Friday, 15 September 2017 23:40

How to Clear the TPM Chip Using MDT

Written by
Rate this item
(9 votes)

image

Before a Trusted Platform Module (TPM) can be used for advanced scenarios it must be provisioned. Windows 10 automatically provisions a TPM, but if you are planning to reinstall the operating system, you may have to clear the TPM before reinstalling so that Windows 10 can take full advantage of the TPM. In today's blog post, I will take a closer look how to clear the TPM ownership using WMI in Microsoft Deployment Toolkit (MDT), allowing Windows 10 to automatically take ownership of the TPM on the next boot (TPM AutoProvisioning). Clearing the Trusted Platform Module (TPM) cancels TPM ownership and invalidates cryptographic materials created by the previous owner.

Note: Windows 10 1709 introduces a policy setting that configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system's TPM is in a state other than Ready, including if the TPM is "Ready, with reduced functionality". The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. I am assuming that the implementation will suspend BitLocker if clearing could cause BitLocker recovery to be required and that Bitlocker would automatically resume once TPM has been auto provisioned by the OS. While it may be applicable in some scenarios you should still excercise greater control over TPM provisioning in an Enterprise OSD scenario.

To clear the TPM we can make use of the SetPhysicalPresenceRequest method of the Win32_Tpm class. The value of 5 denotes the Clear method which resets the TPM to its factory-default state.

  1. Add the property NeedRebootTpmClear to your CustomSettings.ini
  2. Download this PowerShell script, copy it to your deployment share and add a Run PowerShell Script item to your task sequence in your State Restore phase before you run Enable Bitlocker / Invoke MBAM Client Deployment.
  3. Additionally, add a Restart computer item and modify the condition to NeedRebootTpmClear equals TRUE

The resulting task sequence will request a TPM operation to reset ownership, will check whether the operation ran successfully and - should the latter apply - initiate a reboot. 

# Determine where to do the logging 
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment 
$logPath = $tsenv.Value("LogPath") 
$logFile = "$logPath\$($myInvocation.MyCommand).log"

# Start the logging 
Start-Transcript $logFile
Write-Output "Logging to $logFile"
 
# Start Main Code Here
Function ClearTPM {
    Write-Output "The TPM must be cleared before it can be used to help secure the computer."
    Write-Output "Clearing the TPM cancels the TPM ownership and resets it to factory defaults."

    Write-Output "Quering Win32_TPM WMI object..."	
    $oTPM = Get-WmiObject -Class "Win32_Tpm" -Namespace "ROOT\CIMV2\Security\MicrosoftTpm"

    Write-Output "Clearing TPM ownership....."
    $tmp = $oTPM.SetPhysicalPresenceRequest(5)
    If ($tmp.ReturnValue -eq 0) {
	    Write-Output "Successfully cleared the TPM chip. A reboot is required."
            $TSenv.Value("NeedRebootTpmClear") = "YES"
	    Exit 0
    } 
    Else {
	    Write-Warning "Failed to clear TPM ownership. Exiting..."
            Stop-Transcript
	    Exit 0
    }
}

Start-Sleep -Seconds 10
ClearTPM

# Stop logging 
Stop-Transcript

Be aware that this TPM operation requires a human response to validate that a user is physically present before the action is completed - depending on your vendor you could remove any requirement for a user to acknowledge the TPM clear request.

I actually was in contact with Dell Inc. product group a while ago, here is what my contact person had to share:

For security reasons, our BIOS team still requires a physical presence to clear the TPM. This is based on requirements from the Trusted Computing Group that owns the TPM specification so that the TPM cannot be maliciously cleared. Other customers have asked for this so the BIOS team is reviewing how to build a secure method to do these actions silently. I don’t have an ETA on when it might be available.

After the TPM is cleared, it may also be turned off (this does not seem to apply to Dell Inc. systems). If the TPM is turned off, you can for example use vendor tools to turn the Trusted Platform Module on again..

ResetTPMOwner.ps1

Read 42379 times Last modified on Tuesday, 19 September 2017 19:03
Published in OS Deployment
Anton Romanyuk

Latest from Anton Romanyuk

More in this category: « Add .NET Framework Offline Using MDT TPM Upgrade Process on Dell & HP Systems Using MDT »

  1. Comments (7)

  2. Add yours
SierraNovember
  2. #4
This comment was minimized by the moderator on the site

Hello! Your site is wonderful.

I'm having an issue where Dell machines that had the TPM enabled before need to have it cleared in order to do a clean wipe and reinstall of Windows 10. If it isn't cleared, I can get the TPM to enable but...

Hello! Your site is wonderful.

I'm having an issue where Dell machines that had the TPM enabled before need to have it cleared in order to do a clean wipe and reinstall of Windows 10. If it isn't cleared, I can get the TPM to enable but activation fails.

I'd like to use a script like yours that clears out the TPM in WinPE before we attempt enabling and activating it. Can this work in that scenario?

Thank you!

Read More
SierraNovember
  1. 0
Anton Romanyuk
  2. #5
This comment was minimized by the moderator on the site

It might. I am using the script to clear the TPM chip during the State Restore phase as Windows 10 takes care of everything else. In fact, there is even a policy in Windows 10 1709 which does exactly that - clear the TPM chip if it is in any...

It might. I am using the script to clear the TPM chip during the State Restore phase as Windows 10 takes care of everything else. In fact, there is even a policy in Windows 10 1709 which does exactly that - clear the TPM chip if it is in any other state than ready. Hope this helps.

Read More
Anton Romanyuk
  1. 0
Dietmar Haimann
  2. #59
This comment was minimized by the moderator on the site

Hi! What if you use SetPhysicalPresenceRequest(14) - Clear, enable, and activate the TPM. This should fix the "turned off" problem after clearing. We use this for years now and it works like a charm.

Dietmar Haimann
  1. 1
Anton Romanyuk    Dietmar Haimann
  2. #61
This comment was minimized by the moderator on the site

Thanks for the heads up! I was not aware of this and will give it a whirl at the earliest possibility.

Anton Romanyuk
  1. 0
KP
  2. #68
This comment was minimized by the moderator on the site

how do you "Add the property NeedRebootTpmClear to your CustomSettings.ini"

KP
  1. 0
KP
  2. #69
This comment was minimized by the moderator on the site

Hi there

how do you "Add the property NeedRebootTpmClear to your CustomSettings.ini" and how to
" modify the condition to NeedRebootTpmClear equals TRUE "

KP
  1. 0
Surendra
  2. #289
This comment was minimized by the moderator on the site

Dear Author,

While using the above script in my Task sequence, it is asking user inputs to press F12 to clear TPM.
Is there any way to avoid that manual input to clear TPM.
Please advise.

Thanks in advance...

Surendra
  1. 0
There are no comments posted here yet

Leave your comments

  1. Posting comment as a guest.
Background
0 Characters
Attachments (0 / 3)
Share Your Location
back to top

Main Menu

Recent Posts

  • Group Policy Changes in Windows 10 20H1 Preview
    As Windows 10 Vibranium Update (20H1) development winds down, Microsoft is now beginning the phase of checking in the final…
    Written on Tuesday, 14 January 2020 04:51
  • An alternative ESU MAK Activation Solution
    This blog post was shared with me by a colleague of mine, Daniel Dorner, a Microsoft Premier Field Engineer. It’s…
    Written on Wednesday, 04 December 2019 21:04
  • The Case of Missing UE-V Templates
    My customers often deal with unexpected Windows behavior and this case is no different. This particular one is especially interesting…
    Written on Tuesday, 03 September 2019 12:20
  • The Case of Changing Default Printer
    While I sometimes long for the day when I no longer have to deal with unexpected Windows 10 behavior, there’s…
    Written on Wednesday, 14 August 2019 20:36
  • The Case of Corrupted Store Apps
    A few days ago I began experiencing issues with built-in Windows apps where various apps would flash open and close…
    Written on Wednesday, 14 August 2019 13:36
  • Windows 10 1903: Useful Resources for IT Professionals
    Windows 10, version 1903 is now available via Windows Update for Business, Windows Server Update Services (WSUS) and the Volume…
    Written on Friday, 07 June 2019 11:21

Guides