The other day, as I was working with a customer on improving and optimizing his Windows 10 image, one of IT technicians tried enabling BitLocker pre-provisioning. That did not work out as expected as the Microsoft Deployment Toolkit's Final Summary window displayed following warning: "TPM [email protected] missing. Please provide [email protected] via [email protected] or [email protected]". As I've never seen this warning before, I started poking around ZTIBDE.wsf script and quickly located the relevant part in the script:
If bTpmOwned <> True AND bTpmOwnershipAllowed = True Then If oEnvironment.Item("TpmOwnerPassword") <> "" Then oLogging.CreateEntry "TPM Ownership being intiated.", LogTypeInfo iRetVal = SetTpmOwner(oEnvironment.Item("TpmOwnerPassword")) TestAndFail iRetVal, 6741, "TPM Owner Password set" ElseIf oEnvironment.Item("AdminPassword") <> "" Then oLogging.CreateEntry "TPM Ownership being intiated with [email protected] (not [email protected]).", LogTypeInfo iRetVal = SetTpmOwner(oEnvironment.Item("AdminPassword")) TestAndFail iRetVal, 6742, "TPM Owner [email protected] set to [email protected]" Else oLogging.CreateEntry "TPM [email protected] missing. Please provide [email protected] via [email protected] or [email protected]", LogTypeInfo oLogging.ReportFailure "TPM [email protected] missing.", 6743 End If
Current iterations of MDT require either TpmOwnerPassword or AdminPassword property to be configured prior to initiating BitLocker drive encryption. If set, Microsoft Deployment Toolkit will use Trusted Platform Module (TPM) owner password during the TPM initialization process and will attempt to take ownership of the TPM. Since Windows 10 was designed to be the most secure Windows OS yet, starting with Windows 10 1607, Windows will not retain the TPM owner password when provisioning the TPM because in some scenarios TPM owner password could be retrieved by a malicious party and be used in offline attacks against TPM anti-hammering. The password will be set to a random high entropy value and then discarded without ever revealing it to the user.
I am fairly certain that previous iterations of MDT used to set TpmOwnerPassword to the default value, however, this seems to no longer be the case.
A quick look inside customer's CustomSettings.ini confirmed my suspicions that neither of these properties was configured (I am sure there were good reasons not to set default admin password). A highly unusual configuration, which a) is highly uncommon and b) something I never ran into before (which in turn explained why I was not familiar with the error message). Following my advice, the admin added TpmOwnerPassword=Pa55w0rd property to CustomSettings.ini, ran through the deployment again and verified that BitLocker pre-provisioning now worked as expected. Case solved.