Can't store TPM information in AD
Turns out that the function of storing the TPM info to AD (or the attempt to store it) only occurs when you change the password. I was not changing the password but using the same password.
Due to the fact that, shamefully, our AD schema is super-duper old school [looks like Server 2008 SP1, not even R2], I used BitLockerTPMSchemaExtension.ldf (available here) to extend the schema to include the properties:
- msTPM-OwnerInformation
- msFVE-RecoveryGuid
- msFVE-RecoveryPassword
- msFVE-RecoveryInformation
- msFVE-VolumeGuid
- msFVE-KeyPackage
(granted, and worth noting, that msTPM-OwnerInformation was already present)
So, expecting this to work without issue, I proceeded to actually change the TPM password, and immediately received the error There is no such object on the server (error code: 0x80072030), with the specific error Cannot change TPM owner password.
Very simply, the msTPM-OwnerInformation attribute is used by Windows 7 and below, but Windows 8+ (which my test box was) uses msTPM-TPMInformationForComputer, as discussed more thoroughly in this MSFT TechNet thread.
To solve this problem, follow the MSFT documentation, extending the AD schema using TpmSchemaExtension.ldf and TpmSchemaExtensionACLChanges.ldf:
ldifde -i -v -f TpmSchemaExtension.ldf -c "DC=X" "dc=contoso,dc=corp" -k -j .
ldifde -i -v -f TpmSchemaExtensionACLChanges.ldf -c "DC=X" "dc=contoso,dc=corp" -k -j .
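Added example (not part of the original answer or question, and not Microsoft's tooling): a PowerShell check of the prerequisites the answer describes, so you can tell which of them is missing before resetting the TPM password again. It assumes the RSAT ActiveDirectory module, domain credentials, and that it is run on the TPM machine itself for the registry check; the computer name parameter is a placeholder. On Windows 8+ the owner information is not written to the computer object at all: the computer creates a separate msTPM-InformationObject (normally under the CN=TPM Devices container, which this script treats as an assumption) and points at it from its msTPM-TpmInformationForComputer attribute, so a blank msTPM-OwnerInformation on the computer object is expected there.

```powershell
# Added example, not from the original post. Checks schema, client policy, the
# computer object and the SELF ACE needed for TPM owner-info backup to AD DS.
param([string]$ComputerName = $env:COMPUTERNAME)   # placeholder; pass the TPM box's name

Import-Module ActiveDirectory -ErrorAction Stop
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext

# 1. Schema. Windows 7 writes msTPM-OwnerInformation on the computer object; Windows 8+
#    needs the msTPM-InformationObject class and the msTPM-TpmInformationForComputer
#    link attribute, both added by TpmSchemaExtension.ldf.
$wanted  = 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer', 'msTPM-InformationObject'
$present = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msTPM-*)' `
                        -Properties lDAPDisplayName, schemaIDGUID
foreach ($name in $wanted) {
    $hit = $present | Where-Object { $_.lDAPDisplayName -eq $name }
    '{0,-36} {1}' -f $name, $(if ($hit) { 'present' } else { 'MISSING: import TpmSchemaExtension.ldf' })
}

# 2. Client policy. These are the values the 'Turn on TPM backup to AD DS' GPO writes;
#    only meaningful when the script runs on the TPM machine.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' -ErrorAction SilentlyContinue
'ActiveDirectoryBackup        = {0}' -f $pol.ActiveDirectoryBackup
'RequireActiveDirectoryBackup = {0}' -f $pol.RequireActiveDirectoryBackup

# 3. Computer object: the legacy attribute and the Windows 8+ link.
$computer = Get-ADComputer -Identity $ComputerName `
                           -Properties msTPM-OwnerInformation, msTPM-TpmInformationForComputer
'msTPM-OwnerInformation (Win7)            = {0}' -f $computer.'msTPM-OwnerInformation'
$link = $computer.'msTPM-TpmInformationForComputer'
'msTPM-TpmInformationForComputer (Win8+)  = {0}' -f $link
if ($link) {
    # The link is the DN of the msTPM-InformationObject; that object, not the computer,
    # carries the owner information for Windows 8+.
    Get-ADObject -Identity $link -Properties msTPM-OwnerInformation, msTPM-SrkPubThumbprint |
        Select-Object DistinguishedName, ObjectClass, msTPM-OwnerInformation, msTPM-SrkPubThumbprint
}

# 4. ACE check. The computer writes as itself, so SELF needs WriteProperty on the
#    attribute in question. The ACE's ObjectType is the attribute's schemaIDGUID; an
#    empty GUID means 'all properties' and also suffices.
$acl = Get-Acl -Path ('AD:\' + $computer.DistinguishedName)
foreach ($attr in 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer') {
    $schemaObj = $present | Where-Object { $_.lDAPDisplayName -eq $attr }
    if (-not $schemaObj) { continue }
    $guid = [guid]$schemaObj.schemaIDGUID
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
        ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty)
    }
    'SELF may write {0,-33}: {1}' -f $attr, [bool]$ace
}
```

If step 1 reports msTPM-TpmInformationForComputer or msTPM-InformationObject as missing, the BitLockerTPMSchemaExtension.ldf import was not enough for a Windows 8+ client and TpmSchemaExtension.ldf plus TpmSchemaExtensionACLChanges.ldf still need to be applied; if the schema is fine but step 4 shows no SELF write right, the ACL ldf is the missing piece.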
Comments
- mbrownnyc almost 2 years
I am attempting to use GP to store TPM information in AD. I have verified that the schema contains the proper object property, and verified that the property and the ACE is present on the given computer object.
I did notice that with the latest ADMX, it appears that Require TPM backup to AD DS is missing in the GP Turn on TPM backup to Active Directory Domain Services, replaced with the statement: If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password.
I use both dsa.msc's Attribute Editor, adsiedit.msc and the script Get-TPMOwnerInfo.vbs to check the presence of the data, after resetting the TPM password, without luck. Why can't I store TPM info in AD?
[Updates re: comments]
Could you maybe add some details about precisely how you're trying to get the TPM recovery info into AD, and precisely how it's failing?
As stated in documentation, after having a GP (Turn on TPM backup to Active Directory Domain Services) applied to a client computer: TPM recovery information is backed up when you:
- Set the TPM owner password during TPM initialization.
- Change the TPM owner password.
I am not sure, at this point, where to see errors related... other than I do not see the updated TPM info stored in the msTPM-OwnerInformation attribute of the computer object. To be clear, the issue is that the TPM information isn't being stored in AD, and I would like to have it stored in AD.
What operating system(s) are running on the machine(s) with the TPM(s)?
I am running Windows 8.1, but will be targeting both Windows 8.1 and Windows 7.
[additional info]
Note that in the Group Policy Settings Reference, the following registry keys reflect the GP application:
HKLM\Software\Policies\Microsoft\TPM REG_DWORD: ActiveDirectoryBackup = 0x1
HKLM\Software\Policies\Microsoft\TPM REG_DWORD: RequireActiveDirectoryBackup = 0x1
I performed the following:
- verify that there is an ACE for SELF with the Write msTPM-OwnerInformation permission set on the computer object in AD.
- these registry values are set as expected on the client
- I then use tpm.msc to reset the password
- There is no value set for the msTPM-OwnerInformation
- Spence over 9 years: What operating system(s) are running on the machine(s) with the TPM(s)?
- mbrownnyc over 9 years: Thanks for your comments. I have updated the original question.