Friday, 15 September 2017 23:40

How to Clear the TPM Chip Using MDT

Written by
Rate this item
(7 votes)


Before a Trusted Platform Module (TPM) can be used for advanced scenarios it must be provisioned. Windows 10 automatically provisions a TPM, but if you are planning to reinstall the operating system, you may have to clear the TPM before reinstalling so that Windows 10 can take full advantage of the TPM. In today's blog post, I will take a closer look how to clear the TPM ownership using WMI in Microsoft Deployment Toolkit (MDT), allowing Windows 10 to automatically take ownership of the TPM on the next boot (TPM AutoProvisioning). Clearing the Trusted Platform Module (TPM) cancels TPM ownership and invalidates cryptographic materials created by the previous owner.

Note: Windows 10 1709 introduces a policy setting that configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system's TPM is in a state other than Ready, including if the TPM is "Ready, with reduced functionality". The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. I am assuming that the implementation will suspend BitLocker if clearing could cause BitLocker recovery to be required and that Bitlocker would automatically resume once TPM has been auto provisioned by the OS. While it may be applicable in some scenarios you should still excercise greater control over TPM provisioning in an Enterprise OSD scenario.

To clear the TPM we can make use of the SetPhysicalPresenceRequest method of the Win32_Tpm class. The value of 5 denotes the Clear method which resets the TPM to its factory-default state.

  1. Add the property NeedRebootTpmClear to your CustomSettings.ini
  2. Download this PowerShell script, copy it to your deployment share and add a Run PowerShell Script item to your task sequence in your State Restore phase before you run Enable Bitlocker / Invoke MBAM Client Deployment.
  3. Additionally, add a Restart computer item and modify the condition to NeedRebootTpmClear equals TRUE

The resulting task sequence will request a TPM operation to reset ownership, will check whether the operation ran successfully and - should the latter apply - initiate a reboot. 

# Determine where to do the logging 
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment 
$logPath = $tsenv.Value("LogPath") 
$logFile = "$logPath\$($myInvocation.MyCommand).log"

# Start the logging 
Start-Transcript $logFile
Write-Output "Logging to $logFile"
# Start Main Code Here
Function ClearTPM {
    Write-Output "The TPM must be cleared before it can be used to help secure the computer."
    Write-Output "Clearing the TPM cancels the TPM ownership and resets it to factory defaults."

    Write-Output "Quering Win32_TPM WMI object..."	
    $oTPM = Get-WmiObject -Class "Win32_Tpm" -Namespace "ROOT\CIMV2\Security\MicrosoftTpm"

    Write-Output "Clearing TPM ownership....."
    $tmp = $oTPM.SetPhysicalPresenceRequest(5)
    If ($tmp.ReturnValue -eq 0) {
	    Write-Output "Successfully cleared the TPM chip. A reboot is required."
            $TSenv.Value("NeedRebootTpmClear") = "YES"
	    Exit 0
    Else {
	    Write-Warning "Failed to clear TPM ownership. Exiting..."
	    Exit 0

Start-Sleep -Seconds 10

# Stop logging 

Be aware that this TPM operation requires a human response to validate that a user is physically present before the action is completed - depending on your vendor you could remove any requirement for a user to acknowledge the TPM clear request.

I actually was in contact with Dell Inc. product group a while ago, here is what my contact person had to share:

For security reasons, our BIOS team still requires a physical presence to clear the TPM. This is based on requirements from the Trusted Computing Group that owns the TPM specification so that the TPM cannot be maliciously cleared. Other customers have asked for this so the BIOS team is reviewing how to build a secure method to do these actions silently. I don’t have an ETA on when it might be available.

After the TPM is cleared, it may also be turned off (this does not seem to apply to Dell Inc. systems). If the TPM is turned off, you can for example use vendor tools to turn the Trusted Platform Module on again..


Read 2450 times Last modified on Tuesday, 19 September 2017 19:03

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

Recent Posts

  • Automating Multi-node Tableau Server Environment
    After a few weeks off, I am delighted to announce that I have returned full time, once again delivering somewhat…
    Written on Monday, 19 February 2018 11:01
  • The Case of Missing TPM P@ssword
    As my regular blog readers will be aware (yes, all three of you), there is something increasingly traditional about me…
    Written on Thursday, 25 January 2018 10:04
  • The Case of "Just a Moment..."
    A key part of any complete end-to-end deployment project is analysis of the resulting logs to identify root causes for…
    Written on Tuesday, 16 January 2018 12:57
  • How to Automate Input Preferences during OSD
    A few days ago I stumbled upon a question on the Microsoft Deployment Toolkit (MDT) forum where a user asked…
    Written on Monday, 15 January 2018 12:36
  • Disabling Cortana Voice Support during OOBE
    Yesterday I came across a Twitter thread in which multiple users detailed their beef with the revamped setup experience of…
    Written on Tuesday, 12 December 2017 10:04
  • Fixing "Windows update reboot is pending" during OSD
    Automated OS deployment became common as IT professionals install systems using tools like Microsoft Deployment Toolkit or System Center Configuration…
    Written on Tuesday, 28 November 2017 08:44