How to Clean Up TPM Information from AD for Windows 8 Computers

For Windows 7 machines, the TPM owner password is stored in msTPM-OwnerInformation, which is an attribute of the computer object in AD. So if you delete the computer object, the TPM owner password is deleted with it.

For Windows 8, the TPM owner information is not stored directly on the computer object. It is stored in a separate object (an msTPM-InformationObject) that is linked to the computer object. When you delete the computer object from AD, that separate object, and the msTPM-OwnerInformation attribute on it which holds the TPM owner password, is not deleted automatically.

As per best practices, TPM owner information is also backed up in AD DS for all domain-joined computers.

In a scenario where an admin is doing a refresh of a computer and will delete the existing computer object in AD, he should first delete the TPM information for that computer, which is now stored in a different location in AD.

If you do not delete the msTPM-InformationObject under TPM Devices, it will remain in AD as a stale entry.

If the administrator does not delete the original computer object from AD in a refresh scenario, then you do not have to delete the TPM information under the TPM Devices container in AD.
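To find entries that have already gone stale (an msTPM-InformationObject left behind after its computer object was deleted), the following PowerShell report can be used. It is an added example and not part of the original post; it assumes the ActiveDirectory module (RSAT) is installed, the Windows 8 schema extensions are in place, and the container is CN=TPM Devices at the domain root as described here. It uses only the msTPM-TpmInformationForComputer link attribute named in the post.

```powershell
# Added example, not from the original post: report msTPM-InformationObject
# entries in the TPM Devices container that no computer object links to any more.
# Assumes the ActiveDirectory PowerShell module (RSAT) and the Windows 8 schema
# extensions; "CN=TPM Devices,<domain DN>" is the container named in the post.
Import-Module ActiveDirectory

function Get-StaleTpmInformationObject {
    param(
        # Domain distinguished name; defaults to the current domain.
        [string]$DomainDn = (Get-ADDomain).DistinguishedName
    )
    $tpmContainer = "CN=TPM Devices,$DomainDn"

    # Collect every DN that some computer object still links to via
    # msTPM-TpmInformationForComputer (the attribute read in step 3 of the post).
    $linked = @{}
    Get-ADComputer -Filter * -Properties 'msTPM-TpmInformationForComputer' |
        Where-Object { $_.'msTPM-TpmInformationForComputer' } |
        ForEach-Object { $linked[$_.'msTPM-TpmInformationForComputer'] = $_.Name }

    # Any msTPM-InformationObject whose DN is not in that set has lost its
    # computer object: that is a stale entry.
    Get-ADObject -SearchBase $tpmContainer -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msTPM-InformationObject)' -Properties whenCreated |
        Where-Object { -not $linked.ContainsKey($_.DistinguishedName) } |
        Select-Object Name, DistinguishedName, whenCreated
}

# Report only; review the list before removing anything.
Get-StaleTpmInformationObject | Format-Table -AutoSize

# After review, the same list can be fed to Remove-ADObject; run with -WhatIf first:
# Get-StaleTpmInformationObject | Remove-ADObject -WhatIf
```

The function only reports; deletion is a separate, explicit step so that an object which is simply not yet linked (for example, one created moments ago) is not removed by accident.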

In Windows 8, the TPM auto-provisioning feature initializes the TPM and can escrow the TPM owner password in AD DS if the GPO to back up the TPM password is enabled.

Windows 8 TPM GPO
https://technet.microsoft.com/en-us/library/jj679889.aspx

If your computer is not joined to a domain, the TPM owner authorization value is stored in the local computer registry.

TPM owner information for a Windows 8 machine is stored in an msTPM-InformationObject in the TPM Devices container, which is visible in the Active Directory Users and Computers MMC snap-in.

Note: If the TPM Devices container is not available, make sure you have applied the schema extensions for Windows 8.

Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients
https://technet.microsoft.com/en-us/library/jj635854.aspx


How to delete the msTPM-InformationObject in AD

1. Connect to the Active Directory Users and Computers MMC snap-in and select the computer object that you want to delete from AD.

2. Right-click the computer object, go to Properties and select the Attribute Editor tab.

3. Choose msTPM-TpmInformationForComputer from the list of attributes and note the CN name it contains.


4. Now, in the Active Directory Users and Computers MMC snap-in, select the TPM Devices container.

5. Search for the CN name that you gathered in step 3. This is the msTPM-InformationObject for the computer.

6. Right-click the msTPM-InformationObject and select Properties.

7. In the attribute list you will see the msTPM-OwnerInformation attribute, which holds the TPM owner password for the computer.


8. Delete the msTPM-InformationObject under the TPM Devices container that you located in step 5.

9. Now you can delete the original computer object from AD.
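The same nine steps can be scripted so that the TPM object is always removed before the computer object. The following is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) and a computer name of your own (WS8-CLIENT01 below is a placeholder). It reads the msTPM-TpmInformationForComputer link from the computer object (steps 1-3), removes the linked msTPM-InformationObject (steps 4-8), and only then removes the computer object (step 9).

```powershell
# Added example, not from the original post: perform the cleanup procedure in order.
# Assumes the ActiveDirectory PowerShell module (RSAT) and Windows 8 schema extensions.
Import-Module ActiveDirectory

function Remove-ComputerWithTpmInfo {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName
    )

    # Steps 1-3: read the link attribute from the computer object. Its value is the
    # distinguished name of the msTPM-InformationObject in the TPM Devices container.
    $computer = Get-ADComputer -Identity $ComputerName -Properties 'msTPM-TpmInformationForComputer'
    $tpmDn = $computer.'msTPM-TpmInformationForComputer'

    if ($tpmDn) {
        # Steps 4-8: remove the linked msTPM-InformationObject first, so it cannot be
        # orphaned once the computer object (and its link) is gone.
        if ($PSCmdlet.ShouldProcess($tpmDn, 'Remove msTPM-InformationObject')) {
            Remove-ADObject -Identity $tpmDn -Confirm:$false
        }
    }
    else {
        # Windows 7 clients, or machines whose owner password was never escrowed,
        # have no linked object; nothing to clean up in TPM Devices.
        Write-Verbose "No msTPM-InformationObject linked to $ComputerName."
    }

    # Step 9: remove the computer object itself.
    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Remove computer object')) {
        Remove-ADObject -Identity $computer.DistinguishedName -Recursive -Confirm:$false
    }
}

# Dry run first (-WhatIf prints what would be deleted), then run it for real.
Remove-ComputerWithTpmInfo -ComputerName 'WS8-CLIENT01' -WhatIf
Remove-ComputerWithTpmInfo -ComputerName 'WS8-CLIENT01' -Verbose
```

Remove-ADObject -Recursive is used for the computer object because computer objects can carry child objects; note that BitLocker recovery information backed up to AD is stored as child objects of the computer, so it is deleted in the same step, which is the expected result of a refresh but worth knowing before you run it.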


More Information:

TPM Provisioning Feature
https://technet.microsoft.com/en-us/library/jj131725.aspx

Windows 8 TPM GPO
https://technet.microsoft.com/en-us/library/jj679889.aspx

Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients
https://technet.microsoft.com/en-us/library/jj635854.aspx


Manoj Sehgal
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support