Best Practices for Trusted Platform Module Management

Updated: May 15, 2006

The following best practices are recommended for managing a Trusted Platform Module (TPM) in an enterprise environment.

The information in this paper applies to the Microsoft Windows Vista operating system.


What to Look for When Purchasing TPM Systems

A platform that has the Windows Premium Logo.

A TPM that complies with Trusted Computing Group v1.2 specifications.

A TPM that is physically secured to the system board.

A TPM that comes from the original equipment manufacturer (OEM) with an endorsement key.

A platform that supports direct user input (not automated) to prove physical presence when committing important changes to the TPM.


Initializing the TPM

Ensure that the TPM is initialized by a member of the Administrators group.

Initialize the TPM before deploying the platform to end users, when possible.

Use the TPM Initialization Wizard if deploying only a few TPM-equipped computers at a time.

Use VBScripts that call Windows Management Instrumentation (WMI) if deploying many platforms at a time or managing platforms remotely.


Taking Ownership of the TPM

Ensure that the TPM owner is the domain administrator, local administrator, or a separate privileged account. (The TPM owner is someone or something that knows the TPM owner authorization data.)

Ensure that the TPM owner is the owner of the actual platform, either financially or physically.

Ensure that a member of the administrators group takes ownership of the TPM.

Set up and configure Group Policy in Microsoft Active Directory to require storing TPM recovery information (such as TPM owner authorization data) in Active Directory.

Use the TPM Initialization Wizard if deploying only a few TPM-equipped computers at a time.

Use VBScripts that call WMI if deploying many platforms at a time or managing platforms remotely.

If using a third-party tool, ensure that the storage root key (SRK) authorization is set to zero.

Use unique values for TPM owner authorization data on all machines in the enterprise.

If using the TPM Initialization Wizard, choose the option to randomly generate the TPM owner password instead of specifying one manually. (This helps mitigate dictionary attacks.)

Store the TPM owner authorization data in Active Directory.

When changing owner authorization, back up any encrypted data or escrow keys as necessary. If keys are migratable, move them to a safe storage area until after the operation succeeds. Then, resynchronize the new authorization value with Active Directory.

Never give out the TPM owner authorization data or TPM owner password.

Ensure that a lower-privilege user does not have the TPM owner authorization data.
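The initialization checks and the ownership step above, scripted against the Win32_Tpm WMI class in the root\cimv2\Security\MicrosoftTpm namespace. This is an added example, not Microsoft's own script: the page recommends VBScript against WMI, and the same Win32_Tpm method calls (IsEnabled, IsActivated, IsOwned, IsSrkAuthCompatible, TakeOwnership) are used here from PowerShell. The 20 random bytes produced locally are an assumption standing in for the wizard's "generate randomly" option, and escrow of the value to Active Directory is left to the Group Policy the text describes; the script only emits the value for the caller to escrow.

```powershell
# Added example: report TPM state and take ownership through Win32_Tpm.
# Run as a member of the Administrators group, locally or against a remote host.
param(
    [string]$ComputerName = '.',
    [switch]$TakeOwnership
)

$TpmNamespace = 'root\cimv2\Security\MicrosoftTpm'

function Get-Tpm {
    param([string]$Computer)
    # Win32_Tpm is a singleton (one instance per platform). PacketPrivacy encrypts the DCOM
    # channel so that an authorization value sent to a remote host is not in clear text.
    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm -ComputerName $Computer -Authentication PacketPrivacy
    if ($null -eq $tpm) { throw "No Win32_Tpm instance on $Computer (no TPM, or the TPM is hidden by firmware)" }
    return $tpm
}

function Assert-TpmResult {
    param($Result, [string]$Operation)
    # Every Win32_Tpm method returns ReturnValue as an HRESULT; 0 means success.
    if ($Result.ReturnValue -ne 0) {
        throw ('{0} failed, HRESULT 0x{1:X8}' -f $Operation, $Result.ReturnValue)
    }
    return $Result
}

function Get-TpmState {
    param($Tpm)
    # Enabled and Activated are firmware states that need physical presence to change;
    # Owned is what TakeOwnership sets.
    New-Object PSObject -Property @{
        SpecVersion  = $Tpm.SpecVersion
        Manufacturer = $Tpm.ManufacturerId
        Enabled      = (Assert-TpmResult ($Tpm.IsEnabled())   'IsEnabled').IsEnabled
        Activated    = (Assert-TpmResult ($Tpm.IsActivated()) 'IsActivated').IsActivated
        Owned        = (Assert-TpmResult ($Tpm.IsOwned())     'IsOwned').IsOwned
    }
}

function New-TpmOwnerAuth {
    # A TPM authorization value is 20 bytes; Win32_Tpm takes it base64-encoded.
    # CSPRNG output stands in for the wizard's random option (assumption): there is no
    # human-chosen password for a dictionary attack to guess.
    $bytes = New-Object byte[] 20
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Invoke-TpmTakeOwnership {
    param($Tpm, [string]$OwnerAuth)
    $state = Get-TpmState $Tpm
    if (-not ($state.Enabled -and $state.Activated)) {
        throw 'TPM is not enabled and activated; that step needs physical presence at the firmware'
    }
    if ($state.Owned) { throw 'TPM already has an owner; use ChangeOwnerAuth or Clear, not TakeOwnership' }
    Assert-TpmResult ($Tpm.TakeOwnership($OwnerAuth)) 'TakeOwnership' | Out-Null
    if (-not (Get-TpmState $Tpm).Owned) { throw 'TakeOwnership returned success but the TPM reports no owner' }
    # The text asks for SRK authorization set to zero; IsSrkAuthCompatible reports whether the
    # SRK uses that well-known value (relevant when a third-party tool took ownership).
    $srkOk = (Assert-TpmResult ($Tpm.IsSrkAuthCompatible()) 'IsSrkAuthCompatible').IsSrkAuthCompatible
    if (-not $srkOk) { Write-Warning 'SRK authorization is not the well-known zero value; applications using TBS will not be able to use the SRK' }
}

$tpm = Get-Tpm $ComputerName
Get-TpmState $tpm | Format-List
if ($TakeOwnership) {
    $ownerAuth = New-TpmOwnerAuth
    Invoke-TpmTakeOwnership $tpm $ownerAuth
    # The value exists only in this process. Hand it to escrow (the AD backup policy from the
    # text, or an offline secrets store) via the pipeline; do not log it or write it to local disk.
    Write-Warning "Ownership taken on $ComputerName; escrow the emitted owner authorization value now"
    Write-Output $ownerAuth
}
```

Run without -TakeOwnership to get a state report only, which is the pre-deployment check; with -TakeOwnership the script refuses to proceed unless the TPM is enabled, activated and unowned, so an operator cannot accidentally run it against a platform that was never initialized at the firmware.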


Changing the TPM Owner Password or TPM Owner Authorization Data

Use the TPM Management console MMC snap-in to change the TPM owner password if changing only a few at a time.

Use VBScripts that call WMI if changing many platforms at a time.

If Group Policy was configured to store TPM recovery information (for example, TPM owner authorization data) in Active Directory, keep this policy set so that the information in Active Directory remains synchronized.

When changing owner authorization, back up any encrypted data or escrow keys as necessary. If keys are migratable, move them to a safe storage area until after the operation succeeds.


Using the TPM

Use only applications built on Trusted Software Stacks that comply with the TCG 1.2 specification and have been ported to work with TPM Base Services (TBS).

If a lower-privilege user must perform operations on the TPM that require owner authorization, the preferred solution is software that can set up and use TPM delegation rights for that user, rather than sharing the owner authorization data.

Only members of the administrators group and certain special system accounts should be able to access the TBS interface.

Do not store key authorization data or owner authorization data on the platform's local storage media.

Keep privacy-sensitive, deprecated, and deleted TPM commands blocked from executing on the platform (the default settings).


Decommissioning the TPM

When decommissioning a TPM platform, recover or back up any encrypted data and keys before performing any other decommissioning steps.

Clear the TPM to invalidate the owner authorization data and the SRK.

If secure startup protection was on, then the platform can be repurposed after the TPM has been cleared successfully.

If secure startup protection was off, wipe the hard drives to clear any sensitive information that may be on them.
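The two owner-authorized operations from the sections above, rotating the owner authorization data and clearing the TPM at decommissioning, scripted against Win32_Tpm. This is an added example, not Microsoft's script; the page recommends VBScript for the same WMI calls. Method names (IsOwned, ChangeOwnerAuth, IsOwnerClearDisabled, Clear) are those of the Win32_Tpm provider; the -DataBackedUp switch and the locally generated replacement value are assumptions of this example, and re-escrow to Active Directory is left to the Group Policy the text keeps in place.

```powershell
# Added example: rotate the TPM owner authorization value, or clear the TPM when
# decommissioning. Authorization values are base64-encoded 20-byte strings.
param(
    [Parameter(Mandatory = $true)][ValidateSet('ChangeOwnerAuth', 'Clear')]
    [string]$Action,
    [Parameter(Mandatory = $true)][string]$CurrentOwnerAuth,  # supply from escrow, never from local disk
    [string]$ComputerName = '.',
    [switch]$DataBackedUp   # operator attests encrypted data and escrowed/migratable keys are saved
)

$TpmNamespace = 'root\cimv2\Security\MicrosoftTpm'

function Get-Tpm {
    param([string]$Computer)
    # PacketPrivacy encrypts the DCOM channel carrying the authorization values.
    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm -ComputerName $Computer -Authentication PacketPrivacy
    if ($null -eq $tpm) { throw "No Win32_Tpm instance on $Computer" }
    return $tpm
}

function Assert-TpmResult {
    param($Result, [string]$Operation)
    # ReturnValue is an HRESULT; 0 means success.
    if ($Result.ReturnValue -ne 0) {
        throw ('{0} failed, HRESULT 0x{1:X8}' -f $Operation, $Result.ReturnValue)
    }
    return $Result
}

function New-TpmOwnerAuth {
    # 20 CSPRNG bytes, base64-encoded: a fresh, unguessable replacement value.
    $bytes = New-Object byte[] 20
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Invoke-TpmChangeOwnerAuth {
    param($Tpm, [string]$OldAuth, [string]$NewAuth)
    # One attempt only: a wrong OldAuth counts against the TPM's dictionary-attack defence,
    # and retrying in a loop can lock the owner out for a long time.
    Assert-TpmResult ($Tpm.ChangeOwnerAuth($OldAuth, $NewAuth)) 'ChangeOwnerAuth' | Out-Null
}

function Invoke-TpmClear {
    param($Tpm, [string]$OwnerAuth)
    $disabled = (Assert-TpmResult ($Tpm.IsOwnerClearDisabled()) 'IsOwnerClearDisabled').IsOwnerClearDisabled
    if ($disabled) { throw 'Owner-authorized clear is disabled on this TPM; clear it with physical presence at the firmware instead' }
    # Clear invalidates the owner authorization data and the SRK, so every key stored under
    # the SRK becomes unusable: this is the point of no return.
    Assert-TpmResult ($Tpm.Clear($OwnerAuth)) 'Clear' | Out-Null
    $owned = (Assert-TpmResult ($Tpm.IsOwned()) 'IsOwned').IsOwned
    if ($owned) { Write-Warning 'TPM still reports an owner; the cleared state may only be visible after a restart' }
}

if (-not $DataBackedUp) {
    throw 'Back up encrypted data and escrow or migrate keys first, then rerun with -DataBackedUp'
}
$tpm = Get-Tpm $ComputerName
if (-not (Assert-TpmResult ($tpm.IsOwned()) 'IsOwned').IsOwned) {
    throw "TPM on $ComputerName has no owner; nothing to rotate or clear"
}

switch ($Action) {
    'ChangeOwnerAuth' {
        $newAuth = New-TpmOwnerAuth
        Invoke-TpmChangeOwnerAuth $tpm $CurrentOwnerAuth $newAuth
        # With the AD backup policy set, the provider re-escrows the new value itself; emit it
        # for any out-of-band escrow too, and retire the old value everywhere it was held.
        Write-Warning "Owner authorization rotated on $ComputerName; update escrow now"
        Write-Output $newAuth
    }
    'Clear' {
        Invoke-TpmClear $tpm $CurrentOwnerAuth
        Write-Warning "TPM on $ComputerName cleared; it returns to the unowned, disabled state and needs physical presence to enable and activate before the platform is reused"
    }
}
```

Both actions are gated on the -DataBackedUp attestation because, as the text says, a lost owner authorization value or a cleared SRK makes every key under the SRK unrecoverable; the rotation path makes exactly one ChangeOwnerAuth attempt so that a mis-escrowed old value surfaces as a single failure rather than as a TPM lockout.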
