to run a program or access a tool, so steps can vary. For example:

  • In Windows 8, one way to run the TPM MMC is: On the Start screen, type tpm.msc.

  • In Windows 8.1, one way to run the TPM MMC is: On the Start screen, click the Apps arrow. On the Apps screen, type tpm.msc.

To start the TPM Initialization Wizard

  1. Open the TPM Management console (tpm.msc). If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  2. On the Action menu, click Initialize TPM to start the TPM Initialization Wizard.

  3. If the TPM has never been initialized or is turned off, the TPM Initialization Wizard displays the Turn on the TPM security hardware dialog box. This dialog box provides guidance for initializing or turning on the TPM. Follow the instructions in the wizard.

Note

If the TPM is already turned on, the TPM Initialization Wizard displays the Create the TPM owner password dialog box. Skip the remainder of this procedure and continue with the To set ownership of the TPM procedure.

Note

If the TPM Initialization Wizard detects that you do not have a compatible BIOS, you cannot continue with the TPM Initialization Wizard, and you are alerted to consult the computer manufacturer's documentation for instructions to initialize the TPM.

  4. Click Restart.

  5. Follow the BIOS screen prompts. An acceptance prompt is displayed to ensure that a user has physical access to the computer and that no malicious software is attempting to turn on the TPM.

Note

BIOS screen prompts and the required keystrokes vary by computer manufacturer.

  6. After the computer restarts, sign in to the computer with the same administrative credentials that you used to start this procedure.

  7. The TPM Initialization Wizard automatically restarts. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  8. Continue with the next procedure to take ownership of the TPM.

To finish initializing the TPM for use, you must set an owner for the TPM. The process of taking ownership includes creating an owner password for the TPM.

To set ownership of the TPM

  1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure To start the TPM Initialization Wizard.

  2. In the Create the TPM owner password dialog box, click Automatically create the password (recommended).

  3. In the Save your TPM owner password dialog box, click Save the password.

  4. In the Save As dialog box, select a location to save the password, and then click Save. The password file is saved as computer_name.tpm.

Important

We highly recommend saving the TPM owner password to a removable storage device and storing it in a safe location.

  5. Click Print the password if you want to print a copy of your password.

Important

We highly recommend printing a copy of your TPM owner password and storing it in a safe location.

  6. Click Initialize.

Note

The process of initializing the TPM might take a few minutes to complete.

  7. Click Close.

Warning

Do not lose your password. If you do, you will be unable to make administrative changes unless you clear the TPM, which can result in data loss.

Troubleshoot TPM initialization

Managing the Trusted Platform Module (TPM) is usually a straightforward procedure. If you are unable to complete the initialization procedure, review the following information:

  • If the TPM is not detected by Windows, verify that your computer hardware contains a Trusted Computing Group-compliant BIOS. Ensure that no BIOS settings have been used to hide the TPM from the operating system.

  • If you are attempting to initialize the TPM as part of the BitLocker setup, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM is not present on the computer. If you have a non-Microsoft driver installed, remove it and then try to initialize the TPM. The following table lists the three standard TPM drivers that are provided by Microsoft.

Driver name                                    Manufacturer
Trusted Platform Module 1.2                    (Standard)
Broadcom Trusted Platform Module (A1), v1.2    Broadcom
Broadcom Trusted Platform Module (A2), v1.2    Broadcom

  • If the TPM has been previously initialized and you do not have the owner password, you may have to clear or reset the TPM to the factory default values. For more information, see Clear all the keys from the TPM.

Warning

Clearing the TPM can result in data loss. To avoid data loss, make sure that you have a backup or recovery method for any data that is protected or encrypted by the TPM.

Because your TPM security hardware is a physical part of your computer, you may want to read the manuals or instructions that came with your computer, or search the manufacturer's website.
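The two checks above (is a TPM visible to Windows, and which TPM driver is loaded) can be scripted from an elevated Windows PowerShell prompt. The following is an added example and is not part of the original topic; it uses the Win32_Tpm WMI class and Win32_PnPSignedDriver, which exist on Windows 8 and later, and only reads state, so it is safe to run before deciding whether to remove a driver or retry the wizard:

```powershell
# Added example (not from the original topic): read-only troubleshooting checks.
# 1) Does Windows see a TPM at all?  2) Which TPM driver is installed, and is it
#    one of the Microsoft-provided drivers listed in the table above?

# Win32_Tpm lives in its own WMI namespace; the query returns nothing when
# Windows does not detect a TPM (for example, when the BIOS hides it).
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue

if ($null -eq $tpm) {
    Write-Output 'No TPM detected by Windows. Verify a TCG-compliant BIOS and check BIOS settings that can hide the TPM.'
} else {
    Write-Output ("TPM detected: manufacturer id {0}, spec version {1}" -f $tpm.ManufacturerId, $tpm.SpecVersion)
    # The WMI methods report the TPM state as the operating system currently sees it.
    Write-Output ("  Enabled:   {0}" -f $tpm.IsEnabled().IsEnabled)
    Write-Output ("  Activated: {0}" -f $tpm.IsActivated().IsActivated)
    Write-Output ("  Owned:     {0}" -f $tpm.IsOwned().IsOwned)
}

# Enumerate signed drivers whose device name refers to the TPM and report the provider.
$drivers = Get-WmiObject -Class Win32_PnPSignedDriver |
    Where-Object { $_.DeviceName -like '*Trusted Platform Module*' }

if (-not $drivers) {
    Write-Output 'No TPM driver is installed.'
}

foreach ($d in $drivers) {
    # A non-Microsoft provider can keep the default driver from loading and make
    # BitLocker report that no TPM is present (see the bullet above).
    $note = if ($d.DriverProviderName -eq 'Microsoft') {
        'Microsoft-provided'
    } else {
        'non-Microsoft driver: remove it and then retry initialization'
    }
    Write-Output ("Driver: {0} (provider {1}, version {2}) -> {3}" -f `
        $d.DeviceName, $d.DriverProviderName, $d.DriverVersion, $note)
}
```

The driver match on the device name is an assumption for the example; on a system with a vendor driver the device name can differ, in which case widening the filter to `DeviceClass -eq 'SECURITYDEVICES'` lists every security device instead.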

Network connection

You cannot complete the initialization of the Trusted Platform Module (TPM) when your computer is disconnected from your organization's network if either of the following conditions exist:

  • An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through Group Policy.

  • A domain controller cannot be reached. This can occur on a computer that is currently disconnected from the network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter).

In either case, an error message appears, and you cannot complete the initialization process. To avoid this issue, initialize the TPM while you are connected to the corporate network and you can contact a domain controller.

Turn on or turn off the TPM

Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.

Turn on the TPM

If the TPM has been initialized but has never been used, or if you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM.

To turn on the TPM

  1. Open the TPM MMC (tpm.msc).

  2. In the Action pane, click Turn TPM On to display the Turn on the TPM Security Hardware page. Read the instructions on this page.

  3. Click Shutdown (or Restart), and then follow the BIOS screen prompts.

    After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software is not attempting to make changes to the TPM.

Turn off the TPM

If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. If you have the TPM owner password, physical access to the computer is not required to turn off the TPM. If you do not have the TPM owner password, you must have physical access to the computer to turn off the TPM.

To turn off the TPM

  1. Open the TPM MMC (tpm.msc).

  2. In the Action pane, click Turn TPM Off to display the Turn off the TPM Security Hardware page.

  3. In the Turn off the TPM security hardware dialog box, select a method to enter your owner password and turn off the TPM:

    • If you saved your TPM owner password on a removable storage device, insert it, and then click I have a backup file with the TPM owner password. In the Select backup file with the TPM owner password dialog box, click Browse to locate the .tpm file that is saved on your removable storage device, click Open, and then click Turn TPM Off.

    • If you do not have the removable storage device with your saved TPM owner password, click I want to type the TPM owner password. In the Type your TPM owner password dialog box, type your password (including hyphens), and then click Turn TPM Off.

    • If you do not know your TPM owner password, click I do not have the TPM owner password, and follow the instructions that are provided in the dialog box and subsequent BIOS screens to turn off the TPM without entering the password.

Clear all the keys from the TPM

Clearing the TPM resets it to an unowned state. After clearing the TPM, you need to complete the TPM initialization process before using software that relies on the TPM, such as BitLocker Drive Encryption.

Important

Clearing the TPM can result in data loss. To avoid data loss, make sure that you have a backup or recovery method for any data that is protected or encrypted by the TPM.

After the TPM is cleared, it is also turned off.

To temporarily suspend TPM operations, turn off the TPM instead of clearing it.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To clear the TPM

  1. Open the TPM MMC (tpm.msc).

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. Under Actions, click Clear TPM.

Warning

If the TPM is off, reinitialize it before clearing it.
Clearing the TPM resets it to factory defaults and turns it off. You will lose all created keys and data that is protected by those keys.

  4. In the Clear the TPM Security Hardware dialog box, select one of the following methods to enter your password and clear the TPM:

    • If you have the removable storage device with your saved TPM owner password, insert it, and click I have a backup file with the TPM owner password. In the Select backup file with the TPM owner password dialog box, use Browse to navigate to the .tpm file that is saved on your removable storage device. Click Open, and then click Clear TPM.

    • If you do not have the removable storage device with your saved password, click I want to type the TPM owner password. In the Type your TPM owner password dialog box, type your password (including hyphens), and click Clear TPM.

    • If you do not know your TPM owner password, click I don't have the TPM owner password, and follow the instructions that are provided to clear the TPM without entering the password.

Note

If you have physical access to the computer, you can clear the TPM and perform a limited number of management tasks without entering the TPM owner password.

The status of your TPM is displayed under Status in TPM MMC.

Use the TPM cmdlets

If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command:

dism /online /enable-feature /FeatureName:tpm-psh-cmdlets

For details about the individual cmdlets, see TPM Cmdlets in Windows PowerShell.
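As an added example (not part of the original topic or of the cmdlet documentation), the script below shows how the cmdlets installed by the command above can replace the wizard walk-through for the common case: inspect the TPM state with Get-Tpm, and only call Initialize-Tpm when the TPM is present, not locked out, and not already ready. The cmdlet and property names (TpmPresent, TpmReady, LockedOut, LockoutCount, LockoutMax, OwnerClearDisabled) are those of the TrustedPlatformModule module on Windows 8 and later; the decision logic and messages are this example's own. Clearing the TPM is destructive, so the script deliberately never calls Clear-Tpm:

```powershell
# Added example (not from the original topic): check TPM state with the TPM
# cmdlets and initialize only when that is the correct next step.
# Run from an elevated Windows PowerShell prompt after enabling the feature with
# the dism command above.

Import-Module TrustedPlatformModule   # module that provides Get-Tpm, Initialize-Tpm, Clear-Tpm, ...

$state = Get-Tpm   # one object describing presence, readiness, lockout and clear policy

if (-not $state.TpmPresent) {
    Write-Output 'No TPM is present: see the Troubleshoot TPM initialization section.'
    return
}

if ($state.LockedOut) {
    # The TPM rate-limits failed owner authorizations; retrying now only extends the lockout.
    Write-Output ("TPM is locked out ({0} of {1} failures); wait for the lockout to expire." -f `
        $state.LockoutCount, $state.LockoutMax)
    return
}

if ($state.TpmReady) {
    Write-Output 'TPM is initialized and owned; no action required.'
} else {
    # Initialize-Tpm is the cmdlet counterpart of the TPM Initialization Wizard.
    # -AllowPhysicalPresence permits the BIOS acceptance prompt described above,
    # so a restart may be needed before the TPM is usable.
    Write-Output 'TPM is not ready; requesting initialization.'
    $result = Initialize-Tpm -AllowPhysicalPresence
    Write-Output ("Restart required: {0}; physical presence required: {1}" -f `
        $result.RestartRequired, $result.PhysicalPresenceRequired)
}

# Report, but do not change, whether the owner has disabled clearing from software.
# Clearing destroys every key the TPM protects (see the warnings above).
Write-Output ("Owner has disabled software clear: {0}" -f $state.OwnerClearDisabled)
```

The result properties RestartRequired and PhysicalPresenceRequired are the fields Initialize-Tpm returns for the caller to act on; when either is true, the remainder of the procedure (restart, accept the BIOS prompt, then set the owner password) is the same as in the wizard steps above.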

Additional resources

For more information about the TPM, see the Additional Resources section in the Trusted Platform Module Technology Overview.