New Surface Book with UEFI says TPM ready for use with reduced functionality

  • Question

  • Surface Book is domain joined, I checked UEFI settings and TPM is on. Bitlocker GPO applied ok, ran Bitlocker wizard ok, can see pw recovery in AD. No PIN required, selected use TPM to automatically unlock drive. On reboot after encryption (100% encrypted), it took a long time to reach the login screen. Then in Event Viewer, the last TPM-WMI event is 1026 "The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically. To set up the TPM interactively use the TPM management console and use the action to make TPM ready." The TPM mmc says Ready with reduced functionality. There is no "make ready"; there is "Prepare the TPM..." but when I click Prepare the TPM, the check says TPM is ready. The only KB I can find for reduced functionality is when the BIOS is MBR.

    This is a new Surface Book just purchased this month and with the November 1511 update. Did I miss something? Like, GPO not correct, or what?

    Thanks,

    Joan


    • Edited by jremmc Thursday, July 14, 2016 3:12 AM initial did not save properly and event message half entered.
    Wednesday, July 13, 2016 10:02 PM

Answers

  • Teemo,

    Final results: (long post but maybe help someone else)

    1. Cannot backup TPM info to AD, error is No such object on server. When the TPM GPO setting is enabled, TPM on Surface Book is Ready, with reduced functionality, and cannot change TPM Owner password. When the setting is Not Configured, TPM on Surface Book is Ready, and can change TPM Owner password. In contrast, BitLocker recovery information is written to AD with no issues.

    2. All AD settings have been verified, over and over and over again. Write Permissions match all the screenshots I see in the posts and articles of what they should be for msTPM-TPMOwnerInformation and (relevant to Windows 10) ms-TPM-TPMInformationforComputer. Permissions were set at the domain top-level in both root and child domains and spot checking various OUs show them intact, as inherited. There is a TPM Devices OU in the root domain and it has the write permissions. (There is no TPM Devices OU in the child domain, just the one in the root domain.) My Surface Book is in the child domain. Inheritance in AD is on and working. Replication to the other DCs is working and I can certainly see the permissions set when looking in ADUC on the other DCs (healthy paranoia). ADSIEdit shows the schema additions for TPM from TPMSchemaExtensions.ldf

    3. Tried the following: a. As previously noted, moved Surface Book out of the OU that has BitLocker GPO, ran gpupdate /force, moved Surface Book back into OU, ran gpupdate /force. b. (Today) Unjoined domain, renamed Surface Book, deleted old account from AD (first took screenshot of BitLocker Recovery Tab info and the underlying sub object, even though hard drive had been decrypted), rejoined domain, re-enabled TPM setting to back up to AD (had left it Not Configured after trying #a), moved Surface Book into OU that has Bitlocker GPO. Regardless, I end up with the #1 results. Reset TPM setting in GPO back to Not Configured, ran gpupdate /force, and Surface Book TPM again showed Ready in the tpm.msc. (Do not even need to reboot to see tpm.msc change from Ready, with reduced functionality to Ready; just need to run gpupdate /force.)

    4. Gave up on backing up TPM info to AD. So, bottom line status: TPM is Ready for use, drive is encrypted, Bitlocker recovery info is in AD and I can see it in Bitlocker Recovery tab in computer properties. Moving on after spending a week on this.

    5. Just fyi, had the following issues running the .ldf scripts to add the schema extensions and the .vbs scripts to write and verify ACL. At least one other person had same issues, because I found the solutions in forum posts. Didn't bookmark and can't locate those posts otherwise would give credit where credit due.

    a. The ldf scripts as posted on https://technet.microsoft.com/en-us/itpro/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup are missing the blank lines needed for ldifde (e.g. after the dashes "-"). The apparently* same scripts posted on https://technet.microsoft.com/en-us/library/jj635854(v=ws.11).aspx do have the blank lines and worked for me - I say apparently* because I do not see a difference in the scripts' text.

    b. The ACL .vbs scripts as posted on https://technet.microsoft.com/library/dd875529.aspx: As I interpreted it, the instruction for this line:

    strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

    was to replace "LDAP://" with "LDAP://DC=mydomain,dc=com" and leave the remaining portion & objRootLDAP.Get("defaultNamingContext") intact. In fact, I needed to remove the & objRootLDAP.Get("defaultNamingContext") entirely when using the whole domain string. So, what worked for the root domain was simply strPathToDomain = "LDAP://dc=mydomain,dc=com" and for the child domain was strPathToDomain = "LDAP://dc=child,dc=mydomain,dc=com"

    c. That said, the AddTPMSelfWriteACE.vbs script only adds the ACL for the msTPM-TPMOwnerInformation used by Windows 7, not the msTPM-TPMInformationForComputer which is used by Windows 8/8.1 and 10. Fortunately, I had already followed the section "Setting the correct permissions in AD DS" on https://technet.microsoft.com/en-us/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies, which includes setting permissions for both attributes. [Note: I initially set the permissions on only the OU with Bitlocker GPO as instructed in the section, but during troubleshooting I set permissions at top-level of both root and child domain. I removed the initially set OU-only permissions, as they duplicated the inherited ones. Regardless, permissions duplicated or not, TPM would not back up to AD.]

    Thanks, Joan

    Tuesday, July 19, 2016 6:05 PM
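    Two read-only checks for the failure modes in items 5a to 5c, as an added example that is not from the thread and is not Microsoft's Add-TPMSelfWriteACE.vbs or List-ACEs.vbs. The first flags an .ldf file whose change records run together without the blank line ldifde expects; the second reads a computer object's ACL and reports whether SELF holds an Allow WriteProperty ACE on each TPM attribute and whether that ACE is inherited from the domain or OU. It assumes the RSAT ActiveDirectory module (for the AD: drive) and read access to the computer object and the schema partition; the attribute names are the schema's lDAPDisplayName spellings, which differ in capitalisation from the thread's, and the computer name in the usage lines is a placeholder.

    ```powershell
    # Added example (not from the thread, not Microsoft's scripts): read-only
    # checks for the ldifde blank-line problem and for the SELF write ACE that
    # "Turn on TPM backup to AD DS" relies on.
    # Assumes: RSAT ActiveDirectory module; read access to the computer object's
    # ACL and to the schema naming context.
    Import-Module ActiveDirectory

    # Item 5a: ldifde ends each change record with a blank line. Flag any "-"
    # separator that is immediately followed by the next record's "dn:" line.
    function Test-LdifRecordSeparators {
        param([Parameter(Mandatory)][string]$Path)
        $lines = @(Get-Content -Path $Path)
        $bad = for ($i = 0; $i -lt $lines.Count - 1; $i++) {
            # report the 1-based line number of the "dn:" that needs a blank line before it
            if ($lines[$i].Trim() -eq '-' -and $lines[$i + 1] -match '^dn:') { $i + 2 }
        }
        [pscustomobject]@{
            File                   = $Path
            MissingBlankLineBefore = @($bad)
            Ok                     = (@($bad).Count -eq 0)
        }
    }

    # Look up an attribute's schemaIDGUID so attribute-scoped ACEs can be matched.
    # Throws when the attribute is absent, i.e. the TPM schema extension was never imported.
    function Get-SchemaAttributeGuid {
        param([Parameter(Mandatory)][string]$LdapDisplayName)
        $schemaNC = (Get-ADRootDSE).schemaNamingContext
        $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
        if (-not $attr) { throw "$LdapDisplayName is not in the schema; TPMSchemaExtension.ldf may not have been imported." }
        [guid]$attr.schemaIDGUID
    }

    # Items 5b/5c: does SELF hold an Allow WriteProperty ACE on each TPM attribute
    # of the computer object, and is that ACE inherited or set directly?
    function Test-TpmBackupAcl {
        param([Parameter(Mandatory)][string]$ComputerName)
        $computer = Get-ADComputer -Identity $ComputerName
        $acl      = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
        $self     = @('NT AUTHORITY\SELF', 'S-1-5-10')   # SELF by name or by well-known SID
        foreach ($name in 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer') {
            $guid = Get-SchemaAttributeGuid -LdapDisplayName $name
            $aces = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.ObjectType -eq $guid -and
                $_.IdentityReference.Value -in $self -and
                (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)
            })
            [pscustomobject]@{
                Computer     = $computer.Name
                Attribute    = $name
                SelfCanWrite = ($aces.Count -gt 0)
                Inherited    = if ($aces.Count -gt 0) { $aces[0].IsInherited } else { $null }
            }
        }
    }

    # Usage (file path and computer name are placeholders):
    # Test-LdifRecordSeparators -Path .\TPMSchemaExtension.ldf
    # Test-TpmBackupAcl -ComputerName 'SURFACEBOOK01' | Format-Table
    ```

    A row with SelfCanWrite false for msTPM-TpmInformationForComputer on a Windows 10 client is the condition item 5c describes; a true row that is not inherited means the permission came from an explicit entry on that object or its OU rather than from the domain head. Neither check proves the client can write (that still depends on the GPO and on the TPM Devices container in the target domain), but both are safe to run before clearing a TPM.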

All replies

  • Hi Joan,

    Have you checked this kb3123365? On the operating systems that are listed in the “Applies To” section, TPM 2.0 is supported in UEFI mode only.

    https://support.microsoft.com/en-us/kb/3123365

    From my survey, you can try clearing the TPM to see the result.

    Also, refer to this similar case for assistance.

    http://www.surfaceforums.net/threads/new-user-tpm-setup.10355/

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Regards


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Thursday, July 14, 2016 6:16 AM
    Moderator
  • Teemo,

    Ok, this is where I am at: I turned off Bitlocker and C:\ drive is decrypted. The TPM is cleared and says Not Ready in the tpm.msc. I'm not sure my AD configuration is correct, so I stopped at that point.

    We have an empty root domain (e.g. CORP) and a child domain (e.g. US) with all our users and computers and the forest is at 2008 R2 level. Before enabling Bitlocker, I had run the TPM schema extensions TPMSchemaExtension.ldf and TPMSchemaExtensionsACLChanges.ldf successfully on the root DC Schema Master, and the TPM Devices OU does exist in the root CORP domain. There is no TPM Devices OU in child US domain, however. Should there be a TPM Devices OU in the child as well as the root domain?

    I had also applied the write permission manually to the child OU where my computer is stored, per TechNet article on Windows 10 Bitlocker. I had not applied the Add-TPMSelfWriteAce.vbs from a different article on Windows 7. After turning off Bitlocker and before clearing TPM, I noticed there was no object for my computer in TPM Devices OU in the root. I then ran the Add-TPMSelfWriteAce.vbs script in both root CORP and child US. I then cleared TPM on my computer. I also ran the List-ACEs.vbs and it says 1 ACE found (in each domain).

    The GPO with Bitlocker and TPM settings has "Turn on TPM backup to AD DS" enabled. The other Trusted Platform Module Services section settings are set to Not Configured. The GPO is being applied to my computer, I can see in gpresult /h output.

    Before I initialize TPM on my computer by clicking Prepare the TPM, am I missing anything in AD and how can I verify that TPM can write to AD ok before I try to initialize?

    Thanks,

    Joan

    Thursday, July 14, 2016 5:31 PM
  • Teemo or anyone else who might be able to help, here's a further update. Still not working to back up to AD. AD has the msTPM-OwnerInformation and msTPM-TPMInformationForComputer attributes and the SELF for Computer Objects has write on both attributes from the top of domain down, in both the root and child domains. I cannot see what I am missing in AD. When I tried to "Prepare the TPM" I got error 0x80072030 no such object on server, then TPM Ready for use, with limited functionality. Nothing written to msTPM-TPMInformationForComputer and nothing in TPM Devices OU. On Surface Book, event 769 "TPM owner authorization configuration changed from 12 to 10".

    I then tried what worked for someone else: move computer out of OU with Bitlocker gpo to another OU, run gpupdate /force, move computer back into OU with Bitlocker gpo. That did nothing.

    I cleared TPM again, rebooted, and at BIOS message to Yes/No to clear, before saying Yes I went into GPO mmc and unlinked the gpo then removed the gpo from the OU it was applied. I then said Yes at BIOS. In Event Viewer I saw event 769 again but this time changed from 10 to 12. Then event 1282 TPM device identifier has been generated, followed by event 1025 The TPM was successfully provisioned and is now ready for use. Sure enough tpm.msc says The TPM is ready for use.

    Except TPM Ownership info is not backed up to AD and there is no Bitlocker gpo applied to the Surface Book. I could remove the TPM backup to AD setting and just apply Bitlocker only settings, but the idea is to get the TPM info into AD.

    Any ideas?

    Monday, July 18, 2016 7:12 PM
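    The update above ties the Ready / Ready-with-reduced-functionality flip to the GPO and to the TPM-WMI events 769, 1025, 1026 and 1282. The following is an added example, not from the thread, that gathers those three things on the client in one object so a policy change can be lined up against the event timeline. It assumes an elevated PowerShell session on the Windows 10 client with the TrustedPlatformModule module (Get-Tpm) available; the policy registry value it reads (ActiveDirectoryBackup under HKLM\SOFTWARE\Policies\Microsoft\TPM) is assumed to be what "Turn on TPM backup to AD DS" writes and is not something the thread states.

    ```powershell
    # Added example (not from the thread): local TPM provisioning state, the
    # assumed policy registry value for "Turn on TPM backup to AD DS", and the
    # TPM-WMI events the thread discusses, in one object.
    # Assumes: elevated session on the Windows 10 client; Get-Tpm available.
    function Get-TpmProvisioningSummary {
        param([int]$MaxEvents = 20)

        $tpm = Get-Tpm

        # Assumed location of the GPO-written value; $null means the policy is Not Configured.
        $policyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
        $backupPolicy = $null
        if (Test-Path $policyPath) {
            $backupPolicy = (Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue).ActiveDirectoryBackup
        }

        # 769  = owner authorization configuration changed (the 12 -> 10 / 10 -> 12 flips)
        # 1025 = TPM provisioned and ready; 1026 = cannot be provisioned automatically
        # 1282 = TPM device identifier generated
        $events = Get-WinEvent -FilterHashtable @{
                LogName      = 'System'
                ProviderName = 'Microsoft-Windows-TPM-WMI'
                Id           = 769, 1025, 1026, 1282
            } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Sort-Object TimeCreated |
            Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }

        [pscustomobject]@{
            TpmPresent        = $tpm.TpmPresent
            TpmReady          = $tpm.TpmReady
            TpmOwned          = $tpm.TpmOwned
            AutoProvisioning  = $tpm.AutoProvisioning
            ManagedAuthLevel  = $tpm.ManagedAuthLevel   # owner auth level Windows keeps for the TPM
            AdBackupPolicy    = $backupPolicy           # 1 = enabled, $null = not configured (assumed)
            RecentTpmEvents   = @($events)
        }
    }

    # Usage:
    # $s = Get-TpmProvisioningSummary
    # $s | Format-List TpmPresent, TpmReady, TpmOwned, AutoProvisioning, ManagedAuthLevel, AdBackupPolicy
    # $s.RecentTpmEvents | Format-Table -AutoSize
    ```

    Run it once before and once after gpupdate /force; the pairing of AdBackupPolicy with TpmReady and with the most recent 769 / 1025 / 1026 entry is the observation the thread makes by hand in tpm.msc and Event Viewer.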
  • Dear Joan,

    What you have done is reasonable; moving the computer out of the OU and clearing the TPM again is a good idea. I agree with you, this way can make the TPM ready for use.

    You can enable BitLocker now to test the result. For your concern, I think you can refer to this documentation for assistance:

    Backing Up BitLocker and TPM Recovery Information to AD DS

    https://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx

    Regards





    Tuesday, July 19, 2016 8:25 AM
    Moderator
  • Dear Joan,

    Thanks for your detailed description; the complete troubleshooting process is worth considering and consulting. You mentioned that you gave up backing up TPM information to AD. I think this is a key point, and it should be the most suitable choice for the current condition.

    I will introduce your experience and study result to other forum users and my colleagues.

    Sincere regards




    Wednesday, July 20, 2016 9:41 AM
    Moderator