How to Cleanup TPM information from AD for Windows 8 computers


For Windows 7 machines, the TPM Owner Password is stored in msTPM-OwnerInformation, which is an attribute of the Computer object in AD. So if you delete the computer object, the TPM Owner Password is deleted with it.

For Windows 8, the TPM Owner Information is not stored directly on the Computer object. It is stored in a separate object (an msTPM-InformationObject in the TPM Devices container) that the computer object links to. When you delete the computer object from AD, that linked object, whose msTPM-OwnerInformation attribute holds the TPM Owner Password, is not deleted automatically.

As per best practices, TPM Owner Information is backed up in AD DS for all domain-joined computers.

In a scenario where an admin is doing a REFRESH of a computer and will delete the existing computer object in AD, he should first delete the TPM information for that computer, which is now stored in a different location in AD.

If you do not delete the msTPM-InformationObject under TPM Devices, it remains in AD as a stale entry that no computer object links to.

If the administrator does not delete the original computer object from AD in a Refresh scenario, then there is no need to delete the TPM information under the TPM Devices container.
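The stale entries described above can be found with a query, because each msTPM-InformationObject carries a back link (msTPM-TpmInformationForComputerBackLink) to the computer object(s) whose msTPM-TpmInformationForComputer attribute points at it; once the computer object is gone, that back link is empty. The following PowerShell is an added example, not part of the original post. It assumes the ActiveDirectory module (RSAT) and read access to the TPM Devices container; the removal line is left commented out because deleting an entry also destroys the escrowed owner password.

```powershell
# Added example (not from the original post): list msTPM-InformationObject entries in the
# TPM Devices container that no computer object links to any more.
# Assumes the ActiveDirectory module (RSAT) and read rights on CN=TPM Devices.
Import-Module ActiveDirectory

$domainDn     = (Get-ADDomain).DistinguishedName
$tpmContainer = "CN=TPM Devices,$domainDn"

# msTPM-TpmInformationForComputerBackLink is the back link of the computer object's
# msTPM-TpmInformationForComputer attribute. An entry with no back link has no owner.
$filter = '(&(objectClass=msTPM-InformationObject)(!(msTPM-TpmInformationForComputerBackLink=*)))'

$stale = Get-ADObject -SearchBase $tpmContainer -SearchScope OneLevel `
    -LDAPFilter $filter -Properties whenCreated, whenChanged

"{0} stale TPM object(s) found under {1}" -f @($stale).Count, $tpmContainer
$stale |
    Select-Object Name, whenCreated, whenChanged, DistinguishedName |
    Sort-Object whenChanged |
    Format-Table -AutoSize

# After reviewing the list, remove the stale entries. Each one holds an escrowed
# TPM owner password that is lost on deletion, so export anything you still need first.
# $stale | Remove-ADObject -Confirm:$false
```

Objects that are still linked from a computer object are excluded by the filter, including the rare case noted in the comments below where one TPM object is linked from more than one computer.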

In Windows 8, the TPM auto-provisioning feature initializes the TPM and can escrow the TPM Owner Password in AD DS if the GPO to back up the TPM password is enabled.

Windows 8 TPM GPO

If the computer is not joined to a domain, the TPM owner authorization value is stored only in the local computer registry.

TPM Owner Information for a Windows 8 machine is stored in an msTPM-InformationObject under the TPM Devices container, visible in the Active Directory Users and Computers MMC snap-in.

Note: If the TPM Devices container is not available, make sure you have applied the schema extensions for Windows 8.

Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients



How to delete the msTPM-InformationObject in AD

1. Open the Active Directory Users and Computers MMC snap-in and select the computer object that you want to delete from AD.

2. Right-click the computer object, go to Properties and select the Attribute Editor tab.

3. Choose msTPM-TpmInformationForComputer from the list of attributes and note its value. The value is the distinguished name of the linked msTPM-InformationObject; its CN is the object's name under TPM Devices.

4. Now, in the Active Directory Users and Computers MMC snap-in, select the TPM Devices container.

5. Search for the CN you gathered in Step 3. This is the msTPM-InformationObject for the computer.

6. Right-click the msTPM-InformationObject and select Properties.

7. In the attribute list you will see the msTPM-OwnerInformation attribute, which holds the TPM owner password for the computer. Deleting the object in the next step destroys this escrowed value, so save it first if you may still need to clear or manage that TPM.

8. Delete the msTPM-InformationObject under the TPM Devices container that you identified in Step 5.

9. Now you can delete the original computer object from AD.
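The same nine steps can be scripted, which is safer for a Refresh done at scale than clicking through the snap-in. The following PowerShell is an added example, not part of the original post. It assumes the ActiveDirectory module (RSAT), rights to delete objects in both the computer's OU and the TPM Devices container, and a placeholder computer name; it is invoked with -WhatIf so nothing is deleted until you remove that switch.

```powershell
# Added example (not from the original post): the manual steps above as a script.
# Assumes the ActiveDirectory module (RSAT). 'WIN8-PC01' is a placeholder name.
Import-Module ActiveDirectory

function Remove-ComputerWithTpmObject {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName
    )

    # Steps 1-3: read the forward link on the computer object. Its value is the
    # distinguished name of the msTPM-InformationObject in the TPM Devices container.
    $computer = Get-ADComputer -Identity $ComputerName -Properties 'msTPM-TpmInformationForComputer'
    $tpmDn = $computer.'msTPM-TpmInformationForComputer'

    if ($tpmDn) {
        # Steps 4-7: fetch the linked object and confirm it holds owner information.
        $tpmObject = Get-ADObject -Identity $tpmDn `
            -Properties 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputerBackLink'

        if (-not $tpmObject.'msTPM-OwnerInformation') {
            Write-Warning "$tpmDn has no msTPM-OwnerInformation value"
        }

        # Caveat: one TPM object can be linked from more than one computer object.
        # Only delete it when this computer is the sole owner; otherwise leave it.
        $others = @($tpmObject.'msTPM-TpmInformationForComputerBackLink') |
            Where-Object { $_ -and $_ -ne $computer.DistinguishedName }

        if ($others.Count -gt 0) {
            Write-Warning "$tpmDn is also linked from: $($others -join ', '); leaving it in place"
        }
        elseif ($PSCmdlet.ShouldProcess($tpmDn, 'Remove msTPM-InformationObject')) {
            # Step 8: delete the TPM object (the escrowed owner password goes with it).
            Remove-ADObject -Identity $tpmDn -Confirm:$false
        }
    }
    else {
        # A Windows 7 client, or a Windows 8 client that never escrowed, has no link;
        # any msTPM-OwnerInformation on the computer object itself is removed in Step 9.
        Write-Verbose "$ComputerName has no linked msTPM-InformationObject"
    }

    # Step 9: delete the computer object.
    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Remove computer object')) {
        Remove-ADComputer -Identity $computer -Confirm:$false
    }
}

Remove-ComputerWithTpmObject -ComputerName 'WIN8-PC01' -WhatIf -Verbose
```

Run it with -WhatIf first to see both deletions that would happen, then drop the switch. Because the TPM object is deleted before the computer object, the forward link is still available for the lookup; running the steps in the reverse order is what leaves the stale entries described earlier.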


More Information:

TPM Provisioning Feature

Windows 8 TPM GPO

Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients


Manoj Sehgal
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

  • Could you provide some reasoning why this was even done. It's just additional work from a sysadmins point of view, but I'm sure there's a valid reason for the change.

  • Thanks for the tutorial, it is very well explained. I also cross-checked it with a video tutorial and frankly there is nothing unclear, it's perfect. You can also go take a look at this video tutorial site, it's nice.          Keep up the good work :)

  • For Windows 7, TPM information was only backed up in AD when the TPM was initialized.

    Also user has to go through one to two iterations of reboot and accepting changes from BIOS.

    We added the TPM auto-provisioning feature so that the TPM now gets initialized automatically in Windows 8, and the TPM Owner Password can be backed up in AD on a device after the initialization as well.

    We also saw that when an admin deleted the computer object, the TPM information was lost with the object. So we keep that information in a separate container in AD DS.

  • Thank you for your reply, keep the TPM/Bitlocker updates coming.

  • I agree with you. There is slight difference between executing this task on Windows 7 to Windows 8. Well, for now I am still on 7 and haven't upgraded yet to 8 but I'm planning to. Thank you because you broaden my mind with this information. _____________________________________ PCHAPPY

  • This is all great, but how does one export the TPM Owner hash for Windows 8 machines? It's pretty easy for Win7 boxes since all of the information is stored in the computer object attributes. But since Win8 is now using the msTPM-TpmInformationForComputer attribute and that is just a pointer to the object in TPM Devices, I'm now beating my head against the wall to figure out how to export the information I need for DR purposes. Any clues on how to accomplish this via PowerShell? I want a single .CSV file that has hostname, BitLocker PW ID, BitLocker Recovery Key & TPM Owner Hash.

  • From issues encountered, although the name of the TPM object appears to be random, it appears to be related to something (possibly in the TPM itself) rather than the computer name - I've built a box to different names but it generates the same TPM Object name.

    In terms of getting information on the hashes etc. out: I haven't done it in PowerShell but have in VBS, extracting the hash from either the computer object or the TPM object (or in a very few cases, from both). You can also spot orphaned TPM objects, as they have a reverse link back to the computer(s): in ldp you can see all the reverse links, but in VBS I currently only see one of them.

  • Is there someone I can send my vb scripts to for consideration - I have one script which will extract all the stored TPM passwords to Excel which can be useful for DR or by adding counters at the right point, get some idea of how many computers aren't storing passwords.
    A second script walks the TPM Objects container and for each entry attempts to find the backlink(s) to computer objects; if there are no backlinks then you have an orphaned object. Obviously you need appropriate rights, either domain admin or suitable delegated access to both the TPM objects as well as the TPM password in the computer object (which is marked as "confidential", so the default read access is not adequate).

  • Can we get a script that looks up each TPM Device to verify it is referenced by msTPM-InformationObject? No doubt there may be orphans where the Computer object was longer removed and/or removed and recreated as a new object with the same RDN.

  • This tells us that we should delete the TPM object before deleting the computer object, but unless I'm missing something it doesn't say how to clean up a tpm object that was left behind after a computer object was deleted. How do we identify the correct TPM object to clean up after the fact when a computer object has already been deleted?