MBAM TPM Password Hash and Windows 10 1607

In Windows 10 1607 the TPM Password Hash is no longer accessible from within windows. This is design change to increase the Security in windows 10 which you can read more about here:

Quote: “Starting with Windows 10, version 1607, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.”

The ability to turn on TPM Backup to AD using Group Policy is also removed in the Windows 10 1607 .ADMX files as documented here: Onevinn – Scripts (

The behavior is controlled by the registry key called “’HKLM\Software\Policies\Microsoft\TPM\OSManagedAuthLevel” it is default set to “2” which means it will discard the TPM Password Hash, if we set it to “4” it is retained.

When we upgrade ADK to 1607 we get the same behavior in WinPE so the script used before to capture the TPM Password Hash when we use Pre-provision BitLocker and write it to registry doesn’t work anymore.

When me and my College Johan Schrewelius tested this, we found a Task Sequence variable that contains the TPM password hash if the Pre-Provision BitLocker step is used in the Configuration Manager Task Sequence called “_OSDOAF”

Johan posted two Powershell Scripts here on Technet Galleries, one that read the TS variable and write it to the registry and set the “OSDManagedAuthLevel” to “4” otherwise it will be removed by Windows again. Onevinn – Scripts (

And one that simply sets the “OSDManagedAuthLevel” value back to default.

Here are the steps that are involved, I disabled the SaveWinPETPMOwnerAuth.wsf that we used before to achieve the same thing.

TPM Pass the Hash

The “MBAM TPMPassTheHash” step which we call it, runs the following script. A Computer restart must be run before the Invoke-MbamClientDeployment step is run.

TPM Pass the Hash Step1

And the “Reset tpm policy” step will reset the value of the “OSDManagedAuthLevel” back to default.

TPM Pass the Hash Step2

Then we have the TPM password Hash in our MBAM database once again.

Note that it is recommended that the TPM Password Hash isn’t saved anymore as stated in one of the links above. “Microsoft strongly recommends that you do not change the default value of this registry key in order to retain the owner password.”

But in some scenarios we still want to be able to do it.


Add a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.