Windows 7 msTPM-OwnerInformation PowerShell update problem

  • Question

  • I have started debugging why TPM information isn't being extracted from laptops to Active Directory. I have checked the numerous scripts from Microsoft that need to be run, and all schema objects and permissions within AD are there and seem to be ok. However, to start breaking things down and find out what is wrong, I thought I would try and emulate the update of msTPM-OwnerInformation manually. So I added this command to a PS1 file and created a scheduled task to be run by a laptop using the NT AUTHORITY\SYSTEM account against its own object in Active Directory (using dummy data):

    Set-ADComputer "MYLAPPY" -Add @{msTPM-OwnerInformation="abc123"}

    However, the attribute "msTPM-OwnerInformation" isn't updated, even though SELF has read/write access to that attribute (confirmed via looking at "Effective Permissions" tab). However, changing the powershell script and running:

    Set-ADComputer "MYLAPPY" -Add @{carLicense="def456"}

    The carLicense attribute is updated. It also has "SELF" with read/write access so it seems odd only this command works. Is a script running under the "NT AUTHORITY\SYSTEM" account viewed as "SELF" with active directory? Or has anyone any other pointers as to why one attribute should be updated but not the other via what would seem like the same command and permissions?

    Regards,

    Mark

    The DC is 2012 R2, with a domain functional level of 2008 R2 and forest level of Windows server 2003.

    Tuesday, June 6, 2017 8:11 AM

All replies

  • Hi,

    Does the issue occur on a specific device or on all devices?

    “Set-ADComputer "MYLAPPY" -Add @{carLicense="def456"}”

    Are there any error messages that occurred or were recorded in Event Viewer (Windows Logs\Application, System)?

    I suspect it would be caused by the inheritance permission. We could use Process Monitor to check if there were some “Access denied” errors.

    If the issue only occurs on a specific device, please disable antivirus software and firewall.

    If the issue occurs on all devices, please refer to the following link to check your configuration.

    Backing Up BitLocker and TPM Recovery Information to AD DS

    https://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx

    If you want to know more information about configuration, I would recommend you to ask for help from Server support. They may have more resources to help you.

    Server forum:

    https://social.technet.microsoft.com/Forums/windowsserver/en-us/home?category=windowsserver

    Best regards,

    Joy.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, June 7, 2017 9:12 AM
    Moderator
  • Thanks for your reply Joy. A few minutes after you posted your response I came across my mistake. As per my previous testing this command to update AD does work via Task Scheduler and a powershell script:

    Set-ADComputer "MYLAPPY" -Add @{carLicense="abc123"}

    This command doesn’t work (and gives no error to powershell):

    Set-ADComputer "MYLAPPY" -Add @{msTPM-OwnerInformation="abc123"}

    But this command does update AD:

    Set-ADComputer "MYLAPPY" -Add @{"msTPM-OwnerInformation"="abc123"}

    Having a hyphen in the attribute name requires quotation marks. Found the hard way.

    Thanks again Joy. I'll start troubleshooting with this knowledge now.


    Wednesday, June 7, 2017 9:44 AM
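As an added example that is not part of the thread, the corrected (quoted-key) write from Mark's reply wrapped in a script that also reads the attribute back, so a scheduled task gets an explicit failure instead of the silent no-op described above. It assumes the ActiveDirectory module is installed, that the task runs as SYSTEM so the computer account is the principal, and that `$env:COMPUTERNAME` names the laptop's own AD object; the value written is constructed dummy data.

```powershell
# Added example, not code from the thread: set msTPM-OwnerInformation on this
# computer's own AD object and verify the write by reading it back.
Import-Module ActiveDirectory

# The attribute name contains a hyphen, so it is held in a variable and used as
# a quoted hashtable key rather than a bare word.
$attribute = 'msTPM-OwnerInformation'
$value     = 'abc123'   # constructed dummy value, as in the thread

# Assumption: the local machine name resolves to its own computer account.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties $attribute

# -Replace overwrites whatever is there; -Add appends, which only makes sense
# for a multi-valued attribute.
Set-ADComputer -Identity $computer -Replace @{ $attribute = $value }

# Read back from AD instead of trusting the absence of an error, since the
# unquoted form in the thread failed without reporting anything.
$after = Get-ADComputer -Identity $computer -Properties $attribute
if ($after.$attribute -ne $value) {
    throw "Write of $attribute did not take effect (value now: '$($after.$attribute)')"
}
Write-Output "$attribute on $($after.DistinguishedName) is now '$($after.$attribute)'"
```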
  • Hi,

    I am glad you have figured out the issue by yourself and thanks for updating. Please remember to mark the reply.

    Best regards



    Friday, June 9, 2017 9:43 AM
    Moderator