In Windows 10 1607 the TPM Password Hash is no longer accessible from within Windows. This is a design change to increase security in Windows 10, which you can read more about here: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password
Quote: “Starting with Windows 10, version 1607, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.”
The ability to turn on TPM backup to AD using Group Policy is also removed from the Windows 10 1607 .ADMX files, as documented here: Onevinn – Scripts (schrewelius.it)
The behavior is controlled by the registry value HKLM\Software\Policies\Microsoft\TPM\OSManagedAuthLevel. By default it is set to 2, which means the TPM Password Hash is discarded; if we set it to 4 the hash is retained.
When we upgrade the ADK to 1607 we get the same behavior in WinPE, so the script we used before to capture the TPM Password Hash during Pre-provision BitLocker and write it to the registry doesn’t work anymore.
When my colleague Johan Schrewelius and I tested this, we found that if the Pre-Provision BitLocker step is used in the Configuration Manager Task Sequence, a Task Sequence variable called “_OSDOAF” contains the TPM password hash.
Johan posted two PowerShell scripts on the TechNet Gallery: one that reads the TS variable, writes it to the registry and sets “OSManagedAuthLevel” to “4” (otherwise Windows removes the hash again). Onevinn – Scripts (schrewelius.it)
And one that simply sets the “OSManagedAuthLevel” value back to the default.
Here are the steps involved. I disabled the SaveWinPETPMOwnerAuth.wsf step that we used before to achieve the same thing.
The step we call “MBAM TPMPassTheHash” runs the first of the two scripts above (the one that reads “_OSDOAF”). A computer restart must take place before the Invoke-MbamClientDeployment step is run.
The “Reset tpm policy” step then resets the value of “OSManagedAuthLevel” back to the default.
After that we have the TPM password hash in our MBAM database once again.
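The sequence above (capture `_OSDOAF`, write it to the registry, set `OSManagedAuthLevel` to 4, then reset the policy after MBAM has escrowed the hash) as one PowerShell script. This is an added example and not Johan’s published script: the task-sequence COM object `Microsoft.SMS.TSEnvironment` and the `OSManagedAuthLevel` policy value are real, but the registry location MBAM’s deployment script reads the owner auth from is not stated on this page, so `$OwnerAuthKey` and `$OwnerAuthValueName` are placeholders that must be replaced with the location Johan’s script uses. Run it in the full OS after the Pre-Provision BitLocker step for the “MBAM TPMPassTheHash” step, and with `-Reset` for the “Reset tpm policy” step.

```powershell
# Added example, not the page's or Johan Schrewelius' script.
# Usage in the task sequence:
#   powershell.exe -ExecutionPolicy Bypass -File Save-TpmOwnerAuth.ps1          (before the restart)
#   powershell.exe -ExecutionPolicy Bypass -File Save-TpmOwnerAuth.ps1 -Reset   (after Invoke-MbamClientDeployment.ps1)
param([switch]$Reset)

$TpmPolicyKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'          # from the page
$OwnerAuthKey       = 'HKLM:\SOFTWARE\PLACEHOLDER-MBAM-OWNERAUTH-KEY'   # ASSUMPTION: replace with the key Johan's script writes to
$OwnerAuthValueName = 'PLACEHOLDER-VALUE-NAME'                          # ASSUMPTION: replace with the value name MBAM reads

function Get-TsVariable {
    param([Parameter(Mandatory)][string]$Name)
    # The TSEnvironment COM object only exists while a ConfigMgr task sequence is running.
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    return $tsenv.Value($Name)
}

function Set-TpmManagedAuthLevel {
    param([Parameter(Mandatory)][ValidateSet(2, 4)][int]$Level)
    # 2 = default (owner password discarded), 4 = retained, as described on the page.
    if (-not (Test-Path $TpmPolicyKey)) { New-Item -Path $TpmPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $TpmPolicyKey -Name 'OSManagedAuthLevel' -Value $Level -Type DWord -Force
}

function Save-TpmOwnerAuthFromTs {
    $ownerAuth = Get-TsVariable -Name '_OSDOAF'
    if ([string]::IsNullOrEmpty($ownerAuth)) {
        # Empty when the Pre-Provision BitLocker step was not run or the TPM was already owned.
        throw '_OSDOAF is empty: was the Pre-Provision BitLocker step run against a cleared, unowned TPM?'
    }
    if (-not (Test-Path $OwnerAuthKey)) { New-Item -Path $OwnerAuthKey -Force | Out-Null }
    # Deliberately never write $ownerAuth to the console or smsts.log: it is the TPM owner secret.
    Set-ItemProperty -Path $OwnerAuthKey -Name $OwnerAuthValueName -Value $ownerAuth -Type String -Force
    Set-TpmManagedAuthLevel -Level 4
    Write-Output 'TPM owner auth saved and OSManagedAuthLevel set to 4; restart before Invoke-MbamClientDeployment.ps1.'
}

function Reset-TpmPolicy {
    # "Reset tpm policy" step: back to the default once MBAM has escrowed the hash.
    Set-TpmManagedAuthLevel -Level 2
    # Remove the copy of the secret from the registry (assumption: nothing else needs it after escrow).
    Remove-ItemProperty -Path $OwnerAuthKey -Name $OwnerAuthValueName -ErrorAction SilentlyContinue
    Write-Output 'OSManagedAuthLevel reset to 2 and saved owner auth removed.'
}

if ($Reset) { Reset-TpmPolicy } else { Save-TpmOwnerAuthFromTs }
```

Keeping both steps in one script means the placeholder registry location is defined once, so the capture and the clean-up cannot drift apart; the clean-up in `-Reset` is added here because leaving the owner auth in the registry after escrow only widens exposure of the secret.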
Note that it is recommended that the TPM Password Hash isn’t saved anymore as stated in one of the links above. “Microsoft strongly recommends that you do not change the default value of this registry key in order to retain the owner password.”
But in some scenarios we still want to be able to do it.
Could you write something about MBAM and your steps to activate XTS AES 256 and others steps in Windows 10 1607?
Hi,
Noted! I will do it as soon as I have finished my ongoing post.
Regards,
Jörgen
Jorgen, what is the difference between this old script (SaveWinPETPMOwnerAuth.wsf) and your scripts?
Hi,
If you run the “old” one in WinPE 1607, it will not be able to read the TPM Password Hash anymore and write to registry so the MBAM agent cannot back it up anymore.
Regards,
Jörgen
Hi, thank you for reply.
Even if I use these patches this doesn’t work?
2.5.1119.0 MBAM 2.5 SP1 with Hotfix Package 1 (KB3122998 for server)
2.5.1125.0 MBAM 2.5 SP1 with September 2016 package (KB3168628 for client and server)
Is it worth mentioning these resources when you post about MBAM?
https://blogs.technet.microsoft.com/appv/2016/12/12/the-mdop-december-servicing-release-is-now-available/
https://blogs.technet.microsoft.com/dubaisec/2016/05/23/mbam-version-chart/
For MBAM 2.5 SP1, this servicing release Makes the following improvements:
The GPO description and the Invoke-MbamClientDeployment.ps1 MBAM deployment script for Bitlocker XTS-AES support are updated. The Microsoft Download Center provides the following download and installation instructions:
The updated GPO: Microsoft Desktop Optimization Pack Group Policy Administrative Templates
The updated deployment script: Microsoft BitLocker Administration and Monitoring – Client Deployment Scripts
Hi,
Great links, I totally missed the December update. Yes, it will still not work, as it is a Windows 10 1607 feature that you cannot access the TPM Password Hash from Windows. You could open your WinPE image and add the registry value to allow Windows to access the Password Hash; that will work as well.
Regards,
Jörgen
Hello, which registry value need to add?
Thank you for your answer.
Jörgen, do you have any experience with similar case:
1) When I’m using the MBAM Drive Recovery Portal I have a problem seeing the key. The key is stored in the database, I can see the key using the self portal, but when I am using the Drive Recovery Portal I get the information “Recovery key not found”.
2) I have been using your scripts for the TPM password hash, but when I check the database I can see that TPMPasswordHash has the value ‘NULL’.
Hi,
1. Have you installed the December Update? Has the computer reported a user to MBAM yet?
2. When you deployed the machine was the TPM cleared and not owned?
Regards,
Jörgen
Hi
I’m using a TS step to force the computer to encrypt using MBAM and it works just fine: it starts encryption in the TS and after the PC loads it asks for a PIN code, and I can see the recovery key is backed up in MBAM, so perfect. Except it does not back up the TPM hash.
The image is Win 10 1511 and when I go to the reg key you mentioned, it doesn’t exist. There is no OSManagedAuthLevel, there are only a couple of keys speaking of AD backup, both set to 1.
Do you know what I need to change, maybe during the TS, for it all to work?
Thanks
My task sequence fails in Invoke-MbamClientDeployment.ps1 step. error code is (0x00000001). Any idea about that? I’ve not included SaveWinPETPMOwnerAuth.wsf in my TS since it’s a Win 10 1607 deployment
Hi, ItzikT
Seems we have the same issue here – TS encryption works with 1511 but no TPM hash is available in MBAM.
Anyone who has an idea?
Thx!
After several attempts, I am now successful – almost. I had a similar error (0x00000001). I solved this by creating the packages and putting the PowerShell task in a batch script.
@echo off
ECHO Running MBAMClientDeployment Powershell Script
powershell.exe -nologo -executionpolicy bypass -noprofile -file Invoke-MbamClientDeployment.ps1 -RecoveryServiceEndpoint https://fqdn/MBAMRecoveryAndHardwareService/CoreService.svc -EncryptAndEscrowDataVolume -EncryptionMethod XTSAES256 -IgnoreEscrowOwnerAuthFailure
exit /B 0
Tested with Windows 10 1607, and now I can see the hash in the database.
The only problem I have now is the type of encryption: I need full encryption but I end up with used-space-only encryption.
Hi,
If we are using an older version of the ADK but deploying Win 10 1607, will your script still work or will I need to do something different?
Thanks
Gary
Thanks for this information Jörgen, it explains a lot.
Please would you write something for those of us trying to save the TPM owner password to active directory as we don’t have MBAM?
M4R10,
If you are using the pre-provisioning BitLocker step, disable it. You will get full disk encryption.
So if we’re not using pre-provisioning, do we still need this fix, or do we just go with the Invoke ps script by itself?
2 Questions on this:
1) We are using MDT 2013 to deploy Windows 10 1607. After failing to capture the hash via the wsf file, I found this site. I used the PowerShell scripts, but still no hash is escrowed to the MBAM server (TPM Owner Password file not found); otherwise the invoke command completes successfully.
2) If Windows 10 1607 has removed the ability for Windows to see the TPM password, and it is not recommended to let it, how is MBAM supposed to be used to unlock TPM chips in a lockout condition in the first place, let alone the “automatically unlock” feature?
Since we just upgraded to MBAM 2.5 sp1, and have never captured the TPM password in the past, I have been looking into if now is the chance to get this functionality working.
thanks
Shaun
I am trying to deploy 1607 with Pre-provision as need Full Encryption but doing this causes it not to record the TPM Owner. Any ideas? Thanks
Even with Pre-provision disabled the TPM owner info does not get written back to AD (have no MBAM) but assume it’s the same. Have ended up removing the PIN portion from the Enable BitLocker step and am now using TPM with Secure Boot. It was the user entering the PIN incorrectly in my environment that caused the TPM lockout. Now with no PIN this is not an issue, and Secure Boot makes up for this and is an extra layer of security and is probably more secure than a generic PIN anyway.
Trying to deploy 1607 with Mbam 2.5.1 in a Task Sequence. Seeing Invoke-MbamClientDeployment.ps1 return code of 1 and failing to escrow key to database. Using the latest updated scripts from Microsoft Dec 2016. Gave your method a go. Seem to be getting same problem as Gary above? Any suggestions?
How do you best update the agent with the latest hotfix? Is it even necessary?
Rich, if you are doing a pre-provision, try adding “-encryptionmethod UNSPECIFIED”
Have you had a chance to write an article explaining all the steps used in the sequence to enable this? Basically what had been requested by M4R10 several months ago. I search the blog and wasn’t able to come up with anything.
Thank you for posting this. After following the steps it does record a TPM Password hash into the MBAM database, but it doesn’t appear to be the correct one. I went to change the owner password as a test and when I entered in the TPM password stored in MBAM it said the TPM password is incorrect. Has anyone else tested to make sure it’s storing the correct password?
I’ve tried using this a couple of times now but don’t get the password in MBAM, where would be the best place to look to find out what’s going wrong? The task sequence is completing without any errors. it would be nice to get this working.
Please could you confirm the version of MBAM, both server, client and Invoke-MbamClientDeployment.ps1 that you used for your testing.
Thanks, G
Does anyone have a way to pre-provision all the partitions created in the task sequence? Thanks
Hi,
Thanks. This simply works. We are on 1807 and were getting a password file not found error on the MBAM helpdesk console. A colleague then pointed us to this posting and it’s spot on and works. Prior to this, if we went to our MBAM database and interrogated it with
SELECT [Id]
      ,[LastUpdateTime]
      ,[Name]
      ,[TpmPasswordHash]
      ,[DomainId]
  FROM [MBAM Recovery and Hardware].[RecoveryAndHardwareCore].[Machines] WHERE name=”
we would get a NULL value in the TpmPasswordHash field. Now it’s populated. Perfect. Thanks. I can’t say enough of this word here, but that’s why I love the SCCM community. The answers are out there. It’s a case of finding them.
Anyone who wants more details about our setup at our school, please post a question here and I will try to respond.
For those having the 00000001 error in SCCM on Windows 10, 1703, I found a fix.
Before the invoke-MBAMClientDeployment.ps1 add the following command line:
powershell.exe -command "New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft -Name FVE; Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name OSEnablePrebootInputProtectorsOnSlates -Value 1 -Type DWord -Force"
powershell.exe -command "New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft -Name FVE; Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name OSEnablePrebootInputProtectorsOnSlates -Value 1 -Type DWord -Force; Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\Tpm\WMI -Name NoAutoProvision -Value 1 -Type DWord -Force"
I also have the NoAutoProvision in the unattend.xml. From a reddit post:
Add this in your unattend.xml as a “RunSynchronous” command in the “specialize” phase
reg add HKLM\System\CurrentControlSet\Services\Tpm\WMI /v NoAutoProvision /t REG_DWORD /d 1 /f
This disables auto-provisioning. This didn’t work for me, but adding the reg hack with PowerShell did work. If you don’t add it to the unattend.xml, you might need another line in the PowerShell for New-Item.
On the Invoke-MBAMClientDeployment add the following to optional switches: -IgnoreEscrowOwnerAuthFail -IgnoreReportStatusFailure
Once you login with the machine, you will see Bitlocker running. Hope this helps anyone having troubles.
Todd
Hello,
For many days we have been trying to solve the problem of retaining the lockout password to the database during OSD.
We could not catch _OSDOAF while deploying the OS. We dumped all variables, but _OSDOAF was not there.
Why could it happen? Could any action or step in the Task Sequence prevent gathering this variable during OSD? Where can it be found? Do you have any recommendations?
Any ideas?
Thanks for your assistance.
“Failed to prepare TPM for encryption. HRESULT: 0x80040202 – MBAM cannot take the ownership of TPM because auto-provisioning is pending. Try again after the auto-provisioning is completed.”
Hmm, I tried PowerShell.exe -NoProfile -Command "Disable-TpmAutoProvisioning -OnlyForNextRestart"
and now Invoke-MbamClientDeployment.ps1
Nice, it works! What do you think of this workaround?
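The two workarounds in the comments above (Todd’s registry lines for the FVE key and NoAutoProvision, and the Disable-TpmAutoProvisioning -OnlyForNextRestart cmdlet for the 0x80040202 “auto-provisioning is pending” error) as one idempotent PowerShell pre-step. This is an added example, not a script from the blog author or any commenter. Get-Tpm, its AutoProvisioning property and Disable-TpmAutoProvisioning come from the built-in TrustedPlatformModule module; the registry paths and value names are the ones quoted in the comments. Whether the registry method is reflected by Get-Tpm before the next restart is an assumption, so the check at the end only warns.

```powershell
# Added example (not from the page's author or commenters): prepare TPM auto-provisioning
# state before the Invoke-MbamClientDeployment.ps1 step. Run elevated, inside the task sequence.
# Usage: powershell.exe -ExecutionPolicy Bypass -File Prepare-TpmForMbam.ps1 [-Persistent]
param([switch]$Persistent)

$TpmWmiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tpm\WMI'   # from Todd's reg add line
$FveKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'             # from Todd's PowerShell line

function Set-PrebootInputProtectorsOnSlates {
    # Idempotent form of the New-Item/Set-ItemProperty pair in the comment: New-Item is only
    # called when the FVE key is missing, so it works whether or not unattend.xml created it.
    if (-not (Test-Path $FveKey)) { New-Item -Path $FveKey -Force | Out-Null }
    Set-ItemProperty -Path $FveKey -Name OSEnablePrebootInputProtectorsOnSlates -Value 1 -Type DWord -Force
}

function Disable-TpmAutoProvisioningForDeployment {
    param([switch]$Persistent)
    if ($Persistent) {
        # Same effect as: reg add HKLM\System\CurrentControlSet\Services\Tpm\WMI /v NoAutoProvision /t REG_DWORD /d 1 /f
        if (-not (Test-Path $TpmWmiKey)) { New-Item -Path $TpmWmiKey -Force | Out-Null }
        Set-ItemProperty -Path $TpmWmiKey -Name NoAutoProvision -Value 1 -Type DWord -Force
    } else {
        # One-boot variant from the last comment; auto-provisioning resumes after the following restart.
        Disable-TpmAutoProvisioning -OnlyForNextRestart
    }
}

function Get-TpmAutoProvisioningState {
    # Returns Enabled, Disabled or DisabledForNextBoot.
    return (Get-Tpm).AutoProvisioning
}

function Test-TpmReadyForMbam {
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { Write-Warning 'No TPM present'; return $false }
    if ($tpm.LockedOut)       { Write-Warning 'TPM is locked out; MBAM cannot take ownership until the lockout clears'; return $false }
    if ($tpm.AutoProvisioning -eq 'Enabled') {
        # ASSUMPTION: the NoAutoProvision registry value may only be reflected here after a restart,
        # so this is a warning rather than a hard failure when -Persistent was used.
        Write-Warning 'Auto-provisioning still reports Enabled; MBAM may return 0x80040202 if provisioning is pending'
        return $false
    }
    return $true
}

Set-PrebootInputProtectorsOnSlates
Disable-TpmAutoProvisioningForDeployment -Persistent:$Persistent
$state = Get-TpmAutoProvisioningState
Write-Output "TPM auto-provisioning state: $state"
if (-not (Test-TpmReadyForMbam)) { Write-Output 'Review the warnings above before running Invoke-MbamClientDeployment.ps1.' }
```

The one-boot variant is the safer default for a deployment: it gives MBAM the window it needs to take ownership without leaving auto-provisioning permanently off on the finished machine, which the persistent registry value does unless a later step removes it.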