Microsoft Enterprise Platforms Support: Windows Server Core Team
Hello, my name is Manoj Sehgal. I am a Support Escalation Engineer in the Windows group and today’s blog will cover “How to use Hash of TPM from AD to reset your TPM password”.
As per Best Practices for Bitlocker we configure a Group Policy for TPM to backup information in AD DS.
Note: See links at the end to configure the Group Policy for TPM and Bitlocker.
By design, we save hash of the TPM password in AD and not the actual TPM password.
Consider the below scenarios:
Scenario 1:
Scenario 2:
At some point the domain admin needs to make a change in TPM.MSC. In order to do this you must supply the TPM “Owner password” otherwise the TPM chip is cleared so you would lose all data on the TPM chip.
Backing up the TPM owner information for a computer allows administrators to locally and remotely configure the TPM security hardware on that computer. As an example, an administrator might want to reset the TPM to factory defaults when decommissioning or repurposing computers.
In order to reset the TPM Owner Password, follow the below steps:
Resolution:
1. Open notepad and copy the below information.
<?xml version="1.0" encoding="UTF-8"?> <ownerAuth>JLi2ycvjzYgYaDq5zQ094U/FxAs=</ownerAuth>
<?xml version="1.0" encoding="UTF-8"?>
<ownerAuth>JLi2ycvjzYgYaDq5zQ094U/FxAs=</ownerAuth>
2. Get the hash information from ms-TPMOwnerInformation attribute and replace the hash information between the <ownerAuth>……</ownerAuth>
3. Save the file as whatevername.tpm.
4. Open TPM Administration Console (tpm.msc) and Click on Change Owner Password.
5. Select “I have the Owner Password File” and point it to .tpm file which you got in Step 2.
6. Now you can successfully change the TPM password.
For more information on Group Policies for Bitlocker, see my blog below. http://blogs.technet.com/askcore/archive/2010/02/16/cannot-save-recovery-information-for-Bitlocker-in-windows-7.aspx
Bitlocker Policies for Windows 7 on Windows Server 2003 or Windows Server 2008
http://blogs.technet.com/b/askcore/archive/2010/07/02/bitlocker-policies-for-windows-7-on-windows-server-2003-or-windows-server-2008.aspx
Manoj Sehgal Support Escalation Engineer Microsoft Enterprise Platforms Support
A very good brief yet concise article ... Thank you
The article is excellent, but unfortunately the process does not work in our environment. We are doing a copy and paste of the TPM Hash from AD into a template created from your example. We are naming the file "machinename.tpm" but are denied the reset after browsing to the file.
Any thoughts as to what behavior would cause this?
I know this is an old thread but i'm having the same problem as above. i have followed your steps, saved the file un utf-8 encoding, made sure file extensions were not hidden.
first off i cannot browse to it, i have to type in the path so it isn't showing up properly as a .tpm file.
when i do put in the path manually the result is tpm.msc telling me:
"If you build the file manually, verify that it has the correct syntax for a tpm owner password file."
hahaha DUMMY moment.
this method works fine but the .tpm file you create cannot be used from the local bitlocker encrypted drive
(duh you can't store your hash on the drive!)
the same file can be used to reset the key from a network share flash drive etc
I too am getting the error referenced by David. However, it still occurs whether or not the tpm file is accessed locally or from a USB or network share.
One thing I noticed is Windows 8 backup seems to have a 27 character hash, but your example is 28. Is our backup not working correctly? It is in the format as follows for Windows 8:
CN=<27 chararcter hash>,CN=TPM Devices,DC=domain,DC=company,DC=com