TPM info not importing to new MBAM production environment from test MBAM environment

    Question

  • At work we are moving from a test environment to a production environment of MBAM.  Reading forum posts in multiple places says that if we get the new group policy on the machine that is pointing to the new environment, it should import the keys.  This is partly true.  While it does import the drive recovery keys into the new prod environment, it does not import the TPM owner information.  Is there a way to get the TPM info into our new production environment?  I do realize that we could do it by decrypting and re-encrypting all the machines, but we are trying to avoid that if at all possible.
    Thursday 08 March 2012 20:55

Answers

All replies

  • Hi,

    I have found some threads for your reference.

    http://social.technet.microsoft.com/Forums/en-IE/w7itprosecurity/thread/d758604d-8bad-4fa8-975f-db446f6d11de

    http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/307f1aaa-6b1a-4de5-9d29-eda1e91c954a

    It seems that TPM hash information is only captured when we initialize the TPM for the first time on the machine.

    If you want this information in MBAM, you need to suspend BitLocker and clear the TPM from the TPM Management console.

    After this, MBAM will prompt you to initialize the TPM, and then you can see the info under Manage TPM in the MBAM console.

    If your drive is already encrypted, make sure you have the 48-digit recovery password handy in case you are prompted to key it in.

    Note: You are not supposed to initialize the TPM manually by using the TPM Management console.

    MBAM will prompt you to start encryption, and once you hit that it will initialize the TPM and tell you to reboot the machine.


    Hope this helps.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday 13 March 2012 01:47
    Moderator
  • Adding to Jeremy_Wu's answer, if you hit an error while MBAM is initializing the TPM, you can check this KB:

    2640178 MBAM fails to take ownership of TPM
    http://support.microsoft.com/kb/2640178

    I hope this helps.



    Manoj Sehgal

    Wednesday 14 March 2012 10:13
  • I have done what you said in this post, but MBAM never comes back up asking to start encryption again after being suspended.  When I try to resume protection to see if that will help, I get an error message:

    "Wizard initialization failed. You must initialize the Trusted Platform Module (TPM) before you can use Bitlocker Drive Encryption."

    Is there a point at which I should be resuming to get this to work properly?  The status of the TPM right now is "TPM is off and ownership has not been taken."  The machine is checking into MBAM just fine, as I have a script written to do a check-in manually and I can see it checked in on the SQL server and in the MBAM console.

    @manojsehgal: I also tried the VBS you referred me to, and that hasn't helped either.  Do you think part of the reason it doesn't work is the fact that BitLocker is suspended, and in order to resume, the TPM must be initialized, and in order for the TPM to be initialized by MBAM it needs to be resumed?  Am I stuck in a loop?  At this point I am not sure what to do, so any help would be great.  Thanks guys, I appreciate your help.

    Thursday 15 March 2012 19:57
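The thread hinges on which combination of TPM ownership state and BitLocker protection state a machine is in. The following PowerShell diagnostic is an added example, not a script from the thread or from MBAM; it assumes the Windows 7 era WMI classes Win32_Tpm and Win32_EncryptableVolume, the OS volume on C:, and an elevated prompt, and maps the raw flags onto the status strings and situations described above.

```powershell
# Added example: classify the local TPM / BitLocker state before touching the TPM,
# so you know which situation from the thread you are in. Not MBAM's own tooling.
# Assumes Win32_Tpm and Win32_EncryptableVolume WMI classes, OS volume on C:, elevated shell.

$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    Write-Warning 'No Win32_Tpm instance: TPM is absent, or disabled in firmware.'
    return
}

# Each method returns an object carrying a boolean of the same name.
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned

# These three flags are what the "TPM is on/off ... ownership ..." strings summarise.
if (-not $enabled -or -not $activated) {
    $tpmState = 'TPM is off and ownership has not been taken'
} elseif (-not $owned) {
    $tpmState = 'TPM is on and ownership has not been taken'
} else {
    $tpmState = 'TPM is on and ownership has been taken'
}

$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                     -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
$protection = $vol.GetProtectionStatus().ProtectionStatus   # 0 = off/suspended, 1 = on, 2 = unknown
$conversion = $vol.GetConversionStatus().ConversionStatus   # 0 = fully decrypted, 1 = fully encrypted

if ($conversion -eq 0) {
    $volState = 'Fully decrypted: MBAM can prompt to encrypt and will initialize the TPM itself'
} elseif ($conversion -eq 1 -and $protection -eq 0) {
    $volState = 'Encrypted, protection suspended: resume fails until the TPM is initialized'
} elseif ($conversion -eq 1 -and $protection -eq 1) {
    $volState = 'Encrypted and protected: MBAM will not re-capture TPM owner info'
} else {
    $volState = "Conversion in progress or paused (ConversionStatus=$conversion)"
}

[pscustomobject]@{
    TpmEnabled = $enabled; TpmActivated = $activated; TpmOwned = $owned
    TpmState   = $tpmState
    Protection = $protection; Conversion = $conversion
    VolState   = $volState
}
```

The "suspended but encrypted" row is the loop the question describes: the resume wizard demands an initialized TPM, while MBAM only initializes the TPM as part of starting a fresh encryption.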
  • I think we should turn on the TPM first.

    Thanks
    Zero

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday 16 March 2012 08:37
  • I initialized the TPM and did the restart, accepted permission for the OS ownership and let it boot into Windows.  I cancelled the "Create password" prompt and now my TPM is "TPM is on and ownership has not been taken".  I have forced it to check in and MBAM does not come up asking to re-encrypt.  I really wanted to move the people we have already encrypted in our test environment over to production without decrypting, but it seems it may not work.  Any other ideas?  :)
    Friday 16 March 2012 12:55
  • If you want MBAM to prompt to start encryption again for drives which are already encrypted, you need to decrypt them.

    At this time this is the only way: MBAM will prompt to start encryption, and it will first initialize the TPM and then start encryption.

    I hope this helps.


    Manoj Sehgal

    Saturday 17 March 2012 13:28