Clearing TPM does not ask for new password, but "change owner password" asks for the old one


I recently cleared my TPM (Dell e7240, Windows 10). During the process, at no point did Bios or Windows ask for a new TPM password. (And at no point since I bought this laptop did I ever set a TPM password, to the best of my knowledge.) I have tried clearing both via Windows (with TPM.MSC) and via Bios, and with neither method was I asked for a new password.

TPM.MSC reports that the TPM is "ready for use", but if I click "change owner password", it asks for the old password, despite me having just cleared the TPM.

Is it possible to clear the TPM password?

cfp

Posted 2016-07-25T09:56:04.537

Reputation: 263

Have you tried "Change owner password" while leaving the "old password" field blank? – Nathan.Eilisha Shiraini – 2016-07-25T10:13:09.420

Yes. It doesn't accept the (empty) password. – cfp – 2016-07-26T11:20:36.533

I just cleared my TPM as well. When it rebooted, Windows said something to the effect of "Windows can keep your key secure so you don't need to remember it". I want that key for a reason! – vaindil – 2016-08-11T05:53:53.787

Sounds like you cleared it, but you haven't re-initialized it. Maybe this will help: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm – lightwing – 2016-08-16T16:38:42.447

@lightwing There doesn't appear to be a way to clear it without reinitializing it. I cleared it from both the BIOS and Windows, and my BIOS said the TPM was "unowned", but when I log back into Windows it's shown in the TPM Administration menu as "Ready to use". The "Prepare TPM" option is grayed out. – vaindil – 2016-08-18T17:36:34.910

Clearing it doesn't automatically initialize it. It's two separate processes. It sounds like previous attempts to clear the TPM have failed. According to Microsoft's documentation, you should be able to clear it without needing the current password. See the link below and scroll down to the section "Clear the TPM". Before doing that, verify in your BIOS, Security section, that TPM Security is set to Enabled. https://technet.microsoft.com/en-us/library/cc749022(v=ws.10).aspx#BKMK_S2 – lightwing – 2016-08-19T14:11:16.083

The other possibility is a bad TPM driver. I had this issue when I was building an image for deployment. I installed what I thought was a compatible driver (Infineon Trusted Platform Module) according to the PnPID, but it apparently wasn't the right one. I had to remove the device and let Windows detect and install the driver (Trusted Platform Module 1.2). – lightwing – 2016-08-19T14:13:39.180

@lightwing I was able to get it to not reinitialize automatically. I cleared it in Windows, then the computer reboots so the BIOS can confirm. After that it reboots again, so I caught it and went into my BIOS settings and turned the TPM off. Windows didn't automatically initialize it. I chose the option to do so manually, then it rebooted, but when I logged back in a dialog popped up saying "Windows can remember your owner password so you don't have to". At no point was I given the option to set or even view it. – vaindil – 2016-08-19T17:12:36.567

If this vbs script runs on your computer, could you post the results? – harrymc – 2016-08-20T10:59:44.673

@harrymc TPM is Enabled, TPM is Activated, TPM is Owned, Owner clear of TPM Is disabled, TPM has an endorsement key, Owner can be installed on this TPM, A TPM physical presence operation can clear the TPM., This computer does not support a dedicated hardware path to signal physical presence., The Storage Root Key (SRK) is compatible with Windows Vista, Tpm status script finished – vaindil – 2016-08-20T22:23:25.870

As TPM is owned, there is always an owner password that cannot be cleared, so what exactly are you trying to do? Also, the post is confusing as it says "at no point ... did I ever set a TPM password" together with "asks for the old password". So, did the computer arrive with TPM preset, or what? It would also help to know the computer model. – harrymc – 2016-08-21T09:46:32.270

Question: In the registry entry of HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM, what is the value of OSManagedAuthLevel? – harrymc – 2016-08-22T14:03:26.170

@harrymc That script gives exactly the same messages as it did for vaindil. The laptop is a Dell Latitude e7240, as stated in the OP. The TPM manufacturer is ATML. Manufacturer version 41.1, Specification version 1.2. The registry key you mention is: 0x00000002. – cfp – 2016-08-22T18:26:27.240

According to this Microsoft article, OSManagedAuthLevel=2 means Delegated. You might try to set it to 4 (Full) and reboot, then clear the TPM again. Read the relevant parts of the article. – harrymc – 2016-08-22T20:13:16.550

Have you tried it ? – harrymc – 2016-08-24T06:24:38.747

Apparently not. – harrymc – 2016-08-26T08:42:23.283

Apologies for the delay. I changed the key as you suggested, rebooted, cleared TPM in bios, ran TPM.msc, "prepared the TPM for use", rebooted again, pressed "F10" when asked to prove I was at the PC, and then when I came back into Windows, I was given the "Windows can save your password for you" screen. However, the screen now had a button to save the password as a file, which I do not remember seeing before. So although I still couldn't enter a password, at least I have a copy of the password file now, which is an improvement. – cfp – 2016-08-27T09:51:38.027

Answers


I had the same problem. This is what I found after a lot of searching: Later versions of Windows 10 do not allow you to set, save or change the TPM owner password by default. The password is generated by Windows, used by Windows to configure the TPM, then discarded. That way nobody can tamper with the TPM after it has been activated. In effect, the owner password no longer exists. You can disable this security feature by changing a registry value, clearing the TPM and rebooting. After that, you will be able to set and change the TPM owner password. See this article: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password?f=255&MSPPError=-2147217396

After reading the article, I decided to leave things as they are, with the new Windows default (i.e. no way to access or change TPM owner password). You only need the TPM owner password if the PC security is being centrally managed in an enterprise setup with the need for a security admin to access the TPM remotely. In a stand-alone application, remote access to the TPM is not needed or desirable. You can do everything you need without the TPM password if you have physical access to the PC.

James Tattersall

Posted 2016-07-25T09:56:04.537

Reputation: 116

The linked TechNet article has clarified everything. Thanks! Great to have a clear answer at least. – cfp – 2016-09-19T21:29:42.490

@cfp ... If you get a chance, please confirm what you did exactly to fix your problem. I was just curious if this clears things up or if it actually allowed you to complete what you were otherwise unable to get done. And if you were able to complete what you weren't otherwise, just curious what from that post specifically you did to resolve your inquiry. I think that part of the post would be extremely helpful to quote in the answer if you actually applied it and confirmed that doing it resolved your problem. – Pimp Juice IT – 2016-09-21T02:47:33.587

The article made clear that there was no point trying to set the TPM password. I did not attempt to follow its steps to enable manual setting, as I was convinced that there was no benefit to this. I agree entirely with the question answerer: "after reading the article, I decided to leave things as they are, with the new Windows default". – cfp – 2016-11-15T14:36:55.767

Thanks. This answer really clarified things to me. For a secure personal computer, I will stay with the randomly created unknown password. – Brainski – 2016-12-13T12:04:54.240

Also you can disable the automatic initialisation if you would like to do this yourself with the Disable-TpmAutoProvisioning PowerShell command. https://technet.microsoft.com/en-us/library/jj603114.aspx – Tom Jenkinson – 2016-12-15T19:25:00.673
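As an added example (not code from this answer, its commenters, or Microsoft), here is the owner-authorization situation described above expressed with the TrustedPlatformModule cmdlets that other comments and answers on this page mention (Get-Tpm, Clear-Tpm, Disable-TpmAutoProvisioning, ConvertTo-TpmOwnerAuth, Set-TpmOwnerAuth) and the OSManagedAuthLevel registry value discussed in the question's comments. It reports whether Windows is holding a full owner authorization, switches the policy to Full (4) and turns auto-provisioning off so that a clear and reboot lets Windows keep the generated owner password, and changes the owner password once a current value is known. The function names are mine, and it is an assumption that Get-Tpm exposes the stored value in its OwnerAuth property once the level is Full:

```powershell
# Added example, not code from the original answer or from Microsoft.
# Relies on the TrustedPlatformModule cmdlets named in this thread and on the
# OSManagedAuthLevel policy value; the function names are this example's own.
#Requires -RunAsAdministrator

$TpmPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

# OSManagedAuthLevel values as the linked Microsoft article describes them.
$AuthLevelName = @{ 0 = 'None'; 2 = 'Delegated'; 4 = 'Full' }

function Get-TpmOwnerAuthReport {
    $tpm    = Get-Tpm
    $policy = Get-ItemProperty -Path $TpmPolicyKey -Name OSManagedAuthLevel -ErrorAction SilentlyContinue
    $level  = if ($policy) { [int]$policy.OSManagedAuthLevel } else { $null }
    $levelText = if ($null -eq $level) { 'not set' }
                 elseif ($AuthLevelName.ContainsKey($level)) { "$level ($($AuthLevelName[$level]))" }
                 else { "$level (unknown)" }
    # Assumption: with the Full level Windows keeps the owner authorization it
    # generated and Get-Tpm shows it in OwnerAuth; with Delegated it is empty.
    $stored = -not [string]::IsNullOrEmpty($tpm.OwnerAuth)

    # The symptom in the question: the TPM is owned, but Windows kept only a
    # delegated authorization, so tpm.msc has no owner password to offer.
    $diagnosis = if ($tpm.TpmOwned -and -not $stored) {
        'Owned, but Windows holds no full owner authorization; "Change owner password" cannot succeed.'
    } elseif ($stored) {
        'Windows holds the owner authorization; it can be changed or exported.'
    } else {
        'Not owned (cleared); auto-provisioning will take ownership on the next boot unless it is off.'
    }

    [pscustomobject]@{
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        TpmOwned           = $tpm.TpmOwned
        AutoProvisioning   = $tpm.AutoProvisioning
        PolicyAuthLevel    = $levelText
        EffectiveAuthLevel = $tpm.ManagedAuthLevel
        OwnerAuthStored    = $stored
        Diagnosis          = $diagnosis
    }
}

function Enable-TpmFullOwnerAuth {
    # Sets the policy to Full and turns auto-provisioning off, so the next
    # clear + reboot lets Windows keep (and let you save) the owner password.
    param([switch]$ClearNow)
    if (-not (Test-Path $TpmPolicyKey)) { New-Item -Path $TpmPolicyKey -Force | Out-Null }
    New-ItemProperty -Path $TpmPolicyKey -Name OSManagedAuthLevel -PropertyType DWord -Value 4 -Force | Out-Null
    Disable-TpmAutoProvisioning | Out-Null
    if ($ClearNow) {
        # No -OwnerAuthorization: the clear is confirmed by physical presence
        # (the key press after POST), which is what the thread relied on.
        Clear-Tpm | Out-Null
        Write-Warning 'Reboot, accept the physical-presence prompt, then run Initialize-Tpm -AllowClear -AllowPhysicalPresence.'
    }
}

function Set-TpmOwnerPassphrase {
    # ConvertTo-TpmOwnerAuth only derives the authorization string from a pass
    # phrase; Set-TpmOwnerAuth is what changes it, and it needs the current
    # value: either one the user actually set, or the one Windows stored.
    param(
        [Parameter(Mandatory)][string]$NewPassPhrase,
        [string]$CurrentPassPhrase
    )
    $current = if ($CurrentPassPhrase) { ConvertTo-TpmOwnerAuth -PassPhrase $CurrentPassPhrase }
               else { (Get-Tpm).OwnerAuth }
    if ([string]::IsNullOrEmpty($current)) {
        throw 'No current owner authorization is available; run Enable-TpmFullOwnerAuth, clear and reprovision first.'
    }
    $new = ConvertTo-TpmOwnerAuth -PassPhrase $NewPassPhrase
    Set-TpmOwnerAuth -OwnerAuthorization $current -NewOwnerAuthorization $new
}

Get-TpmOwnerAuthReport | Format-List
```

Run it from an elevated PowerShell prompt. On the machines in this thread the report shows TpmOwned true, EffectiveAuthLevel Delegated and OwnerAuthStored false, which is exactly why the old-password prompt can never be satisfied; after `Enable-TpmFullOwnerAuth -ClearNow`, a reboot and `Initialize-Tpm`, the report flips to OwnerAuthStored true and `Set-TpmOwnerPassphrase -NewPassPhrase '...'` works without any pass phrase having been set before.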


PowerShell Resetting TPM

You can give some of the PowerShell TPM commands a shot by running them from an elevated (run as administrator) PowerShell command prompt to reset the TPM settings.

Clearing

See Clear-Tpm and Set-TpmOwnerAuth for further detail but below are a few to give a shot:

  • Clear-Tpm
  • Initialize-Tpm -AllowClear -AllowPhysicalPresence

Default Value

You may also want to consider looking over Initialize-Tpm and note that if you do not specify an owner authorization value, the cmdlet attempts to read the value from the registry so this may be reading and setting by default what you don't know from this value.

New Value

You may want to consider running the ConvertTo-TpmOwnerAuth command to explicitly specify the new owner passphrase. So incorporate this into your process accordingly:

  • ConvertTo-TpmOwnerAuth -PassPhrase "<newpasswordstring>"

Configuring Local Group Policy Settings for BitLocker

As I said I'd do in a comment below a few days ago, below are the steps I take to setup TPM encryption on non-domain joined PCs in one of the environments I support.

NOTE: Please note that some of these options may have to restart afterwards which I did not mention specifically but I don't remember which ones exactly except for where I mentioned that. So if it restarts or needs you to restart after setting an option, then that is normal, I just didn't mention it.

During one of the restarts, the machine may detect a TPM security change and prompt you to accept or reject the changes to enable, activate, or take ownership of the TPM device. So you will want to accept these changes if you get such a prompt after one of the reboots per the changes to make mentioned below.

  1. Go to Start > Run > type in gpedit.msc and press Enter, and then navigate to #6 as in the below screen shot

    [screenshot not reproduced]

  2. You will want to set the settings from the above #6 location with the values from the two below screen shots next

    [screenshot not reproduced]

    [screenshot not reproduced]

  3. Next go to Control Panel > BitLocker Drive Encryption > select Turn on BitLocker and then press Next in the window as in the below screen shot

    [screenshot not reproduced]

  4. On the Preparing your Drive for BitLocker window press Next

  5. When the Drive preparation is complete window pops up, click the Restart Now option

  6. After the restart, sign back onto the machine and when the BitLocker Drive Encryption setup window pops up, select the Next option

  7. When the Turn on the TPM security hardware window pops up on your screen, select the Restart option

  8. After the restart, sign back onto the machine and when the BitLocker Drive Encryption setup window pops up, select the Next option

  9. You will then be prompted to Enter a PIN, so type the PIN in both those fields as in the below screen shot and then press the Set PIN option

    [screenshot not reproduced]

  10. When the How do you want to back up your recovery key window pops up, you will want to press the Save to a file option and then press the Next option. You will need to ensure you put this on a USB thumb drive and save this recovery key to it and then copy it somewhere else later such as a network drive, etc.

    [screenshot not reproduced]

  11. In the Choose how much of your drive to encrypt window, in my case I've selected the Encrypt used disk space only since I do this for new PC setups, but you can select the most appropriate option here for your requirements and then press the Next option

    [screenshot not reproduced]

  12. In the Choose which encryption mode to use window you will want to check the appropriate option for your environment, but the one I select in this environment on my side is shown in the below screen shot

    [screenshot not reproduced]


Also see How to Clear the TPM Chip of any previous Ownership Credentials and be sure to follow those instructions step-by-step if you've not already done so.

How to Clear the TPM Chip of any previous Ownership Credentials

This article provides information on how to reset the TPM chip and clear all previous owner details.

You are unable to reset DDPA or DCP credentials on your system

You may encounter an issue whilst attempting to reset the DDP|A or DCP credentials, where you are prompted for a Trusted Platform Module (TPM) ownership password.

If you have lost the TPM password, the TPM chip can be cleared using Windows.

Notice: This will completely erase the TPM credential store, including hard drive encryption, fingerprints, smart cards, etc. Please check which security devices you are using that may be affected. Make sure you have a Windows password set up and set for login.

How to reset and clear the TPM Chip

The first thing to do is to remove any pre-boot passwords in the DDP|A console.

This will not affect the Windows password.

You must be able to validate just as in any credential scenario, and you must be an administrator on this system in order to perform this function.

  1. Click Start. In the Search\Run box, type tpm.msc and press ENTER.

  2. Under the Actions section on the right, click Clear TPM.

  3. In the Clear the TPM Security Hardware box, check I don't have the TPM owner password and click OK.

  4. You will be asked to Reboot. Just after the Dell POST screen, you will be prompted to press a key (usually F10) to clear TPM. Press that key.

  5. Once the system reboots, you will be prompted to restart and follow the instructions to enable TPM. Restart.

  6. Just after the Dell POST screen, you will be prompted to press a key to enable TPM. Press that key (usually F10).

    Note: If you do not use TPM, press the ESC key.

  7. Once back at the desktop, either the TPM Setup Wizard appears for you to enter a TPM owner password or you can choose Change Owner Password.

You can now clear DDP|A credentials through the DDP|A console.

For more information, please check out the article below:

source

Pimp Juice IT

Posted 2016-07-25T09:56:04.537

Reputation: 29 425

This was discussed in the comments (I'm not OP but I put the bounty on this; I can't edit the question). I'm able to follow these steps but I'm never given the opportunity by Windows to set the owner password. After the TPM is cleared and Windows reboots, a window pops up saying that the TPM is cleared and that "Windows can remember the owner password for [me] so that [I] don't have to". – vaindil – 2016-08-20T22:18:28.897

I cleared the TPM with Clear-Tpm and that went fine. Before restarting, I also ran Disable-TpmAutoProvisioning. After rebooting everything said the TPM was not ready. I then ran Initialize-Tpm -AllowClear -AllowPhysicalPresence. The command took a moment, then it returned that the TPM is ready. tpm.msc also says that it is ready. I was never prompted for an owner password. – vaindil – 2016-08-21T01:04:12.033

The example's flags of -ForceClearAllowed and -PhysicalPresenceAllowed are both invalid, and a comment on the article says that as well. – vaindil – 2016-08-21T01:06:21.277

@vaindil I added other PowerShell cmdlets to try for a solution but it'd help to know what your ultimate goal is: like to set a new owner password, keep it fully disabled, or what? I added additional PowerShell cmdlets to change owner password to a new value. – Pimp Juice IT – 2016-08-21T02:04:18.037

Initialize-Tpm doesn't appear to have a way of specifying the new owner password as you mentioned to do. ConvertTo-TpmOwnerAuth does not actually set anything--it only converts a string to an owner authorization value (whatever that means). – vaindil – 2016-08-21T04:02:09.220

@vaindil In your comments on your question you say I cleared it from both the BIOS and Windows, and my BIOS said the TPM was "unowned", but when I log back into Windows it's shown in the TPM Administration menu as "Ready to use", and then on a comment on this answer you say After rebooting everything said the TPM was not ready so do this again to make that happen, and then try initializing from BIOS, or do again and initialize via TPM.msc, and so on. If you don't specify a value then it takes some default... What is your ultimate goal, to set a new owner password and know what it is? – Pimp Juice IT – 2016-08-21T04:54:02.923

@vaindil Make it not ready & unowned & then try to initialize through BIOS rather than Windows if you have such an option. I do this with all Group Policy in the office and for a few non-domain joined PCs and save recovery key to a file on the network for non-AD domain joined PC. I do this with Windows 10 but I'm not back in that office for a week or so or I'd send you detail step-by-step detail with all GP configs, screen shots, etc. of how I do this without ever having a problem. You just need to reset the settings & do it like you would if you were initializing it the first time. – Pimp Juice IT – 2016-08-21T04:57:52.243

The PowerShell commands do not appear to provide a way round the problem. Clear-Tpm requires an OwnerAuthorization string. The ConvertTo-TpmOwnerAuth command converts a pass phrase (which I do not have, since I never set one, see the OP) to an OwnerAuthorization string. The command to set a new password appears to be Set-TpmOwnerAuth, but again, it requires the old OwnerAuthorization.

The content in the shaded box above details steps that I'd already taken. – cfp – 2016-08-22T18:42:12.417
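The BitLocker part of the answer above (steps 3 to 12) done with the BitLocker cmdlets rather than the Control Panel wizard, as an added example that is not the answerer's own code or Microsoft's: it stores a recovery-password protector to a file on a removable drive before encryption starts, then turns BitLocker on with a TPM-plus-PIN protector, used-space-only encryption and XTS-AES-256. Assumptions: the OS volume is C:, the USB drive is E:, the Group Policy change in steps 1 and 2 is the "Require additional authentication at startup" setting (its screenshots are not reproduced, so this is my reading of it), and the encryption mode is my choice since the answer's own choice is only in a screenshot; the function names are mine.

```powershell
# Added example, not code from the original answer or from Microsoft.
# Assumes OS volume C:, USB drive E:, and that steps 1-2 correspond to the
# "Require additional authentication at startup" policy; function names are mine.
#Requires -RunAsAdministrator

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Enable-TpmPinStartupPolicy {
    # Mirrors the gpedit step: turn the policy on and allow (2) a startup PIN
    # with the TPM. For the Use* values 2 = Allow, 1 = Require, 0 = Do not allow.
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    $values = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 0; UseTPM = 2;
                 UseTPMPIN = 2; UseTPMKey = 2; UseTPMKeyPIN = 2 }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $FvePolicy -Name $name -PropertyType DWord `
            -Value $values[$name] -Force | Out-Null
    }
}

function Test-TpmReadyForBitLocker {
    # Step 7 of the wizard only succeeds once the TPM is present and provisioned.
    $tpm = Get-Tpm
    return [bool]($tpm.TpmPresent -and $tpm.TpmReady)
}

function Enable-OsDriveBitLockerWithPin {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][securestring]$Pin,
        [string]$RecoveryKeyFolder = 'E:\'    # assumed USB thumb drive (step 10)
    )
    if (-not (Test-TpmReadyForBitLocker)) {
        throw 'TPM is not present or not ready; clear and initialize it first (see the steps above).'
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is not fully decrypted (status: $($vol.VolumeStatus))."
    }

    # Step 10: add a recovery password and write it to the removable drive
    # before encryption starts, so the key is saved even if the PIN is lost.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    $file = Join-Path $RecoveryKeyFolder ('BitLocker Recovery Key {0}.txt' -f $rp.KeyProtectorId.Trim('{}'))
    @(
        'BitLocker Drive Encryption recovery key'
        "Identifier:   $($rp.KeyProtectorId)"
        "Recovery Key: $($rp.RecoveryPassword)"
    ) | Set-Content -Path $file

    # Steps 9, 11 and 12: TPM + PIN protector, used-space-only, XTS-AES-256.
    # Without -SkipHardwareTest the system restarts once to test the TPM/PIN
    # unlock, which is the restart the wizard asks for.
    Enable-BitLocker -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin `
        -UsedSpaceOnly -EncryptionMethod XtsAes256 | Out-Null
    return $file
}

# Usage (PIN is read as a SecureString so it never sits in the command history):
# Enable-TpmPinStartupPolicy
# Enable-OsDriveBitLockerWithPin -Pin (Read-Host -AsSecureString 'Startup PIN')
```

The returned path is the recovery-key file; copy it off the USB drive to wherever the environment keeps recovery keys (the answer mentions a network drive) before wiping or reusing the stick. Check `(Get-BitLockerVolume -MountPoint C:).KeyProtector` afterwards: it should list exactly one TpmPin protector and one RecoveryPassword protector.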


I suspect it is a bug with Windows 10. I had the exact same problem as OP. Here are my findings. I have two PCs, A and B, both have TPM spec 1.2; both have BitLocker enabled. A is Windows 10 1607, B is on Windows 10 1511.

Use TPM.MSC on A. I can clear TPM without supplying owner password, but anything else requires owner password. However on B, none of these actions requires owner password.

Further, on PC A, I cleared TPM via BIOS, reboot, double checked the TPM status was disabled and unowned in BIOS. Boot into Windows via recovery password (make sure you have your recovery password if you are going to try this on your PC), prepared TPM via TPM.MSC, followed the wizard, after reboot, Windows TPM wizard says TPM is ready and "Windows automatic remember owner password, blah blah ..." (same as vaindil observed), I never had a chance to save the TPM owner password. I then reboot into BIOS and TPM now has status enabled and owned. This confirmed Windows indeed took the TPM ownership. It just never offered user a chance to save the owner password. I also wonder where the password was saved, registry?

Interestingly, on PC B, similar procedure, I had chance to save the owner password to AD, file or print it.

It appears to me the issue is related to 1607 build. If somehow I can get 1511 install media, I definitely will try it on PC A to confirm it.

user37066

Posted 2016-07-25T09:56:04.537

Reputation: 31


Hi there, I have beaten my head against the wall and finally found a solution the next morning. Just follow the steps mentioned below.

Set your TPM owner if not set already. Not very difficult. Go to BIOS settings, enable it and give permission to manage from Windows as well. If your BitLocker is enabled, disable BitLocker Drive Encryption and follow the steps.

Run CMD as administrator...

  1. reg add HKLM\SOFTWARE\Policies\Microsoft\TPM /f /v OSManagedAuthLevel /t REG_DWORD /d 4

  2. WMIC /namespace:\\root\cimv2\Security\MicrosoftTpm Path Win32_Tpm Where __RELPATH="Win32_Tpm=@" Call SetPhysicalPresenceRequest 14

  3. shutdown -r -t 15

Courtesy of the original author. After the restart just run the step and it will run smoothly. Woooaahhh!!! All done.

ahmar

Posted 2016-07-25T09:56:04.537

Reputation: 1