How to use Hash of TPM from AD to reset your TPM password


Hello, my name is Manoj Sehgal. I am a Support Escalation Engineer in the Windows group and today’s blog will cover “How to use Hash of TPM from AD to reset your TPM password”.

As per BitLocker best practices, we configure a Group Policy setting for the TPM so that its owner information is backed up to AD DS.

Note: see the links at the end of this post for how to configure the Group Policy settings for the TPM and BitLocker.

By design, only a hash of the TPM owner password is saved in AD, never the password itself.

Consider the below scenarios:

Scenario 1:

  • The customer rolls out machines using SCCM. As part of enabling BitLocker, SCCM generates a random “TPM Owner Password” (MDT does this as well).

Scenario 2:

  • The user enabled BitLocker and chose a “TPM Owner Password” themselves. Later that person leaves the company and the laptop needs to go to their replacement. If you do not have the TPM owner password, the only option is to clear the TPM back to factory defaults, and on the next restart the computer will prompt for the 48-digit BitLocker recovery key.
  • The owner password is saved on the computer object in AD as a hash value in the msTPM-OwnerInformation attribute. By default only Domain Admins can read this attribute.

At some point a domain admin needs to make a change in tpm.msc. To do so you must supply the TPM “Owner Password”; the alternative is clearing the TPM chip, which loses all data stored on it.

Backing up the TPM owner information for a computer allows administrators to locally and remotely configure the TPM security hardware on that computer. As an example, an administrator might want to reset the TPM to factory defaults when decommissioning or repurposing computers.

In order to reset the TPM Owner Password, follow the below steps:

Resolution:

1. Open Notepad and paste in the following two lines:

<?xml version="1.0" encoding="UTF-8"?>
<ownerAuth>JLi2ycvjzYgYaDq5zQ094U/FxAs=</ownerAuth>

2. Read the hash value from the computer's msTPM-OwnerInformation attribute in AD and paste it in place of the value between <ownerAuth>……</ownerAuth>.

3. Save the file with a .tpm extension, for example whatevername.tpm.

4. Open the TPM Administration Console (tpm.msc) and click Change Owner Password.

5. Select “I have the Owner Password File” and point it to the .tpm file you created in the previous steps.

6. Now you can successfully change the TPM password.
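The same procedure scripted end to end, as an added example that is not part of the original post: it reads the backed-up hash from AD (the Windows 7 attribute on the computer object, or the linked object under CN=TPM Devices that Windows 8 and later use), checks that the value decodes to a 20-byte owner authorization, and writes the .tpm file in the Step 1 layout. It assumes the ActiveDirectory module (RSAT) and read rights on the attribute; $ComputerName and $OutputPath are placeholders you supply.

```powershell
# Added example, not from the original post. Builds a .tpm owner password file from
# the hash that Windows backed up to AD, for use with "Change Owner Password" in tpm.msc.
param(
    [Parameter(Mandatory)] [string] $ComputerName,
    # Write to a USB stick or network share, not the BitLocker-protected drive itself;
    # tpm.msc cannot read the file from the volume whose TPM you are changing.
    [Parameter(Mandatory)] [string] $OutputPath
)
Import-Module ActiveDirectory

# -Properties * keeps this working whether or not the Windows 8 schema extension exists.
$computer = Get-ADComputer -Identity $ComputerName -Properties *

# Windows 7 stores the hash directly on the computer object.
$hash = $computer.'msTPM-OwnerInformation'

# Windows 8 and later store it on a linked msTPM-InformationObject under CN=TPM Devices;
# the computer object only carries the link (msTPM-TpmInformationForComputer).
if (-not $hash -and $computer.'msTPM-TpmInformationForComputer') {
    $tpmObject = Get-ADObject -Identity $computer.'msTPM-TpmInformationForComputer' `
                              -Properties msTPM-OwnerInformation
    $hash = $tpmObject.'msTPM-OwnerInformation'
}
if (-not $hash) { throw "No TPM owner information is backed up in AD for $ComputerName." }

# Sanity check: the value is base64 of a 20-byte SHA-1 digest, i.e. 28 characters with padding.
$bytes = [Convert]::FromBase64String($hash)
if ($bytes.Length -ne 20) {
    throw "Unexpected owner authorization length: $($bytes.Length) bytes, expected 20."
}

# Same two lines as the file in Step 1. The content is plain ASCII, so writing it as
# UTF-8 without a BOM produces the same bytes Notepad writes with its default encoding.
$xml = "<?xml version=`"1.0`" encoding=`"UTF-8`"?>`r`n<ownerAuth>$hash</ownerAuth>`r`n"
[IO.File]::WriteAllText($OutputPath, $xml, (New-Object Text.UTF8Encoding $false))
Write-Host "Wrote TPM owner password file for $ComputerName to $OutputPath"
```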

For more information on Group Policy settings for BitLocker, see my blog post below.
http://blogs.technet.com/askcore/archive/2010/02/16/cannot-save-recovery-information-for-Bitlocker-in-windows-7.aspx

Bitlocker Policies for Windows 7 on Windows Server 2003 or Windows Server 2008

http://blogs.technet.com/b/askcore/archive/2010/07/02/bitlocker-policies-for-windows-7-on-windows-server-2003-or-windows-server-2008.aspx

Manoj Sehgal
Support Escalation Engineer
Microsoft Enterprise Platforms Support

Comments:
  • A very good brief yet concise article ... Thank you

  • The article is excellent, but unfortunately the process does not work in our environment.  We are doing a copy and paste of the TPM Hash from AD into a template created from your example.  We are naming the file "machinename.tpm" but are denied the reset after browsing to the file.

    Any thoughts as to what behavior would cause this?

  • I know this is an old thread but I'm having the same problem as above. I have followed your steps, saved the file in UTF-8 encoding, made sure file extensions were not hidden.

    First off I cannot browse to it, I have to type in the path so it isn't showing up properly as a .tpm file.

    When I do put in the path manually the result is tpm.msc telling me:

    "If you build the file manually, verify that it has the correct syntax for a tpm owner password file."

  • hahaha DUMMY moment.

    This method works fine but the .tpm file you create cannot be used from the local BitLocker encrypted drive

    (duh, you can't store your hash on the drive!)

    The same file can be used to reset the key from a network share, flash drive etc.

  • I too am getting the error referenced by David. However, it still occurs whether or not the tpm file is accessed locally or from a USB or network share.

    One thing I noticed is Windows 8 backup seems to have a 27 character hash, but your example is 28. Is our backup not working correctly? It is in the format as follows for Windows 8:

    CN=<27 character hash>,CN=TPM Devices,DC=domain,DC=company,DC=com

  • Great article!

    Unfortunately isn't what I'm looking for...

    I was trying to generate the owner hash based on a custom password that is generated randomly for each computer, but I'm still without success.

    For the same owner password, a hash generated by me and the one generated by Windows aren't the same... Until I figure out a way to do this I'm gonna save the password on a fileserver instead of the TPM recovery file.
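For the last commenter's case, as an added example that is neither the commenter's nor the original post's code: Windows exposes the conversion it applies to an owner passphrase through the Win32_Tpm WMI class (the ConvertToOwnerAuth method), so an admin can reproduce the value stored in AD without guessing the hashing scheme. It must run on a machine with an enabled TPM; the passphrase is a hypothetical value and the AD comparison assumes the ActiveDirectory module.

```powershell
# Added example, not from the original post or the commenter. Converts an owner
# passphrase into the owner authorization value exactly as Windows does.
function Get-TpmOwnerAuthFromPassphrase {
    param([Parameter(Mandatory)] [string] $OwnerPassPhrase)

    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { throw 'Win32_Tpm is not available; is a TPM present and enabled?' }

    # ConvertToOwnerAuth returns ReturnValue (0 on success) and the OwnerAuth string.
    $result = $tpm.ConvertToOwnerAuth($OwnerPassPhrase)
    if ($result.ReturnValue -ne 0) {
        throw ('ConvertToOwnerAuth failed with 0x{0:X8}' -f $result.ReturnValue)
    }

    # OwnerAuth uses the same base64 form as msTPM-OwnerInformation: 20 bytes, 28 characters.
    $auth = $result.OwnerAuth
    if ([Convert]::FromBase64String($auth).Length -ne 20) {
        throw "Unexpected owner authorization length for '$auth'."
    }
    return $auth
}

# Usage: check a candidate passphrase against the hash backed up in AD for this computer
# (hypothetical passphrase; Windows 7 schema, where the hash sits on the computer object).
$auth = Get-TpmOwnerAuthFromPassphrase -OwnerPassPhrase 'hypothetical-passphrase'
$adValue = (Get-ADComputer $env:COMPUTERNAME -Properties msTPM-OwnerInformation).'msTPM-OwnerInformation'
if ($auth -eq $adValue) { 'Passphrase matches the hash backed up in AD' } else { 'No match' }
```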