CCMEXEC.COM – Enterprise Mobility

MBAM TPM Password Hash and Windows 10 1607

Posted on November 4, 2016 (updated March 17, 2021) by Jörgen Nilsson

In Windows 10 1607 the TPM Password Hash is no longer accessible from within Windows. This is a design change to increase security in Windows 10, which you can read more about here: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password

Quote: “Starting with Windows 10, version 1607, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.”

The ability to turn on TPM backup to AD using Group Policy has also been removed from the Windows 10 1607 .ADMX files, as documented here: Onevinn – Scripts (schrewelius.it)

The behavior is controlled by the registry value “HKLM\Software\Policies\Microsoft\TPM\OSManagedAuthLevel”. Its default is “2”, which means Windows discards the TPM Password Hash; if we set it to “4” the hash is retained.

When we upgrade the ADK to 1607 we get the same behavior in WinPE, so the script we used before to capture the TPM Password Hash during Pre-provision BitLocker and write it to the registry no longer works.

When my colleague Johan Schrewelius and I tested this, we found a Task Sequence variable called “_OSDOAF” that contains the TPM password hash if the Pre-provision BitLocker step is used in the Configuration Manager Task Sequence.

Johan posted two PowerShell scripts on the TechNet Gallery: one that reads the TS variable, writes it to the registry and sets “OSManagedAuthLevel” to “4” (otherwise Windows would remove the hash again). Onevinn – Scripts (schrewelius.it)

And one that simply sets the “OSManagedAuthLevel” value back to its default.

Here are the steps involved. I disabled the SaveWinPETPMOwnerAuth.wsf step that we used before to achieve the same thing.

[Screenshot: TPM Pass the Hash]

The step we call “MBAM TPMPassTheHash” runs the following script. A computer restart is required before the Invoke-MbamClientDeployment step runs.

[Screenshot: TPM Pass the Hash Step1]

And the “Reset tpm policy” step resets the value of “OSManagedAuthLevel” back to its default.

[Screenshot: TPM Pass the Hash Step2]

Then we have the TPM Password Hash in our MBAM database once again.
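The two task sequence steps above, as one added PowerShell script written for this page (it is not Johan's published scripts or Microsoft's MBAM deployment scripts): run without -Reset it performs the “MBAM TPMPassTheHash” step, run with -Reset it performs the “Reset tpm policy” step. The registry location the MBAM client reads the captured hash from ($HashKey and $HashValue) is an assumption; set it to whatever your MBAM client deployment scripts expect.

```powershell
<#
  Added example, not the scripts from the post. Run in the ConfigMgr task sequence after
  "Pre-provision BitLocker" and before the restart that precedes Invoke-MbamClientDeployment;
  run again with -Reset once MBAM has escrowed the hash.
#>
param(
    [switch]$Reset
)

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
$PolicyName = 'OSManagedAuthLevel'   # 2 = discard owner auth (Windows default), 4 = retain it
$HashKey    = 'HKLM:\SOFTWARE\Microsoft\MBAM'   # ASSUMPTION: where your MBAM client scripts expect the hash
$HashValue  = 'WinPETpmOwnerAuth'               # ASSUMPTION: value name, adjust to your environment

if ($Reset) {
    # Step 2 ("Reset tpm policy"): put OSManagedAuthLevel back to the Windows default
    if (Test-Path $PolicyKey) {
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord -Force
    }
    Write-Output "$PolicyName reset to default (2)"
    exit 0
}

# Step 1 ("MBAM TPMPassTheHash"): read the owner auth that Pre-provision BitLocker left in _OSDOAF
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
} catch {
    Write-Output 'Microsoft.SMS.TSEnvironment not available; run this inside a task sequence'
    exit 1
}
$ownerAuth = $tsenv.Value('_OSDOAF')
if ([string]::IsNullOrEmpty($ownerAuth)) {
    Write-Output '_OSDOAF is empty; was the Pre-provision BitLocker step used?'
    exit 1
}

# Tell Windows 10 1607 to retain the owner auth instead of discarding it
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 4 -Type DWord -Force

# Hand the hash to the MBAM client through the registry (the value itself is never logged)
if (-not (Test-Path $HashKey)) { New-Item -Path $HashKey -Force | Out-Null }
Set-ItemProperty -Path $HashKey -Name $HashValue -Value $ownerAuth -Type String -Force
Write-Output 'TPM owner auth captured; restart before running Invoke-MbamClientDeployment'
exit 0
```

A non-zero exit code fails the task sequence step, so a missing _OSDOAF surfaces in smsts.log instead of silently leaving the hash NULL in the MBAM database.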

Note that Microsoft no longer recommends saving the TPM Password Hash, as stated in one of the links above: “Microsoft strongly recommends that you do not change the default value of this registry key in order to retain the owner password.”

But in some scenarios we still want to be able to do it.

33 thoughts on “MBAM TPM Password Hash and Windows 10 1607”

    1. M4R10 says:
      November 5, 2016 at 9:27 am

      Could you write something about MBAM and your steps to activate XTS AES 256 and others steps in Windows 10 1607?

      1. Jörgen Nilsson says:
        November 23, 2016 at 1:32 pm

        Hi,
        Noted! I will do it as soon as I have finished my ongoing post.
        Regards,
        Jörgen

    2. MR410 says:
      December 15, 2016 at 8:34 pm

      Jorgen, what is the difference between this old script (SaveWinPETPMOwnerAuth.wsf) and your scripts?

      1. Jörgen Nilsson says:
        December 15, 2016 at 9:56 pm

        Hi,
        If you run the “old” one in WinPE 1607, it will not be able to read the TPM Password Hash anymore and write to registry so the MBAM agent cannot back it up anymore.
        Regards,
        Jörgen

    3. MR410 says:
      December 15, 2016 at 10:11 pm

      Hi, thank you for reply.

      Even if I use these patches this doesn’t work?

      2.5.1119.0 MBAM 2.5 SP1 with Hotfix Package 1 (KB3122998 for server)
      2.5.1125.0 MBAM 2.5 SP1 with September 2016 package (KB3168628 for client and server)

      Is it worth mentioning these resources when you post about MBAM?

      https://blogs.technet.microsoft.com/appv/2016/12/12/the-mdop-december-servicing-release-is-now-available/

      https://blogs.technet.microsoft.com/dubaisec/2016/05/23/mbam-version-chart/

      For MBAM 2.5 SP1, this servicing release makes the following improvements:

      The GPO description and the Invoke-MbamClientDeployment.ps1 MBAM deployment script for Bitlocker XTS-AES support are updated. The Microsoft Download Center provides the following download and installation instructions:
      The updated GPO: Microsoft Desktop Optimization Pack Group Policy Administrative Templates
      The updated deployment script: Microsoft BitLocker Administration and Monitoring – Client Deployment Scripts

      1. Jörgen Nilsson says:
        December 15, 2016 at 10:42 pm

        Hi,
        Great links, I totally missed the December update. Yes, it will still not work, as it is a Windows 10 1607 feature that you cannot access the TPM Password hash from Windows. You could open your WinPE image and add the registry value to allow Windows to access the Password Hash; that will work as well.
        Regards,
        Jörgen

        1. alexandr says:
          October 18, 2017 at 5:10 pm

          Hello, which registry value needs to be added?
          Thank you for your answer.

    4. M4R10 says:
      December 21, 2016 at 3:26 pm

      Jörgen, do you have any experience with similar case:

      1) When I’m using the MBAM Drive Recovery Portal I have a problem seeing the key. The key is stored in the database, I can see the key using the self portal, but when I am using the Drive Recovery Portal I get the information “Recovery key not found”.

      2) I have been using your scripts for the TPM password hash, but when I check the database I can see that TPMPasswordHash has the value ‘NULL’.

      1. Jörgen Nilsson says:
        December 22, 2016 at 10:09 am

        Hi,
        1. Have you installed the December Update? Has the computer reported a user to MBAM yet?
        2. When you deployed the machine was the TPM cleared and not owned?

        Regards,
        Jörgen

    5. ItzikT says:
      January 9, 2017 at 9:11 am

      Hi
      I’m using a TS step to force the computer to encrypt using MBAM and it works just fine: it starts encryption in the TS and after the PC loads it asks for a PIN code, and I can see the recovery key is backed up in MBAM, so perfect. Except it does not back up the TPM hash.
      The image is Win 10 1511 and when I go to the reg key you mentioned, it doesn’t exist. There is no OSManagedAuthLevel, there are only a couple of keys about AD backup, both set to 1.

      Do you know what I need to change, maybe during the TS, for it all to work?

      Thanks

    6. Laiya says:
      January 11, 2017 at 6:36 pm

      My task sequence fails in Invoke-MbamClientDeployment.ps1 step. error code is (0x00000001). Any idea about that? I’ve not included SaveWinPETPMOwnerAuth.wsf in my TS since it’s a Win 10 1607 deployment

    7. JLO says:
      January 12, 2017 at 4:17 pm

      Hi, ItzikT
      Seems we have the same issue here: TS encryption works with 1511 but no TPM hash is available in MBAM.
      Anyone who has an idea?

      Thx!

    8. M4R10 says:
      January 25, 2017 at 9:19 pm

      After several attempts, I am now successful, almost. I had a similar error (0x00000001). I solved this by creating the packages and putting the PowerShell task in a batch script.

      @echo off

      ECHO Running MBAMClientDeployment Powershell Script

      powershell.exe -nologo -executionpolicy bypass -noprofile -file Invoke-MbamClientDeployment.ps1 -RecoveryServiceEndpoint https://fqdn/MBAMRecoveryAndHardwareService/CoreService.svc -EncryptAndEscrowDataVolume -EncryptionMethod XTSAES256 -IgnoreEscrowOwnerAuthFailure

      exit /B 0

      Tested with Windows 10 1607, and now I can see the hash in the database.

      The only problem I have now is the type of encryption: I need full encryption but I end up with used-space-only encryption.

    9. Gary says:
      January 26, 2017 at 9:36 am

      Hi,

      If we are using an older version of the ADK but deploying Win 10 1607, will your script still work or will I need to do something different?

      Thanks
      Gary

    10. MP says:
      January 27, 2017 at 12:59 pm

      Thanks for this information Jörgen, it explains a lot.

      Please would you write something for those of us trying to save the TPM owner password to active directory as we don’t have MBAM?

    11. Laiya says:
      January 29, 2017 at 4:37 pm

      M4R10,

      If you are using the Pre-provision BitLocker step, disable it. You will get full disk encryption.

    12. Matt Bradley says:
      February 2, 2017 at 10:00 pm

      So if we’re not using pre-provisioning, do we still need this fix, or do we just go with the Invoke ps script by itself?

    13. Shaun says:
      February 10, 2017 at 6:31 pm

      2 Questions on this:
      1) We are using MDT 2013 to deploy Windows 10 1607. After failing to capture the hash via the wsf file, I found this site. I used the PowerShell scripts, but still no hash is escrowed to the MBAM server (TPM Owner Password file not found); otherwise the invoke command completes successfully.
      2) If Windows 10 1607 has removed the ability for Windows to see the TPM password, and it is not recommended to let it, how is MBAM supposed to be used to unlock TPM chips in a lockout condition in the first place, let alone the “automatically unlock” feature?
      Since we just upgraded to MBAM 2.5 SP1, and have never captured the TPM password in the past, I have been looking into whether now is the chance to get this functionality working.
      thanks
      Shaun

    14. Gary says:
      February 20, 2017 at 5:16 pm

      I am trying to deploy 1607 with Pre-provision as need Full Encryption but doing this causes it not to record the TPM Owner. Any ideas? Thanks

    15. Dallan says:
      March 1, 2017 at 4:42 pm

      Even with Pre-provision disabled the TPM owner info does not get written back to AD (we have no MBAM, but I assume it’s the same). I have ended up removing the PIN portion from the Enable BitLocker step and am now using TPM with Secure Boot. It was users entering the PIN incorrectly in my environment that caused the TPM lockout. Now with no PIN this is not an issue, and Secure Boot makes up for it and is an extra layer of security, probably more secure than a generic PIN anyway.

    16. Rich says:
      March 6, 2017 at 12:18 pm

      Trying to deploy 1607 with Mbam 2.5.1 in a Task Sequence. Seeing Invoke-MbamClientDeployment.ps1 return code of 1 and failing to escrow key to database. Using the latest updated scripts from Microsoft Dec 2016. Gave your method a go. Seem to be getting same problem as Gary above? Any suggestions?

    17. Hakan says:
      May 5, 2017 at 8:09 pm

      How do you best update the agent with the latest hotfix? Is it even necessary?

      Rich, if you are doing a pre-provision, try adding “-encryptionmethod UNSPECIFIED”

    18. Zak says:
      June 8, 2017 at 3:52 pm

      Have you had a chance to write an article explaining all the steps used in the sequence to enable this? Basically what M4R10 requested several months ago. I searched the blog and wasn’t able to come up with anything.

    19. Justin Stradley says:
      June 15, 2017 at 2:52 pm

      Thank you for posting this. After following the steps it does record a TPM Password hash into the MBAM database, but it doesn’t appear to be the correct one. I went to change the owner password as a test and when I entered in the TPM password stored in MBAM it said the TPM password is incorrect. Has anyone else tested to make sure it’s storing the correct password?

    20. Ray says:
      June 29, 2017 at 12:24 pm

      I’ve tried using this a couple of times now but don’t get the password in MBAM. Where would be the best place to look to find out what’s going wrong? The task sequence is completing without any errors. It would be nice to get this working.

    21. Graham says:
      July 11, 2017 at 11:37 am

      Please could you confirm the version of MBAM, both server, client and Invoke-MbamClientDeployment.ps1 that you used for your testing.
      Thanks, G

    22. sylstylz says:
      July 18, 2017 at 10:26 am

      Does anyone have a way to pre-provision all the partitions created in the task sequence? Thanks

    23. Nalin says:
      July 19, 2017 at 3:23 pm

      Hi,

      Thanks. This simply works. We are on 1807 and were getting a “password file not found” error on the MBAM helpdesk console. A colleague then pointed us to this posting and it’s spot on and works. Prior to this, if we went to our MBAM database and interrogated it with

      SELECT [Id]
        ,[LastUpdateTime]
        ,[Name]
        ,[TpmPasswordHash]
        ,[DomainId]
      FROM [MBAM Recovery and Hardware].[RecoveryAndHardwareCore].[Machines] where name=”

      we would get a NULL value in the TpmPasswordHash field. Now it’s populated. Perfect. Thanks. I can’t say enough of this word here, but that’s why I love the SCCM community. The answers are out there. It’s a case of finding them.

      If anyone wants more details about our setup at our school, please post a question here and I will try to respond.

    24. Todd Lamothe says:
      August 11, 2017 at 5:22 am

      For those having the 00000001 error in SCCM on Windows 10, 1703, I found a fix.

      Before the invoke-MBAMClientDeployment.ps1 add the following command line:

      powershell.exe -command "New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft -Name FVE; Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name OSEnablePrebootInputProtectorsOnSlates -Value 1 -Type DWord -Force"
      powershell.exe -command "New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft -Name FVE; Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name OSEnablePrebootInputProtectorsOnSlates -Value 1 -Type DWord -Force; Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\Tpm\WMI -Name NoAutoProvision -Value 1 -Type DWord -Force"

      I also have the NoAutoProvision in the unattend.xml. From a reddit post:

      Add this in your unattend.xml as a “RunSynchronous” command in the “specialize” phase
      reg add HKLM\System\CurrentControlSet\Services\Tpm\WMI /v NoAutoProvision /t REG_DWORD /d 1 /f
      This disables auto-provisioning. It didn’t work for me, but adding the reg hack with PowerShell did work. If you don’t add it to the unattend.xml, you might need another line in the PowerShell for New-Item.

      On the Invoke-MBAMClientDeployment add the following to optional switches: -IgnoreEscrowOwnerAuthFail -IgnoreReportStatusFailure

      Once you login with the machine, you will see Bitlocker running. Hope this helps anyone having troubles.

      Todd

    25. alexandr says:
      October 18, 2017 at 4:55 pm

      Hello,
      For many days we have been trying to solve the problem of retaining the lockout password to the database during OSD.
      We could not catch _OSDOAF while deploying the OS. We dumped all variables, but _OSDOAF was not there.
      Why could it happen? Could any action or step in the Task Sequence prevent gathering this variable during OSD? Where can we find it? Do you have any recommendations?
      Any ideas?
      Thanks for your assistance.

    26. lueths says:
      January 18, 2018 at 9:10 am

      “Failed to prepare TPM for encryption. HRESULT: 0x80040202 – MBAM cannot take the ownership of TPM because auto-provisioning is pending. Try again after the auto-provisioning is completed.”

      Hmm, I tried PowerShell.exe -NoProfile -Command "Disable-TpmAutoProvisioning -OnlyForNextRestart"
      and then Invoke-MbamClientDeployment.ps1

      Nice, it works! What do you think of this workaround?
