Windows-itpro-docs: OSManagedAuthLevel 0x5

Created on 13 Jun 2018 · 9Comments · Source: MicrosoftDocs/windows-itpro-docs

Although nowhere to be found in the documentation all my machines deployed on 1709, have a value of 0x5 and the TPM is set to Full (not delegated).

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

ID: d46fce78-6956-1b3a-124f-e8188d0412cd
Version Independent ID: 5891df2d-6432-c5b4-0eff-49b520f59067
Content: TPM Group Policy settings (Windows 10)
Content Source: windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md
Product: w10
GitHub Login: @brianlic-msft
Microsoft Alias: justinha

hardware protection security

Source

lexios

All 9 comments

@lexios Thanks for raising this. I added that value to the topic.

Justinha on 22 Jun 2018

Thank you Justinha, I saw your amendment.

"A value of 5 means discard the Full TPM owner authorization for TPM 1.2 but keep it for TPM 2.0."

The question is, how was this value populated as 5 and why is the TPM owner auth stored in the registry by default?

On 1607, this was supposedly changed as per below:
https://docs.microsoft.com/en-us/windows/security/hardware-protection/tpm/change-the-tpm-owner-password

"Starting with Windows 10, version 1607, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded."

lexios on 22 Jun 2018

@lexios Sorry Alexander I got this update wrong. I'm working on improved text with the engineering team. ETA to publish that is Monday.

Justinha on 23 Jun 2018

😕1 👍1

AndreaBichsel closed the case without it being resolved.

lexios on 27 Jun 2018

Reopening--sorry, I thought it had been resolved.