What this feature does
The Trusted Platform Module (TPM) security hardware is a microchip built into some computers that, if present and initialized, enables your computer to take full advantage of advanced security features such as BitLocker™ Drive Encryption.
TPM Services provides a set of software components for security features that use version 1.2 of the TPM. TPM Services includes TPM initialization and management tools, a driver, and a software layer that allows applications to share use of the TPM.
Information collected, processed or transmitted
TPM Services includes TPM initialization functionality to help you turn on the TPM and create an owner for it. As part of the initialization process, you are asked to create a TPM owner password. To use your computer's TPM, you must create a TPM owner password. The TPM owner password helps ensure that only you have access to the administrative functions of the TPM. Saving the TPM owner password allows you to easily manage access to the TPM.
The TPM Initialization Wizard allows you to print your TPM owner password or save it to a file on a USB flash drive. A saved file contains authorization information for the TPM owner that is derived from the TPM owner password. The file also contains the computer name, operating system version, creation user, and creation date information to assist you in recognizing the file. In an enterprise, administrators can configure Group Policy to automatically save this TPM owner information to Active Directory Domain Services.
Each TPM has a unique cryptographic "endorsement key" that it uses to indicate its authenticity. The endorsement key may be created and stored in the TPM by your computer's manufacturer, or Windows may need to create it as part of the TPM initialization process. Once Windows creates the endorsement key, it cannot be reset.
Once the TPM is initialized, applications can use the TPM to create and help secure additional unique cryptographic keys. For example, BitLocker Drive Encryption uses the TPM to help protect the key that encrypts the hard drive.
Use of information
If you choose to save the TPM owner password to a file, the additional computer and user information saved inside this file helps you to identify the matching computer and TPM. The TPM endorsement key is used by Windows only during TPM initialization to encrypt your TPM owner password before sending it to the TPM. Windows does not transmit cryptographic keys outside of your computer.
Choice and control
Once your computer's TPM is initialized, TPM Services enables an administrator to prevent access to selected TPM functionality through a command management feature. By default, Windows blocks TPM commands that might reveal personal information, as well as TPM commands that have been deprecated or deleted in previous versions of the hardware. This block list may be modified by an administrator.
You can choose to turn off the TPM at any time. Turning off the TPM prevents software on your computer from using the TPM for any purpose. You can also choose to clear the TPM and reset it to factory defaults. Clearing the TPM removes owner information and, with the exception of the endorsement key, all keys or cryptographic data that applications may have created when the TPM was in use.
Update Root Certificates
What this feature does
When an application is presented with a certificate issued by a certification authority that is not directly trusted (a certificate that is not stored in a list of trusted certificates on your computer), the Update Root Certificates feature will contact the online Windows Update service to see if Microsoft has added the certification authority to its list of trusted authorities. If the certification authority has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to the list of trusted certificates (certificate store) on your computer.
Information collected, processed or transmitted
Update Root Certificates sends a request to the online Windows Update service that asks for the current list of root certification authorities in the Microsoft Root Certificate Program. If the untrusted certificate is named in the list, Update Root Certificates obtains that certificate from Windows Update and places it in the trusted certificate store on your computer. Microsoft does not use the information transferred during this process to identify you or contact you.
For more information about Windows Update and your privacy, read the Windows Update Privacy Statement at http://go.microsoft.com/fwlink/?linkid=50142.
Use of information
The information is used by Microsoft to update the trusted certificate store on your computer.
Choice and control
Update Root Certificates is enabled by default. To disable Update Root Certificates on a computer, see Using Windows Vista: Controlling Communication with the Internet at http://go.microsoft.com/fwlink/?linkid=77931.
Additional information
If you are presented with a certificate issued by a root authority that is not directly trusted, and the Update Root Certificates component is not installed on your computer, you will be prevented from completing the action that required authentication. For example, you might be prevented from installing software, viewing an encrypted or digitally signed e-mail message, or using a browser to engage in a Secure Sockets Layer (SSL) session.
What this feature does
UPnP technology provides peer-to-peer device control for network devices. UPnP technology enables discovery and control of devices and services through standards-based protocols.
Information collected, processed or transmitted
Using the IP address that is provided by this feature in the discovery process, your computer can receive information from UPnP devices, including any changes in their status. If a UPnP device provides a uniform resource locator (URL), you can use a browser to access control features, information, or device-specific capabilities from the manufacturer.
Use of information
The information exchanged includes basic information about the devices and their services, and a URL that can be used to gather more information, such as device make, model, and serial number. Additionally, the information can include a list of devices and services, and URLs used for accessing features.
Choice and control
To allow or prevent discovery of UPnP devices on your network, you can enable or disable the Simple Service Discovery Protocol (SSDP) discovery service in Windows. Before allowing UPnP devices to communicate on your network, we recommend that you verify that your network is secured. For example, if you use a cable modem to connect to the Internet, consider installing a router that isolates your area of the network from that of your neighbors. Or, if you have a wireless network, we recommend that you turn on a secure authentication service such as Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA). For more information about helping to secure a wireless network, see Windows Help and Support.
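As an added example, not part of this privacy statement or of Windows, the following Python code parses the SSDP announcement a UPnP device multicasts during discovery and applies the check a control point should make before following the device's URL: the LOCATION host must be the address that sent the announcement and must be on the local network. The message, device name and addresses are constructed for the example.

```python
"""Parse and sanity-check an SSDP discovery message (added example).
Assumes the HTTPU layout of the UPnP Device Architecture; the message
and addresses below are constructed, not captured from a device."""
import ipaddress
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed NOTIFY as a device would multicast it to 239.255.255.250:1900.
SAMPLE_NOTIFY = (
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.168.1.20:49152/description.xml\r\n"
    "NT: upnp:rootdevice\r\n"
    "NTS: ssdp:alive\r\n"
    "SERVER: ExampleOS/1.0 UPnP/1.0 ExampleRouter/2.3\r\n"
    "USN: uuid:11111111-2222-3333-4444-555555555555::upnp:rootdevice\r\n"
    "\r\n"
)

def parse_ssdp(raw: str) -> Dict[str, str]:
    """Return the start line (key START) plus headers, names upper-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    msg = {"START": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines instead of failing
            msg[name.strip().upper()] = value.strip()
    return msg

def location_is_trustworthy(msg: Dict[str, str], sender_ip: str) -> Tuple[bool, str]:
    """Decide whether the LOCATION URL may be fetched: it must point back at
    the announcing host over plain http (UPnP 1.x) and at a private address,
    so the control point never contacts a host that did not announce itself."""
    loc = msg.get("LOCATION")
    if not loc:
        return False, "no LOCATION header"
    url = urlsplit(loc)
    if url.scheme != "http" or not url.hostname:
        return False, "unexpected scheme or missing host: " + loc
    try:
        host = ipaddress.ip_address(url.hostname)
    except ValueError:
        return False, "LOCATION host is a name, not the sender's IP literal"
    if host != ipaddress.ip_address(sender_ip):
        return False, f"LOCATION host {host} differs from sender {sender_ip}"
    if not host.is_private:
        return False, f"{host} is not a local network address"
    return True, "ok"
```

The sender address comes from the UDP datagram that carried the announcement, so a mismatch with LOCATION is the signal to discard the message rather than fetch the description.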