共用方式為

How to use Hash of TPM from AD to reset your TPM password

  • 發行項

Hello, my name is Manoj Sehgal. I am a Support Escalation Engineer in the Windows group and today’s blog will cover “How to use Hash of TPM from AD to reset your TPM password”.

As per Best Practices for Bitlocker we configure a Group Policy for TPM to backup information in AD DS.

Note: See links at the end to configure the Group Policy for TPM and Bitlocker.

By design, we save hash of the TPM password in AD and not the actual TPM password.

Consider the below scenarios:

Scenario 1:

  • Customer rolls out machines using SCCM. SCCM creates a random password for “TPM Owner Password” as part of enabling bitlocker (MDT does this also). 

Scenario 2:

  • If the user enabled Bitlocker and specified a “TPM Owner password”. In this instance you could see scenario where you fired that person and need to give the laptop to his replacement. If you do not have the TPM password, you will only able to clear the TPM to factory defaults and then when you restart your computer, it will prompt you for 48 digit bitlocker recovery key.
  • This password is saved in AD (msTPM-OwnerInformation) attribute as hash value. By default only domain admins can read this attribute.

At some point the domain admin needs to make a change in TPM.MSC. In order to do this you must supply the TPM “Owner password” otherwise the TPM chip is cleared so you would lose all data on the TPM chip. 

Backing up the TPM owner information for a computer allows administrators to locally and remotely configure the TPM security hardware on that computer. As an example, an administrator might want to reset the TPM to factory defaults when decommissioning or repurposing computers.

In order to reset the TPM Owner Password, follow the below steps:

Resolution:

1. Open notepad and copy the below information.

<?xml version="1.0" encoding="UTF-8"?>

<ownerAuth>JLi2ycvjzYgYaDq5zQ094U/FxAs=</ownerAuth>

2. Get the hash information from ms-TPMOwnerInformation attribute and replace the hash information between the <ownerAuth>……</ownerAuth>

clip_image002

3. Save the file as whatevername.tpm.

4. Open TPM Administration Console (tpm.msc) and Click on Change Owner Password.

clip_image004

5. Select “I have the Owner Password File” and point it to .tpm file which you got in Step 2.

6. Now you can successfully change the TPM password.

For more information on Group Policies for Bitlocker, see my blog below.
https://blogs.technet.com/askcore/archive/2010/02/16/cannot-save-recovery-information-for-Bitlocker-in-windows-7.aspx

Bitlocker Policies for Windows 7 on Windows Server 2003 or Windows Server 2008

https://blogs.technet.com/b/askcore/archive/2010/07/02/bitlocker-policies-for-windows-7-on-windows-server-2003-or-windows-server-2008.aspx

Manoj Sehgal
Support Escalation Engineer
Microsoft Enterprise Platforms Support

Comments

  • Anonymous
    January 01, 2003
    The comment has been removed
  • Anonymous
    September 06, 2010
    A very good brief yet concise article ... Thank you
  • Anonymous
    December 08, 2011
    The comment has been removed
  • Anonymous
    March 21, 2013
    I know this is an old thread but i'm having the same problem as above. i have followed your steps, saved the file un utf-8 encoding, made sure file extensions were not hidden.first off i cannot browse to it, i have to type in the path so it isn't showing up properly as a .tpm file.when i do put in the path manually the result is tpm.msc telling me:"If you build the file manually, verify that it has the correct syntax for a tpm owner password file."
  • Anonymous
    March 21, 2013
    The comment has been removed
  • Anonymous
    May 06, 2013
    The comment has been removed
  • Anonymous
    March 31, 2015
    Anybody solved this with windows 8.1?
  • Anonymous
    April 16, 2015
    Make sure that the file in encoded with UTF-8. I used Notepad++ to change it!