
TPM lockout authorization - inaccurate description and misleading terminology

Open wmjdgla opened this issue 2 years ago • 0 comments

Starting with Windows 10, version 1607, or Windows 11, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.

On Windows 10 20H2 and Windows 11 with TPM 2.0, I found that the TPM's ownerAuth and endorsementAuth are both just a 0-byte sequence. Authorization for the SRK (Storage Root Key) is also a 0-byte sequence.

lockoutAuth is stored as a 20-byte sequence encoded in base64 format in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin\OwnerAuthFull, and this agrees with the statement in the "Important" section:

For Windows 10 versions newer than 1703 the default value for this key is 5. For TPM 2.0, a value of 5 means keep the lockout authorization.

I can confirm that the above values are correct as I am able to use them to successfully change the authorization values to my own ones. So none of the authorization values here are unknown and/or discarded.

In addition, the page talks about "owner password", giving the impression that it's referring to ownerAuth. However, it goes on to state:

The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, ... The TPM owner password also allows manipulation of the TPM dictionary attack logic.

Clearing the TPM and manipulating the TPM dictionary attack logic requires lockoutAuth, not ownerAuth (as per TPM Library Spec).



wmjdgla, Dec 15 '21 10:12
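For an administrator who wants to verify on their own machine what the issue above reports, the following PowerShell audit is an added example; it is not part of the issue or of the Microsoft documentation it discusses. It reads the OwnerAuthFull value under the registry path named in the issue, base64-decodes it, and reports only the decoded byte length (never the secret itself), alongside the lockout-related properties that the built-in Get-Tpm cmdlet exposes. The function name Get-RetainedLockoutAuth and the 20-byte comparison are this example's own; the 20-byte figure is simply what the issue observed and may differ on other systems.

```powershell
# Added example (not from the issue or from windows-itpro-docs):
# audit whether a lockout authorization value is retained on disk and
# how the TPM's dictionary-attack state looks right now.
# Run from an elevated prompt: HKLM\SYSTEM\...\TPM\WMI\Admin is not
# readable by standard users, and Get-Tpm also requires administrator rights.

$AdminKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin'   # path taken from the issue

function Get-RetainedLockoutAuth {
    # Hypothetical helper name chosen for this example.
    $item = Get-ItemProperty -Path $AdminKey -Name 'OwnerAuthFull' -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Present = $false; ByteLength = 0; Is20Bytes = $false }
    }

    try {
        # The issue reports the value as base64 text; decode it to measure it.
        $bytes = [Convert]::FromBase64String([string]$item.OwnerAuthFull)
    } catch {
        Write-Warning 'OwnerAuthFull is present but is not valid base64.'
        return [pscustomobject]@{ Present = $true; ByteLength = -1; Is20Bytes = $false }
    }

    # Deliberately report the length only, so the secret never lands in a transcript or log.
    [pscustomobject]@{
        Present    = $true
        ByteLength = $bytes.Length
        Is20Bytes  = ($bytes.Length -eq 20)   # 20 bytes is what the issue observed on 20H2 / Windows 11
    }
}

function Get-TpmLockoutState {
    # Get-Tpm ships with Windows (TrustedPlatformModule module); these property
    # names are the cmdlet's own. ManagedAuthLevel shows which authorization
    # level the OS says it keeps, LockoutCount/LockoutMax show the dictionary-attack counters.
    $tpm = Get-Tpm
    [pscustomobject]@{
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        ManagedAuthLevel = $tpm.ManagedAuthLevel
        LockedOut        = $tpm.LockedOut
        LockoutCount     = $tpm.LockoutCount
        LockoutMax       = $tpm.LockoutMax
    }
}

$auth  = Get-RetainedLockoutAuth
$state = Get-TpmLockoutState

'--- Retained lockout authorization (OwnerAuthFull) ---'
$auth | Format-List
'--- TPM dictionary-attack state (Get-Tpm) ---'
$state | Format-List

if ($auth.Present -and -not $auth.Is20Bytes) {
    Write-Warning "OwnerAuthFull decodes to $($auth.ByteLength) bytes, not the 20 bytes described in the issue; the stored format may differ on this build."
}
```

The useful takeaway for a defender is the pairing of the two outputs: if OwnerAuthFull is present and Get-Tpm reports a ManagedAuthLevel of Full, then the value the TPM library calls lockoutAuth is retained on this system and is readable by anyone who can read HKLM\SYSTEM, which is the point the issue makes about the documentation's "discarded" wording. Protecting that registry hive (and any backups of it) therefore matters as much as the TPM's own dictionary-attack logic.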