BitLocker - Backup TPM Information to AD

  • Thursday, 15 March 2012 15:33

    My notebook is being encrypted. The Recovery Key and TPM Owner Info were in AD.

    I changed the TPM Password and I have the new hash (tpm file).

    • I can store the Recovery Key in the AD with the command manage-bde -protectors c: -adbackup -id '{xxxxx}'
    • I cannot back up the TPM Owner Information into AD. I receive only the error code 0x8031003a. How can I do this?

    • Edited by Dawid Mitura, Thursday, 15 March 2012 15:36

All replies

  • Thursday, 15 March 2012 20:24
    Where in AD DS did you see TPM owner info?  I have about 100 machines BitLocker'ed and only see drive recovery keys in AD DS.  In all that I have read and researched, I don't believe TPM info gets imported into AD DS.  Please enlighten me if I am wrong  :)
  • Friday, 16 March 2012 09:17
     Proposed answer

    1) View >> "Advanced Features"

    2) Active Directory Users & Computers >> Properties of Computer >> Attribute Editor >> "msTPM-OwnerInformation"

    Guide - Backing Up BitLocker and TPM Recovery Information to AD DS

    --------

    If I decrypt the whole drive, deactivate the TPM chip, then activate it again and encrypt the drive -> I see both pieces of information, RecoveryKey and TPMOwnerInfo, in AD. But this is only the test machine with 30 GB. I don't want to decrypt and encrypt the rest of the productive machines with 300+ GB onboard. I just want to back up the TPMOwnerInfo into AD when the drive is already encrypted. Any ideas?

    • Proposed as answer by DrewMilizia, Monday, 19 March 2012 20:44
  • Friday, 16 March 2012 09:36
     Answered

    I'm a noob. I created the 2nd GPO for MBAM and forgot to enable the setting Turn on TPM backup to Active Directory Domain Services. When I change the TPM Password in tpm.msc now, then I can see the right value for TPMOwnerInfo in AD.

    I tested the decryption and encryption process (which I described above) with the 1st correct GPO. My mistake, sorry.

    • Marked as answer by Dawid Mitura, Friday, 16 March 2012 09:36
  • Friday, 16 March 2012 13:04

    Where in GP is that?  I have not found that option..??

    Edit: I found it under System.. so enabled it but the machines are not pulling it down.  I noticed you said you created another GPO, so does that mean that setting needs to be in its own object?

    • Edited by DrewMilizia, Friday, 16 March 2012 14:19
  • Monday, 19 March 2012 10:08

    Let's look at this. I tried 2 different solutions:

    1) Back up the RecoveryKey and TPM OwnerInformation in AD

    I created the 1st GPO for it. Guide - Backing Up BitLocker and TPM Recovery Information to AD DS

    I linked the GPO to the OU with my clients' PCs. After that, when I encrypted the HDD and created the TPM Password with the PIN, I noticed that AD backed up both pieces of information.

    2) Back up the RecoveryKey and TPM OwnerInformation in the MBAM Database.

    I created the 2nd, different GPO. Guide - MBAM Step by Step ( BitLocker Administration and Monitoring )

    I linked the GPO to the OU with my clients' PCs. Of course I deactivated the previous GPO. After that, when I encrypted the HDD and created the TPM Password with the PIN, I noticed that MBAM backed up both pieces of information.
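The thread's resolution combines three pieces: the manage-bde -adbackup command from the first post (which only pushes recovery passwords, not TPM owner information), the "Turn on TPM backup to Active Directory Domain Services" policy from the accepted answer, and the ADUC Attribute Editor check for msTPM-OwnerInformation. The script below is an added example, not code from the thread or from Microsoft; it runs on the client to confirm the TPM backup policy is applied, pushes every recovery-password protector on a drive to AD DS, and then reads back from AD what the posters checked by hand. Assumptions: English manage-bde output, the RSAT ActiveDirectory module, read rights on the computer object, and the Windows 7 / Server 2008 R2 schema where TPM owner information lands in msTPM-OwnerInformation on the computer object (later schemas move it to a separate msTPM-InformationObject). The registry value name and the function names are mine.

```powershell
# Added example (not from the thread). Run elevated on a domain-joined client.
#Requires -RunAsAdministrator

function Test-TpmAdBackupPolicy {
    # "Turn on TPM backup to Active Directory Domain Services" writes this value
    # (assumption: value name ActiveDirectoryBackup under the TPM policy key).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    $val = Get-ItemProperty -Path $key -Name 'ActiveDirectoryBackup' -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.ActiveDirectoryBackup -eq 1)
}

function Get-RecoveryPasswordIds {
    param([string]$Drive = 'C:')
    # Parse the "ID: {GUID}" line that follows each "Numerical Password" protector
    # in English manage-bde output; localized builds label the protector differently.
    $ids = @()
    $inNumerical = $false
    foreach ($line in (& manage-bde -protectors -get $Drive)) {
        if ($line -match '^\s*Numerical Password:') { $inNumerical = $true; continue }
        if ($inNumerical -and $line -match '^\s*ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $ids += $Matches[1]
            $inNumerical = $false
        }
    }
    return $ids
}

function Backup-RecoveryPasswordsToAd {
    param([string]$Drive = 'C:')
    # Same operation as the first post's command, once per recovery-password protector.
    foreach ($id in Get-RecoveryPasswordIds -Drive $Drive) {
        & manage-bde -protectors -adbackup $Drive -id $id | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "manage-bde -adbackup failed for $id on $Drive (exit code $LASTEXITCODE)"
        } else {
            Write-Host "Backed up recovery password $id for $Drive to AD DS"
        }
    }
}

function Get-AdBitLockerState {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Import-Module ActiveDirectory
    $comp = Get-ADComputer -Identity $ComputerName -Properties 'msTPM-OwnerInformation'
    # Recovery passwords are msFVE-RecoveryInformation child objects of the computer;
    # the object name is "<timestamp>{<protector GUID>}", so the ID can be read from it.
    $rk = Get-ADObject -SearchBase $comp.DistinguishedName -SearchScope OneLevel `
            -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties 'whenCreated'
    [pscustomobject]@{
        Computer          = $comp.Name
        TpmOwnerInfoInAd  = -not [string]::IsNullOrEmpty($comp.'msTPM-OwnerInformation')
        RecoveryPasswords = @($rk | ForEach-Object {
            $id = if ($_.Name -match '(\{[0-9A-Fa-f-]+\})') { $Matches[1] } else { $_.Name }
            [pscustomobject]@{ Id = $id; Created = $_.whenCreated }
        })
    }
}

# Usage: check policy, push protectors, then verify what AD actually holds.
if (-not (Test-TpmAdBackupPolicy)) {
    Write-Warning 'TPM AD backup policy not applied here; run gpupdate /force and re-check before changing the TPM owner password.'
}
Backup-RecoveryPasswordsToAd -Drive 'C:'
$state = Get-AdBitLockerState
$state | Format-List
if (-not $state.TpmOwnerInfoInAd) {
    Write-Warning 'msTPM-OwnerInformation is empty: manage-bde cannot write it. With the policy in place, change the TPM owner password in tpm.msc, as in the accepted answer.'
}
```

Two practical notes: Backup-RecoveryPasswordsToAd is idempotent, so re-running it after a GPO change is safe, and it reports a non-zero exit code per protector rather than stopping, which is what you want when rolling this out across an OU. The final warning reflects the thread's finding that there is no command-line path to back up existing TPM owner information; the write to AD happens only when ownership is taken or the owner password is changed while the policy is in effect.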