Windows 8 Ent TPM Activation to AD DS

  • Question

  • Existing BitLocker deployment on Windows 7 Enterprise laptops is working fine.  msTPM-OwnerInformation attribute and the BitLocker volume recovery child objects are visible using ADSIEdit for Windows 7 laptops.  The BitLocker deployment was configured according to this classic TechNet article:

    http://technet.microsoft.com/en-us/library/dd875529%28WS.10%29.aspx

    All working great under Windows 7 laptops.  Began testing Windows 8 Enterprise RTM about a week ago.  Looking to test BitLocker but first have to deal with the TPM.

    In Windows 8 "Prepare the TPM" through TPM.msc asks for a Restart per usual, the TPM text UI shows up immediately after post (a Dell Latitude E6430 running latest A03 BIOS) asking to confirm.  Press F10 to confirm and the machine reboots again and Windows boots successfully.  Login using the same domain credentials and this screenshot is on the desktop (have to flip to the desktop to see it)

    First hunch was the msTPM-OwnerInformation attribute under the Computer object not getting updated.  It was correct, the msTPM-OwnerInformation attribute is not populated with the recovery string.  Most of the other topics and posts related to this centered around permissions of SELF to write the msTPM-OwnerInformation attribute:

    http://blogs.technet.com/b/bitlocker/archive/2010/09/14/access-denied-error-0x80070005-message-when-initializing-tpm-for-bitlocker.aspx

    http://blog.concurrency.com/infrastructure/enable-bitlocker-automatically-save-keys-to-active-directory/

    However, the permissions are correct, inherited -- you can see on the exact computer object below:

    Here is the real kicker.  This same laptop, running Windows 7 Enterprise -- I spent an hour popping in a new drive and rebuilding, different computer name, same OU and member of same groups -- saves the TPM data just fine in the msTPM-OwnerInformation attribute.  It bombs out on Windows 8 as noted above.

    In Windows 8 I can get Windows to properly assign the owner details by unlinking the GPO that forces Windows to either save TPM recovery data to AD DS or give up.  With that requirement out of the way the TPM assigns an owner fine and I can then continue on with enabling BitLocker -- which has AD DS save policy configured in a separate GPO.  When continuing with BitLocker the BitLocker recovery data is saved successfully to AD DS -- in both Windows 7 and 8.  This issue seems limited to the msTPM-OwnerInformation attribute and GPO in Windows 8.

    What has me flummoxed is how the same laptop, same OU, same groups, writes the attribute fine in Windows 7 but errors out in Windows 8 with the screenshot above.

    -Weaver


    • Edited by WeaverVS Thursday, September 20, 2012 4:28 AM
    Thursday, September 20, 2012 4:24 AM

Answers

  • The Schema update did the trick.  I was not able to locate specific schema LDF's for the Windows 8/2012 BitLocker/TPM updates.  Instead I used ADPrep off the Server 2012 media which took the Schema level to 56.

    To anyone having this problem -- for now update the AD DS schema using ADPrep off of the Server 2012 media, similar to if you were going to add a Server 2012 domain controller.  (Although now technically Microsoft has added the adprep steps to the Server Role Wizard in 2012, eliminating the need to manually run it beforehand.  Nevertheless, running it manually as we have been doing for years can still be done.)

    If you haven't done it before, a nice introduction is below.

    Running Adprep.exe

    I was then able to successfully assign owner information to a Windows 8 Enterprise TPM using TPM.msc and have it back up to AD DS.  I also now see why the Schema update was necessary...

    Windows 8, instead of using the msTPM-OwnerInformation attribute under the Computer Object, instead creates a msTPM-TPMInformationForComputer attribute which itself is a reference to another object located underneath CN=TPM Devices, DC=example, DC=local.  Under this referenced object (not the computer object) is the msTPM-OwnerInformation attribute with the TPM data (and other attributes).

    -Weaver


    • Edited by WeaverVS Wednesday, September 26, 2012 1:31 PM
    • Marked as answer by Juke Chou (Moderator) Thursday, September 27, 2012 1:36 AM
    Wednesday, September 26, 2012 1:30 PM
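    Editor's note: the following PowerShell is an added example, not Weaver's or Microsoft's code, that follows the attribute chain the marked answer describes (computer object -> msTPM-TpmInformationForComputer link -> msTPM-InformationObject under CN=TPM Devices) and also answers the later question in this thread about replacing Get-TPMOwnerInfo.vbs. It assumes the RSAT ActiveDirectory module on the admin workstation and a schema already extended to objectVersion 56 (Server 2012) or later; the computer name 'LAPTOP01' is a placeholder.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TpmSchemaStatus {
    # Reports the forest schema version and whether the Windows 8 TPM layout is in place.
    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $newAttr = Get-ADObject -SearchBase $rootDse.schemaNamingContext -SearchScope OneLevel `
        -LDAPFilter '(lDAPDisplayName=msTPM-TpmInformationForComputer)'
    $container = Get-ADObject -SearchBase $rootDse.defaultNamingContext -SearchScope OneLevel `
        -LDAPFilter '(cn=TPM Devices)'
    [pscustomobject]@{
        SchemaObjectVersion              = $schema.objectVersion   # 56 = Server 2012, 69 = 2012 R2
        HasTpmInformationForComputerAttr = [bool]$newAttr
        TpmDevicesContainer              = if ($container) { $container.DistinguishedName } else { $null }
    }
}

function Get-TpmOwnerInfoFromAD {
    # Resolves the stored TPM owner information for one computer under either layout.
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName `
        -Properties msTPM-OwnerInformation, msTPM-TpmInformationForComputer

    # Windows 7 layout: the owner authorization sits directly on the computer object.
    if ($computer.'msTPM-OwnerInformation') {
        return [pscustomobject]@{
            Computer         = $computer.Name
            Layout           = 'Windows7-ComputerAttribute'
            StoredOn         = $computer.DistinguishedName
            OwnerInformation = $computer.'msTPM-OwnerInformation'
        }
    }

    # Windows 8 layout: the computer object only carries a DN link to an
    # msTPM-InformationObject under CN=TPM Devices; the data lives on that object.
    $link = $computer.'msTPM-TpmInformationForComputer'
    if (-not $link) {
        return [pscustomobject]@{
            Computer = $computer.Name; Layout = 'NotBackedUp'
            StoredOn = $null;         OwnerInformation = $null
        }
    }
    $tpmObject = Get-ADObject -Identity $link `
        -Properties msTPM-OwnerInformation, msTPM-SrkPubThumbprint, whenChanged
    [pscustomobject]@{
        Computer         = $computer.Name
        Layout           = 'Windows8-TpmDevicesObject'
        StoredOn         = $tpmObject.DistinguishedName
        OwnerInformation = $tpmObject.'msTPM-OwnerInformation'
        SrkPubThumbprint = $tpmObject.'msTPM-SrkPubThumbprint'
        LastChanged      = $tpmObject.whenChanged
    }
}

# Usage ('LAPTOP01' is a placeholder computer name):
Get-TpmSchemaStatus
Get-TpmOwnerInfoFromAD -ComputerName 'LAPTOP01'
```

    If the schema has not been extended, the Get-ADComputer call fails on the unknown msTPM-TpmInformationForComputer property, which is itself the quickest confirmation that adprep has not been run. Treat the OwnerInformation value as a secret: it is the TPM owner authorization that lets whoever holds it take ownership actions on that TPM, so restrict read access to the TPM Devices container the same way you restrict BitLocker recovery objects.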

All replies

  • Hi,

    Seems it is not a permission issue according to the error message "There is no such object on the server". Can you please try to unjoin the Windows 8 box from the domain, then rejoin it to the domain for a test?


    Juke Chou

    TechNet Community Support

    Monday, September 24, 2012 7:46 AM
    Moderator
  • Unjoined from the domain.

    Cleared the TPM owner via BIOS.

    Deleted the Computer object from AD DS.

    Rejoined Computer to domain.  Verified GPO applied successfully via gpresult.

    Attempted to "Prepare the TPM" again via TPM.msc.  Reboot, authorize via BIOS screen.

    Same errors on login to Windows 8 -- seemingly when trying to backup the TPM owner information to AD DS.  TPM.msc

    Reminder that this same hardware running Windows 7 does not have the problem backing up the TPM owner information to AD DS.  Several laptops on this AD DS domain running Windows 7 with TPM owner and BitLocker volume recovery details backed up to AD DS per Group Policy without issues.

    Tuesday, September 25, 2012 5:04 AM
  • Hi,

    We need to update schema for Windows 8 on DC so that we can backup TPM information in AD DS.

    Thanks,

    Spencer



    Tuesday, September 25, 2012 11:05 AM
  • I'm having the exact same problem as Weaver. Win7 works fine Win8 does not. We don't have a WS2012 DC, only 2008 R2.

    Spencer, could you please outline the steps for upgrading the schema if we only have 2008 R2 DC's. I have access to a WS2012 member server and Win8 computers.

    Wednesday, September 26, 2012 8:37 AM
  • I can confirm this works for me as well. Thank you very much!

    Any pointers as to how to adapt the current Get-TPMOwnerInfo.vbs script to get the TPM information in an easier fashion?

    Friday, September 28, 2012 6:48 AM
  • It appears I spoke too soon.

    While I did adprep /forestprep and then adprep /domainprep and actually got a few TPM keys into AD, I'm now unable to do so. It's like I didn't do anything.

    When trying to backup TPM to AD I get Access is Denied, and an entry in Event Viewer, ID 514:

    Failed to backup TPM Owner Authorization information to Active Directory Domain Services.
    Errorcode: 0x80070005
    Check that your computer is connected to the domain.  If your computer is connected to the domain, have your Domain Administrator check that the Active Directory schema is appropriate for backup of Windows 8 TPM Owner Authorization information and that the current Computer object has write permission to the TPM object.  Installations of Windows Server 2008 R2 or before need a schema extension in order to be ready for backup of Windows 8 TPM Owner Authorization information.  Consult online documentation for more information about setting up Active Directory Domain Services for TPM.

    I can ping all DCs, I get GPOs, I'm quite sure connectivity is not an issue. Domain Computers have Security permissions on CN=TPM Devices that allow them to Create all child objects (not sure what the correct permissions are, what is needed).

    dsquery * cn=schema,cn=configuration,dc=interexport,dc=local -scope base -attr objectVersion returns:
      objectVersion
      56

    Any assistance is greatly appreciated.

    • Edited by CypherMike Friday, October 19, 2012 6:58 AM
    Friday, October 19, 2012 6:51 AM
  • The solution was quite simple. Deleting the existing (I already enabled Bitlocker/TPM on that same machine before) entry under CN=TPM Devices and it works.

    I'm wondering why the entry can't be overwritten or perhaps why it's not deleted if I delete the computer (it was easier in Windows 7 where the TPM information was part of the computer object).

    Thursday, October 25, 2012 7:16 AM
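    Editor's note: the following PowerShell is an added example (not CypherMike's or Microsoft's code) for the two things asked about above: what is sitting under CN=TPM Devices that no computer links to any more, and what rights Domain Computers actually hold on that container. It assumes the RSAT ActiveDirectory module and the Server 2012 schema; the assumption that a leftover entry from an earlier build of the same machine shows up as an unlinked object (because the old computer object that pointed at it was deleted) is mine, so review the list before removing anything.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TpmDeviceObject {
    # Lists every msTPM-InformationObject under CN=TPM Devices and which computer
    # (if any) still links to it. LinkedFrom = $null means nothing references it.
    $domainDn  = (Get-ADDomain).DistinguishedName
    $container = "CN=TPM Devices,$domainDn"

    # Build a map of DN -> computer name from every computer that has the link attribute.
    $linked = @{}
    Get-ADComputer -LDAPFilter '(msTPM-TpmInformationForComputer=*)' `
        -Properties msTPM-TpmInformationForComputer |
        ForEach-Object { $linked[$_.'msTPM-TpmInformationForComputer'] = $_.Name }

    Get-ADObject -SearchBase $container -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msTPM-InformationObject)' `
        -Properties whenCreated, whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                LinkedFrom        = $linked[$_.DistinguishedName]
                WhenCreated       = $_.whenCreated
                WhenChanged       = $_.whenChanged
            }
        }
}

function Get-TpmDevicesContainerAccess {
    # Shows the ACEs on CN=TPM Devices that apply to Domain Computers, so you can
    # confirm the create-child right mentioned in the thread is really present.
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\CN=TPM Devices,$domainDn"
    $acl.Access |
        Where-Object { $_.IdentityReference -like '*\Domain Computers' } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      InheritanceType, ObjectType
}

# Usage: review the unlinked entries first, then remove them one at a time with a prompt.
Get-TpmDevicesContainerAccess
$stale = Get-TpmDeviceObject | Where-Object { -not $_.LinkedFrom }
$stale | Format-Table -AutoSize
$stale | ForEach-Object { Remove-ADObject -Identity $_.DistinguishedName -Confirm }
```

    The linked-attribute walk is used instead of trusting the back-link on the TPM object so the result does not depend on which side of the link a given DC has already replicated. Keep the -Confirm on the removal: an object that looks orphaned on one DC may still be referenced on another until replication catches up.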
  • Weaver,

    Your issue might have been resolved by now.

    FYI..

    Read this article which will be give you more info.

    http://technet.microsoft.com/en-us/library/jj635854.aspx


    Manoj Sehgal

    Monday, October 29, 2012 1:35 AM
    In Windows 8 [and Windows Server 2012], instead of using the msTPM-OwnerInformation attribute under the Computer Object, instead creates a msTPM-TPMInformationForComputer attribute which itself is a reference to another object located underneath CN=TPM Devices, DC=example, DC=local.  Under this referenced object (not the computer object) is the msTPM-OwnerInformation attribute with the TPM data (and other attributes).
    Thank you!  After 5 hours on the phone with Microsoft, their technician couldn't tell me this simple fact.  That in Windows 2012, the location for storing the TPM Owner Information has changed.  It's no longer located in an attribute called msTPM-OwnerInformation, but instead the msTPM-TpmInformationForComputer contains a reference to a node under the TPM Devices which then contains the password hash.  It's just a shame that Microsoft support couldn't tell me this and save me half a day.
    Tuesday, August 13, 2013 2:33 PM
  • can you share the mssuport case number?


    Manoj Sehgal

    Wednesday, August 14, 2013 2:55 AM
    Our domain controllers are running Server 2008 R2 and we have updated the schema to 2012 R2, version 69.  Do we also have to run TpmSchemaExtension.ldf and TpmSchemaExtensionACLChanges.ldf to enable BitLocker to back up to AD on Windows 8/8.1?  If so, what is the proper way to run them?  In referencing http://technet.microsoft.com/en-us/library/jj635854.aspx nothing specifically says you must do this to make things work; however we do NOT have a container in AD called CN=TPM Devices, which makes me think I need to, but nothing says I must to make it work.
    Monday, May 19, 2014 8:29 PM
    Heh, my schema version is 69, I've got all DCs running on 2012 R2 and this AD has been "upgraded" to support BitLocker with the scripts above in the past. Still I cannot initialize the TPM on Windows 8. Funny thing is that I can enable encryption automatically during OSD, but not manually. Adprep tells me that the information has already been updated.
    Tuesday, November 25, 2014 8:25 PM
  • I'd like to share the solution with you

    1. move the computer account to the Computers OU or another OU that doesn't have the TPM policy
    2. run tpm.msc Prepare TPM then reboot
    3. regedit the client computer and set to 0 :
      HKLM\Software\Policies\Microsoft\TPM!ActiveDirectoryBackup
      HKLM\Software\Policies\Microsoft\TPM!RequireActiveDirectoryBackup
    4.  run tpm.msc and change the owner password manually
    5. start encryption
    6. reboot
    7. Regedit and set to 1 in :
      HKLM\Software\Policies\Microsoft\TPM!ActiveDirectoryBackup
      HKLM\Software\Policies\Microsoft\TPM!RequireActiveDirectoryBackup
    8. move the computer back to the desired OU

    the trick is changing the owner password

    this applies to windows 8 & 2012 AD

    • Edited by Ra_aly Wednesday, June 1, 2016 8:30 PM
    Wednesday, June 1, 2016 7:53 PM
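    Editor's note: the following PowerShell is an added example, not Ra_aly's script, that wraps steps 3 and 7 of the workaround above and adds the client-side checks a practitioner wants before and after: whether the two policy values exist at all (they are only written by Group Policy, so a machine in an OU without the TPM policy has no values rather than a 0), the TPM state from Get-Tpm (TrustedPlatformModule module, Windows 8 / Server 2012 and later), and the event 514 entries quoted earlier in the thread. The provider name used for the event filter is an assumption on my part. Run it elevated on the client. Note that while RequireActiveDirectoryBackup is 0 the owner authorization can be set without being escrowed, which is exactly what the original GPO was there to prevent, so keep the window short.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the Windows 8 client.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

function Get-TpmAdBackupPolicy {
    # Reads the two policy values the workaround toggles. 'NotConfigured' means the
    # value is absent, i.e. no GPO writes it here; that is not the same as an explicit 0.
    $result = [ordered]@{}
    foreach ($name in 'ActiveDirectoryBackup', 'RequireActiveDirectoryBackup') {
        $item = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
        $result[$name] = if ($null -eq $item) { 'NotConfigured' } else { $item.$name }
    }
    $tpm = Get-Tpm
    $result['TpmPresent'] = $tpm.TpmPresent
    $result['TpmReady']   = $tpm.TpmReady
    [pscustomobject]$result
}

function Set-TpmAdBackupPolicy {
    # Writes both values: 0 = do not back up / do not require it, 1 = back up and
    # fail if the backup fails. Group Policy re-applies its own values on the next
    # refresh, so this only sticks while the computer sits in an OU without the
    # TPM policy (steps 1 and 8 above).
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    foreach ($name in 'ActiveDirectoryBackup', 'RequireActiveDirectoryBackup') {
        Set-ItemProperty -Path $policyKey -Name $name -Value $Value -Type DWord
    }
}

function Get-TpmBackupFailure {
    # Pulls recent "Failed to backup TPM Owner Authorization information" events
    # (ID 514). Provider name is an assumption; adjust if your System log differs.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 514
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Typical sequence while following the steps above:
Get-TpmAdBackupPolicy          # expect 'NotConfigured' after the OU move and a gpupdate
Set-TpmAdBackupPolicy -Value 0 # step 3
# ... change the owner password in tpm.msc and start encryption (steps 4-6) ...
Set-TpmAdBackupPolicy -Value 1 # step 7
Get-TpmBackupFailure           # should be empty once the backup succeeds
```

    After step 8, run gpupdate /force and call Get-TpmAdBackupPolicy again: both values should read 1 from the GPO, and the server-side check (the TPM Devices object for this computer) is the real confirmation that the owner authorization was escrowed.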
  • I'd like to share the solution with you

    1. move the computer account to the Computers OU or another OU that doesn't have the TPM policy
    2. run tpm.msc Prepare TPM then reboot
    3. regedit the client computer and set to 0 :
      HKLM\Software\Policies\Microsoft\TPM!ActiveDirectoryBackup
      HKLM\Software\Policies\Microsoft\TPM!RequireActiveDirectoryBackup
    4.  run tpm.msc and change the owner password manually
    5. start encryption
    6. reboot
    7. Regedit and set to 1 in :
      HKLM\Software\Policies\Microsoft\TPM!ActiveDirectoryBackup
      HKLM\Software\Policies\Microsoft\TPM!RequireActiveDirectoryBackup
    8. move the computer back to the desired OU

    the trick is changing the owner password

    this applies to windows 8 & 2012 AD

    Hi Ra_aly,

    I'm on a Windows 2012 R2 server trying to get the TPM keys to back up to AD.  I've delegated write of the following attributes to self in the OU I intend to keep this server in (that has my backup BitLocker/TPM GPO) as well as the temp OU (no GPOs applied) I've moved the server to so I could change the TPM owner password:

    msTPM-OwnerInformation

    msTPM-TPMInformationForComputer

    I don't have the option to prepare the TPM (it's greyed out), but I've tried turning it off or clearing it, then reboot but do not have the following registry keys:

    HKLM\Software\Policies\Microsoft\TPM!ActiveDirectoryBackup
    HKLM\Software\Policies\Microsoft\TPM!RequireActiveDirectoryBackup

    Nor is there any value in the Microsoft key.

    After the re-encrypt and moving the server back into the OU with the TPM/BitLocker backup to AD setting enabled I still have no hash in the msTPM attributes of the computer object.  The BitLocker key is backed up though.

    Any ideas?

    Friday, June 3, 2016 10:15 PM