In Windows the TPM Password Hash is no longer accessible from within Windows. This is a design change to increase the security in Windows 10, which you can read more about here:

Quote: “Starting with Windows 10, version 1607, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.”

The ability to turn on TPM Backup to AD using Group Policy is also removed in the Windows .ADMX files as documented here:

The behavior is controlled by the registry value “HKLM\Software\Policies\Microsoft\TPM\OSManagedAuthLevel”. It is set to “2” by default, which means the TPM Password Hash is discarded; if we set it to “4” it is retained.

When we upgrade ADK to 1607 we get the same behavior in WinPE, so the script used before to capture the TPM Password Hash when we use Pre-provision BitLocker and write it to the registry doesn’t work anymore.

When my colleague Johan Schrewelius and I tested this, we found a Task Sequence variable called “_OSDOAF” that contains the TPM password hash if the Pre-provision BitLocker step is used in the Configuration Manager Task Sequence.

Johan posted two PowerShell scripts here on TechNet Galleries: one that reads the TS variable, writes it to the registry and sets “OSManagedAuthLevel” to “4” (otherwise it will be removed by Windows again), and one that simply sets the “OSManagedAuthLevel” value back to default.

Onevinn – Scripts

Here are the steps that are involved; I disabled the step that we used before to achieve the same thing.

The “MBAM TPMPassTheHash” step, as we call it, runs the following script.

And the “Reset tpm policy” step will reset the value of “OSManagedAuthLevel” back to default.

A computer restart must be run before the Invoke-MbamClientDeployment step is run.

Then we have the TPM password hash in our MBAM database once again.

Note that it is recommended that the TPM Password Hash isn’t saved anymore, as stated in one of the links above.
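
A post-deployment check for the OSManagedAuthLevel policy described in this post, confirming that a machine was left at the default after the task sequence. This is an added example, not code from the original post or from Johan's scripts; the function name, its parameters and the REG_DWORD value type are assumptions.

```powershell
# Added example, not from the original post. Function and parameter names are
# hypothetical; the REG_DWORD type of OSManagedAuthLevel is an assumption.
function Test-TpmOwnerAuthPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = 'HKLM:\Software\Policies\Microsoft\TPM',
        [switch]$ResetToDefault
    )
    $name    = 'OSManagedAuthLevel'
    $discard = 2   # default per the article: TPM password hash is discarded
    $retain  = 4   # per the article: TPM password hash is retained

    # A missing key or value means no policy override is present.
    $item  = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$name } else { $null }

    if     ($null -eq $value)    { $state = 'NotConfigured' }
    elseif ($value -eq $discard) { $state = 'Default' }
    elseif ($value -eq $retain)  { $state = 'Retained' }
    else                         { $state = 'Unexpected' }

    # Optional remediation: put the value back to the default of 2.
    $reset = $false
    if ($ResetToDefault -and ($state -in 'Retained', 'Unexpected')) {
        if ($PSCmdlet.ShouldProcess("$Path\$name", "Set to $discard")) {
            Set-ItemProperty -Path $Path -Name $name -Value $discard -Type DWord
            $value = $discard
            $state = 'Default'
            $reset = $true
        }
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Value     = $value
        State     = $state
        Compliant = $state -in 'NotConfigured', 'Default'
        Reset     = $reset
    }
}

# Report only; add -ResetToDefault (with -WhatIf to preview) to remediate.
Test-TpmOwnerAuthPolicy
```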