Can't store TPM information in AD


Turns out that the function of storing the TPM info to AD (or the attempt of storing the TPM info to AD) only occurs when you change password. I was not changing the password but using the same password.

Due to the fact that shamefully our AD schema is super-duper old school [looks like server 2008 SP1, not even R2], I used BitLockerTPMSchemaExtension.ldf (available here) to extend the schema to include the properties:

  • msTPM-OwnerInformation
  • msFVE-RecoveryGuid
  • msFVE-RecoveryPassword
  • msFVE-RecoveryInformation
  • msFVE-VolumeGuid
  • msFVE-KeyPackage

(granted and worth noting that msTPM-OwnerInformation was already present)

So, expecting this to work without issue, I proceeded to actually change the TPM password, and immediately received the error "There is no such object on the server (error code: 0x80072030)." with the specific error "Cannot change TPM owner password."

Very simply, the msTPM-OwnerInformation attribute is used by Windows 7 and below, but Windows 8+ (which my test box was) uses msTPM-TPMInformationForComputer, as discussed more thoroughly in this MSFT TechNet thread.

To solve this problem, follow the MSFT documentation, extending the AD schema using TpmSchemaExtension.ldf and TpmSchemaExtensionACLChanges.ldf.

ldifde -i -v -f TpmSchemaExtension.ldf -c "DC=X" "dc=contoso,dc=corp" -k -j .
ldifde -i -v -f TpmSchemaExtensionACLChanges.ldf -c "DC=X" "dc=contoso,dc=corp" -k -j .
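
A way to confirm the AD side of the Windows 8+ path described in this answer, as an added example that is not part of the original post: it checks that the schema extension landed (the legacy msTPM-OwnerInformation attribute, the msTPM-TPMInformationForComputer link and the msTPM-InformationObject class), that the TPM Devices container under the domain root exists (assumed here as the place Windows 8+ clients create their msTPM-InformationObject), and whether a given computer object already holds backed-up TPM information through either path. It assumes the RSAT ActiveDirectory module and a domain-joined admin session; the computer name is a placeholder.

```powershell
# Added example, not the original poster's code. Assumes the RSAT
# ActiveDirectory module; 'WS-TEST01' is a placeholder computer name.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-TpmAdBackup {
    param(
        [Parameter(Mandatory)][string]$ComputerName
    )
    $rootDse  = Get-ADRootDSE
    $schemaNc = $rootDse.schemaNamingContext
    $domainNc = $rootDse.defaultNamingContext

    # 1. Schema: legacy Windows 7 attribute vs. the Windows 8+ attribute and
    #    class that TpmSchemaExtension.ldf adds.
    $legacyAttr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msTPM-OwnerInformation)'
    $linkAttr   = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msTPM-TPMInformationForComputer)'
    $infoClass  = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msTPM-InformationObject)'

    # 2. Container Windows 8+ clients write their TPM information object into
    #    (assumed location: CN=TPM Devices directly under the domain root).
    $tpmDevices = Get-ADObject -SearchBase $domainNc -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=container)(cn=TPM Devices))'

    # 3. The computer object: legacy attribute plus the link to its info object.
    $computer = Get-ADComputer -Identity $ComputerName `
        -Properties 'msTPM-OwnerInformation','msTPM-TPMInformationForComputer'
    $linkedDn      = $computer.'msTPM-TPMInformationForComputer'
    $linkedHasInfo = $false
    if ($linkedDn) {
        $info = Get-ADObject -Identity $linkedDn -Properties 'msTPM-OwnerInformation'
        # Report presence only; never echo the owner authorization value.
        $linkedHasInfo = [bool]$info.'msTPM-OwnerInformation'
    }

    [pscustomobject]@{
        SchemaHasLegacyAttribute = [bool]$legacyAttr
        SchemaHasWin8Attribute   = [bool]$linkAttr
        SchemaHasInfoClass       = [bool]$infoClass
        TpmDevicesContainer      = $tpmDevices.DistinguishedName
        LegacyAttributePopulated = [bool]$computer.'msTPM-OwnerInformation'
        Win8LinkPresent          = [bool]$linkedDn
        Win8InfoObjectPopulated  = $linkedHasInfo
    }
}

Test-TpmAdBackup -ComputerName 'WS-TEST01' | Format-List
```

If SchemaHasWin8Attribute or SchemaHasInfoClass is False on a Windows 8+ client's domain, the 0x80072030 "no such object" failure above is expected until TpmSchemaExtension.ldf has been imported.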
Author: mbrownnyc

Updated on September 18, 2022

Comments

  • mbrownnyc
    mbrownnyc almost 2 years

    I am attempting to use GP to store TPM information in AD. I have verified that the schema contains the proper object property, and verified that the property and the ACE is present on the given computer object.

    I did notice that with the latest ADMX, it appears that Require TPM back to AD DS is missing in the GP Turn on TPM backup to Active Directory Domain Services, replaced with the statement:

    If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password.
    

    I use both dsa.msc's Attribute Editor, adsiedit.msc and the script Get-TPMOwnerInfo.vbs to check the presence of the data, after resetting the TPM password, without luck.

    Why can't I store TPM info in AD?

    [Updates re: comments]

    Could you maybe add some details about precisely how you're trying to get the TPM recovery info into AD, and precisely how it's failing? 
    

    As stated in documentation, after having a GP (Turn on TPM backup to Active Directory Domain Services) applied to a client computer:

    TPM recovery information is backed up when you:
    - Set the TPM owner password during TPM initialization.
    - Change the TPM owner password.
    

    I am not sure, at this point, where to see errors related... other than I do not see the updated TPM info stored in the msTPM-OwnerInformation attribute of the computer object. To be clear, the issue is that the TPM information isn't being stored in AD, and I would like to have it stored in AD.

    What operating system(s) are running on the machine(s) with the TPM(s)?
    

    I am running Windows 8.1, but will be targeting both Windows 8.1 and Windows 7.

    [additional info]

    Note that in the Group Policy Settings Reference, the following registry keys reflect the GP application:

    HKLM\Software\Policies\Microsoft\TPM REG_DWORD: ActiveDirectoryBackup = 0x1
    HKLM\Software\Policies\Microsoft\TPM REG_DWORD: RequireActiveDirectoryBackup = 0x1
    

    I performed the following:

    1. Verify that there is an ACE for SELF with the Write msTPM-OwnerInformation permission set on the computer object in AD.
    2. These registry values are set as expected on the client.
    3. I then use tpm.msc to reset the password.
    4. There is no value set for msTPM-OwnerInformation.

    • Spence
      Spence over 9 years
      What operating system(s) are running on the machine(s) with the TPM(s)?
    • mbrownnyc
      mbrownnyc over 9 years
      Thanks for your comments. I have updated the original question.