Change TPM Owner password?

mgarr682

New Member
When trying to change the tpm owner password on my SurfacePro 3 I am getting the following error:

Cannot change TPM owner password
The TPM may not be in the correct state to perform this action. Try refreshing the TPM management console screen to see whether the action is still available.
Authentication failed.
Error code: 0x80280001

Does anyone have any idea what the problem might be?
 

mgarr682

New Member
After close to an hour on the phone with Microsoft support I was informed that Microsoft does not "support" issues with the TPM on the Surface Pro 3. Frankly, the three support people I spoke with had only minimal knowledge of TPM and how it works.

If anyone here has any idea about how to take ownership of the TPM on the Surface Pro 3 I would appreciate any help.
 

GreyFox7

Super Moderator
Staff member
Um, your last sentence leads me to believe there is already a password on the TPM; is that correct? If so, that may explain the bailout.
 

Votality

Member
The TPM chip used by the Surface 3, 4, I believe, is the Infineon OPTIGA TPM 2.0. The package is called the TPM Professional Package, but like a giant bunch of assholes Infineon don't allow you to download the package from them (no end-user support). Windows has built-in TPM management, but it sounds like you tried that. You might be able to google around and try to find the most recent version from another vendor. Maybe try here (untested) support:download detail:550949:TPM Professional Package Update (Infineon) Update version 4.3.3137.0.

If you somehow break your SP3 or lose its data... don't blame me :p


Edit: After googling a bit it seems people couldn't upgrade to win10 without removing it. There may be no version that works with win10


Edit 1: "Microsoft has built in support for the TPM and extended management functions directly in Windows. The Infineon TPM Professional Package therefore is no longer required and Infineon has stopped further development and support for this product."

Products - Infineon Technologies
 

GreyFox7

Super Moderator
Staff member
When trying to change the tpm owner password on my SurfacePro 3 I am getting the following error:

Cannot change TPM owner password
The TPM may not be in the correct state to perform this action. Try refreshing the TPM management console screen to see whether the action is still available.
Authentication failed.
Error code: 0x80280001

Does anyone have any idea what the problem might be?

It would help to have some additional background information: what was done to get the error, and any other procedures attempted. Without a valid TPM authorization, wipe and reload is the only option.
TPM_E_AUTHFAIL
2150105089 (0x80280001)
The current TPM owner authorization value is incorrect.
ChangeOwnerAuth method of the Win32_Tpm class (Windows)

Initialize and configure ownership of the TPM (Windows)

It may be possible to use TPM.msc as Administrator to clear the TPM, however:
Important
Clearing the TPM can result in the loss of data. To avoid data loss, make sure you have a backup or recovery method for any data protected or encrypted by the TPM.

Clearing the Trusted Platform Module (TPM) resets the TPM to an unowned state. After clearing the TPM, you need to complete the TPM initialization process before using software that relies on the TPM, such as BitLocker Drive Encryption.

i.e. Clearing the TPM would invalidate the contents of the C drive and you would have to reinstall Windows. Verify you have a bootable USB recovery drive or partition FIRST and have backed up any data you wish to preserve.
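
A read-only check to run before clearing the TPM, added here as an example and not part of the post above: it reports the TPM state, the BitLocker encryption method, and whether the volume has a recovery password protector to fall back on. It assumes an elevated PowerShell prompt and that the OS volume is C:.

```powershell
# Added example: read-only checks, run from an elevated PowerShell prompt.
# Assumption: the OS volume is C: (change $mount otherwise).
$mount = 'C:'

# TPM state as Windows sees it.
$tpm = Get-Tpm
$tpm | Select-Object TpmPresent, TpmReady, LockedOut, OwnerClearDisabled | Format-List

# BitLocker state of the volume, including the encryption method in use.
$vol = Get-BitLockerVolume -MountPoint $mount
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod | Format-List

# Which key protectors exist? A cleared TPM can no longer release a key sealed
# to it, so another protector must be available to unlock the volume.
$types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
"Key protectors on ${mount}: " + ($types -join ', ')

$usesTpm     = [bool]($types -like 'Tpm*')   # Tpm, TpmPin, TpmStartupKey, ...
$hasRecovery = $types -contains 'RecoveryPassword'

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    'Volume is not encrypted; clearing the TPM does not affect access to it.'
} elseif ($usesTpm -and -not $hasRecovery) {
    'STOP: the volume relies on the TPM and has no recovery password protector.'
} elseif ($usesTpm) {
    'A recovery password exists. Confirm you hold a copy of it before clearing:'
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object KeyProtectorId
} else {
    'No TPM-based protector on this volume.'
}
```

Compare the reported KeyProtectorId with the identifier on the printed or saved recovery key so you know the copy you hold matches the volume.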
 

mgarr682

New Member
After spending more time on this issue I found that the status of the TPM was showing as "The TPM is ready for use, with reduced functionality." An explanation of that message was found at the bottom of this page:

TPM fundamentals (Windows)

I cleared the TPM as outlined on that page, selected reboot, and was taken to an AMI BIOS page telling me to hit F12 to clear the TPM along with a warning that I would lose all keys and data protected by those keys, much like the warning at the bottom of the page cited above. I hit F12 to approve the action and the SP3 then booted to the Windows login screen. That surprised me as I assumed clearing the key would clear whatever key BitLocker was using to encrypt the drive and I would have to reinstall the operating system. After logging in I ran tpm.msc and the status of the TPM showed "ready for use." I was then able to change the owner password for the TPM.

Checking the status of BitLocker still showed the drive to be a BitLocker drive and still encrypted. I printed a backup of the recovery key and found it unchanged from the recovery key printed last summer when the tablet was new. I then ran "manage-bde -status" to get the BitLocker status of the drive and found that it was using software encryption at the AES 128 level.

I had assumed that Microsoft would use a drive capable of hardware encryption, at least in the "Pro" versions of their tablets since BitLocker is a key feature of the SP3. Is that not the case?
 

GreyFox7

Super Moderator
Staff member
I don't know, it's a miracle or a horrendous bug.
I guess the FBI wishes San Bernardino guy had a MS phone. :)
 

leeshor

Well-Known Member
If an Android phone user has not modified their original system settings, and they are on Marshmallow, and it's PIN or PW protected, it isn't that much different from an Apple phone. If you try to reset the phone you can't access it without inputting your original account info. Google is trying to stop phone theft too but they have made it a little harder for someone to sell their phone.

If you have access and remove the account first it's supposed to be OK to reset.
 