Friday, 15 September 2017 23:40

How to Clear the TPM Chip Using MDT

Written by
Rate this item
(3 votes)


Before a Trusted Platform Module (TPM) can be used for advanced scenarios it must be provisioned. Windows 10 automatically provisions a TPM, but if you are planning to reinstall the operating system, you may have to clear the TPM before reinstalling so that Windows 10 can take full advantage of the TPM. In today's blog post, I will take a closer look how to clear the TPM ownership using WMI in Microsoft Deployment Toolkit (MDT), allowing Windows 10 to automatically take ownership of the TPM on the next boot (TPM AutoProvisioning). Clearing the Trusted Platform Module (TPM) cancels TPM ownership and invalidates cryptographic materials created by the previous owner.

Note: Windows 10 1709 introduces a policy setting that configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system's TPM is in a state other than Ready, including if the TPM is "Ready, with reduced functionality". The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. I am assuming that the implementation will suspend BitLocker if clearing could cause BitLocker recovery to be required and that Bitlocker would automatically resume once TPM has been auto provisioned by the OS. While it may be applicable in some scenarios you should still excercise greater control over TPM provisioning in an Enterprise OSD scenario.

To clear the TPM we can make use of the SetPhysicalPresenceRequest method of the Win32_Tpm class. The value of 5 denotes the Clear method which resets the TPM to its factory-default state.

  1. Add the property NeedRebootTpmClear to your CustomSettings.ini
  2. Download this PowerShell script, copy it to your deployment share and add a Run PowerShell Script item to your task sequence in your State Restore phase before you run Enable Bitlocker / Invoke MBAM Client Deployment.
  3. Additionally, add a Restart computer item and modify the condition to NeedRebootTpmClear equals TRUE

The resulting task sequence will request a TPM operation to reset ownership, will check whether the operation ran successfully and - should the latter apply - initiate a reboot. 

# Determine where to do the logging 
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment 
$logPath = $tsenv.Value("LogPath") 
$logFile = "$logPath\$($myInvocation.MyCommand).log"

# Start the logging 
Start-Transcript $logFile
Write-Output "Logging to $logFile"
# Start Main Code Here
Function ClearTPM {
    Write-Output "The TPM must be cleared before it can be used to help secure the computer."
    Write-Output "Clearing the TPM cancels the TPM ownership and resets it to factory defaults."

    Write-Output "Quering Win32_TPM WMI object..."	
    $oTPM = Get-WmiObject -Class "Win32_Tpm" -Namespace "ROOT\CIMV2\Security\MicrosoftTpm"

    Write-Output "Clearing TPM ownership....."
    $tmp = $oTPM.SetPhysicalPresenceRequest(5)
    If ($tmp.ReturnValue -eq 0) {
	    Write-Output "Successfully cleared the TPM chip. A reboot is required."
            $TSenv.Value("NeedRebootTpmClear") = "YES"
	    Exit 0
    Else {
	    Write-Warning "Failed to clear TPM ownership. Exiting..."
	    Exit 0

Start-Sleep -Seconds 10

# Stop logging 

Be aware that this TPM operation requires a human response to validate that a user is physically present before the action is completed - depending on your vendor you could remove any requirement for a user to acknowledge the TPM clear request.

I actually was in contact with Dell Inc. product group a while ago, here is what my contact person had to share:

For security reasons, our BIOS team still requires a physical presence to clear the TPM. This is based on requirements from the Trusted Computing Group that owns the TPM specification so that the TPM cannot be maliciously cleared. Other customers have asked for this so the BIOS team is reviewing how to build a secure method to do these actions silently. I don’t have an ETA on when it might be available.

After the TPM is cleared, it may also be turned off (this does not seem to apply to Dell Inc. systems). If the TPM is turned off, you can for example use vendor tools to turn the Trusted Platform Module on again..


Read 371 times Last modified on Tuesday, 19 September 2017 19:03

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

Recent Posts