Thursday, 25 January 2018 10:04

The Case of Missing TPM OwnerPassword



As my regular blog readers will be aware (yes, all three of you), there is something increasingly traditional about me writing about my customer engagements, and today should be no different. With the new way of building, deploying, and servicing the OS introduced with Windows 10 (Windows as a Service, a.k.a. Hustle as a Service), I often kick off customer engagements with a workshop for IT professionals addressing the biggest benefits of adopting Windows 10 and detailing the comprehensive set of intelligent security solutions that allow organizations to protect against security threats and to better protect user and company data against sophisticated attacks, which in turn helps them align with the GDPR requirements. By outlining these benefits head on, I can often persuade my customers to adopt a comprehensive set of advanced security capabilities including, but not limited to, Credential Guard, Windows Information Protection, Windows Defender ATP and BitLocker.

The other day, as I was working with a customer on improving and optimizing his Windows 10 image, one of the IT technicians tried enabling BitLocker pre-provisioning. That did not work out as expected: the Microsoft Deployment Toolkit's Final Summary window displayed the following warning: "TPM OwnerPassword missing. Please provide OwnerPassword via TpmOwnerPassword or AdminPassword". As I had never seen this warning before, I started poking around the ZTIBDE.wsf script and quickly located the relevant part:

' Excerpt from ZTIBDE.wsf: the TPM is present but not yet owned, and ownership may be taken.
' The script needs a password to hand to SetTpmOwner; it looks in two task sequence
' properties, in this order, and fails with return code 6743 if neither is set.
If bTpmOwned <> True AND bTpmOwnershipAllowed = True Then

	If oEnvironment.Item("TpmOwnerPassword") <> "" Then
		oLogging.CreateEntry "TPM Ownership being intiated.", LogTypeInfo
		iRetVal = SetTpmOwner(oEnvironment.Item("TpmOwnerPassword"))
		TestAndFail iRetVal, 6741, "TPM Owner Password set"
	ElseIf oEnvironment.Item("AdminPassword") <> "" Then
		oLogging.CreateEntry "TPM Ownership being intiated with AdminPassword (not TpmOwnerPassword).", LogTypeInfo
		iRetVal = SetTpmOwner(oEnvironment.Item("AdminPassword"))
		TestAndFail iRetVal, 6742, "TPM Owner Password set to AdminPassword"
	Else
		oLogging.CreateEntry "TPM OwnerPassword missing. Please provide OwnerPassword via TpmOwnerPassword or AdminPassword", LogTypeInfo
		oLogging.ReportFailure "TPM OwnerPassword missing.", 6743
	End If

End If

Current iterations of MDT require either the TpmOwnerPassword or the AdminPassword property to be configured before BitLocker drive encryption is initiated. If one is set, Microsoft Deployment Toolkit uses it as the Trusted Platform Module (TPM) owner password during TPM initialization and attempts to take ownership of the TPM. Since Windows 10 was designed to be the most secure Windows OS yet, starting with Windows 10 1607 Windows no longer retains the TPM owner password when provisioning the TPM, because in some scenarios the TPM owner password could be retrieved by a malicious party and used in offline attacks against the TPM's anti-hammering protection. Instead, the password is set to a random, high-entropy value and then discarded without ever being revealed to the user.

I am fairly certain that previous iterations of MDT used to set TpmOwnerPassword to the default value; however, this no longer seems to be the case.

A quick look inside the customer's CustomSettings.ini confirmed my suspicion that neither of these properties was configured (I am sure there were good reasons not to set a default admin password). A highly unusual configuration, and one I had never run into before (which in turn explained why I was not familiar with the error message). Following my advice, the admin added the TpmOwnerPassword=Pa55w0rd property to CustomSettings.ini, ran through the deployment again and verified that BitLocker pre-provisioning now worked as expected. Case solved.
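To catch this before a deployment runs rather than in the Final Summary window, the decision ZTIBDE.wsf makes above can be replayed against the deployment share's CustomSettings.ini. The PowerShell below is an added example written for this post; it is not code from the original post or from MDT. It assumes the usual [Settings] Priority list with static section names (dynamic sections such as model or MAC address lookups are not resolved here), and the sample INI it runs against is constructed to mirror the customer's situation. The Get-TpmOwnershipState function uses the built-in Get-Tpm cmdlet and only makes sense on the target hardware.

```powershell
# Added example, not part of the original post or of MDT.
# Replays the TpmOwnerPassword / AdminPassword lookup from ZTIBDE.wsf against a
# CustomSettings.ini so the 6743 "TPM OwnerPassword missing" failure is found early.

function ConvertFrom-CustomSettingsIni {
    # Minimal INI parser: returns an ordered hashtable of sections -> key/value pairs.
    param([Parameter(Mandatory)][string]$Text)
    $ini = [ordered]@{}
    $section = $null
    foreach ($rawLine in $Text -split "`r?`n") {
        $line = $rawLine.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            $ini[$section] = [ordered]@{}
            continue
        }
        if ($section -and $line -match '^([^=]+)=(.*)$') {
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $ini
}

function Resolve-MdtProperty {
    # MDT walks the sections listed in [Settings] Priority in order; the first
    # section that sets the property wins. Assumption: only static section names.
    param($Ini, [string]$Name)
    $priority = ($Ini['Settings']['Priority'] -split ',') | ForEach-Object { $_.Trim() }
    foreach ($sec in $priority) {
        if ($Ini.Contains($sec) -and $Ini[$sec].Contains($Name) -and $Ini[$sec][$Name] -ne '') {
            return [pscustomobject]@{ Section = $sec; Value = $Ini[$sec][$Name] }
        }
    }
    return $null
}

function Test-BitLockerPreProvisioningSettings {
    # Same three-way branch as the ZTIBDE.wsf excerpt: TpmOwnerPassword, then
    # AdminPassword, else the 6743 failure.
    param([Parameter(Mandatory)][string]$IniText)
    $ini     = ConvertFrom-CustomSettingsIni -Text $IniText
    $tpmPw   = Resolve-MdtProperty -Ini $ini -Name 'TpmOwnerPassword'
    $adminPw = Resolve-MdtProperty -Ini $ini -Name 'AdminPassword'
    if ($tpmPw) {
        "OK: ZTIBDE.wsf will take TPM ownership with TpmOwnerPassword from [$($tpmPw.Section)]"
    } elseif ($adminPw) {
        "OK: ZTIBDE.wsf will fall back to AdminPassword from [$($adminPw.Section)] (return code 6742 path)"
    } else {
        "FAIL: neither TpmOwnerPassword nor AdminPassword is set; ZTIBDE.wsf will report failure 6743 (TPM OwnerPassword missing)"
    }
}

function Get-TpmOwnershipState {
    # Mirrors the bTpmOwned test in the script on the target machine (TrustedPlatformModule module).
    $tpm = Get-Tpm
    [pscustomobject]@{
        Present            = $tpm.TpmPresent
        Owned              = $tpm.TpmOwned
        NeedsOwnerPassword = ($tpm.TpmPresent -and -not $tpm.TpmOwned)
    }
}

# Constructed sample: BitLocker pre-provisioning enabled, no password property anywhere.
$sample = @"
[Settings]
Priority=Default
Properties=MyCustomProperty

[Default]
OSInstall=Y
SkipBitLocker=YES
BDEInstallSuppress=NO
"@

Test-BitLockerPreProvisioningSettings -IniText $sample
# Adding TpmOwnerPassword=<value> under [Default] switches the result to the OK path.
```

Two things worth keeping in mind when you do add the property: CustomSettings.ini is a plain text file on the deployment share, so whatever value you put in TpmOwnerPassword is readable by anyone who can read the share, and, as described above, on Windows 10 1607 and later the OS does not retain the owner password after provisioning anyway, so the value only needs to satisfy the script, not serve as a long-term secret.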

Last modified on Friday, 26 January 2018 13:12