BitLocker - Backup TPM Information to AD

Answered BitLocker - Backup TPM Information to AD

  • Thursday, March 15, 2012 3:33 PM
     
     

    My notebook is being encrypted. The Recovery Key and TPM Owner Info were in AD.

    I changed the TPM Password and I have the new hash (tpm file).

    • I can store the Recovery Key in the AD with the command manage-bde -protectors c: -adbackup -id '{xxxxx}'
    • I can not backup the TPM Owner Information into AD. I receive only the error code 0x8031003a. How can I do this?

    • Edited by Dawid Mitura Thursday, March 15, 2012 3:36 PM

All Replies

  • Thursday, March 15, 2012 8:24 PM
     
     
    Where in AD DS did you see TPM owner info?  I have about 100 machines Bitlocker'ed and only see drive recovery keys in AD DS.  In all that I have read and researched, I don't believe TPM info gets imported into AD DS.  Please enlighten me if I am wrong  :)
  • Friday, March 16, 2012 9:17 AM
     
     Proposed Answer

    1) View >> "Advanced Features"

    2) Active Directory Users & Computers >> Properties of Computer >> Attribute Editor >> "msTPM-OwnerInformation"

    Guide - Backing Up BitLocker and TPM Recovery Information to AD DS

    --------

    If I decrypt the whole drive, deactivate the TPM chip, then activate it again and encrypt the drive -> I see both pieces of information, RecoveryKey and TPMOwnerInfo, in AD. But this is only the test machine with 30 GB. I don't want to decrypt and encrypt the rest of the productive machines with 300+ GB onboard. I just want to back up the TPMOwnerInfo into AD when the drive is already encrypted. Any ideas?

    • Proposed As Answer by DrewMilizia Monday, March 19, 2012 8:44 PM
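    Added example, not posted by anyone in this thread: a PowerShell script that does the two things discussed above from one place, namely pushing every numerical-password (recovery key) protector to AD DS the way the manage-bde -adbackup command in the question does, and then reading back what the computer object actually holds (the msFVE-RecoveryInformation child objects and the msTPM-OwnerInformation attribute that the Attribute Editor step shows). It uses the Win32_EncryptableVolume WMI class instead of parsing manage-bde output so it does not depend on the display language. Assumptions: it runs elevated on the domain-joined client, the RSAT ActiveDirectory module is installed for the verification part, and the registry paths under the "policy footprint" comment are my understanding of where the two GPO settings land; treat those two paths as assumed, not confirmed by the thread.

```powershell
# --- 1. Back up every recovery-password protector of every protected volume to AD DS ---
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume

foreach ($vol in $volumes) {
    # ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown
    if ($vol.ProtectionStatus -ne 1) {
        Write-Output ("{0} is not protected, skipping" -f $vol.DriveLetter)
        continue
    }

    # KeyProtectorType 3 = numerical password (the 48-digit recovery password)
    $result = $vol.GetKeyProtectors(3)
    if ($result.ReturnValue -ne 0 -or -not $result.VolumeKeyProtectorID) {
        Write-Output ("{0} has no numerical-password protector" -f $vol.DriveLetter)
        continue
    }

    foreach ($id in $result.VolumeKeyProtectorID) {
        # Same operation as: manage-bde -protectors <drive> -adbackup -id <guid>
        $backup = $vol.BackupRecoveryInformationToActiveDirectory($id)
        if ($backup.ReturnValue -eq 0) {
            Write-Output ("{0} protector {1}: backed up to AD DS" -f $vol.DriveLetter, $id)
        } else {
            # Report the HRESULT in hex so it can be compared with errors like 0x8031003a
            Write-Output ("{0} protector {1}: backup failed with 0x{2:X8}" -f $vol.DriveLetter, $id, $backup.ReturnValue)
        }
    }
}

# --- 2. Policy footprint (ASSUMED registry locations for the two GPO settings in this thread) ---
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$tpm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' -ErrorAction SilentlyContinue
Write-Output ("BitLocker OS-drive AD backup policy value : {0}" -f $fve.OSActiveDirectoryBackup)
Write-Output ("TPM owner-info AD backup policy value      : {0}" -f $tpm.ActiveDirectoryBackup)

# --- 3. Verify what AD DS holds for this computer object ---
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'msTPM-OwnerInformation'

if ($computer.'msTPM-OwnerInformation') {
    Write-Output 'msTPM-OwnerInformation is populated on the computer object'
} else {
    Write-Output 'msTPM-OwnerInformation is EMPTY (TPM owner info has not been backed up)'
}

# Recovery passwords live as msFVE-RecoveryInformation child objects under the computer.
# Only the object name (date + protector GUID) and creation time are listed here; reading
# msFVE-RecoveryPassword itself needs delegated rights and is not required to confirm the backup.
$recovery = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties whenCreated

if ($recovery) {
    foreach ($r in $recovery) {
        Write-Output ("Recovery object: {0} (created {1})" -f $r.Name, $r.whenCreated)
    }
} else {
    Write-Output 'No msFVE-RecoveryInformation objects found under the computer account'
}
```

    The two verification results map directly onto the two GPO settings: recovery objects appear only after the BitLocker "store recovery information in AD DS" policy is applied and the backup call succeeds, and msTPM-OwnerInformation is written only when the TPM backup policy is on at the moment the owner password is set or changed, which is what the later reply in this thread ends up confirming.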
  • Friday, March 16, 2012 9:36 AM
     
     Answered

    I'm a noob. I created the 2nd GPO for MBAM and forgot to enable the setting Turn on TPM backup to Active Directory Domain Services. When I change the TPM Password in tpm.msc now, then I can see the right value for TPMOwnerInfo in AD.

    I tested the decryption and encryption process (which I described above) with the 1st correct GPO. My mistake, sorry.

    • Marked As Answer by Dawid Mitura Friday, March 16, 2012 9:36 AM
  • Friday, March 16, 2012 1:04 PM
     
     

    Where in GP is that?  I have not found that option?

    Edit: I found it under System.. so enabled it but the machines are not pulling it down.  I noticed you said you created another GPO, so does that mean that setting needs to be in its own object?

    • Edited by DrewMilizia Friday, March 16, 2012 2:19 PM
  • Monday, March 19, 2012 10:08 AM
     
     

    Let's look at this. I tried 2 different solutions:

    1) Backup the RecoveryKey and TPM OwnerInformation in AD

    I created the 1st GPO for it. Guide - Backing Up BitLocker and TPM Recovery Information to AD DS

    I linked the GPO to the OU with my clients' PCs. After that, when I encrypted the HDD and created the TPM Password with the PIN, I noticed that AD backed up both pieces of information.

    2) Backup the RecoveryKey and TPM OwnerInformation in MBAM Database.

    I created the 2nd different GPO. Guide - MBAM Step by Step ( BitLocker Administration and Monitoring )

    I linked the GPO to the OU with my clients' PCs. Of course I deactivated the previous GPO. After that, when I encrypted the HDD and created the TPM Password with the PIN, I noticed that MBAM backed up both pieces of information.