Thursday, 25 January 2018 10:04

The Case of Missing TPM P@ssword

Written by
Rate this item
(4 votes)

image

As my regular blog readers will be aware (yes, all three of you), there is something increasingly traditional about me writing about my customer engagements and today should be no different. With the new way of building, deploying, and servicing OS introduced with Windows 10 (Windows as a Service a.k.a. Hustle as a Service) I often kick off customer engagements with a workshop for IT professionals addressing biggest benefits of adopting Windows 10 and detailing comprehensive set of intelligent security solutions which allow organizations to protect against security threats and to better protect user and company data against sophisticated attacks thus allowing them to align themselves with the GDPR requirements. By outlining these benefits heads on, I can often persuade my customers to adopt a comprehensive set of advanced security capabilities including, but not limited to Credential Guard, Windows Information Protection, Windows Defender ATP and BitLocker.

The other day, as I was working with a customer on improving and optimizing his Windows 10 image, one of IT technicians tried enabling BitLocker pre-provisioning. That did not work out as expected as the Microsoft Deployment Toolkit's Final Summary window displayed following warning: "TPM P@ssword missing. Please provide P@ssword via TpmOwnerP@ssword or AdminP@ssword". As I've never seen this warning before, I started poking around ZTIBDE.wsf script and quickly located the relevant part in the script:

If bTpmOwned <> True AND bTpmOwnershipAllowed = True Then

If oEnvironment.Item("TpmOwnerPassword") <> "" Then
	oLogging.CreateEntry "TPM Ownership being intiated.", LogTypeInfo
	iRetVal = SetTpmOwner(oEnvironment.Item("TpmOwnerPassword"))
	TestAndFail iRetVal, 6741, "TPM Owner Password set"
ElseIf oEnvironment.Item("AdminPassword") <> "" Then
	oLogging.CreateEntry "TPM Ownership being intiated with AdminP@ssword (not TPMOwnerP@ssword).", LogTypeInfo
	iRetVal = SetTpmOwner(oEnvironment.Item("AdminPassword"))
	TestAndFail iRetVal, 6742, "TPM Owner P@ssword set to AdminP@ssword"
Else			
	oLogging.CreateEntry "TPM P@ssword missing. Please provide P@ssword via TpmOwnerP@ssword or AdminP@ssword", LogTypeInfo				
	oLogging.ReportFailure "TPM P@ssword missing.", 6743							
End If

Current iterations of MDT require either TpmOwnerPassword or AdminPassword property to be configured prior to initiating BitLocker drive encryption. If set, Microsoft Deployment Toolkit will use Trusted Platform Module (TPM) owner password during the TPM initialization process and will attempt to take ownership of the TPM. Since Windows 10 was designed to be the most secure Windows OS yet, starting with Windows 10 1607, Windows will not retain the TPM owner password when provisioning the TPM because in some scenarios TPM owner password could be retrieved by a malicious party and be used in offline attacks against TPM anti-hammering. The password will be set to a random high entropy value and then discarded without ever revealing it to the user.

I am fairly certain that previous iterations of MDT used to set TpmOwnerPassword to the default value, however, this seems to no longer be the case. 

A quick look inside customer's CustomSettings.ini confirmed my suspicions that neither of these properties was configured (I am sure there were good reasons not to set default admin password). A highly unusual configuration, which a) is highly uncommon and b) something I never ran into before (which in turn explained why I was not familiar with the error message). Following my advice, the admin added TpmOwnerPassword=Pa55w0rd property to CustomSettings.ini, ran through the deployment again and verified that BitLocker pre-provisioning now worked as expected. Case solved. 

Read 16488 times Last modified on Friday, 26 January 2018 13:12

Recent Posts

  • Windows 10 21H2 Built-In Apps: What to Keep
    The development of the Windows 10, version 21H2 is finished and the update will soon be available for download from…
    Written on Wednesday, 20 October 2021 11:41
  • Group Policy Changes in Windows 10 21H2
    As Windows 10, version 21H2 update development winds down, Microsoft is now preparing for the final release of the Windows…
    Written on Wednesday, 20 October 2021 07:20
  • Group Policy Changes in Windows 10 20H1 Preview
    As Windows 10 Vibranium Update (20H1) development winds down, Microsoft is now beginning the phase of checking in the final…
    Written on Tuesday, 14 January 2020 04:51
  • An alternative ESU MAK Activation Solution
    This blog post was shared with me by a colleague of mine, Daniel Dorner, a Microsoft Premier Field Engineer. It’s…
    Written on Wednesday, 04 December 2019 21:04
  • The Case of Missing UE-V Templates
    My customers often deal with unexpected Windows behavior and this case is no different. This particular one is especially interesting…
    Written on Tuesday, 03 September 2019 12:20
  • The Case of Changing Default Printer
    While I sometimes long for the day when I no longer have to deal with unexpected Windows 10 behavior, there’s…
    Written on Wednesday, 14 August 2019 20:36