Modern operating system security features such as Secure Boot and BitLocker are designed to make use of a system’s TPM chip. TPM, or Trusted Platform Module, refers to a motherboard chip that is designed to generate cryptographic keys. TPM-related services can also be extended to virtual machines through the use of a virtual TPM. In most cases, the Windows operating system is able to utilize the underlying TPM without any significant effort on the part of the administrator. However, things can, and sometimes do, go wrong. Thankfully, Windows contains a set of PowerShell cmdlets and a helpful GUI console that you can use to diagnose and correct the problem.
One cmdlet that you need to be familiar with is Get-TPM. This cmdlet causes PowerShell to display basic information about the underlying TPM. You can see an example of this in Figure 1.
You can use the Get-TPM cmdlet to display information about the system’s TPM usage.
As you look at the figure above, you will notice that the TpmPresent field is returning a value of False. From the operating system’s perspective it means that Windows does not think that the system is equipped with a TPM chip. In reality, however, it is possible that the system has a TPM chip, but that the TPM is not enabled within the system’s UEFI setup. Figure 2 shows what types of information the Get-TPM cmdlet returns when the TPM is enabled.
PowerShell indicates that TPM is present, and returns some basic configuration information.
If the Get-TPM cmdlet shows that a TPM is indeed present, then the next thing that you should do is to enter the TPM.MSC command at the server’s Run prompt. This causes Windows to open the Trusted Platform Module Management Console, which you can see in Figure 3.
The TPM Management Console allows you to set up the TPM.
As you examine the console, there are a few things that you should be on the lookout for. Begin by checking the console’s Status section. Ideally, you should see a message like the one shown in the figure, indicating that the TPM is ready for use. If you discover that the TPM is not yet ready for use, then try clicking the Prepare the TPM link. If the TPM is healthy, then this link is usually grayed out. However, the link may be available if Windows thinks that the TPM needs to be initialized. You also can initialize the TPM through PowerShell by using the Initialize-TPM cmdlet.
Incidentally, you should be vary careful about preparing, clearing or resetting the TPM. Each of these actions has the potential to erase the cryptographic keys contained within the TPM, which in turn can cause you to lose access to data that has been encrypted using those keys.
The next thing that I recommend checking is the Specification Version. You can find the Specification Version in the console’s TPM Manufacturer Information section. The current TPM version is 2.0. If the Specification Version is 1.2, then you may need to flash your hardware to bring it up to date. Before doing so, however, it is critically important to disable BitLocker and any other security features that depend on TPM.
If your TPM seems to be healthy, but you are still having trouble making it work with a particular security feature, then you can use PowerShell to verify your TPM key attestation. Unfortunately, not all TPMs are created equally, so it can sometimes be helpful to verify your TPM’s capabilities. The easiest way to do this is to simply enter the Get-TPMSupportedFeature cmdlet into PowerShell. Upon doing so, PowerShell will list the supported features, as shown in Figure 4.
It’s a good idea to verify that your TPM supports key attestation.
As you search for the source of your TPM problems, it is a good idea to check to make sure that the TPM has not been locked out due to unsuccessful authentication attempts. If you look back at Figure 2, you will notice that there is an item on the list called LockedOut. If LockedOut is displaying a value of True, then the TPM is locked. To unlock the TPM, you will need to use PowerShell’s Unblock-TPM cmdlet. Typically you will also have to use the OwnerAuthorization switch to specify the owner authorization value. You can find the documentation for this cmdlet here.