Turn on TPM Backup to Active Directory Domain Services

    Question

  • Has the "Turn on TPM Backup to Active Directory Domain Services" been removed from the latest Administrative Templates for Windows 10 and Windows Server 2016 (released 8/5/2016)?

    Is this no longer an available option for the latest builds?

    Thanks.

    Thursday, August 11, 2016 2:51 AM

Answers

  • I can't believe there has been no response to this in the last week, we've had to put our Windows 10 corporate roll out on hold because of this "change"

    I'm hoping it will be addressed soon but agree with Michael that it will be more than just a KB patch

    I'm equally frustrated.

    I see the following guide has been updated to show it doesn't support 1607, with no alternative solution provided.

    I have logged a support call with Microsoft to progress this issue. I will update this thread with the results.

    Well this is disappointing...

    After speaking with Microsoft I can now confirm the TPM backup to Active Directory functionality has been removed in Windows 10 Redstone 1 (1607).  This is why the GPO is missing in the latest Windows 10 ADMX.

    This functionality has been moved to MBAM which is part of the MDOP.  Access to these products is available with software assurance.

    https://technet.microsoft.com/en-us/windows/hh826072.aspx

    • Proposed as answer by JBeaven Wednesday, September 07, 2016 8:00 AM
    • Marked as answer by Jay Gu (Moderator) Wednesday, September 14, 2016 2:03 AM
    Wednesday, September 07, 2016 7:58 AM

All replies

  • Hi Martin,
    Thanks for your post.
    I have tested to install Anniversary Updates for Windows 10. And I do not see the setting.

    Best Regards,
    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, August 11, 2016 8:13 AM
    Moderator
  • I have found the "Turn on TPM Backup to Active Directory Domain Services" is no longer in the current TPM.ADMX file.

    If I update my central store by copying the current ADMX and ADML files from the "Windows 10 and Windows Server 2016 ADMX.msi", I can no longer see "Turn on TPM Backup to Active Directory Domain Services", and have verified that it is missing from the TPM.ADMX file.

    Is there an issue with the most recent release of Windows 10 and backing up TPM information to AD?

    If I don't update the ADMX files, I can configure the GPO to back up TPM, but I'm having mixed results with the latest release and/or patched Windows 10 deployments.


    Friday, August 12, 2016 1:56 PM
  • Thank you for the confirmation that you are also finding the option missing.

    I found that if I do not update the central store with the newest templates and configure "Turn on TPM Backup to Active Directory Domain Services" as enabled, the Windows 10 clients updated with the Anniversary Update will just ignore the option and not back up the TPM owner information.

    But how important is this information if TPM is only being used for BitLocker?

    Saturday, August 13, 2016 4:35 PM
  • I can confirm your findings that if you do not update the Central Store, the backup TPM to AD settings are ignored on the Windows 10 Anniversary installation.  The local TPM.ADMX file is simply missing the definition for "Turn on TPM Backup to Active Directory Domain Services".

    I can further confirm that if I update a pre-Anniversary Windows 10 installation with the current MS patches and updates, I can no longer back up TPM to AD.  The TPM backup will fail with "Access denied" error codes in the event log, and fail to initialize the TPM module for use.

    At this point, I'm stuck not backing up TPM information to AD, making recovery options a bit harder....


    Oh, and I believe TPM is also integrated with fingerprint scanners, but don't take my word 100%.

    Monday, August 15, 2016 6:56 PM
  • On 13.08.2016 Martin Beall wrote:
    Hi Martin,

    I found that if I do not update the central store with the newest templates and configure "Turn on TPM Backup to Active Directory Domain Services" as enabled, the Windows 10 clients updated with the anniversary update will just ignore the option and not backup the TPM owner information.

    That's what I found too. I posted the information from this thread to a probably related thread here:
    https://social.technet.microsoft.com/Forums/windows/en-US/d6530d19-6ca6-4697-bf81-6d7c08492bdb/windows-10-14393-1607-enterprise-issues-with-tpm?forum=win10itprogeneral#9422a326-b653-4b24-96c2-6fab882ed65f

    Maybe someone will shed some light on the issue.

    But how important is this information if TPM is only being used for BitLocker?

    If you find an answer to that, I'd be interested as well. :)

    Regards
    Norbert


    Dilbert's words of wisdom #04:
    There are very few personal problems that cannot be solved by a suitable application of high explosives.
    nntp-bridge access to the MS forums is possible again: https://communitybridge.codeplex.com/

    Wednesday, August 24, 2016 9:17 AM
  • I'm also experiencing this issue.

    I've tested several laptops over several days now and I have run out of options.  It's driving me crazy.

    Is there an official response from Microsoft?

    For us it's a show stopper as I can't roll out any Windows 10 1607 laptops until this has been resolved! :-(



    • Edited by JBeaven Thursday, August 25, 2016 8:10 AM typo
    Wednesday, August 24, 2016 3:45 PM
  • Check if this Powershell Script can do the Job:

    # Find the first BitLocker volume that has a numerical recovery password protector
    $drive = Get-BitLockerVolume | ?{$_.KeyProtector | ?{$_.KeyProtectorType -eq 'RecoveryPassword'}} | select -f 1

    # Pick that volume's first RecoveryPassword protector
    $key = $drive | select -exp KeyProtector | ?{$_.KeyProtectorType -eq 'RecoveryPassword'} | select -f 1

    # Escrow that recovery password to the computer object in AD DS
    Backup-BitLockerKeyProtector $drive.MountPoint $key.KeyProtectorId

    # $drive on its own would print the object's type name, so use its MountPoint
    Write-Host "Backing up drive $($drive.MountPoint), key $($key.KeyProtectorId), password $($key.RecoveryPassword)"

    Wednesday, August 24, 2016 4:39 PM
  • Check if this Powershell Script can do the Job:

    $drive = Get-BitLockerVolume | ?{$_.KeyProtector | ?{$_.KeyProtectorType -eq 'RecoveryPassword'}} | select -f 1

    $key = $drive | select -exp KeyProtector | ?{$_.KeyProtectorType -eq 'RecoveryPassword'} | select -f 1

    Backup-BitLockerKeyProtector $drive.MountPoint $key.KeyProtectorId

    Write-Host "Backing up drive $drive, key $($key.KeyProtectorId), password $($key.RecoveryPassword)"

    Your script is for backing up the BitLocker Recovery Key.  There is no issue with this!

    The issue is the TPM is not backing up to Active Directory.

    I don't see why your post was marked as the answer by Jay Gu?  It's not an answer.

    Thursday, August 25, 2016 9:40 AM
  • As stated above, this is a total showstopper for new deployments of Anniversary Update laptops with BitLocker enabled where the TPM owner auth info needs to be automatically backed up to a central location.

    Also puzzling is why the still-existent policy setting "Configure the level of TPM owner authorization information available to the operating system" is still full of references to Backup to AD DS being the recommended method, delegated access, etc.

    Someone from Microsoft needs to explain why this change was made. If it was intentional, we need an alternate method for achieving the same goal of easily, securely backing up the auth info. If this was an oversight, a fix needs to be pushed out asap! (though I imagine such a fix will need to involve updated Win10-1607/Server 2016 admx files AND an OS patch, because just replacing TPM.admx file on client and server with the Version 1511 one does not alone do it...)

    Friday, August 26, 2016 1:33 PM
  • I can't believe there has been no response to this in the last week, we've had to put our Windows 10 corporate roll out on hold because of this "change"

    I'm hoping it will be addressed soon but agree with Michael that it will be more than just a KB patch

    Friday, September 02, 2016 2:22 PM
  • I can't believe there has been no response to this in the last week, we've had to put our Windows 10 corporate roll out on hold because of this "change"

    I'm hoping it will be addressed soon but agree with Michael that it will be more than just a KB patch

    I'm equally frustrated.

    I see the following guide has been updated to show it doesn't support 1607, with no alternative solution provided.

    I have logged a support call with Microsoft to progress this issue. I will update this thread with the results.

    Friday, September 02, 2016 2:37 PM
  • Have you guys read this: "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password"

    Quote : 

    "Starting with Windows 10, version 1607 , Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.

    In order to retain the TPM owner password, you will need to set the registry key 'HKLM\Software\Policies\Microsoft\TPM' [REG_DWORD] 'OSManagedAuthLevel' to 4. The default value for this key is 2"

    Then what if you also manually set both
    'HKLM\Software\Policies\Microsoft\TPM' [REG_DWORD] 'ActiveDirectoryBackup' 1
    'HKLM\Software\Policies\Microsoft\TPM' [REG_DWORD] 'RequireActiveDirectoryBackup' 1

    Don't have Windows 10 1607 in our environment yet so can't test.


    • Edited by naimco Monday, September 19, 2016 4:00 PM fixed quote
    Monday, September 19, 2016 3:59 PM
  • I have checked a 1607 key which had a GPO applied to save the TPM password to AD.  After updating ADMX files to 1607 the option is gone in RSOP but the registry keys above are present.  That is the good news.  Bad news is the OS appears to ignore it and does NOT store the password in AD.
    Wednesday, January 04, 2017 12:25 PM
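    The two posts above describe a manual check (policy values present in the registry, yet nothing stored in AD). The following PowerShell audit script makes that check repeatable on one client; it is an added example, not code from this thread or from Microsoft. It assumes an elevated session on a domain-joined client with the ActiveDirectory RSAT module, and that the policy definition in TPM.admx can be recognised by the 'ActiveDirectoryBackup' value name it writes; $AdmxPath and the report field names are my own.

```powershell
# Added example (not from the thread): audit one client for the three things the
# thread establishes: (1) whether the TPM.admx in use still defines the AD backup
# policy, (2) whether the policy registry values are present, and (3) whether the
# computer object in AD ever received TPM owner information.
# Assumptions: elevated session, domain-joined client, ActiveDirectory RSAT module.
# Point $AdmxPath at the central store copy to audit that instead of the local file.
param(
    [string]$AdmxPath = "$env:SystemRoot\PolicyDefinitions\TPM.admx"
)

$report = [ordered]@{}

# (1) The registry value name is a stable marker for the policy definition (assumption).
$report.AdmxDefinesBackup = [bool](Select-String -Path $AdmxPath -Pattern 'ActiveDirectoryBackup' -Quiet)

# (2) Policy registry values quoted in the thread; a missing key yields $null fields.
$tpmPolicy = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\TPM' -ErrorAction SilentlyContinue
$report.OSManagedAuthLevel           = $tpmPolicy.OSManagedAuthLevel
$report.ActiveDirectoryBackup        = $tpmPolicy.ActiveDirectoryBackup
$report.RequireActiveDirectoryBackup = $tpmPolicy.RequireActiveDirectoryBackup

# (3) What the OS itself reports. With the 1607 default (OSManagedAuthLevel 2, "Delegated")
#     OwnerAuth is empty because the full owner password was discarded at provisioning.
$tpm = Get-Tpm
$report.TpmOwned          = $tpm.TpmOwned
$report.ManagedAuthLevel  = $tpm.ManagedAuthLevel
$report.OwnerAuthRetained = -not [string]::IsNullOrEmpty($tpm.OwnerAuth)

# (4) Did anything reach AD? msTPM-OwnerInformation is the older attribute on the computer
#     object; msTPM-TpmInformationForComputer links to an msTPM-InformationObject on the
#     Server 2012+ schema. Either being populated means a backup succeeded at some point.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME `
    -Properties 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer'
$report.AdOwnerInformationPresent = -not [string]::IsNullOrEmpty($computer.'msTPM-OwnerInformation')
$report.AdTpmInfoObjectLinked     = -not [string]::IsNullOrEmpty($computer.'msTPM-TpmInformationForComputer')

# The thread's finding: policy values present (2) but nothing in AD (4) on a 1607 client.
if ($report.ActiveDirectoryBackup -eq 1 -and
    -not $report.AdOwnerInformationPresent -and -not $report.AdTpmInfoObjectLinked) {
    $report.Verdict = 'Policy configured, but no TPM owner information reached AD (matches the 1607 behaviour reported here)'
} else {
    $report.Verdict = 'See the fields above'
}

[pscustomobject]$report
```

    Run it once before and once after updating the central store to see which of the three checks changes; the Verdict line reproduces the "keys present, AD empty" outcome reported above.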
  • We still have the same problem. After some research I found this new TechNet blog article: https://blogs.technet.microsoft.com/dubaisec/2017/02/28/tpm-owner-password/

    I still cannot understand Microsoft's decision to remove the backup functionality.

    Monday, March 06, 2017 1:49 PM
  • What the heck?!?! I didn't even realize this was a problem until I started doing my GPO audit to move the workstation policies over into the new 2016 domain enviro... to my dismay the setting indeed was not possible to be located. I figured I could open RSAT with an older version of Windows (let's say Windows 7) and configure the GPO setting that way, but reading further into this very post, others state the OS doesn't actually apply/use the registry settings the GPO sets on client machines.

    Where the heck is the backwards compat on this?!?! If I set it up the old way (Even if MS decides to implement a new service to handle it) the old way should still freaking work!!!!

    Has anyone seen what this does to older Windows 10 systems that this was working initially? I can't believe the list of stuff MS really screwed with in the 1607 release. It's a sysadmin nightmare release!

    Wednesday, May 17, 2017 6:26 PM
  • I wanted to report back here. While going through some of my users that I had upgraded to Windows 10 Ent 1703, I was surprised that a couple of systems didn't have their existing BitLocker keys saved to AD (those were originally encrypted under Windows 7).

    However, removing BitLocker (Complete Disc decrypt) and then re-enabling BitLocker did in fact manage to save the recovery Keys to the computer Object within AD. 

    Did MS fix this? 'Cause it seems to be working for me, at least on systems I manually upgraded to Windows 10 after doing a re-encryption of the drive. Can anyone else report similar results?

    Tuesday, August 29, 2017 7:04 PM