Thursday, 25 January 2018 10:04

The Case of Missing TPM P@ssword

Written by
Rate this item
(3 votes)

image

As my regular blog readers will be aware (yes, all three of you), there is something increasingly traditional about me writing about my customer engagements and today should be no different. With the new way of building, deploying, and servicing OS introduced with Windows 10 (Windows as a Service a.k.a. Hustle as a Service) I often kick off customer engagements with a workshop for IT professionals addressing biggest benefits of adopting Windows 10 and detailing comprehensive set of intelligent security solutions which allow organizations to protect against security threats and to better protect user and company data against sophisticated attacks thus allowing them to align themselves with the GDPR requirements. By outlining these benefits heads on, I can often persuade my customers to adopt a comprehensive set of advanced security capabilities including, but not limited to Credential Guard, Windows Information Protection, Windows Defender ATP and BitLocker.

The other day, as I was working with a customer on improving and optimizing his Windows 10 image, one of IT technicians tried enabling BitLocker pre-provisioning. That did not work out as expected as the Microsoft Deployment Toolkit's Final Summary window displayed following warning: "TPM P@ssword missing. Please provide P@ssword via TpmOwnerP@ssword or AdminP@ssword". As I've never seen this warning before, I started poking around ZTIBDE.wsf script and quickly located the relevant part in the script:

If bTpmOwned <> True AND bTpmOwnershipAllowed = True Then

If oEnvironment.Item("TpmOwnerPassword") <> "" Then
	oLogging.CreateEntry "TPM Ownership being intiated.", LogTypeInfo
	iRetVal = SetTpmOwner(oEnvironment.Item("TpmOwnerPassword"))
	TestAndFail iRetVal, 6741, "TPM Owner Password set"
ElseIf oEnvironment.Item("AdminPassword") <> "" Then
	oLogging.CreateEntry "TPM Ownership being intiated with AdminP@ssword (not TPMOwnerP@ssword).", LogTypeInfo
	iRetVal = SetTpmOwner(oEnvironment.Item("AdminPassword"))
	TestAndFail iRetVal, 6742, "TPM Owner P@ssword set to AdminP@ssword"
Else			
	oLogging.CreateEntry "TPM P@ssword missing. Please provide P@ssword via TpmOwnerP@ssword or AdminP@ssword", LogTypeInfo				
	oLogging.ReportFailure "TPM P@ssword missing.", 6743							
End If

Current iterations of MDT require either TpmOwnerPassword or AdminPassword property to be configured prior to initiating BitLocker drive encryption. If set, Microsoft Deployment Toolkit will use Trusted Platform Module (TPM) owner password during the TPM initialization process and will attempt to take ownership of the TPM. Since Windows 10 was designed to be the most secure Windows OS yet, starting with Windows 10 1607, Windows will not retain the TPM owner password when provisioning the TPM because in some scenarios TPM owner password could be retrieved by a malicious party and be used in offline attacks against TPM anti-hammering. The password will be set to a random high entropy value and then discarded without ever revealing it to the user.

I am fairly certain that previous iterations of MDT used to set TpmOwnerPassword to the default value, however, this seems to no longer be the case. 

A quick look inside customer's CustomSettings.ini confirmed my suspicions that neither of these properties was configured (I am sure there were good reasons not to set default admin password). A highly unusual configuration, which a) is highly uncommon and b) something I never ran into before (which in turn explained why I was not familiar with the error message). Following my advice, the admin added TpmOwnerPassword=Pa55w0rd property to CustomSettings.ini, ran through the deployment again and verified that BitLocker pre-provisioning now worked as expected. Case solved. 

Read 548 times Last modified on Friday, 26 January 2018 13:12

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

Recent Posts

  • Automating Multi-node Tableau Server Environment
    After a few weeks off, I am delighted to announce that I have returned full time, once again delivering somewhat…
    Written on Monday, 19 February 2018 11:01
  • The Case of Missing TPM P@ssword
    As my regular blog readers will be aware (yes, all three of you), there is something increasingly traditional about me…
    Written on Thursday, 25 January 2018 10:04
  • The Case of "Just a Moment..."
    A key part of any complete end-to-end deployment project is analysis of the resulting logs to identify root causes for…
    Written on Tuesday, 16 January 2018 12:57
  • How to Automate Input Preferences during OSD
    A few days ago I stumbled upon a question on the Microsoft Deployment Toolkit (MDT) forum where a user asked…
    Written on Monday, 15 January 2018 12:36
  • Disabling Cortana Voice Support during OOBE
    Yesterday I came across a Twitter thread in which multiple users detailed their beef with the revamped setup experience of…
    Written on Tuesday, 12 December 2017 10:04
  • Fixing "Windows update reboot is pending" during OSD
    Automated OS deployment became common as IT professionals install systems using tools like Microsoft Deployment Toolkit or System Center Configuration…
    Written on Tuesday, 28 November 2017 08:44