Can a TPM passcode be stored in Active Directory like the BitLocker Recovery Key can?

  • Question

  • Forum Members,

    We have enabled BitLocker on all of our Windows 7 Enterprise machines (laptop computers) in the company.  We've also configured the schema and GPOs for BitLocker on the domain.

    We also need to enable a TPM passcode that has to be entered on boot-up.  I have done it successfully in testing via GPO.  However, is there a way to store that TPM passcode for the particular computer in Active Directory or do I need to resort to using a spreadsheet to track the passcodes assigned?

    We are using a Windows 2008 R2 domain.

    Thanks in advance,

    Joe

    Tuesday, December 15, 2015 8:30 PM

Answers

  • Hi

     The TPM owner password can be saved as a file on a USB flash drive, or in a folder in a location away from the local computer (maybe on a network folder, but only administrators should be able to access this folder). The password can also be printed (maybe not secure).

     However, is there a way to store that TPM passcode for the particular computer in Active Directory or do I need to resort to using a spreadsheet to track the passcodes assigned? >>> So, I recommend that you store the TPM passcodes on a network share that only the admins are able to access.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Tuesday, December 15, 2015 10:14 PM

All replies

  • Hi Joe,
     
    If you mean TPM owner password, you can use AD DS to store TPM owner information for use in recovery situations where the TPM owner has forgotten the password or where you must take control of the TPM.
     
    There is only one TPM owner password per computer; therefore, the hash of the TPM owner password can be stored as an attribute of the computer object in AD DS.
     
    Please take a look at this article and see if it is helpful:
     
    https://technet.microsoft.com/en-us/library/dn466534.aspx
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Wednesday, December 16, 2015 6:24 AM
    Moderator
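One way to check the behaviour Ethan describes, as an added example that is not part of the thread or of the linked article: a PowerShell audit that lists which computer objects already carry the TPM owner-password hash, plus a local check that the TPM is owned and that the "TPM backup to AD DS" policy is in effect. It assumes the RSAT ActiveDirectory module, the Windows 7 / Server 2008 R2 schema (where the hash lands in the computer object's msTPM-OwnerInformation attribute) and a placeholder OU.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module,
# a 2008 R2 schema (msTPM-OwnerInformation on the computer object) and a
# placeholder OU. Newer schemas move this to a linked msTPM-InformationObject.
Import-Module ActiveDirectory

$SearchBase = 'OU=Laptops,DC=example,DC=com'   # placeholder OU, change to yours
$Attr       = 'msTPM-OwnerInformation'

# Report, per computer, whether AD DS already holds the owner-password hash.
function Get-TpmBackupStatus {
    param([string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $Attr |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $_.Name
                # Only a hash is stored; the password itself never reaches AD.
                TpmInAD  = -not [string]::IsNullOrEmpty($_.$Attr)
            }
        }
}

# On the local machine: is there an owned TPM, and is the GPO that backs the
# owner information up to AD DS ("Turn on TPM backup to Active Directory
# Domain Services") applied? The policy writes these values under
# HKLM\SOFTWARE\Policies\Microsoft\TPM.
function Test-LocalTpmBackupPolicy {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    $owned = if ($tpm) { [bool]$tpm.IsOwned().IsOwned } else { $false }
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' `
                            -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TpmPresent       = [bool]$tpm
        TpmOwned         = $owned
        AdBackupEnabled  = ($pol.ActiveDirectoryBackup -eq 1)
        AdBackupRequired = ($pol.RequireActiveDirectoryBackup -eq 1)
    }
}

# Usage: list machines whose TPM owner information is still missing from AD.
Get-TpmBackupStatus -SearchBase $SearchBase |
    Where-Object { -not $_.TpmInAD } |
    Format-Table -AutoSize
Test-LocalTpmBackupPolicy
```

On Windows 7 the hash is written to AD only at the moment TPM ownership is taken, so machines that were initialized before the policy was enabled show up as missing and need the remediation steps from the linked article.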
  • Thanks, all!

    Joe

    Thursday, December 17, 2015 3:35 PM