How to Cleanup TPM information from AD for Windows 8 computers

For Windows 7 machines, the TPM owner password is stored in msTPM-OwnerInformation, which is an attribute of the computer object in AD. So if you delete the computer object, the TPM owner password is deleted with it.

For Windows 8, TPM owner information is not stored directly on the computer object. It is stored in a separate object that is linked to the computer object. When you delete the computer object from AD, the msTPM-OwnerInformation attribute that holds the TPM owner password is not deleted automatically.

As per best practices, TPM owner information is also backed up in AD DS for all domain-joined computers.

In a scenario where an admin is doing a REFRESH of a computer and will delete the existing computer object in AD, he should first delete the TPM information for the computer, which is now stored in a different location in AD.

If you do not delete the msTPM-InformationObject under TPM Devices, it will remain in AD as a stale entry.

If the administrator does not delete the original computer object from AD in a refresh scenario, then you do not have to delete the TPM information under the TPM Devices container in AD.

The Windows 8 TPM auto-provisioning feature initializes the TPM and can escrow the TPM owner password in AD DS if the GPO to back up the TPM password is enabled.

Windows 8 TPM GPO
http://technet.microsoft.com/en-us/library/jj679889.aspx

If the computer is not joined to a domain, the TPM owner authorization value is stored in the local computer registry.

TPM owner information for a Windows 8 machine is stored in an msTPM-InformationObject in the TPM Devices container, which you can see in the Active Directory Users and Computers MMC snap-in.

Note: If the TPM Devices container is not available, make sure you have applied the schema extensions for Windows 8.

Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients
http://technet.microsoft.com/en-us/library/jj635854.aspx

How to delete the msTPM-InformationObject in AD

1. Connect to the Active Directory Users and Computers MMC snap-in and select the computer object that you want to delete from AD.

2. Right-click the computer object, go to Properties, and select the Attribute Editor tab.

3. Choose msTPM-TpmInformationForComputer from the list of attributes and note the CN name it contains.

4. In the Active Directory Users and Computers MMC snap-in, select the TPM Devices container.

5. Search for the CN name you gathered in step 3. This is the msTPM-InformationObject for the computer.

6. Right-click the msTPM-InformationObject and select Properties.

7. In the attribute list you will see the msTPM-OwnerInformation attribute, which holds the TPM owner password for the computer.

8. Delete the msTPM-InformationObject under the TPM Devices container that you located in step 5.

9. Now you can delete the original computer object from AD.
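The same cleanup scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original post: it resolves the linked msTPM-InformationObject from the computer object, deletes it first, then deletes the computer, and a second function lists TPM objects whose back-link no longer points at any computer (the stale entries described above). It assumes the attribute names from the Windows 8 TPM schema extension linked above; the host name is a placeholder.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory
# module (RSAT) and rights to delete objects under CN=TPM Devices and in the
# computer's OU. Attribute names come from the Windows 8 TPM schema extension.
Import-Module ActiveDirectory

function Remove-TpmInformationForComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $ComputerName)

    # Step 3 of the post: the computer object carries a link attribute whose
    # value is the DN of its msTPM-InformationObject under CN=TPM Devices.
    $computer = Get-ADComputer -Identity $ComputerName `
        -Properties 'msTPM-TpmInformationForComputer'
    $tpmDn = $computer.'msTPM-TpmInformationForComputer'

    if ($tpmDn) {
        # Steps 5-8: delete the TPM object first; AD does not remove it
        # together with the computer object.
        if ($PSCmdlet.ShouldProcess($tpmDn, 'Delete msTPM-InformationObject')) {
            Remove-ADObject -Identity $tpmDn -Confirm:$false
        }
    } else {
        Write-Verbose "$ComputerName has no linked TPM object (nothing escrowed, or Windows 7 style storage)."
    }

    # Step 9: now the computer object itself can go.
    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Delete computer object')) {
        Remove-ADComputer -Identity $computer -Confirm:$false
    }
}

# Stale entries: TPM objects left behind because the computer was deleted first.
# The back-link attribute is empty once no computer object points at the object.
function Get-OrphanedTpmObject {
    Get-ADObject -LDAPFilter '(objectClass=msTPM-InformationObject)' `
        -Properties 'msTPM-TpmInformationForComputerBL' |
        Where-Object { -not $_.'msTPM-TpmInformationForComputerBL' } |
        Select-Object Name, DistinguishedName
}

# Dry run first; drop -WhatIf to actually delete. The host name is a placeholder.
Remove-TpmInformationForComputer -ComputerName 'WKS-0001' -WhatIf
Get-OrphanedTpmObject
```

Run the orphan check after a refresh cycle to confirm no msTPM-InformationObject was left behind under TPM Devices.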

More Information:

TPM Provisioning Feature
http://technet.microsoft.com/en-us/library/jj131725.aspx

Windows 8 TPM GPO
http://technet.microsoft.com/en-us/library/jj679889.aspx

Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients
http://technet.microsoft.com/en-us/library/jj635854.aspx

Manoj Sehgal
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

  • Could you provide some reasoning why this was even done. It's just additional work from a sysadmins point of view, but I'm sure there's a valid reason for the change.

  • Thanks for the tutorial, it is very well explained. I also cross-checked it with a video tutorial and honestly there is no ambiguity, it's perfect. You can also take a look at this video tutorial site, it's nice.  www.alphorm.com/.../formation-active-directory-2008-r2-70-640          Keep up the good work :)

  • For Windows 7, TPM information was only backed up in AD when the TPM was initialized.

    Also, the user had to go through one to two iterations of rebooting and accepting changes from the BIOS.

    We added the TPM auto-provisioning feature so that the TPM now gets initialized automatically in Windows 8, and the TPM Owner Password can be backed up in AD on a device after the initialization as well.

    We also saw that when an admin deleted the computer object, the TPM information was lost with the object. So we keep that information in a separate container in AD DS.

  • Thank you for your reply, keep the TPM/Bitlocker updates coming.

  • I agree with you. There is a slight difference between executing this task on Windows 7 and Windows 8. Well, for now I am still on 7 and haven't upgraded yet to 8, but I'm planning to. Thank you, because you broadened my mind with this information. _____________________________________ PCHAPPY http://pchappy.com.au

  • This is all great, but how does one export the TPM Owner hash for Windows 8 machines? It's pretty easy for Win7 boxes since all of the information is stored in the computer obj attributes. But since Win8 is now using the msTPM-TpmInformationForComputer attribute, and that is just a pointer to the object in TPM Devices, I'm now beating my head against the wall to figure out how to export the information I need for DR purposes. Any clues on how to accomplish this via PowerShell? I want a single .CSV file that has hostname, BitLocker PW ID, BitLocker Recovery Key & TPM Owner Hash.

  • From issues encountered, although the name of the TPM object appears to be random, it appears to be related to something (possibly in the TPM itself) rather than the computer name - I've built a box under different names but it generates the same TPM Object name.

    In terms of getting information on the hashes etc. out - haven't done it in PowerShell but have in VBS, extracting the hash from either the computer object or the TPM object (or in a very few cases, from both) - also can spot orphaned TPM objects as they have a reverse link back to the computer(s) - in ldp you can see all the reverse links, but in VBS I currently only see one of them
    In terms of getting information on the hashes etc. out - haven't done it in powershell but have in vbs extracting the hash from either the computer object ot the TPM object (or in a very few cases, from both) - also can spot orphaned TPM objects as they have a reverse link back to the computer(s) - in ldp you can see all the reverse links, but in vbs I currently only see one of them