Managing TPM for Windows
TPM (Trust Platform Module) is a hardware module for PC computers that allows a seamless encryption experience for the end user.
Detailed Description - During the encryption process a key is generated to decrypt your data each time your computer starts, with TPM, your key is stored securely within the computer and will only unlock the hard drive if it's attached to the same computer. In other words, if your hard drive was stolen, it would be inaccessible if attached to any other computer without the data in the TPM. If unwarranted access was attempted at the computer, they would need to know your Windows password to unlock the data.
Without TPM, encryption is a more manual process, and you must enter a boot-time password (Windows 10) each time the computer starts (in addition to the Windows password) or plug in a USB key (Windows 7 Enterprise) while the computer boots up and remove it when you're away.
If you've chosen the "Manual Encryption w/ Key Escrow" option and have downloaded the Sophos SafeGuard packages, it's recommended that you check to make sure your TPM security module is turned on and activated BEFORE installing the package for a seamless encryption experience.
Common Steps to configure the BIOS:
- Enter BIOS Setup
- Restart computer and continually press either F2, F12, or del (key depends on computer model)
- Go to the Security section of the BIOS
- Find TPM and turn on and enable/activate
- You may see additional options such as:
- PPI Bypass for Enable Commands (ENABLE)
- PPI Bypass for Disable Commands (ENABLE)
- TPM PPI Provision Override (ENABLE)
- TPM PPI Deprovision Override (ENABLE)
- Description: These options make it so the user isn’t prompted to make changes to TPM/Encryption related configuration
- Activate (ENABLE)
- Clear (DO NOT CHECK)
- Any other settings can be left as default
- You may see additional options such as:
Screenshots
Accessing the BIOS setup screen
Accessing the security settings and turning on TPM
Additional BIOS Settings
Setting your boot options to only the Internal HDD or "Windows Boot Manager"
If you have an older computer you likely have a "Legacy BIOS" so look at the second image below. Generally your BIOS will let you know whether it's setup for "Legacy" or "UEFI" as seen below.
UEFI BIOS
Legacy BIOS
How to get help
If these directions are unclear or don't seem to apply to your computer, please fill out a service request for a full consultation or contact help@ucsc.edu.