How to Cleanup TPM information from AD for Windows 8 computers

For Windows 7 machines, the TPM Owner Password is stored in the msTPM-OwnerInformation attribute of the Computer object in AD. So if you delete the computer object, the TPM Owner Password is deleted with it.

For Windows 8, the TPM Owner Information is not stored directly on the Computer object. It is stored in a separate object that is linked to the computer object. When you delete a computer object from AD, the msTPM-OwnerInformation attribute that holds the TPM Owner Password is not deleted automatically.

As per best practices, TPM Owner Information is also backed up in AD DS for all domain-joined computers.

In a scenario where an admin is doing a REFRESH of a computer and will delete the existing computer object in AD, he should first delete the TPM information for the computer, which is now stored in a different location in AD.

If you do not delete the msTPM-InformationObject under TPM Devices, it will remain in AD as a stale entry.

If the administrator will not delete the original computer object from AD in a Refresh scenario, then you do not have to delete the TPM information under the TPM Devices container in AD.

In Windows 8, the TPM auto-provisioning feature initializes the TPM and can escrow the TPM Owner Password in AD DS if the GPO to back up the TPM password is enabled.

Windows 8 TPM GPO
https://technet.microsoft.com/en-us/library/jj679889.aspx

If your computer is not joined to a domain, the TPM owner authorization value will be stored in the local computer registry.

TPM Owner Information for a Windows 8 machine is stored in an msTPM-InformationObject under the TPM Devices container, visible in the Active Directory Users and Computers MMC snap-in.

Note: If the TPM Devices container is not available, make sure you have applied the schema extensions for Windows 8.

Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients
https://technet.microsoft.com/en-us/library/jj635854.aspx


How to delete the msTPM-InformationObject in AD

1. Connect to the Active Directory Users and Computers MMC snap-in and select the computer object which you want to delete from AD.

2. Right-click the computer object, go to Properties and select the Attribute Editor tab.

3. Choose msTPM-TpmInformationForComputer from the list of attributes and note the CN name it points to.


4. Now, in the Active Directory Users and Computers MMC snap-in, select the TPM Devices container.

5. Search for the CN name which you gathered in Step 3. This is the msTPM-InformationObject for the computer.

6. Right-click the msTPM-InformationObject and select Properties.

7. In the attribute list you will see the msTPM-OwnerInformation attribute, which holds the TPM owner password for the computer.


8. Delete the msTPM-InformationObject under the TPM Devices container which you located in Step 5.

9. Now you can delete the original computer object from AD.
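The same nine steps, scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module, rights on both the computer object and the TPM Devices container, that the container sits at the domain root as CN=TPM Devices, and that the linked attribute's backlink on the TPM object is named msTPM-TpmInformationForComputerBL; the computer name WKS-EXAMPLE is a placeholder.

```powershell
# Added example (not from the original post). Removes the msTPM-InformationObject
# linked to a computer first, and only then the computer object, so the TPM owner
# information does not become a stale entry under CN=TPM Devices.
Import-Module ActiveDirectory

function Remove-TpmInformationForComputer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [switch]$RemoveComputerObject
    )

    # Step 3: read the forward link from the computer object to its TPM object
    $computer = Get-ADComputer -Identity $ComputerName -Properties msTPM-TpmInformationForComputer
    $tpmDn = $computer.'msTPM-TpmInformationForComputer'

    if (-not $tpmDn) {
        Write-Warning "$ComputerName has no linked msTPM-InformationObject; nothing to clean up under TPM Devices."
    }
    elseif ($PSCmdlet.ShouldProcess($tpmDn, 'Remove msTPM-InformationObject')) {
        # Steps 4-8: the DN already identifies the object in the TPM Devices container
        Remove-ADObject -Identity $tpmDn -Confirm:$false
    }

    # Step 9: the computer object is removed only after its TPM object is gone
    if ($RemoveComputerObject -and
        $PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Remove computer object')) {
        Remove-ADObject -Identity $computer.DistinguishedName -Recursive -Confirm:$false
    }
}

# Stale entries: TPM objects whose backlink no longer points at any computer object
# (assumed backlink attribute name: msTPM-TpmInformationForComputerBL)
function Get-StaleTpmInformationObject {
    $domainDn = (Get-ADDomain).DistinguishedName
    Get-ADObject -SearchBase "CN=TPM Devices,$domainDn" `
        -LDAPFilter '(objectClass=msTPM-InformationObject)' `
        -Properties msTPM-TpmInformationForComputerBL |
        Where-Object { -not $_.'msTPM-TpmInformationForComputerBL' }
}

# Dry run first (-WhatIf prints what would be removed), then the real removal
Remove-TpmInformationForComputer -ComputerName 'WKS-EXAMPLE' -RemoveComputerObject -WhatIf
# Remove-TpmInformationForComputer -ComputerName 'WKS-EXAMPLE' -RemoveComputerObject
Get-StaleTpmInformationObject | Select-Object Name, DistinguishedName
```

Get-StaleTpmInformationObject only lists candidates; review each one before removing it, since a computer recreated with the same name gets a new TPM object and the old one shows up here.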


More Information:

TPM Provisioning Feature
https://technet.microsoft.com/en-us/library/jj131725.aspx

Windows 8 TPM GPO
https://technet.microsoft.com/en-us/library/jj679889.aspx

Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients
https://technet.microsoft.com/en-us/library/jj635854.aspx


Manoj Sehgal
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

Comments

  • Anonymous
    August 08, 2013
    Could you provide some reasoning why this was even done? It's just additional work from a sysadmin's point of view, but I'm sure there's a valid reason for the change.
  • Anonymous
    August 14, 2013
    Thanks for the tutorial, it is very well explained. I also cross-checked it with a video tutorial and frankly there is nothing unclear, it's perfect. You can also go take a look at this video tutorial site, it's nice. www.alphorm.com/.../formation-active-directory-2008-r2-70-640 Keep up the good work :)
  • Anonymous
    August 19, 2013
    For Windows 7, TPM information was only backed up in AD when the TPM was initialized. Also, the user had to go through one to two iterations of rebooting and accepting changes from the BIOS. We added the TPM auto-provisioning feature so that the TPM now gets initialized automatically in Windows 8 and the TPM Owner Password can be backed up in AD on a device after the initialization as well. We also saw that when an admin deleted the computer object, the TPM information was lost with the object. So we keep that information in a separate container in AD DS.
  • Anonymous
    August 20, 2013
    Thank you for your reply, keep the TPM/Bitlocker updates coming.
  • Anonymous
    January 27, 2014
    I agree with you. There is a slight difference between executing this task on Windows 7 and on Windows 8. Well, for now I am still on 7 and haven't upgraded yet to 8, but I'm planning to. Thank you, because you broadened my mind with this information. PCHAPPY http://pchappy.com.au
  • Anonymous
    January 06, 2015
    Is there someone I can send my VB scripts to for consideration? I have one script which will extract all the stored TPM passwords to Excel, which can be useful for DR or, by adding counters at the right point, to get some idea of how many computers aren't storing passwords.
    A second script walks the TPM Objects container and for each entry attempts to find the backlink(s) to computer objects; if there are no backlinks then you have an orphaned object. Obviously you need appropriate rights: either domain admin or suitable delegated access to both the TPM objects as well as the TPM password in the computer object (which is marked as "confidential", so the default read access is not adequate).
  • Anonymous
    April 09, 2015
    Can we get a script that looks up each TPM Device to verify it is referenced by an msTPM-InformationObject? No doubt there may be orphans where the Computer object was longer removed and/or removed and recreated as a new object with the same RDN.
  • Anonymous
    September 10, 2015
    This tells us that we should delete the TPM object before deleting the computer object, but unless I'm missing something it doesn't say how to clean up a tpm object that was left behind after a computer object was deleted. How do we identify the correct TPM object to clean up after the fact when a computer object has already been deleted?