none
MBAM 2.5 SP1 - Failed to escrow TPM owner-auth RRS feed

  • Question

  • We have integrated the MBAM 2.5 SP1 client deployment in our Windows 7 and Windows 8 deployment task sequences and start MBAM encryption with the Invoke-Mbam-ClientDeployment.ps1 script. Everything works except that the TPM owner information is not uploaded to the MBAM database. The error that we get is this:

    Failed to escrow TPM owner-auth to https://xxx.xxx.xxx/MBAMRecoveryAndHardwareService/CoreService.svc. HRESULT: 0x80040203 - MBAM cannot read the TPM owner authorization value. The value may have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others.

    When we clear the TPM before deployment it will work but we like to get it working without clearing TPM, is that possible somehow?

    Thursday, August 27, 2015 2:55 PM

Answers

  • Hi,

    please check the Release notes for 2.5 SP1:

    -snip-

    MBAM can escrow OwnerAuth passwords without owning the TPM

    Previously, if MBAM did not own the TPM, the TPM OwnerAuth could not be escrowed to the MBAM database. To configure MBAM to own the TPM and to store the passwords, you had to disable TPM auto-provisioning and clear the TPM on the client computer.

    In Windows 8 and higher, MBAM 2.5 SP1 can now escrow the OwnerAuth passwords without owning the TPM. During service startup, MBAM queries to see if the TPM is already owned and if so, it requests the passwords from the operating system. The passwords are then escrowed to the MBAM database. In addition, Group Policy must be set to prevent the OwnerAuth from being deleted locally.

    In Windows 7, MBAM must own the TPM to automatically escrow TPM OwnerAuth information in the MBAM database.

    -snip-

    /Oliver

    Friday, August 28, 2015 8:06 PM
  • Aderuwe we run the script during task sequence with the -IgnoreEscrowOwnerAuthFailure parameter so at least it will encrypt and continue.

    The TpmPasswordHash table in the MBAM database only gets filled when we clear TPM on both Windows 7 and 8 clients. For new out of the box machines where the TPM wasn't owned before it works without problems.

    Thursday, September 3, 2015 8:32 AM

All replies

  • Hi,

    please check the Release notes for 2.5 SP1:

    -snip-

    MBAM can escrow OwnerAuth passwords without owning the TPM

    Previously, if MBAM did not own the TPM, the TPM OwnerAuth could not be escrowed to the MBAM database. To configure MBAM to own the TPM and to store the passwords, you had to disable TPM auto-provisioning and clear the TPM on the client computer.

    In Windows 8 and higher, MBAM 2.5 SP1 can now escrow the OwnerAuth passwords without owning the TPM. During service startup, MBAM queries to see if the TPM is already owned and if so, it requests the passwords from the operating system. The passwords are then escrowed to the MBAM database. In addition, Group Policy must be set to prevent the OwnerAuth from being deleted locally.

    In Windows 7, MBAM must own the TPM to automatically escrow TPM OwnerAuth information in the MBAM database.

    -snip-

    /Oliver

    Friday, August 28, 2015 8:06 PM
  • Vincent-


    Did you ever figure out what the problem was?  I'm having the same exact issue with my SCCM task sequence.

    Wednesday, September 2, 2015 5:08 PM
  • Aderuwe we run the script during task sequence with the -IgnoreEscrowOwnerAuthFailure parameter so at least it will encrypt and continue.

    The TpmPasswordHash table in the MBAM database only gets filled when we clear TPM on both Windows 7 and 8 clients. For new out of the box machines where the TPM wasn't owned before it works without problems.

    Thursday, September 3, 2015 8:32 AM