Tbsi_Get_OwnerAuth function (tbs.h)

Retrieves the owner authorization of the TPM if the information is available in the local registry.

Syntax

TBS_RESULT Tbsi_Get_OwnerAuth(
  [in]            TBS_HCONTEXT       hContext,
  [in]            TBS_OWNERAUTH_TYPE ownerauthType,
  [out, optional] PBYTE              pOutputBuf,
  [in, out]       PUINT32            pOutputBufLen
);

Parameters

[in] hContext

TBS handle obtained from a previous call to the Tbsi_Context_Create function.

[in] ownerauthType

Unsigned 32-bit integer indicating the type of owner authentication.

Value Meaning
TBS_OWNERAUTH_TYPE_FULL (1): The owner authorization is full.
TBS_OWNERAUTH_TYPE_ADMIN (2): The owner authorization is an administrator. Note: TPM 1.2 only.
TBS_OWNERAUTH_TYPE_USER (3): The owner authorization is a user. Note: TPM 1.2 only.
TBS_OWNERAUTH_TYPE_ENDORSEMENT (4): The owner authorization is an endorsement authorization. Note: TPM 1.2 only.
TBS_OWNERAUTH_TYPE_ENDORSEMENT_20 (12): The owner authorization is an endorsement authorization. Note: TPM 2.0 and later.
TBS_OWNERAUTH_TYPE_STORAGE_20 (13): The owner authorization is an administrator. Note: TPM 2.0 and later.

[out, optional] pOutputBuf

A pointer to a buffer to receive the TPM owner authorization information.

[in, out] pOutputBufLen

An integer that, on input, specifies the size, in bytes, of the output buffer. On successful return, this value is set to the actual size of the TPM ownerAuth, in bytes.

Return value

If the function succeeds, the function returns TBS_SUCCESS.

If the function fails, it returns a TBS return code that indicates the error.

Return code/value Description
TBS_SUCCESS, 0 (0x0): The function was successful.
TBS_E_OWNERAUTH_NOT_FOUND, 2150121493 (0x80284015): The requested TPM ownerAuth value was not found.
TBS_E_BAD_PARAMETER, 2150121474 (0x80284002): The requested TPM ownerAuth value does not match the TPM version.

Remarks

There are additional authorization values, also known as delegation blobs, derived from the full TPM ownerAuth that allow a subset of the TPM functionality to be executed. The administrator can configure, through Group Policy, the level of ownerAuth that is stored locally in the registry; the value stored at that level is what this function returns.

If Active Directory backup of ownerAuth is enabled through Group Policy, the default level of ownerAuth is set to Delegated, which means that the full owner auth is removed from the local registry and stored in Active Directory. Only delegation blobs are stored locally in the registry in that case. However, the level of ownerAuth storage can be explicitly configured to Full, in which case the TPM ownerAuth remains locally available in the registry.
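As an added example (not from this page or from Microsoft), a caller that follows the [in, out] length contract above and maps the documented return codes: TBS_E_OWNERAUTH_NOT_FOUND is reported as "not stored locally" (the Delegated case from the remarks), TBS_E_BAD_PARAMETER as a type/version mismatch, and the secret is wiped once consumed. On Windows it compiles against tbs.h and Tbs.lib; elsewhere a constructed stub stands in for the TBS, modelling a TPM 2.0 host under the Delegated policy. The names fetch_owner_auth and wipe_auth, the stub's sample auth value and its too-small-buffer return code are assumptions, not part of the TBS documentation.

```c
/* Added example, not Microsoft's code. On Windows this compiles against
 * tbs.h/Tbs.lib; elsewhere the constructed stub below stands in for the TBS. */
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <tbs.h>
#pragma comment(lib, "Tbs.lib")
#else /* constructed stand-in for tbs.h; constants copied from the page */
typedef uint32_t TBS_RESULT, TBS_OWNERAUTH_TYPE, *PUINT32;
typedef uint8_t *PBYTE;
typedef void *TBS_HCONTEXT;
#define TBS_SUCCESS                   0u
#define TBS_E_BAD_PARAMETER           0x80284002u
#define TBS_E_OWNERAUTH_NOT_FOUND     0x80284015u
#define TBS_OWNERAUTH_TYPE_FULL       1u
#define TBS_OWNERAUTH_TYPE_ADMIN      2u
#define TBS_OWNERAUTH_TYPE_STORAGE_20 13u
/* Stub models a TPM 2.0 host under the Delegated policy: the full ownerAuth is
 * not in the registry, the 2.0 storage auth is, and 1.2-only types mismatch. */
static TBS_RESULT Tbsi_Get_OwnerAuth(TBS_HCONTEXT h, TBS_OWNERAUTH_TYPE type,
                                     PBYTE out, PUINT32 len) {
    static const uint8_t auth[20] = { 0x5a, 0x5a, 0x5a }; /* constructed value */
    if (type == TBS_OWNERAUTH_TYPE_FULL) return TBS_E_OWNERAUTH_NOT_FOUND;
    if (type != TBS_OWNERAUTH_TYPE_STORAGE_20) return TBS_E_BAD_PARAMETER;
    if (!out || *len < sizeof auth) return TBS_E_BAD_PARAMETER; /* assumed code */
    memcpy(out, auth, sizeof auth);
    *len = sizeof auth;                      /* [in, out]: actual size on success */
    return TBS_SUCCESS;
}
#endif

/* Returns bytes copied into buf; 0 when the value is not stored locally
 * (TBS_E_OWNERAUTH_NOT_FOUND); -1 on TBS_E_BAD_PARAMETER or any other error. */
int fetch_owner_auth(TBS_HCONTEXT h, TBS_OWNERAUTH_TYPE type,
                     uint8_t *buf, uint32_t cap) {
    uint32_t len = cap;                      /* [in]: size of buf in bytes */
    TBS_RESULT r = Tbsi_Get_OwnerAuth(h, type, buf, &len);
    if (r == TBS_SUCCESS) return (int)len;   /* [out]: actual ownerAuth size */
    return r == TBS_E_OWNERAUTH_NOT_FOUND ? 0 : -1;
}

/* ownerAuth is a TPM secret: zero it once consumed. The volatile pointer stops
 * the compiler from eliding the stores. Returns 1 when buf reads back as zero. */
int wipe_auth(uint8_t *buf, size_t n) {
    volatile uint8_t *v = buf;
    for (size_t i = 0; i < n; i++) v[i] = 0;
    for (size_t i = 0; i < n; i++) if (buf[i]) return 0;
    return 1;
}
```

On Windows, hContext comes from Tbsi_Context_Create with a TBS_CONTEXT_PARAMS2 whose includeTpm20 bit is set, and is released with Tbsip_Context_Close.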

Requirements

Requirement Value
Minimum supported client: Windows 8 [desktop apps only]
Minimum supported server: Windows Server 2012 [desktop apps only]
Target Platform: Windows
Header: tbs.h
Library: Tbs.lib
DLL: Tbs.dll