Turn on TPM Backup to Active Directory Domain Services

    Question

  • Has the "Turn on TPM Backup to Active Directory Domain Services" been removed from the latest Administrative Templates for Windows 10 and Windows Server 2016 (released 8/5/2016)?

    Is this no longer an available option for the latest builds?

    thanks

    Thursday, August 11, 2016 2:51 AM

Answers

  • I can't believe there has been no response to this in the last week, we've had to put our Windows 10 corporate roll out on hold because of this "change"

    I'm hoping it will be addressed soon but agree with Michael that it will be more than just a KB patch

    I'm equally frustrated.

    I see the following guide has been updated to show it doesn't support 1607, with no alternative solution provided.

    I have logged a support call with Microsoft to progress this issue. I will update this thread with the results.

    Well this is disappointing...

    After speaking with Microsoft I can now confirm the TPM backup to Active Directory functionality has been removed in Windows 10 Redstone 1 (1607). This is why the GPO is missing in the latest Windows 10 ADMX.

    This functionality has been moved to MBAM which is part of the MDOP.  Access to these products is available with software assurance.

    https://technet.microsoft.com/en-us/windows/hh826072.aspx

    • Proposed as answer by JBeaven Wednesday, September 7, 2016 8:00 AM
    • Marked as answer by Jay Gu (Moderator) Wednesday, September 14, 2016 2:03 AM
    Wednesday, September 7, 2016 7:58 AM

All replies

  • Hi Martin,
    Thanks for your post.
    I have tested to install Anniversary Updates for Windows 10. And I do not see the setting.

    Best Regards,
    Jay



    Thursday, August 11, 2016 8:13 AM
    Moderator
  • I have found the "Turn on TPM Backup to Active Directory Domain Services" is no longer in the current TPM.ADMX file.

    If I update my central store by copying the current ADMX and ADML files from the "Windows 10 and Windows Server 2016 ADMX.msi", I can no longer see "Turn on TPM Backup to Active Directory Domain Services", and have verified that it is missing from the TPM.ADMX file.

    Is there an issue with the most recent release of Windows 10 and backing up TPM information to AD?

    If I don't update the ADMX files, I can configure the GPO to backup TPM, but I'm having mixed results with the latest release and or patched Windows 10 deployments.


    Friday, August 12, 2016 1:56 PM
  • Thank you for the confirmation that you are also finding the option missing.

    I found that if I do not update the central store with the newest templates and configure "Turn on TPM Backup to Active Directory Domain Services" as enabled, the Windows 10 clients updated with the anniversary update will just ignore the option and not backup the TPM owner information.

    But how important is this information if TPM is only being used for BitLocker?

    Saturday, August 13, 2016 4:35 PM
  • I can confirm your findings that if you do not update the Central Store, the backup TPM to AD settings are ignored on the Windows 10 Anniversary installation. The local TPM.ADMX file is simply missing the definition for "Turn on TPM Backup to Active Directory Domain Services".

    I can further confirm that if I update a pre-Anniversary Windows 10 installation with the current MS patches and updates, I can no longer back up TPM to AD. The TPM backup will fail with Access denied error codes in the event log, and fail to initialize the TPM module for use.

    At this point, I'm stuck not backing up TPM information to AD, making recovery options a bit harder....


    Oh, and I believe TPM is also integrated with fingerprint scanners, but don't take my word 100%.

    Monday, August 15, 2016 6:56 PM
  • On 13.08.2016 Martin Beall wrote:
    Hi Martin,

    I found that if I do not update the central store with the newest templates and configure "Turn on TPM Backup to Active Directory Domain Services" as enabled, the Windows 10 clients updated with the anniversary update will just ignore the option and not backup the TPM owner information.

    Thats what I found too. I posted the information of this thread to a probably related thread here:
    https://social.technet.microsoft.com/Forums/windows/en-US/d6530d19-6ca6-4697-bf81-6d7c08492bdb/windows-10-14393-1607-enterprise-issues-with-tpm?forum=win10itprogeneral#9422a326-b653-4b24-96c2-6fab882ed65f

    Maybe someone will shed some light on the issue.

    But how important is this information if TPM is only being used for BitLocker?

    If you find an answer to that, I'd be interested as well. :)

    Regards
    Norbert



    Wednesday, August 24, 2016 9:17 AM
  • I'm also experiencing this issue.

    I've tested several laptops over several days now and I have run out of options. It's driving me crazy.

    Is there an official response from Microsoft?

    For us it's a show stopper, as I can't roll out any Windows 10 1607 laptops until this has been resolved! :-(



    • Edited by JBeaven Thursday, August 25, 2016 8:10 AM typo
    Wednesday, August 24, 2016 3:45 PM
  • Check if this Powershell Script can do the Job:

    # Pick the first BitLocker volume that has a numerical recovery password protector
    $drive = Get-BitLockerVolume | Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } } | Select-Object -First 1
    $key = $drive | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1

    # Escrow that protector to the computer object in AD DS
    Backup-BitLockerKeyProtector -MountPoint $drive.MountPoint -KeyProtectorId $key.KeyProtectorId

    # Note: this echoes the recovery password in clear text to the console
    Write-Host "Backing up drive $($drive.MountPoint), key $($key.KeyProtectorId), password $($key.RecoveryPassword)"

    Wednesday, August 24, 2016 4:39 PM
  • Check if this Powershell Script can do the Job:

    # Pick the first BitLocker volume that has a numerical recovery password protector
    $drive = Get-BitLockerVolume | Where-Object { $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } } | Select-Object -First 1
    $key = $drive | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1

    # Escrow that protector to the computer object in AD DS
    Backup-BitLockerKeyProtector -MountPoint $drive.MountPoint -KeyProtectorId $key.KeyProtectorId

    # Note: this echoes the recovery password in clear text to the console
    Write-Host "Backing up drive $($drive.MountPoint), key $($key.KeyProtectorId), password $($key.RecoveryPassword)"

    Your script is for backing up the BitLocker Recovery Key.  There is no issue with this!

    The issue is the TPM is not backing up to Active Directory.

    I don't see why your post was marked as the answer by Jay Gu? It's not an answer.

    Thursday, August 25, 2016 9:40 AM
  • As stated above, this is a total showstopper for new deployments of Anniversary Update laptops with BitLocker enabled where the TPM owner auth info needs to be automatically backed up to a central location.

    Also puzzling is why the still-existent policy setting "Configure the level of TPM owner authorization information available to the operating system" is still full of references to Backup to AD DS being the recommended method, delegated access, etc.

    Someone from Microsoft needs to explain why this change was made. If it was intentional, we need an alternate method for achieving the same goal of easily, securely backing up the auth info. If this was an oversight, a fix needs to be pushed out asap! (though I imagine such a fix will need to involve updated Win10-1607/Server 2016 admx files AND an OS patch, because just replacing TPM.admx file on client and server with the Version 1511 one does not alone do it...)

    Friday, August 26, 2016 1:33 PM
  • I can't believe there has been no response to this in the last week, we've had to put our Windows 10 corporate roll out on hold because of this "change"

    I'm hoping it will be addressed soon but agree with Michael that it will be more than just a KB patch

    Friday, September 2, 2016 2:22 PM
  • I can't believe there has been no response to this in the last week, we've had to put our Windows 10 corporate roll out on hold because of this "change"

    I'm hoping it will be addressed soon but agree with Michael that it will be more than just a KB patch

    I'm equally frustrated.

    I see the followng guide has been updated to show it doesnt support 1607, with no alternative solution provided.

    I have logged a support call with Microsoft to progress this issue. I will update this thread with the results.

    Friday, September 2, 2016 2:37 PM
  • Have you guys read this "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password"

    Quote : 

    "Starting with Windows 10, version 1607 , Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.

    In order to retain the TPM owner password, you will need to set the registry key 'HKLM\Software\Policies\Microsoft\TPM' [REG_DWORD] 'OSManagedAuthLevel' to 4. The default value for this key is 2"

    Then what if you also manually set both
    'HKLM\Software\Policies\Microsoft\TPM' [REG_DWORD] 'ActiveDirectoryBackup' 1
    'HKLM\Software\Policies\Microsoft\TPM' [REG_DWORD] 'RequireActiveDirectoryBackup' 1

    Don't have Windows 10 1607 in our environment yet so can't test.


    • Edited by naimco Monday, September 19, 2016 4:00 PM fixed quote
    Monday, September 19, 2016 3:59 PM
  • I have checked a 1607 key which had a GPO applied to save the TPM password to AD. After updating ADMX files to 1607 the option is gone in RSOP but the registry keys above are present. That is the good news. Bad news is the OS appears to ignore it and does NOT store the password in AD.
    Wednesday, January 4, 2017 12:25 PM
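    The registry values and build-dependent behaviour quoted in the two posts above can be turned into a check that runs on a client. The script below is an added example for this thread, not Microsoft's or any poster's code. It assumes that build 14393 is Windows 10 1607 (as read from Win32_OperatingSystem BuildNumber), that the policy key is HKLM\SOFTWARE\Policies\Microsoft\TPM with the value names quoted above, and that Get-Tpm from the TrustedPlatformModule module exposes OwnerAuth, LockedOut and LockoutCount. The pure function is separated from the live wrapper so the logic can be exercised with constructed input.

```powershell
# Added example, not from the thread: classify a client's TPM owner-auth policy state.
# Assumptions: build 14393 = Windows 10 1607; policy key HKLM\SOFTWARE\Policies\Microsoft\TPM;
# Get-Tpm (TrustedPlatformModule module) exposes OwnerAuth and LockedOut.

function Test-TpmOwnerAuthPolicy {
    param(
        [Parameter(Mandatory)] [int] $BuildNumber,
        [int]    $ActiveDirectoryBackup        = 0,
        [int]    $RequireActiveDirectoryBackup = 0,
        [int]    $OSManagedAuthLevel           = 2,      # documented default
        [string] $OwnerAuth                    = '',     # empty when the OS did not retain it
        [bool]   $LockedOut                    = $false
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $is1607OrLater     = $BuildNumber -ge 14393
    $ownerAuthRetained = -not [string]::IsNullOrEmpty($OwnerAuth)

    if ($is1607OrLater) {
        if ($ActiveDirectoryBackup -eq 1 -or $RequireActiveDirectoryBackup -eq 1) {
            $findings.Add('ActiveDirectoryBackup/RequireActiveDirectoryBackup are set but ignored on 1607 and later; msTPM-OwnerInformation will not be written.')
        }
        if ($OSManagedAuthLevel -ne 4) {
            $findings.Add("OSManagedAuthLevel=$OSManagedAuthLevel: the owner password is set to a random value and discarded at provisioning; set it to 4 before the TPM is provisioned to retain it.")
        }
        elseif (-not $ownerAuthRetained) {
            $findings.Add('OSManagedAuthLevel=4 but Get-Tpm reports no OwnerAuth: the TPM was provisioned before the policy applied, so the value was never kept.')
        }
    }
    elseif ($ActiveDirectoryBackup -ne 1) {
        $findings.Add('Pre-1607 build without ActiveDirectoryBackup=1: owner information is not backed up to AD DS.')
    }

    if ($LockedOut -and -not $ownerAuthRetained) {
        # Unblock-Tpm needs the owner authorization value; without it the lockout can only
        # be waited out (LockoutHealTime) or the TPM cleared.
        $findings.Add('TPM is locked out and no owner authorization is available locally or in AD; Unblock-Tpm cannot be used.')
    }

    [pscustomobject]@{
        BuildNumber              = $BuildNumber
        Is1607OrLater            = $is1607OrLater
        OwnerAuthRetainedLocally = $ownerAuthRetained
        AdBackupExpected         = (-not $is1607OrLater) -and ($ActiveDirectoryBackup -eq 1)
        Findings                 = $findings.ToArray()
    }
}

function Get-TpmOwnerAuthPolicyState {
    # Live wrapper: reads the policy key and TPM state of the local machine.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' -ErrorAction SilentlyContinue
    $build  = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $tpm    = Get-Tpm

    # Missing value means the documented default of 2
    $level = if ($null -ne $policy -and $null -ne $policy.OSManagedAuthLevel) { [int]$policy.OSManagedAuthLevel } else { 2 }

    Test-TpmOwnerAuthPolicy -BuildNumber $build `
        -ActiveDirectoryBackup        ([int]$policy.ActiveDirectoryBackup) `
        -RequireActiveDirectoryBackup ([int]$policy.RequireActiveDirectoryBackup) `
        -OSManagedAuthLevel           $level `
        -OwnerAuth                    ([string]$tpm.OwnerAuth) `
        -LockedOut                    ([bool]$tpm.LockedOut)
}

# Constructed input matching what the thread reports: a 1607 client that still carries the
# two values from the old GPO and the default auth level. This yields two findings.
Test-TpmOwnerAuthPolicy -BuildNumber 14393 -ActiveDirectoryBackup 1 -RequireActiveDirectoryBackup 1 |
    Format-List
```

    Run Get-TpmOwnerAuthPolicyState in an elevated session on a test client; a 1607 machine that was provisioned with the default OSManagedAuthLevel will report OwnerAuthRetainedLocally as False and AdBackupExpected as False, which is the state the replies above describe.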
  • We still have the same problem. After research I found this new TechNet blog article: https://blogs.technet.microsoft.com/dubaisec/2017/02/28/tpm-owner-password/

    I still cannot understand Microsoft's decision to remove the backup functionality.

    Monday, March 6, 2017 1:49 PM
  • What the heck?!?! I didn't even realize this was a problem until I started doing my GPO audit to move the workstation policies over into the new 2016 domain environment... to my dismay the setting indeed was not possible to be located. I figured I could open RSAT with an older version of Windows (let's say Windows 7) and configure the GPO setting that way, but reading further into this very post, others state the OS doesn't actually apply/use the registry settings the GPO sets on client machines.

    Where the heck is the backwards compat on this?!?! If I set it up the old way (Even if MS decides to implement a new service to handle it) the old way should still freaking work!!!!

    Has anyone seen what this does to older Windows 10 systems that this was working initially? I can't believe the list of stuff MS really screwed with in the 1607 release. It's a sysadmin nightmare release!

    Wednesday, May 17, 2017 6:26 PM
  • I wanted to report back here. While going through some of my users that I had upgraded to Windows 10 Ent 1703, I was surprised that a couple of systems didn't have their existing BitLocker keys saved to AD (they were originally encrypted under Windows 7).

    However, removing BitLocker (Complete Disc decrypt) and then re-enabling BitLocker did in fact manage to save the recovery Keys to the computer Object within AD. 

    Did MS fix this? cause it seems to be working for me at least on systems I manually upgraded to Windows 10 after doing a re-encryption of the drive. Can anyone else report similar results?

    Tuesday, August 29, 2017 7:04 PM
  • Not 100% sure what impact this has. You can still store the Recovery Password to AD DS, with one of the three GPOs like:

    Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Choose how BitLocker-protected fixed drives can be recovered

    There you find the setting:

    "Configure storage of BitLocker recovery information to AD DS"

    This is normally the Recovery Password you use when asked. Maybe somebody has a good comment on this?


    Boudewijn Plomp | Conclusion FIT


    Monday, October 30, 2017 8:28 AM
  • This is the BitLocker Recovery Key. The main point is the recovery for the TPM itself. In most cases it is not needed, but in some enterprise scenarios unlocking devices and locked-out TPM chips is also needed. For that reason MBAM is available.
    Monday, October 30, 2017 12:39 PM
  • The real main point is to have the key that the HDD is encrypted with via the TPM. So if the computer itself is dead (bad mobo, screen or otherwise) you can plug that person's HDD into another computer and unlock the hard drive to recover that user's data.

    Wednesday, December 20, 2017 8:26 PM
  • Has there been any update to this? I've spent quite a bit of time trying to figure out why my BitLocker recovery passwords are successfully being written to AD, but NOT the msTPM-OwnerInformation attribute.....

    I've only had to use the tpm recovery once or twice (vs. semi-frequently with the bitlocker recovery keys), but when you need - YOU NEED IT.

    The fact that this functionality appears to have been removed by MS is concerning.

    Did anyone try this?

    "In order to retain the TPM owner password, you will need to set the registry key 'HKLM\Software\Policies\Microsoft\TPM' [REG_DWORD] 'OSManagedAuthLevel' to 4. The default value for this key is 2"

    I have the other 2 registry entries already set, and my Windows 7 clients haven't had any problems writing recovery info to AD.  Windows 10 clients seem to do what they want regardless of the GPO's applied.


    Tim Magnuson | MCTS, MCITP | MCCA 2011 |
    Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat.
    My Blog Site: http://tmagnuson.wordpress.com

    Tuesday, January 9, 2018 8:16 PM
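    The split described in the post above (recovery passwords escrowed, msTPM-OwnerInformation empty) is easiest to confirm from the directory side. The script below is an added example for this thread, not Microsoft's or any poster's code. It requires the ActiveDirectory RSAT module and read access to the computer objects, and assumes that operatingSystemVersion has the form "10.0 (14393)", that owner information lives either in msTPM-OwnerInformation or behind the msTPM-TpmInformationForComputer link of the Windows Server 2012 schema, and that BitLocker recovery passwords are msFVE-RecoveryInformation child objects of the computer. The whole-domain search base and the Windows 10 filter are assumptions you can override.

```powershell
# Added example, not from the thread: report TPM owner information and BitLocker recovery
# password escrow per computer object. Requires the ActiveDirectory module.
# Assumptions: operatingSystemVersion looks like "10.0 (14393)"; owner info is in
# msTPM-OwnerInformation or linked via msTPM-TpmInformationForComputer; recovery passwords
# are msFVE-RecoveryInformation child objects of the computer object.

function Get-TpmAndBitLockerEscrowReport {
    param(
        [string] $SearchBase,                                          # default: whole domain
        [string] $Filter = 'OperatingSystem -like "Windows 10*"'       # assumption
    )

    Import-Module ActiveDirectory -ErrorAction Stop
    if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

    $props = 'OperatingSystemVersion', 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer'

    Get-ADComputer -Filter $Filter -SearchBase $SearchBase -Properties $props |
    ForEach-Object {
        $computer = $_

        # One child object per escrowed recovery password protector
        $recovery = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties whenCreated)

        # Extract the build number from "10.0 (14393)"
        $build = $null
        if ($computer.OperatingSystemVersion -match '\((\d+)\)') { $build = [int]$Matches[1] }

        $ownerInfo = -not [string]::IsNullOrEmpty($computer.'msTPM-OwnerInformation') -or
                     -not [string]::IsNullOrEmpty($computer.'msTPM-TpmInformationForComputer')

        [pscustomobject]@{
            Name                  = $computer.Name
            Build                 = $build
            Is1607OrLater         = ($null -ne $build -and $build -ge 14393)
            TpmOwnerInfoInAD      = $ownerInfo
            RecoveryPasswordCount = $recovery.Count
            NewestRecoveryObject  = ($recovery | Sort-Object whenCreated -Descending | Select-Object -First 1).whenCreated
        }
    }
}

# Example run: machines on 1607 or later with recovery passwords escrowed but no TPM owner
# information, which is the expected state after the change discussed in this thread.
Get-TpmAndBitLockerEscrowReport |
    Where-Object { $_.Is1607OrLater -and $_.RecoveryPasswordCount -gt 0 -and -not $_.TpmOwnerInfoInAD } |
    Format-Table -AutoSize
```

    Pre-1607 machines that show up in the same filter with TpmOwnerInfoInAD False are the ones still worth chasing, since on those builds the old GPO is honoured and an empty attribute points at a client-side or delegation problem rather than the removed feature.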
  • Tim, can you elaborate? When did you need the TPM recovery? In theory, as long as you can recover the HDD contents you can simply decrypt it, reset the TPM (if it's a hardware-related issue) and re-encrypt with a new TPM code.

    Friday, January 12, 2018 6:10 AM
  • I had a failing hdd that would not accept the recovery password and the tpm went into lockout mode.  As I said it's pretty rare, but it has saved my bacon before.

    Although re-reading this sheds some light on the behavior I'm seeing. (thank you soch234)

    https://blogs.technet.microsoft.com/dubaisec/2017/02/28/tpm-owner-password/

    specifically -

    "For Windows 10 1607 and above:

    TPM Owner Password is not stored in the AD at all. Even though you can configure GPO on previous operating system (Windows 8/Windows Server 2012 R2) “Turn on TPM backup to Active Directory Domain Services” or registry keys directly on the client machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM\ActiveDirectoryBackup = 1

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM RequireActiveDirectoryBackup = 1

    Windows 10 1607 will ignore these values.


    Another thing which is worth to mention that GPO

    Computer Configuration\Administrative Templates\System\Trusted Platform Module Services\Turn on TPM backup to Active Directory Domain Services

    has been removed from ADMX templates in Windows 10 1607 and Windows Server 2016. Thus most of information provided in this article is for pre Windows 10 1607 editions."



    Tim Magnuson | MCTS, MCITP | MCCA 2011 |


    • Edited by Tim Magnuson Wednesday, January 17, 2018 2:02 AM
    Wednesday, January 17, 2018 1:56 AM
  • That is correct.

    I still don't get how having the TPM password helps you, when the HDD (That's failing...) won't accept the password... The TPM would use the same password to make the drive usable to the OS...

    If the drive's shot...? The drive's shot?

    The only time it would be helpful is if you are making Hardware changes to an existing system and didn't want to reset the TPM, which would require you to re-encrypt the HDD with new BitLocker keys.


    • Edited by Zewwy Thursday, February 1, 2018 9:40 PM
    Thursday, February 1, 2018 9:39 PM
  • right, so I put the failing drive in another system because bitlocker would not accept the correct password nor the recovery password stored in AD.

    so my drive seeing a new system would require the tpm owner key in order to unlock


    Tim Magnuson | MCTS, MCITP | MCCA 2011 |

    Sunday, February 4, 2018 8:16 PM
  • Sorry for my ignorance. I'm still confused. 

    If the drive's shot, the drive's shot. The only thing is you wouldn't be able to run file recovery via apps like, let's say, PhotoRec (TestDisk) from Linux, which normally bypasses a corrupt allocation table and digs for files directly on the disc; this would fail since the disc's contents are encrypted.

    I still don't get what you mean by unlock the drive? You use the BitLocker key to gain access to the data on the drive. If the TPM key is lost, and the drive itself isn't actually shot, just the allocation table is, you can simply re-initialize the disc as a new drive (DiskPart - Select Disk - Clean).

    If you need to make hardware changes, re-initialize a new TPM key for the configuration to be saved as and set up BitLocker anew on a new drive or the newly re-initialized drive.

    Maybe you can elaborate on exactly what you'd do with a shot drive and the TPM password?

    Thursday, February 8, 2018 9:26 PM
  • Well, here Microsoft says that Turn on TPM Backup to Active Directory Domain Services is not available anymore in Server 2016 or Windows 10 1607 and later:

    https://blogs.technet.microsoft.com/dubaisec/2017/02/28/tpm-owner-password/

    "Remember: starting from Windows 10 1607 we dropped export of TPM Owner password to AD. This (change) is because TPM Owner Password could be retrieved from the registry in some scenarios and be used in offline attacks against TPM anti-hammering. Additionally, most lockouts of TPM come from Bitlocker thus you don’t even have access to tpm.msc to unlock your TPM. When TPM is completely locked by Bitlocker, you are stuck in preboot phase of Windows. So the workflow was not very convenient for both users and helpdesk people."

    Tuesday, February 13, 2018 10:46 AM