TPM Recovery backup to AD - Access is denied

    Question

  • Hello,

    We have 2012 and 2008r2 DCs in our domain and we have extended the schema to support win 8 tpm backup. The ACLs are present and the permissions for self are set to write for the attributes mstpm-ownerinformation as well as mstpm-tpminformationforcomputer. Policy is set to backup the recovery information for bitlocker and TPM to AD.

    We have system with a fresh image and the computer name never used in AD. We have enabled the TPM in the BIOS but when the client enables bitlocker from within windows the process will fail at initializing TPM with access is denied.

    If we go to the TPM management console and attempt to initialize the TPM from there, we also get an error stating the TPM was not turned on due to an Active Directory backup failure.

    This is very frustrating when we have done the required prereqs, assigned correct perms for the computer (self), and it still fails.

    Thank you for any ideas as to where to go from here.

    Monday, October 17, 2016 7:19 PM

Answers

All replies

  • Hi,

    We have 2012 and 2008r2 DCs in our domain and we have extended the schema to support win 8 tpm backup. The ACLs are present and the permissions for self are set to write for the attributes mstpm-ownerinformation as well as mstpm-tpminformationforcomputer. Policy is set to backup the recovery information for bitlocker and TPM to AD.

    >>>How did you delegate write permission on the attributes msTPMownerinformation?

    The problem is most likely due to incorrect permissions for the SELF account in AD for the ms-TPMOwnerInformation attribute.

    Please refer to the article below to delegate write permission for SELF(NT AUTHORITY\SELF) on attribute.

    Access Denied Error 0x80070005 message when initializing TPM for Bitlocker

    https://blogs.technet.microsoft.com/askcore/2010/03/30/access-denied-error-0x80070005-message-when-initializing-tpm-for-bitlocker/

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 18, 2016 10:41 AM
    Moderator
  • Thank you for your reply, but as stated in my original thread, all objects have self write permissions for both attributes.

    The delegation was set at top level domain and set for all descendant computer objects and we verified it was set after the delegation was made.

    The odd thing is it is working for some machines but not others, and the machines are in the same OU and have the same ACLs.

    I am thinking that maybe they are reusing a computer name for which a TPM hash was already created in the TPM Devices container and not deleted before reusing the name, so they are getting access denied because the system is not able to overwrite the current one. The client is stating they are using names that have never been used before, but I am skeptical.

    So now I am trying to create a script that will get me the ACLs for all hashes in the TPM Devices container, since the computer that the hash was originally created for is listed on that hash's security tab.

    Wednesday, October 19, 2016 2:10 PM
  • Hi,

    So now I am trying to create a script that will get me the ACLs for all hashes in the TPM Devices container, since the computer that the hash was originally created for is listed on that hash's security tab.

    >>>To achieve your goal, you could use a PowerShell command.

    For more information about how to use PowerShell to get ACLs on computer objects, please refer to the article below.

    Use PowerShell to Explore Active Directory Security

    https://blogs.technet.microsoft.com/heyscriptingguy/2012/03/12/use-powershell-to-explore-active-directory-security/

    Best Regards,

    Jay



    Tuesday, October 25, 2016 3:37 AM
    Moderator
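The script the original poster describes (reading the ACL of every object in the TPM Devices container and seeing which computer each one is tied to), together with the SELF-permission check Jay's first reply points at, as one added PowerShell example. This is not code from the thread or from the linked articles. It assumes the RSAT ActiveDirectory module (for Get-ADRootDSE, Get-ADObject, Get-ADComputer and the AD: drive used by Get-Acl), that the TPM schema extension is applied so the attributes msTPM-OwnerInformation and msTPM-TpmInformationForComputer and the object class msTPM-InformationObject exist, and that the container is CN=TPM Devices directly under the domain root; the backlink attribute msTPM-TpmInformationForComputerBL on the TPM object is also assumed from that schema extension.

```powershell
# Added example, not from the thread: audit SELF write rights on the two TPM
# attributes for every computer object, and list the TPM objects in the
# TPM Devices container with the computer each one is linked to.
# Assumes the RSAT ActiveDirectory module and the Windows 8 TPM schema extension.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$schemaDn = $rootDse.schemaNamingContext

# Resolve each attribute's schemaIDGUID by lDAPDisplayName so ACEs can be matched
# on ObjectType without hard-coding GUIDs (names as used in the thread).
$attrGuids = @{}
foreach ($name in 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer') {
    $attr = Get-ADObject -SearchBase $schemaDn -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if (-not $attr) { throw "Schema attribute $name not found; is the TPM schema extension applied?" }
    $attrGuids[$name] = [guid]$attr.schemaIDGUID
}

function Test-TpmSelfWrite {
    # For each computer object, report whether NT AUTHORITY\SELF is allowed
    # WriteProperty on each TPM attribute (by attribute GUID or by an
    # all-properties ACE) and is not explicitly denied it.
    # Caveat: an ACE granting write through a property set GUID is not matched here.
    param([string]$SearchBase = $domainDn)

    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        $row = [ordered]@{ Computer = $_.Name }
        foreach ($name in $attrGuids.Keys) {
            $guid = $attrGuids[$name]
            $aces = @($acl.Access | Where-Object {
                $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and
                ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
                ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty)
            })
            $allowed = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' }).Count -gt 0
            $denied  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' }).Count -gt 0
            $row[$name] = $allowed -and -not $denied
        }
        [pscustomobject]$row
    }
}

function Get-TpmDeviceOwners {
    # List every TPM information object under CN=TPM Devices, the computer it is
    # linked back to, and the explicit (non-inherited) identities on its ACL.
    # A TPM object still linked to a computer of the same name explains why a
    # rebuilt machine with a reused name cannot write a fresh one.
    $tpmContainer = "CN=TPM Devices,$domainDn"

    Get-ADObject -SearchBase $tpmContainer -LDAPFilter '(objectClass=msTPM-InformationObject)' `
                 -Properties 'msTPM-TpmInformationForComputerBL', whenCreated |
    ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        [pscustomobject]@{
            TpmObject      = $_.Name
            Created        = $_.whenCreated
            LinkedComputer = $_.'msTPM-TpmInformationForComputerBL'
            ExplicitAces   = (($acl.Access | Where-Object { -not $_.IsInherited } |
                               Select-Object -ExpandProperty IdentityReference -Unique) -join '; ')
        }
    }
}

# Usage: computers where SELF lacks effective write on either TPM attribute,
# then the TPM objects that already exist with their linked computers.
Test-TpmSelfWrite |
    Where-Object { -not ($_.'msTPM-OwnerInformation' -and $_.'msTPM-TpmInformationForComputer') } |
    Format-Table -AutoSize
Get-TpmDeviceOwners | Format-Table -AutoSize
```

Running Test-TpmSelfWrite confirms or rules out the permission explanation per machine rather than for the OU as a whole, and Get-TpmDeviceOwners shows directly whether a TPM object already exists whose backlink points at a computer with the same name as the one failing, which is the reuse scenario the poster suspects.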