Thursday, 25 January 2018 10:04

The Case of Missing TPM OwnerPassword


As my regular blog readers will be aware (yes, all three of you), it has become something of a tradition for me to write about my customer engagements, and today is no different. With the new way of building, deploying and servicing the OS introduced with Windows 10 (Windows as a Service, a.k.a. Hustle as a Service), I often kick off customer engagements with a workshop for IT professionals addressing the biggest benefits of adopting Windows 10 and detailing the comprehensive set of intelligent security solutions that allow organizations to protect against security threats and to better protect user and company data against sophisticated attacks, thus helping them align with the GDPR requirements. By outlining these benefits head on, I can often persuade my customers to adopt a comprehensive set of advanced security capabilities including, but not limited to, Credential Guard, Windows Information Protection, Windows Defender ATP and BitLocker.

The other day, as I was working with a customer on improving and optimizing his Windows 10 image, one of the IT technicians tried enabling BitLocker pre-provisioning. That did not work out as expected: the Microsoft Deployment Toolkit's Final Summary window displayed the following warning: "TPM OwnerPassword missing. Please provide OwnerPassword via TpmOwnerPassword or AdminPassword". As I had never seen this warning before, I started poking around the ZTIBDE.wsf script and quickly located the relevant part:

' Excerpt from ZTIBDE.wsf: ownership is only attempted when the TPM is not yet
' owned and taking ownership is allowed for this deployment.
If bTpmOwned <> True AND bTpmOwnershipAllowed = True Then
    ' Preferred source: the dedicated TpmOwnerPassword property.
    If oEnvironment.Item("TpmOwnerPassword") <> "" Then
        oLogging.CreateEntry "TPM Ownership being initiated.", LogTypeInfo
        iRetVal = SetTpmOwner(oEnvironment.Item("TpmOwnerPassword"))
        TestAndFail iRetVal, 6741, "TPM Owner Password set"
    ' Fallback: reuse the local AdminPassword property.
    ElseIf oEnvironment.Item("AdminPassword") <> "" Then
        oLogging.CreateEntry "TPM Ownership being initiated with AdminPassword (not TpmOwnerPassword).", LogTypeInfo
        iRetVal = SetTpmOwner(oEnvironment.Item("AdminPassword"))
        TestAndFail iRetVal, 6742, "TPM Owner Password set to AdminPassword"
    ' Neither property is set: this is the warning shown in the Final Summary.
    Else
        oLogging.CreateEntry "TPM OwnerPassword missing. Please provide OwnerPassword via TpmOwnerPassword or AdminPassword", LogTypeInfo
        oLogging.ReportFailure "TPM OwnerPassword missing.", 6743
    End If
End If

Current iterations of MDT require either the TpmOwnerPassword or the AdminPassword property to be configured before BitLocker drive encryption is initiated. If one is set, Microsoft Deployment Toolkit uses it as the Trusted Platform Module (TPM) owner password during TPM initialization and attempts to take ownership of the TPM. Since Windows 10 was designed to be the most secure Windows OS yet, starting with Windows 10 1607 Windows no longer retains the TPM owner password when provisioning the TPM, because in some scenarios the owner password could be retrieved by a malicious party and used in offline attacks against the TPM's anti-hammering protection. Instead, the password is set to a random, high-entropy value and then discarded without ever being revealed to the user.

I am fairly certain that previous iterations of MDT used to set TpmOwnerPassword to the default value, however, this seems to no longer be the case. 

A quick look inside the customer's CustomSettings.ini confirmed my suspicion that neither property was configured (I am sure there were good reasons not to set a default admin password). This is a highly unusual configuration and one I had never run into before, which in turn explained why I was not familiar with the error message. Following my advice, the admin added the TpmOwnerPassword=Pa55w0rd property to CustomSettings.ini, ran through the deployment again and verified that BitLocker pre-provisioning now worked as expected. Case solved.
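The two checks below are an added example written for this post; they are not code from the blog or from MDT, and the function names and the share path are assumptions. The first reproduces the ZTIBDE.wsf branch order (TpmOwnerPassword first, AdminPassword as fallback, error 6743 when neither is set) against a CustomSettings.ini read from the deployment share, so the missing-property condition is caught before a deployment is started rather than in the Final Summary. The second uses the built-in Get-Tpm cmdlet on an already deployed Windows 10 client to show the 1607 behaviour described earlier: the TPM reports as owned while no owner password is retained.

```powershell
# Added example (not from the post or from MDT). Assumed: CustomSettings.ini
# is reachable at the path passed in; the function names are hypothetical.

function Get-MdtProperty {
    param(
        [Parameter(Mandatory)] [string] $IniPath,
        [Parameter(Mandatory)] [string] $Name
    )
    # Minimal INI reader: [Section] headers, Key=Value lines, ';' comments.
    $sections = @{}
    $current  = $null
    foreach ($line in Get-Content -LiteralPath $IniPath) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @{} }
            continue
        }
        if ($null -ne $current -and $t -match '^([^=]+)=(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    # MDT walks the sections named on the [Settings] Priority line, in order;
    # the first section that defines the property wins.
    if (-not $sections.ContainsKey('Settings')) { return $null }
    $priority = ($sections['Settings']['Priority'] -split ',') | ForEach-Object { $_.Trim() }
    foreach ($s in $priority) {
        if ($sections.ContainsKey($s) -and $sections[$s].ContainsKey($Name)) {
            return $sections[$s][$Name]
        }
    }
    return $null
}

function Test-MdtTpmOwnerPasswordConfig {
    param([Parameter(Mandatory)] [string] $IniPath)
    # Same order as ZTIBDE.wsf: TpmOwnerPassword is preferred, AdminPassword is
    # the fallback, and with neither set the script reports failure 6743.
    if (Get-MdtProperty -IniPath $IniPath -Name 'TpmOwnerPassword') {
        return [pscustomobject]@{ Source = 'TpmOwnerPassword'; ZtiBdeOutcome = 'ownership attempted (6741 on failure)' }
    }
    if (Get-MdtProperty -IniPath $IniPath -Name 'AdminPassword') {
        return [pscustomobject]@{ Source = 'AdminPassword'; ZtiBdeOutcome = 'ownership attempted (6742 on failure)' }
    }
    [pscustomobject]@{ Source = $null; ZtiBdeOutcome = 'fails: TPM OwnerPassword missing (6743)' }
}

function Get-TpmOwnershipState {
    # Run elevated on the deployed client. Get-Tpm ships with Windows 10; on
    # 1607 and later OwnerAuth comes back empty even though TpmOwned is True,
    # because Windows discards the owner password after provisioning.
    $tpm = Get-Tpm
    [pscustomobject]@{
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        TpmOwned          = $tpm.TpmOwned
        OwnerAuthRetained = -not [string]::IsNullOrEmpty($tpm.OwnerAuth)
        ManagedAuthLevel  = $tpm.ManagedAuthLevel
    }
}

# Constructed sample path; point this at the share's real Control folder.
Test-MdtTpmOwnerPasswordConfig -IniPath 'D:\DeploymentShare\Control\CustomSettings.ini'
```

The pre-flight check only covers properties set in CustomSettings.ini; MDT can also supply TpmOwnerPassword or AdminPassword from the deployment database or a task sequence variable, which this parser does not see. Bear in mind that CustomSettings.ini is plain text on the deployment share, so whatever value is placed there is readable by anyone who can read the share.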

Last modified on Friday, 26 January 2018 13:12
