Quick fix: Open tpm.msc and, if the Actions pane offers it, click Prepare the TPM so Windows provisions it. On Windows 8 and later Windows takes ownership of the TPM itself; there is no user-chosen owner password. On TPM 2.0 with Windows 10 version 1607 or later, the randomly generated owner authorization is discarded right after provisioning unless the OSManagedAuthLevel policy was set to Full beforehand. manage-bde manages BitLocker key protectors, not the TPM owner authorization; for BitLocker you need the recovery key, not a TPM password.
A TPM owner password (the TPM owner authorization value) is the secret the OS presents to the TPM for owner-level management operations, such as clearing the TPM from within Windows or resetting a lockout. On Windows 7 with TPM 1.2 hardware you chose it when initializing the TPM; on Windows 8 and later the OS provisions the TPM and generates the value itself, and since Windows 10 version 1607 it discards that value by default. Knowing where the value ends up (and what you can still do without it) matters when you are troubleshooting BitLocker or moving a drive between machines.
Affects: Windows 11 PCs (TPM 2.0 is a Windows 11 requirement); Method 1 applies to older Windows releases running on TPM 1.2 hardware.
Fix time: 10 minutes.
What changed between TPM 1.2 and TPM 2.0
On Windows 7, TPM 1.2 ownership was an explicit step: the Initialize TPM wizard prompted for an owner password, you saved it to a file or printed it, and you needed it to clear the TPM or reset a lockout from within Windows. Starting with Windows 8 the OS takes ownership automatically during provisioning. On Windows 10 version 1607 and later (including Windows 11) it sets the owner authorization to a random high-entropy value and then discards it, unless the policy Configure the level of TPM owner authorization information available to the operating system (registry value OSManagedAuthLevel under HKLM\SOFTWARE\Policies\Microsoft\TPM, 4 = Full) was in place before provisioning. Only in that case does Windows keep a copy under HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin, and only then does (Get-Tpm).OwnerAuth return it. The value is not derived from anything you can recompute; once discarded, the only way to get a new one is to clear and re-provision the TPM.
For TPM 2.0, the practical question is rarely "what is my owner password" but "how do I clear the TPM without losing data?" Clearing the TPM invalidates the key that BitLocker's TPM protector is sealed to, so the answer involves BitLocker recovery keys and the suspend/resume cycle, not TPM passwords.
Method 1: Set/save a TPM password on TPM 1.2 hardware
- Press Win + R, type tpm.msc, press Enter.
- If the TPM status shows Not initialized, click Initialize TPM in the Actions pane. (On Windows 8 and later the action is Prepare the TPM; that wizard never asks for a password because Windows generates one itself.)
- Choose Automatically create the password (recommended) or Manually create the password. The manual path lets you pick a memorable phrase; the auto path generates a random one.
- Save the password to a file (the wizard offers a USB drive) or print it. Keep a backup in a secure location: the TPM will not give the value back later and it cannot be regenerated.
- Click Initialize. The TPM takes ownership with the new password. This takes 1-3 minutes.
If the status already reads The TPM is ready for use, Windows owns the TPM, but that alone does not tell you which version you have. Check the Specification Version shown in the TPM Manufacturer Information section of tpm.msc, or run (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion in PowerShell; a value starting with 2.0 means TPM 2.0, so move to Method 2.
Method 2: Locate the TPM 2.0 authorization on a fresh setup
On TPM 2.0 with a default Windows 10 version 1607 or later install, the owner authorization is discarded at provisioning; there is no registry copy to intercept. Windows keeps it only if the OSManagedAuthLevel policy was set to 4 (Full) before the TPM was provisioned, so the order is: set the policy, clear the TPM (see Method 3 first if BitLocker is on), let Windows re-provision, then read the value.
- Open PowerShell as Administrator.
- Run:
$tpm = Get-Tpm
$tpm | Select-Object *Owner*, *Auth*
ManagedAuthLevel tells you what Windows was configured to keep (Full, Delegated or None) and OwnerAuth is the retained value, if any. Get-TpmEndorsementKeyInfo is not useful here; it reports the endorsement key, never the owner authorization.
- If OwnerAuth shows a value, Windows retained it. For a permanent record, run
New-Item -ItemType Directory -Path C:\Backup -Force | Out-Null
(Get-Tpm).OwnerAuth | Out-File C:\Backup\TPM-OwnerAuth.txt
then restrict the file with NTFS permissions to SYSTEM and Administrators and move it off the machine: with it, anyone holding local admin can clear the TPM without the firmware's physical-presence prompt.
- If OwnerAuth is empty, Windows discarded it. You cannot recover the original; clearing the TPM and re-provisioning (with the policy set first, if you want the new value kept) is the only path to a new one. See the cautionary note in Method 3 before clearing.
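The following PowerShell script is an added example, not code from the original page. It ties together the version check from Method 1 and the retention check from Method 2: it reports the TPM specification version from Win32_Tpm, what Windows was told to retain (Get-Tpm ManagedAuthLevel and the OSManagedAuthLevel policy), and whether OwnerAuth is actually present; if it is, the value is written to a backup file whose ACL is cut down to SYSTEM and Administrators. The -SetRetainPolicy switch writes OSManagedAuthLevel=4 so that the next provisioning keeps the value; it has no effect on a TPM that is already provisioned. The backup path is an assumption; point it at removable media.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original page). Report TPM version and owner-auth
  retention state, optionally opt in to retention for the NEXT provisioning, and
  back up a retained OwnerAuth with a restrictive ACL.
  Assumptions: Windows 10/11 with the built-in TrustedPlatformModule cmdlets;
  $BackupFile is a hypothetical path and should live on removable media.
#>
param(
    [switch]$SetRetainPolicy,
    [string]$BackupFile = 'E:\TpmBackup\TPM-OwnerAuth.txt'
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
if ($SetRetainPolicy) {
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name OSManagedAuthLevel -Value 4 -Type DWord
    Write-Host 'OSManagedAuthLevel=4 (Full) set; it applies at the next TPM provisioning.'
}

$tpm = Get-Tpm
$wmi = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
if (-not $wmi) { throw 'No TPM visible to Windows (is PTT/fTPM enabled in firmware?).' }

# SpecVersion looks like "2.0, 0, 1.38" on TPM 2.0 and "1.2, 2, 3" on TPM 1.2.
$spec   = ($wmi.SpecVersion -split ',')[0].Trim()
$policy = (Get-ItemProperty -Path $policyKey -Name OSManagedAuthLevel `
               -ErrorAction SilentlyContinue).OSManagedAuthLevel

[pscustomobject]@{
    SpecVersion        = $spec
    TpmReady           = $tpm.TpmReady
    ManagedAuthLevel   = $tpm.ManagedAuthLevel      # Full / Delegated / None
    OSManagedAuthLevel = $(if ($null -eq $policy) { 'not set (default: discard)' } else { $policy })
    OwnerAuthRetained  = -not [string]::IsNullOrEmpty($tpm.OwnerAuth)
} | Format-List

if ([string]::IsNullOrEmpty($tpm.OwnerAuth)) {
    Write-Warning 'Owner authorization was not retained and cannot be recovered from this TPM.'
    Write-Warning 'To keep the next one: run with -SetRetainPolicy, then clear and re-provision (suspend BitLocker first).'
    return
}

# Retained: write it out, drop inherited ACEs, allow only SYSTEM and Administrators.
New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
Set-Content -Path $BackupFile -Value $tpm.OwnerAuth -Encoding ASCII
$acl = Get-Acl -Path $BackupFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $BackupFile -AclObject $acl
Write-Host "Owner authorization written to $BackupFile; move this file off the machine."
```

Run it once as-is to see the current state; run it with -SetRetainPolicy only when you have decided to clear the TPM anyway, because the policy cannot retroactively recover a value that was already discarded.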
The authorization value is rarely needed for day-to-day operation. Its main uses are owner-level TPM management from inside Windows without a firmware physical-presence prompt, and resetting a TPM 1.2 lockout from Windows. BitLocker drive migration depends on recovery keys, not on the owner authorization.
Method 3: Clear the TPM without losing BitLocker access
If you need to reset the TPM (replaced motherboard, dual-boot reinstall) but you have BitLocker on the system drive, do this in order:
- Open Manage BitLocker and click Suspend protection on each encrypted drive (or run manage-bde -protectors -disable C: per volume). Suspending leaves the data encrypted but stores the volume master key in the clear so the drive can boot without the TPM; keep the machine in your hands until you resume.
- Record the 48-digit BitLocker recovery key for every drive: check https://account.microsoft.com/devices/recoverykey if it is stored to your Microsoft account, or run manage-bde -protectors -get C: to list the protectors locally.
- In tpm.msc, click Clear TPM. Reboot and accept the firmware confirmation prompt (a one-time physical presence check).
- After Windows boots, it re-provisions the TPM automatically and BitLocker still shows as suspended. Open Manage BitLocker again and click Resume protection on each drive (or manage-bde -protectors -enable C:). Resuming re-seals the volume master key to the freshly provisioned TPM.
- Confirm with manage-bde -status: Protection Status reads Protection On.
This is the supported flow. Clearing the TPM without suspending BitLocker means the TPM protector can no longer unseal, so the next boot demands the recovery key; once you are in, suspend and resume protection to re-seal to the new TPM.
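The pre-reboot half of Method 3 as one PowerShell script, added here as an example rather than taken from the original page. For every encrypted volume it records (and, if missing, creates) a numerical recovery password, exports them, suspends protection with no automatic resume, verifies that nothing is still protected, and only then requests the TPM clear. The backup directory is an assumption; it must be on removable media, not on the drive that is about to lose its TPM protector.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original page): safe TPM clear with BitLocker present.
  Steps: back up recovery passwords -> suspend BitLocker (indefinitely) -> verify -> Clear-Tpm.
  After the reboot and the firmware prompt, resume protection on each volume.
  Assumption: $BackupDir is a hypothetical path on removable media.
#>
param(
    [string]$BackupDir = 'E:\TpmReset'
)

# Every volume that holds BitLocker-encrypted data, whatever its current protection state.
$volumes = @(Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' })
if ($volumes.Count -eq 0) {
    Write-Host 'No BitLocker volumes found; clearing the TPM will not lock you out.'
} else {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $report = foreach ($v in $volumes) {
        $rp = @($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            # No 48-digit recovery password means no fallback at all; add one before clearing.
            Add-BitLockerKeyProtector -MountPoint $v.MountPoint -RecoveryPasswordProtector | Out-Null
            $rp = @((Get-BitLockerVolume -MountPoint $v.MountPoint).KeyProtector |
                    Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
        foreach ($p in $rp) {
            [pscustomobject]@{
                MountPoint       = $v.MountPoint
                ProtectorId      = $p.KeyProtectorId
                RecoveryPassword = $p.RecoveryPassword
            }
        }
    }
    $csv = Join-Path $BackupDir 'bitlocker-recovery.csv'
    $report | Export-Csv -Path $csv -NoTypeInformation
    $report | Format-Table -AutoSize
    Write-Host "Recovery passwords saved to $csv (treat this file as the keys to the drives)."

    # Suspend with RebootCount 0 so protection stays off until you explicitly resume it.
    foreach ($v in ($volumes | Where-Object ProtectionStatus -eq 'On')) {
        Suspend-BitLocker -MountPoint $v.MountPoint -RebootCount 0 | Out-Null
    }

    # Refuse to touch the TPM while any volume is still protected.
    $stillOn = @(Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On')
    if ($stillOn.Count -gt 0) {
        throw "Protection is still On for $($stillOn.MountPoint -join ', '); not clearing the TPM."
    }
}

# Queue the clear; the firmware asks for physical-presence confirmation at the next boot.
Clear-Tpm | Out-Null
Write-Host 'TPM clear requested. Reboot, accept the firmware prompt, then run per volume:'
Write-Host '  Resume-BitLocker -MountPoint C:'
Write-Host 'and confirm with Get-BitLockerVolume (ProtectionStatus On) and (Get-Tpm).TpmReady.'
```

The throw before Clear-Tpm is the important part: if a volume did not suspend (for example a data drive unlocked by a password rather than the TPM, or a cmdlet error), the script stops rather than leaving you with a drive that only opens with the recovery key.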
How to verify the fix worked
- Open tpm.msc. Status reads The TPM is ready for use.
- Run (Get-Tpm).TpmReady in PowerShell; it returns True.
- If you saved an owner password file (1.2) or an OwnerAuth backup (2.0), confirm it is in your secure backup location and readable.
If none of these work
If tpm.msc reports The TPM is not ready for use with an unhelpful error, check the firmware: enter BIOS/UEFI setup and confirm the TPM (PTT on Intel, fTPM on AMD) is enabled and that a pending Clear operation is not still queued. Some OEM firmware ships with the TPM in a half-initialized state; toggle it off, reboot, toggle it back on, and let Windows re-provision. Clearing a TPM 2.0 from Windows does not need the discarded OwnerAuth, since the firmware's physical-presence prompt authorizes the clear, so if Clear TPM refuses, check (Get-Tpm).OwnerClearDisabled and the firmware setting behind it; when the firmware blocks the clear, you may need a UEFI-level TPM reset (varies by manufacturer) before Windows can re-take ownership.
Bottom line: TPM 1.2 on Windows 7 needs an explicit owner password that you set and save. On Windows 8 and later Windows provisions the TPM itself, and on Windows 10 version 1607 and later it discards the TPM 2.0 owner authorization unless you opted in beforehand, so you normally never see it. For BitLocker management, focus on recovery keys and the suspend/resume cycle, not the TPM password.