TPM Provisioning in Windows 10

The following is taken from a post by someotherguy in our Enterprise Client Management Forum. It has some very important details that will become even more important as customers look to transition Windows 7 hardware to Windows 10 so we thought it would be a good idea to include it on this blog.  If you have questions about this topic, please visit the forum post and make a reply. 

We received the following information from Microsoft about bugs/changes in TPM provisioning:

In the Windows 10 Anniversary Update changes were made to the behavior of the “TPM.msc” management application.
  • A change was made to the behavior of the TPM and the “Owner Password”.  The new behavior is such that if Auto-provisioning is enabled (the default) the “Owner Password” will not be available.  For use cases which require the “Owner Password”, custom provisioning of the TPM must be done to retain the password for later use and the existing password must be provided by the user at the time they select “Change Owner Password…” even in such cases.
  • A known bug exists which prevents the “Prepare the TPM…” button from successfully provisioning the TPM.

In the Windows 10 Anniversary Update, the TPM “Owner Password” will no longer be backed up to Active Directory.

Old Behavior – Pressing the “Change Owner Password…” button in TPM.msc would prompt the user to provide a new password.
New Behavior – Pressing the “Change Owner Password…” button in TPM.msc will prompt the user to provide the old password file or password.  With Auto-provisioning enabled, this will not be available.

What this means is:
1.  Windows 10 14393 will take ownership of the TPM automatically (unless you disable automatic provisioning).  If you clear the TPM in TPM.msc or BIOS Setup, Windows 10 14393 will automatically take ownership of it again.
2.  The owner password that Windows 10 14393 configures is random, and not saved/stored anywhere (unlike previous versions)
3.  If you allow Windows 10 14393 to take ownership of the TPM automatically, you cannot change the owner password later.
4.  You cannot use TPM.msc to take ownership of the TPM, because of a Windows bug.

If you have a use-case that requires setting a specific/known TPM owner password, here is how to do it:
A.  Make sure your image has TPM automatic provisioning disabled, to prevent Windows from taking ownership with a password that you don't know
B.  Make sure the TPM is enabled and cleared (this is how it is shipped from Lenovo factory)
C.  Take ownership of the TPM using the Win32_TPM class.  A sample script is provided as attached.  Run the script like "cscript.exe tpm_take_ownership.vbs".  Note that the TPM owner password "password" is hard-coded in this script.  You may want to modify it.

One more comment on this topic.  If you are impacted by this issue, consider whether you really need to know what the TPM owner password is.  Microsoft tells us that they "highly recommend using Windows auto-provisioning for the best security posture and usability with Windows features" (their quote).  For more information on TPM provisioning, please contact Microsoft.