Best Practices for Trusted Platform Module Management

Updated: June 16, 2006

The following best practices are recommended for managing a Trusted Platform Module (TPM) in an enterprise environment.

The information in this paper applies to the Windows Vista and Windows 7 operating systems.


What to Look for When Purchasing TPM Systems

A platform that includes a TPM and has passed either the Windows 7 Logo Program testing in the Business or Consumer category or the Windows Vista Logo Program testing in the Business category. Windows XP Logo Program testing does not exercise TPM functionality, so that test should not be relied on for assessing whether the TPM on a platform works properly with Windows. To check the logo program testing results, go to http://winqual.microsoft.com/HCL/ and search for your system. To verify that a Windows Vista system was tested in the Business category, open its Windows Logo Verification Report and ensure that the Subcategory says (Business) or (Business and Consumer) in parentheses.

A TPM that complies with Trusted Computing Group's TPM 1.2 specifications.

A TPM that is physically secured to the system board.

A TPM that comes from the original equipment manufacturer (OEM) with an endorsement key.

A platform that supports direct user input (not automated) to prove physical presence when committing important changes to the TPM.


TPM BIOS Settings

Some BIOSes have the ability to hide the TPM completely from the operating system (OS). To use the TPM, be sure to make the TPM visible to the OS.

Some BIOSes have options that skip placing certain measurements in the TPM. Configure BIOS options to record all measurements available in the TPM.

Some BIOSes permit blocking the OS from performing certain physical presence commands like clearing the TPM. Be sure the options are configured appropriately for your enterprise.


Initializing the TPM

Ensure that initializing the TPM is done by a member of the administrators group.

Initialize the TPM before deploying the platform to end users, when possible.

To deploy a few computers with TPMs at a time, use the TPM Initialization Wizard (http://technet.microsoft.com/en-us/library/cc749022.aspx).

To deploy several platforms at a time or to remotely manage the platform, use scripts that call Windows Management Instrumentation (WMI) methods included in the Win32_Tpm class (http://msdn.microsoft.com/en-us/library/aa376484(VS.85).aspx).
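The readiness check that precedes a scripted initialization, as an added example in Windows PowerShell (not a script from the original article or from Microsoft). It assumes the documented Win32_Tpm class in the root\CIMV2\Security\MicrosoftTpm namespace, that the account running it is a member of the administrators group on each target, and that the computer names are constructed placeholders. It reports which platforms expose a TPM that is enabled, activated, and not yet owned, which is the state an ownership script should require before calling TakeOwnership.

```powershell
# Added example, not part of the original article: inventory TPM state over WMI
# before initialization. Computer names are constructed placeholders.
$computers = @('WKS-0001', 'WKS-0002')   # assumption: reachable; caller holds admin rights

function Get-TpmStatus {
    param([string]$ComputerName)
    try {
        # Win32_Tpm is exposed in this namespace; the query needs administrator rights.
        $tpm = Get-WmiObject -ComputerName $ComputerName `
            -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction Stop
    } catch {
        return New-Object PSObject -Property @{
            Computer = $ComputerName; Present = $false; Error = $_.Exception.Message
        }
    }
    if ($null -eq $tpm) {
        # No instance: the BIOS hides the TPM from the OS, or the platform has none.
        return New-Object PSObject -Property @{
            Computer = $ComputerName; Present = $false
            Error    = 'No Win32_Tpm instance (TPM hidden in BIOS or absent)'
        }
    }
    # Each Is* method returns an object whose boolean property carries the answer.
    New-Object PSObject -Property @{
        Computer       = $ComputerName
        Present        = $true
        Enabled        = $tpm.IsEnabled().IsEnabled
        Activated      = $tpm.IsActivated().IsActivated
        Owned          = $tpm.IsOwned().IsOwned
        SpecVersion    = $tpm.SpecVersion      # expect a 1.2 TPM per the purchasing guidance
        ManufacturerId = $tpm.ManufacturerId
        Error          = $null
    }
}

$report = $computers | ForEach-Object { Get-TpmStatus -ComputerName $_ }
$report | Format-Table Computer, Present, Enabled, Activated, Owned, SpecVersion, Error -AutoSize

# Only platforms that are present, enabled, activated and unowned are candidates for
# TakeOwnership; anything else needs a BIOS or physical-presence step first.
$ready = $report | Where-Object { $_.Present -and $_.Enabled -and $_.Activated -and -not $_.Owned }
$ready | ForEach-Object { "$($_.Computer): ready for TakeOwnership" }
```

A TPM that shows Present but not Enabled or Activated cannot be fixed from this script alone: enabling and activating go through the physical-presence path (SetPhysicalPresenceRequest followed by a reboot and a user confirmation), which is the direct user input the purchasing guidance above asks for.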


Taking Ownership of the TPM

Ensure that the TPM owner is the domain administrator, local administrator, or a separate privileged account. (The TPM owner is someone or something that knows the TPM owner authorization data.)

Ensure that the TPM owner is the owner of the actual platform, either financially or physically.

Set up and configure Group Policy in Active Directory to require storing TPM recovery information (such as TPM owner authorization data) in Active Directory.

Use the TPM Initialization Wizard, if deploying a few computers with TPMs at a time.

Use scripts that call WMI, if deploying several platforms at a time or remotely managing the platform.

If using a third-party tool, ensure that the storage root key (SRK) authorization is set to zero.

Use unique values for TPM owner authorization data on all machines in the enterprise.

If using the TPM Initialization Wizard, choose the option to randomly generate the TPM owner password instead of specifying one manually. (This helps mitigate dictionary attacks.)

Never give out the TPM owner authorization data or TPM owner password. The TPM owner password or TPM owner authorization data might be used to reset the TPM anti-hammering logic, making brute force attacks against TPM authorization values easier.


Changing the TPM Owner Password or TPM Owner Authorization Data

Use the TPM Management console MMC snap-in to change the TPM owner password, if changing only a few computers at a time.

If changing several platforms at a time, use WMI methods contained in the Win32_Tpm class.

If group policy was configured to store the TPM owner authorization data in Active Directory, keep this policy set so that the information in Active Directory remains synchronized.

When changing owner authorization, back up any encrypted data or escrow keys as necessary. If keys can be moved, move them to a safe storage area until after the operation succeeds. Then, resynchronize the new authorization value with Active Directory.
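The scripted owner-authorization change described in this section, with the ordering the text requires (backup first, then the change), as an added Windows PowerShell example that is not part of the original article or of Microsoft's tooling. It also applies the earlier advice to generate the new owner password randomly rather than choose it by hand. It assumes the documented Win32_Tpm methods ConvertToOwnerAuth and ChangeOwnerAuth, the root\CIMV2\Security\MicrosoftTpm namespace, administrator rights on the target, and constructed placeholder values for the computer name and the current passphrase; the -BackupConfirmed switch is a gate invented here so that the change cannot run before the backup step.

```powershell
# Added example, not from the original article. Placeholders only; never hard-code
# real owner passphrases. Run as a member of the local Administrators group.

function New-RandomPassphrase {
    # Cryptographically random passphrase, base64-encoded so it is printable for escrow.
    param([int]$ByteLength = 32)
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $ByteLength
    $rng.GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Update-TpmOwnerAuth {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$OldPassphrase,
        [Parameter(Mandatory = $true)][string]$NewPassphrase,
        [switch]$BackupConfirmed   # hypothetical gate: set only after keys/data are backed up
    )
    if (-not $BackupConfirmed) {
        throw 'Back up or move encrypted data and escrow keys first, then rerun with -BackupConfirmed.'
    }
    $tpm = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction Stop
    if (-not $tpm.IsOwned().IsOwned) {
        throw "${ComputerName}: TPM is not owned; there is no owner authorization to change."
    }

    # ConvertToOwnerAuth derives the owner authorization value (base64) from a passphrase;
    # ChangeOwnerAuth wants the derived values, not the passphrases themselves.
    $old = $tpm.ConvertToOwnerAuth($OldPassphrase)
    if ($old.ReturnValue -ne 0) { throw ('ConvertToOwnerAuth(old) failed: 0x{0:X8}' -f $old.ReturnValue) }
    $new = $tpm.ConvertToOwnerAuth($NewPassphrase)
    if ($new.ReturnValue -ne 0) { throw ('ConvertToOwnerAuth(new) failed: 0x{0:X8}' -f $new.ReturnValue) }

    $result = $tpm.ChangeOwnerAuth($old.OwnerAuth, $new.OwnerAuth)
    if ($result.ReturnValue -ne 0) {
        # A non-zero HRESULT means the old authorization is still in force; do not record the new one.
        throw ('ChangeOwnerAuth failed: 0x{0:X8}' -f $result.ReturnValue)
    }
    return $true
}

# Usage with constructed placeholders. The new passphrase is generated, not typed, and is
# returned to the caller so it can be escrowed; it is never written to the platform's local disk.
$newPassphrase = New-RandomPassphrase
if (Update-TpmOwnerAuth -ComputerName 'WKS-0001' -OldPassphrase 'OLD-PLACEHOLDER' `
        -NewPassphrase $newPassphrase -BackupConfirmed) {
    'Owner authorization changed; escrow the new passphrase and verify the Active Directory record.'
}
```

Keep the Group Policy that stores TPM owner information in Active Directory enabled while this runs, as the section says, and confirm afterwards that the directory record reflects the new value; the script deliberately reports success only when ChangeOwnerAuth returns 0, because on any other return the old authorization remains valid and the generated passphrase must be discarded rather than escrowed.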


Using the TPM

If a lower-privileged user must perform operations on the TPM that require owner authorization, the preferred solution is software that can set up and use delegation rights for that user.

Only members of the administrators group and certain special system accounts should be able to access the TPM Base Services (TBS) interface.

Do not store key authorization data or owner authorization data on the platform's local storage media.

Keep privacy-sensitive, deprecated, and deleted TPM commands blocked from executing on the platform (the default settings).


Decommissioning the TPM

When decommissioning a TPM platform, recover or back up any encrypted data and keys before performing any other decommissioning steps.

Clear the TPM to invalidate the owner authorization data and the SRK.
