TPM Key and How to Back It Up in Windows 11

What will happen if you lose the TPM key? Here’s how to back up the TPM key on Windows 11.

A Trusted Platform Module (TPM) is a microprocessor designed to perform basic security operations, especially operations involving cryptographic keys. The TPM sits on the computer’s motherboard and is connected to the rest of the system over a hardware bus.

A TPM-enabled computer can generate a cryptographic key and encrypt it so that it can only be decrypted by the TPM. This method, also known as wrapping or binding a key, helps protect the key from disclosure.

Each TPM chip has an RSA key pair known as the Endorsement Key (EK). The pair is stored inside the chip and is not accessible to software. When a user or administrator takes ownership of the system, a Storage Root Key (SRK) is created. The TPM generates this key pair from the EK and the password that the owner specifies.


The private part of the Storage Root Key, or of a TPM-generated attestation key, is never disclosed to any other component, program, process, user, or device.

Because it is a hardware-based module, malware cannot change it through standard software methods. As a result, the TPM chip becomes a hardware-based “root-of-trust” that the operating system can always rely on.
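The point above, that software only ever sees the public half of TPM-resident keys, can be checked from an elevated PowerShell session with the built-in TrustedPlatformModule cmdlets. This is an added example, not code from the original article; it assumes a Windows machine with a provisioned TPM and that the session runs as an administrator.

```powershell
# Added example: inspect TPM state and the Endorsement Key from Windows.
# Assumes an elevated PowerShell session on a machine with a provisioned TPM.

$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { throw "No TPM detected on this machine." }

# Basic state: present, ready (owned and provisioned), and whether a lockout is active.
$tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, TpmOwned, LockedOut, AutoProvisioning

# The Endorsement Key: the cmdlet returns the public half and the manufacturer's
# EK certificate chain. The private half never leaves the chip, and no cmdlet exports it.
$ek = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256
"EK present          : $($ek.IsPresent)"
"EK public key hash  : $($ek.PublicKeyHash)"
"Manufacturer certs  : $($ek.ManufacturerCertificates.Count)"

# Only the public parameters can be exported ($false = exclude private parameters).
if ($ek.PublicKey -is [System.Security.Cryptography.RSA]) {
    $params = $ek.PublicKey.ExportParameters($false)
    "EK modulus bits     : $($params.Modulus.Length * 8)"
    "EK private exponent : $(if ($null -eq $params.D) { 'not available to software' } else { 'UNEXPECTED' })"
}

# The EK certificate ties this public key to the chip's manufacturer; it is what a
# remote attestation service checks before trusting quotes from this TPM.
$ek.ManufacturerCertificates | ForEach-Object {
    "EK cert subject     : $($_.Subject)  (expires $($_.NotAfter.ToShortDateString()))"
}
```

If `TpmReady` is false the TPM has not been provisioned yet, and `Get-TpmEndorsementKeyInfo` may report no manufacturer certificates on some firmware TPMs; that does not mean the EK is missing, only that the certificate was not pre-installed.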

Advantages of TPM

  • Create, store, and limit the use of cryptographic keys.
  • Record platform measurements that reveal configuration changes, to ensure platform integrity.
  • Use TPM RSA keys for platform device authentication.
  • Reduce the risk of firmware attacks, ransomware, and phishing.
  • Support DRM technology that protects digital media rights.
  • Help keep software licenses secure.

What can TPM do?

  • Windows Hello is a biometric identification and access control feature that works with TPM-backed fingerprint scanners, iris scanners, and facial recognition technology.
  • Dictionary-attack protection defends against brute-force attacks, which try to break into a password-protected computer or network by trying each word in a dictionary as the password.
  • Virtual smart cards are based on the TPM and are used to authenticate to external resources.
  • Measured Boot helps detect malware during the Windows boot process and in its configuration settings.
  • Device Health Attestation analyzes and determines device health using AIK certificates generated for the TPM.
  • Credential protection with virtualization-based security: the TPM is used to protect the keys in this case.

TPM: Discrete, Integrated, or Firmware?

TPM can be implemented in one of three ways:

  • Discrete: a TPM chip that is a separate component in its own semiconductor package.
  • Integrated: a TPM embedded into one or more shared semiconductor packages, but logically independent of the other components.
  • Firmware: a TPM that runs in firmware on a general-purpose compute unit in a trusted execution mode.

What happens if the TPM chip fails or breaks?

  • If the TPM is corrupted or becomes unreachable, any cryptography that relies on the key stored by the TPM will fail.
  • Any data encrypted with a TPM key and not backed up will be lost, such as your encrypted drive.
  • Any trust in the platform will be lost, for example, during remote attestation.

How to back up TPM keys in Windows 11

The first step is to make sure that you have an Active Directory domain service that can be managed remotely. You can create one if you don’t already have one.

You can use an Active Directory Domain Services (AD DS) server to guarantee that only allowed users have access to this important information through a centralized administration dashboard.

When system administrators need to reuse an old computer and reset the TPM to factory defaults, they can use the backup to remotely reset the TPM on the on-premises machine using AD DS. The stored information can also be used for recovery if the owner forgets the TPM owner password.

To back up TPM Owner information to AD DS using the Group Policy setting, follow these steps:

  1. Open the “Run” dialog box (Win + R).
  2. Type “gpedit.msc” and press the OK button.
  3. Navigate to “Computer Configuration\Administrative Templates\System\Trusted Platform Module Services”.
  4. In the right-hand pane, double-click “Turn on TPM backup to Active Directory Domain Services”.
  5. Select the “Enabled” option.
  6. Click the OK button to save the changes.
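The same setting can be applied and verified from a script, which is useful when checking many machines or auditing that the policy actually took effect. The following is an added example, not code from the original article. It assumes an elevated PowerShell session on the client, and that the registry value names match those written by the TPM administrative template (`ActiveDirectoryBackup` and `RequireActiveDirectoryBackup` under the `Policies\Microsoft\TPM` key); confirm them against the local TPM.admx if in doubt.

```powershell
# Added example: scripted equivalent of "Turn on TPM backup to Active Directory
# Domain Services", with the pre-checks an administrator wants before relying on it.
# Assumes an elevated PowerShell session on the domain-joined client machine.
#Requires -RunAsAdministrator

# 1. Backup to AD DS only makes sense on a domain-joined computer.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "This computer is not joined to a domain (workgroup: $($cs.Domain)); there is no AD DS to back up to."
}

# 2. Confirm there is a usable TPM before configuring anything.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM present: $($tpm.TpmPresent), ready: $($tpm.TpmReady). Provision the TPM first."
}

# 3. Write the policy values (assumed to match the TPM.admx template).
#    RequireActiveDirectoryBackup = 1 makes Windows refuse to set or change the owner
#    information unless the AD DS backup succeeds, instead of silently skipping it.
#    Note: a domain GPO refresh overwrites values under HKLM\SOFTWARE\Policies, so for
#    fleet deployment set the GPO itself and use this script to verify the result.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'ActiveDirectoryBackup'        -Type DWord -Value 1
Set-ItemProperty -Path $policyKey -Name 'RequireActiveDirectoryBackup' -Type DWord -Value 1

# 4. Read the effective state back so the change can be audited.
Get-ItemProperty -Path $policyKey | Select-Object ActiveDirectoryBackup, RequireActiveDirectoryBackup

# 5. Sanity check: the policy backs up the owner authorization Windows holds locally.
#    Modern Windows discards the owner authorization after provisioning by default, so an
#    empty OwnerAuth means there is currently nothing for this policy to back up.
if ([string]::IsNullOrEmpty($tpm.OwnerAuth)) {
    Write-Warning "Get-Tpm reports no locally stored owner authorization; nothing will be written to AD DS until one exists."
}
```

Run the script once after the policy is pushed, and treat a warning at step 5 as the signal to check how the TPM was provisioned rather than as a failure of the policy itself.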
