In this post, I will cover a few TPM PowerShell cmdlets that should help you manage the TPM from PowerShell. Using PowerShell, you can get the TPM status, clear the TPM, initialize the TPM and do much more.
A Trusted Platform Module (TPM) is a microchip built into a computer to provide hardware-based security functions. The chip is part of your computer's motherboard.
In some cases, the TPM is not enabled in the BIOS/UEFI firmware and you have to enable it manually. You can always refer to the BIOS manual for help on enabling the TPM.
There are several ways to find the TPM status, and one easy method is to query it from the command line.
If you use PowerShell to script and manage your computers, you can manage the TPM with Windows PowerShell as well. To install the TPM cmdlets, run the following command from an elevated command prompt –
dism /online /enable-feature /FeatureName:tpm-psh-cmdlets
Microsoft announced that Windows 11 requires TPM 2.0. Some users aren't happy with this announcement: they will need to either upgrade their hardware or buy a new laptop if they want to make the switch to Windows 11.
TPM PowerShell Cmdlets by Microsoft
It is interesting to know that Microsoft provides cmdlets for managing the TPM from PowerShell. I will list some commonly used TPM cmdlets below. To view more TPM cmdlets, refer to the Microsoft documentation.
| TPM PowerShell cmdlet | Description |
|---|---|
| Clear-Tpm | Resets a TPM to its default state |
| Get-Tpm | Gets an object that contains information about a TPM |
| Initialize-Tpm | Performs part of the provisioning process for a TPM |
| Unblock-Tpm | Resets a TPM lockout |
Get TPM status using Get-TPM PowerShell cmdlet
The first command that we will run is Get-Tpm, which gets the TPM status via PowerShell. If you want to find the TPM version using PowerShell, the Get-Tpm cmdlet shows the TPM version.
This object contains information about the Trusted Platform Module (TPM) on the current computer.
Run PowerShell as administrator and enter the command Get-Tpm. If you see TpmEnabled as True, the TPM is enabled on your computer.
The output also contains other information about the TPM, as follows.
- TpmPresent – Whether a TPM chip is present on the computer
- TpmReady – Whether the TPM is ready and complies with Windows Server 2019 standards
- TpmEnabled – True indicates the TPM is enabled
- TpmActivated – Whether the TPM is activated
- RestartPending – Whether the TPM requires a restart
- ManagedAuthLevel – The level at which the operating system manages the owner authorization
- OwnerAuth – The owner authorization value that is stored in the registry
- OwnerClearDisabled – Whether the TPM can be reset. If this value is False, the TPM can be reset through the operating system.
- AutoProvisioning – Whether the computer can use auto-provisioning
- LockedOut – Whether the TPM is currently locked out
- LockoutHealTime – Time after which the lockout heals; set to 2 hours by default
- LockoutCount – Number of failed authorization attempts counted so far (0 in the sample output)
- LockoutMax – Number of failed attempts that triggers a lockout (32 in the sample output)
- SelfTest – TPM self-test information
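The following script is an added example, not code from the original post. It wraps Get-Tpm in a hypothetical Get-TpmHealthReport function that turns the fields listed above into a readiness report: it flags a TPM that is absent, disabled, not provisioned, or in lockout, and warns when failed authorization attempts are accumulating before the LockoutMax threshold is hit. Because Get-Tpm does not expose the TPM specification version directly, the spec version is read from the Win32_Tpm WMI class (namespace root\cimv2\Security\MicrosoftTpm), which is an assumption the script makes about the platform.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit TPM state with Get-Tpm and
# report what still blocks a TPM 2.0 / BitLocker-style readiness check.
function Get-TpmHealthReport {
    [CmdletBinding()]
    param()

    try {
        $tpm = Get-Tpm -ErrorAction Stop
    } catch {
        # Get-Tpm throws when the TPM cmdlets are missing or the TPM is absent/disabled in firmware
        throw "Get-Tpm failed: $($_.Exception.Message). Check that the TPM is enabled in BIOS/UEFI."
    }

    # Spec version (e.g. "2.0, 0, 1.38") comes from the Win32_Tpm WMI class, not from Get-Tpm.
    $specVersion = $null
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmiTpm) { $specVersion = $wmiTpm.SpecVersion }

    $issues = [System.Collections.Generic.List[string]]::new()
    if (-not $tpm.TpmPresent)   { $issues.Add('No TPM detected (check BIOS/UEFI settings)') }
    if (-not $tpm.TpmEnabled)   { $issues.Add('TPM present but not enabled') }
    if (-not $tpm.TpmActivated) { $issues.Add('TPM enabled but not activated') }
    if (-not $tpm.TpmReady)     { $issues.Add('TPM not ready; run Initialize-Tpm') }
    if ($tpm.RestartPending)    { $issues.Add('Restart pending before TPM changes take effect') }
    if ($tpm.LockedOut) {
        $issues.Add("TPM is in lockout ($($tpm.LockoutCount)/$($tpm.LockoutMax) failed auths); heal time $($tpm.LockoutHealTime)")
    } elseif ($tpm.LockoutCount -gt 0) {
        # Failed attempts short of LockoutMax are worth investigating before the TPM locks itself
        $issues.Add("$($tpm.LockoutCount) failed authorization attempts recorded; lockout at $($tpm.LockoutMax)")
    }
    if ($specVersion -and -not $specVersion.StartsWith('2.0')) {
        $issues.Add("TPM spec version $specVersion; Windows 11 requires TPM 2.0")
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpecVersion        = $specVersion
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        TpmEnabled         = $tpm.TpmEnabled
        TpmActivated       = $tpm.TpmActivated
        LockedOut          = $tpm.LockedOut
        OwnerClearDisabled = $tpm.OwnerClearDisabled
        AutoProvisioning   = $tpm.AutoProvisioning
        Issues             = $issues
        Healthy            = ($issues.Count -eq 0)
    }
}

Get-TpmHealthReport | Format-List
```

Run it from an elevated PowerShell session; the Issues list is empty on a healthy, provisioned TPM 2.0, and a non-zero LockoutCount on a machine nobody has been administering is a signal worth looking into rather than simply clearing.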
Clear TPM status via PowerShell using Clear-TPM
The Clear-Tpm cmdlet resets the TPM to its default state. It removes the owner authorization value and any keys stored in the TPM.
To clear the TPM, launch PowerShell as administrator and run the command Clear-Tpm. Without parameters, the command uses the owner authorization value stored in the registry instead of a value you specify or a value read from a file.
The following command resets the TPM by using the specified owner authorization value.
Clear-tpm -OwnerAuthorization "ownerauthorizationvalue"
Initialize TPM using the Initialize-Tpm PowerShell Cmdlet
The Initialize-Tpm PowerShell cmdlet performs part of the provisioning process for a Trusted Platform Module (TPM). Provisioning is the process of preparing a TPM to be used.
When you run the Initialize-Tpm command, it returns the following data.
- TpmReady – Determines if the TPM is initialized or not.
- RestartRequired – Whether a restart is required to continue the provisioning process.
- ShutdownRequired – Determines if a computer requires shutdown to continue the provisioning process.
- ClearRequired – This value should be False. If it is True, you must import the correct owner authorization value or remove the stored owner authorization value.
- PhysicalPresenceRequired – The value determines if a person must be at the computer during restart to continue the provisioning process.
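As an added example (not code from the original post), the hypothetical Invoke-TpmProvisioning function below drives the provisioning step described above. It runs Initialize-Tpm only when Get-Tpm reports the TPM is not ready and not locked out, then maps the five result fields into the single next action an administrator has to take, so the output is actionable in a deployment script instead of a bare list of booleans. It supports -WhatIf through ShouldProcess, and it deliberately does not pass the cmdlet's -AllowClear or -AllowPhysicalPresence switches, so it can never wipe keys on its own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): run Initialize-Tpm and translate its
# result into the next step an admin must take to finish provisioning.
function Invoke-TpmProvisioning {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $before = Get-Tpm
    if ($before.TpmReady) {
        Write-Verbose 'TPM already provisioned; nothing to do.'
        return [pscustomobject]@{ TpmReady = $true; NextAction = 'None' }
    }
    if ($before.LockedOut) {
        # Provisioning while locked out only adds failed attempts; clear the lockout first.
        return [pscustomobject]@{ TpmReady = $false; NextAction = 'TPM locked out: review failed auth attempts, then Unblock-Tpm' }
    }

    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Initialize-Tpm')) { return }

    # Initialize-Tpm only clears the TPM or asserts physical presence when told to
    # (-AllowClear / -AllowPhysicalPresence); both are intentionally left off here.
    $result = Initialize-Tpm

    # Highest-priority condition wins; the order mirrors how provisioning actually blocks.
    $next = switch ($true) {
        { $result.ClearRequired }            { 'Owner auth mismatch: import the correct OwnerAuth, or clear the TPM (destroys stored keys) as a last resort'; break }
        { $result.ShutdownRequired }         { 'Full shutdown required to continue provisioning'; break }
        { $result.RestartRequired }          { 'Restart required to continue provisioning'; break }
        { $result.PhysicalPresenceRequired } { 'Someone must be at the console to confirm the firmware prompt during restart'; break }
        { $result.TpmReady }                 { 'None: TPM is ready'; break }
        default                              { 'Re-run Get-Tpm and inspect the SelfTest field' }
    }

    [pscustomobject]@{
        TpmReady                 = $result.TpmReady
        RestartRequired          = $result.RestartRequired
        ShutdownRequired         = $result.ShutdownRequired
        ClearRequired            = $result.ClearRequired
        PhysicalPresenceRequired = $result.PhysicalPresenceRequired
        NextAction               = $next
    }
}

Invoke-TpmProvisioning -Verbose
```

Use Invoke-TpmProvisioning -WhatIf to see whether the function would call Initialize-Tpm on a given machine without actually doing so.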
Unblock TPM using PowerShell
The Unblock-Tpm PowerShell cmdlet resets a Trusted Platform Module (TPM) lockout. The TPM enters lockout after too many failed authorization attempts, locking itself to prevent tampering or guessing attacks.
To end a TPM lockout, you must provide a valid owner authorization value. If you do not provide one, Unblock-Tpm attempts to use the value stored in the registry.
Launch the PowerShell as administrator and run the below command to unblock the TPM.
Unblock-Tpm -OwnerAuthorization "ownerauthorizationvalue"