Hello, is there a show that focuses on the use of the following commands in Svr 2016?
Set-TpmOwnerAuth
ConvertTo-TpmOwnerAuth
Import-TpmOwnerAuth
Regards,
Adam Tyler
Adam,
I hope all is well. We do not really have any shows/episodes that touch on or focus on the use of the commands for tpmownerauth.
Is there something specific that you need to know about them?
Hi Adam, I am still studying for my MCSA 2012 > 2016 upgrade exam and a related practice question came up. I'm not sure why, but this exam prep is really kicking my butt. I ended up purchasing a practice exam that focused directly on this test; ITPro only has practice exam questions for each of the 740/741/742 tests as far as I could tell. Anyway, pretty much all the answers on this practice exam are incorrect and I am researching and correcting as I go. Taking forever, but I am learning a lot.
So the question about TpmOwnerAuth went something like: "You have a server named Server1. You enable BitLocker Drive Encryption on Server1. You need to change the password for the Trusted Platform Module (TPM) chip."
A. Initialize-Tpm
B. Import-TpmOwnerAuth
C. repair-bde.exe
D. bdehdcfg.exe
My research points to "Set-TpmOwnerAuth" as the correct command for this, but I couldn't really get a clear understanding of why these commands even exist. I realize the recovery keys are stored in the TPM module, but these commands aren't even listed under Microsoft's BitLocker suite. More of a guess from a process of elimination.
My exam is scheduled for the 15th. I've pushed it out now like 3 times. Areas I am still pretty weak in are Network Virtualization, Federated Services, DirectAccess (RRAS), and Containers. Once I get through this practice exam (about 20 to go out of the 245) I'll go back through and try to arrange them in categories. See if I can drill down. I did sit through all of the classroom lectures, mostly hosted by you (Adam G.), but I find that most of them are very introductory and don't focus on these nuanced, actual exam questions. I find myself doing everything in the lab, but it is time consuming.
Without a spare PC lying around with a TPM 2.0 chip and Server 2016 loaded as a native OS, this particular one is difficult to lab. I see that VMware vSphere, which is what I use in the lab, supports TPM access from the guest now, but there is still a specific set of hardware requirements. We use whole disk encryption at work, a healthcare environment. We settled on a McAfee solution, so third party. I looked into deploying BitLocker, but the architecture around deploying it for a single point of management was pretty ridiculous. Our McAfee solution is pretty inexpensive, provides auditing and a central point of management, and only required a single server.
Thanks for your help.
Regards,
Adam Tyler
@adam-tyler said in TpmOwnerAuth ?:
Set-TpmOwnerAuth
Adam,
I feel your pain... Let's start with just the basics, which I think will help you get this squared away in your mind, and hopefully allow it all to gel and become something that makes sense.
A computer requires an owner authorization value to manage a TPM.
As a result, this value can be (and is by default) supplied by the computer owner when they use whatever interface / management tools are provided to initialize and configure the TPM. (In some cases, the OEM vendor would do this on pre-configured systems that are shipped already set up.)
If you, as the owner, want to change this value, or want to override the existing value in the registry (which is where it is stored on a Windows system), then the easiest way to do this without having to decommission the TPM is to use the PowerShell commands to do so.
The ConvertTo-TpmOwnerAuth cmdlet creates a Trusted Platform Module (TPM) owner authorization value based on a pass phrase string, which you would provide.
The Import-TpmOwnerAuth cmdlet imports a valid Trusted Platform Module (TPM) owner authorization value to the registry.
The Set-TpmOwnerAuth cmdlet changes the current owner authorization value of the Trusted Platform Module (TPM) to a new value. You can specify the current owner authorization value or specify a file that contains the current owner authorization value. If you do not specify an owner authorization value, the cmdlet attempts to read the value from the registry.
I would suggest that if you have not already found, or seen the following article that you read through it, as it does a good job of giving you the background, and I think will finish filling in the gaps for you:
https://blogs.technet.microsoft.com/dubaisec/2017/02/28/tpm-owner-password/
Take a look, and then let me know if you have any additional questions. This is not one of those topics that I would spend a lot of time on for the exam, as it is not likely to be tested on too heavily.
Good Luck.
Cheers,
Adam
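As an added worked example (not code from either poster), the three cmdlets described in the reply above used together on a Server 2016 host: back up the owner authorization value the OS holds in the registry, derive a new value from a passphrase, change the TPM's value, and verify. The backup folder and the passphrase prompt are assumptions; the cmdlet names and parameters are the real TrustedPlatformModule module ones.

```powershell
#Requires -RunAsAdministrator
# Added example: rotate the TPM owner authorization value on Server 2016.
# Assumes a provisioned TPM and an elevated session. $BackupDir is a placeholder
# path; in practice store the backup somewhere access-controlled (AD, a vault).
$BackupDir = 'C:\TpmAuthBackup'

$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw "TPM not usable (TpmPresent=$($tpm.TpmPresent), TpmReady=$($tpm.TpmReady))."
}

# Set-TpmOwnerAuth reads the *current* value from the registry when neither
# -OwnerAuthorization nor -File is given, so it must actually be there.
if ([string]::IsNullOrEmpty($tpm.OwnerAuth)) {
    throw 'No owner authorization value retained in the registry; pass the current value with -OwnerAuthorization or -File.'
}

# 1. Back up the current value first so a failed change can be rolled back.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ('ownerauth-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
Set-Content -Path $backupFile -Value $tpm.OwnerAuth

# 2. Derive the new owner authorization value from a passphrase.
$secure = Read-Host -Prompt 'New TPM owner passphrase' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
$newAuth = ConvertTo-TpmOwnerAuth -PassPhrase $plain

# 3. Change the value the TPM expects (current value taken from the registry).
Set-TpmOwnerAuth -NewOwnerAuthorization $newAuth | Out-Null

# 4. Make sure the registry copy matches the TPM; Import-TpmOwnerAuth is also
#    the way to repopulate the registry from a backup file after a rebuild:
#    Import-TpmOwnerAuth -File $backupFile
Import-TpmOwnerAuth -OwnerAuthorization $newAuth | Out-Null

# 5. Verify before declaring success.
if ((Get-Tpm).OwnerAuth -ne $newAuth) {
    throw 'Registry owner authorization does not match the new value; restore from backup and investigate.'
}
Write-Host "Owner authorization rotated; previous value saved to $backupFile"
```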