Note: Windows 10 1709 introduces a policy setting that configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system's TPM is in a state other than Ready, including if the TPM is "Ready, with reduced functionality". The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. I am assuming that the implementation will suspend BitLocker if clearing could cause BitLocker recovery to be required and that Bitlocker would automatically resume once TPM has been auto provisioned by the OS. While it may be applicable in some scenarios you should still excercise greater control over TPM provisioning in an Enterprise OSD scenario.
To clear the TPM we can make use of the SetPhysicalPresenceRequest method of the Win32_Tpm class. The value of 5 denotes the Clear method which resets the TPM to its factory-default state.
- Add the property NeedRebootTpmClear to your CustomSettings.ini
- Download this PowerShell script, copy it to your deployment share and add a Run PowerShell Script item to your task sequence in your State Restore phase before you run Enable Bitlocker / Invoke MBAM Client Deployment.
- Additionally, add a Restart computer item and modify the condition to NeedRebootTpmClear equals TRUE
The resulting task sequence will request a TPM operation to reset ownership, will check whether the operation ran successfully and - should the latter apply - initiate a reboot.
# Determine where to do the logging
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
$logPath = $tsenv.Value("LogPath")
$logFile = "$logPath\$($myInvocation.MyCommand).log"
# Start the logging
Start-Transcript $logFile
Write-Output "Logging to $logFile"
# Start Main Code Here
Function ClearTPM {
Write-Output "The TPM must be cleared before it can be used to help secure the computer."
Write-Output "Clearing the TPM cancels the TPM ownership and resets it to factory defaults."
Write-Output "Quering Win32_TPM WMI object..."
$oTPM = Get-WmiObject -Class "Win32_Tpm" -Namespace "ROOT\CIMV2\Security\MicrosoftTpm"
Write-Output "Clearing TPM ownership....."
$tmp = $oTPM.SetPhysicalPresenceRequest(5)
If ($tmp.ReturnValue -eq 0) {
Write-Output "Successfully cleared the TPM chip. A reboot is required."
$TSenv.Value("NeedRebootTpmClear") = "YES"
Exit 0
}
Else {
Write-Warning "Failed to clear TPM ownership. Exiting..."
Stop-Transcript
Exit 0
}
}
Start-Sleep -Seconds 10
ClearTPM
# Stop logging
Stop-Transcript
Be aware that this TPM operation requires a human response to validate that a user is physically present before the action is completed - depending on your vendor you could remove any requirement for a user to acknowledge the TPM clear request.
I actually was in contact with Dell Inc. product group a while ago, here is what my contact person had to share:
For security reasons, our BIOS team still requires a physical presence to clear the TPM. This is based on requirements from the Trusted Computing Group that owns the TPM specification so that the TPM cannot be maliciously cleared. Other customers have asked for this so the BIOS team is reviewing how to build a secure method to do these actions silently. I don’t have an ETA on when it might be available.
After the TPM is cleared, it may also be turned off (this does not seem to apply to Dell Inc. systems). If the TPM is turned off, you can for example use vendor tools to turn the Trusted Platform Module on again..
