How to use Hash of TPM from AD to reset your TPM password
Hello, my name is Manoj Sehgal. I am a Support Escalation Engineer in the Windows group and today’s blog will cover “How to use Hash of TPM from AD to reset your TPM password”.
As per Best Practices for Bitlocker we configure a Group Policy for TPM to backup information in AD DS.
Note: See links at the end to configure the Group Policy for TPM and Bitlocker.
By design, we save hash of the TPM password in AD and not the actual TPM password.
Consider the below scenarios:
Scenario 1:
- Customer rolls out machines using SCCM. SCCM creates a random password for “TPM Owner Password” as part of enabling bitlocker (MDT does this also).
Scenario 2:
- If the user enabled Bitlocker and specified a “TPM Owner password”. In this instance you could see scenario where you fired that person and need to give the laptop to his replacement. If you do not have the TPM password, you will only able to clear the TPM to factory defaults and then when you restart your computer, it will prompt you for 48 digit bitlocker recovery key.
- This password is saved in AD (msTPM-OwnerInformation) attribute as hash value. By default only domain admins can read this attribute.
At some point the domain admin needs to make a change in TPM.MSC. In order to do this you must supply the TPM “Owner password” otherwise the TPM chip is cleared so you would lose all data on the TPM chip.
Backing up the TPM owner information for a computer allows administrators to locally and remotely configure the TPM security hardware on that computer. As an example, an administrator might want to reset the TPM to factory defaults when decommissioning or repurposing computers.
In order to reset the TPM Owner Password, follow the below steps:
Resolution:
1. Open notepad and copy the below information.
<?xml version="1.0" encoding="UTF-8"?>
<ownerAuth>JLi2ycvjzYgYaDq5zQ094U/FxAs=</ownerAuth>
2. Get the hash information from ms-TPMOwnerInformation attribute and replace the hash information between the <ownerAuth>……</ownerAuth>
3. Save the file as whatevername.tpm.
4. Open TPM Administration Console (tpm.msc) and Click on Change Owner Password.
5. Select “I have the Owner Password File” and point it to .tpm file which you got in Step 2.
6. Now you can successfully change the TPM password.
For more information on Group Policies for Bitlocker, see my blog below.
https://blogs.technet.com/askcore/archive/2010/02/16/cannot-save-recovery-information-for-Bitlocker-in-windows-7.aspx
Bitlocker Policies for Windows 7 on Windows Server 2003 or Windows Server 2008
Manoj Sehgal
Support Escalation Engineer
Microsoft Enterprise Platforms Support