Trusted Platform Module configuration

3.2 Trusted Platform Module configuration

Use of VSCs requires the device to have a hardware Trusted Platform Module that complies with TPM specification 1.2 or 2.0 and has been initialized, configured and is ready for use.

Differences may exist between vendor implementations of the TPM specification – you are recommended to check the devices to be used when planning a large deployment of VSCs. Refer also to the device vendor’s own instructions for managing TPMs.

3.2.1 Preparing the TPM for use

While a TPM is found in many modern devices, it may not be provided in an enabled state that is ready for use. Further information on initializing and preparing a TPM for use with VSCs can be found in the Microsoft TechNet article Windows Trusted Platform Module Management Step-by-Step Guide:

technet.microsoft.com/en-us/library/cc749022(v=ws.10).aspx

For issuance of a VSC to occur, MyID will require that the TPM is Ready – specifically reporting:

IsReady: True
IsEnabled: True
IsOwned: True

This information can be retrieved by running the MyID TPM Interrogator Utility, which is available with the MyID release. See the associated documentation for more information on how to use the utility.

The utility provided can also return some further information that is useful for troubleshooting problems issuing VSCs – see section 7.1, Troubleshooting.

Note: Re-imaging a device, including re-installation of the operating system, may affect the TPM status, resulting in it requiring initialization again.

Some software solutions may also affect the status of the TPM; for example, Microsoft BitLocker Administration and Monitoring functionality will escrow the OwnerAuth password for the TPM, causing the TPM to report IsReady as False.

3.2.1.1 Reduced functionality

Under some circumstances, the TPM may display a message similar to:

The TPM is ready for use, with reduced functionality.

This may occur when the TPM password is no longer known to the client PC. You must make sure that the password is stored somewhere else; for example Active Directory or BitLocker.

In this case, the status (as displayed by the TPMInterrogator utility – see section 7.1.1, Checking the status of the TPM) shows IsReady to be false; however, it is possible that the TPM is actually available for use, and is in the "reduced functionality" state – run tpm.msc to confirm.

You can configure MyID to issue VSCs when the TPM status is "reduced functionality".

To allow MyID to issue VSCs to TPMs with this status:

From the Configuration category, select Operation Settings.
Select the Devices tab.
Set the following option:
- Allow virtual smart card creation with TPM reduced functionality – set to Yes.
Click Save changes.

Note: This setting is global. Any TPM that has a status of "ready" or is in a state of "reduced functionality" will be available to hold a VSC. Also, some TPMs may report different status information; these TPMs will still be unable to be issued VSCs.

If you experience any problems issuing VSCs to TPMs with reduced functionality, contact customer support quoting reference SUP-269.

3.2.2 Managing the TPM anti-hammering mechanism

The TPM anti-hammering mechanism provides extra security by limiting the number of PIN attempts that can be made when repeated failures occur. However, some TPMs do not reset this count following successful authentication. This can lead to the TPM block being activated in situations when a dictionary attack is not taking place – for example one or two incorrect PIN entries only.

Additional tools can be used to reset this following successful authentication to Windows, typically using a PowerShell script that sends a command to the TPM.

Windows has introduced further configuration settings for managing when TPM lockout occurs – see the Microsoft TechNet article Trusted Platform Module Services Group Policy Settings at:

technet.microsoft.com/en-us/library/jj679889.aspx

TPM 2.0 has well-defined dictionary attack logic behavior. This contrasts with TPM 1.2, for which the dictionary attack logic was set by the manufacturer, and the logic varied widely throughout the industry.

Key changes in TPM 2.0:

Default of 32 failed attempts before anti hammering is hit.
Every two hours the system is running, the number of failed attempts is reduced by one. This means that after 64 hours the TPM will not remember any of the previous failed attempts.
If the lockout is hit, this will last for two hours, then the user will have one attempt before lockout is hit again.
The lockout can still be reset manually by sending a reset lockout command to the TPM.

Note: The ability to reset the lockout counter using the Rest TPM Lockout option in tpm.msc has been removed from Microsoft Windows 10 Build 1607.

The following will be configurable through the group policy:

Attempts before anti hammering is hit for all users and specific users.

For more information, see the How the TPM mitigates dictionary attacks section in the Microsoft TechNet article TPM Fundamentals at:

technet.microsoft.com/en-us/library/ff2bb100-f5c8-4270-a069-603c18df132f#BKMK_HowTPMmitigates

Note: If the password used for the anti-hammering mechanism is missing (because it is being stored elsewhere by some other software – for example, Active Directory or BitLocker) then the TPM may report that it is in "reduced functionality" mode; see above for details.

3.2.3 TPM Capacity

The number of VSCs that may be associated with a TPM may be different depending on the TPM in use. For example, errors may be generated by the TPM if you attempt to create more than ten VSCs on a single device. If you plan to share devices between multiple people, you are recommended to test that the maximum number of VSCs required can be supported by the TPM within your devices.