======Microsoft - Windows - BitLocker======


=====Documentation=====

[[https://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx|Microsoft - Windows IT Pro Center - Backing Up BitLocker and TPM Recovery Information to AD DS]] \\
[[https://docs.microsoft.com/en-us/windows/device-security/tpm/change-the-tpm-owner-password|Microsoft - Windows IT Pro Center - Change the TPM owner password]] \\
[[https://technet.microsoft.com/en-us/library/cc732542(v=ws.11).aspx|Microsoft TechNet - Understand the TPM Owner Password]] \\

[[http://blogs.technet.com/b/askcore/archive/2010/03/30/access-denied-error-0x80070005-message-when-initializing-tpm-for-bitlocker.aspx|TechNet Blogs > Ask the Core Team > Access Denied Error 0x80070005 message when initializing TPM for Bitlocker]] a.k.a. assign the Write msTPM-OwnerInformation to SELF on the OU containing the computer object.

[[https://technet.microsoft.com/en-us/library/jj635854.aspx|Microsoft Windows IT Pro Center - Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients]] via [[https://serverfault.com/questions/646955/cant-store-tpm-information-in-ad|serverfault - Can't store TPM information in AD]] and [[https://social.technet.microsoft.com/Forums/windows/en-US/c79dcdf8-c07e-4aa1-a059-aae5ab6c1bf8/windows-8-ent-tpm-activation-to-ad-ds?forum=w8itprosecurity|Microsoft TechNet Forums - Windows 8 Ent TPM Activation to AD DS]]


=====Notes=====

====Saving the TPMOwnerInformation from Active Director to a tpm file====

Apply the following [[http://unxutils.sourceforge.net/|patch]] to Get-TPMOwnerInfo.vbs version 5/15/2006 (available [[http://go.microsoft.com/fwlink/?LinkId=78953|here]]): \\
<code diff>
--- .\Get-TPMOwnerInfo.vbs	Tue May 16 18:47:12 2006
+++ .\Get-TPMOwnerInfo.vbs	Thu Jan 26 15:39:31 2012
@@ -9,6 +9,7 @@
 ' Change History:
 '  1/30/2006 - Initial release
 '  5/15/2006 - Updated GetStrPathToComputer to search the global catalog.
+'  1/26/2012 - Changed WScript.Echo to write to a properly formatted .tpm file.
 '
 ' Microsoft Corporation
 '
@@ -29,6 +30,7 @@
 ' 
 '=================================================================================
 
+strTpmFileBaseDir = "C:\Temp"
 
 ' --------------------------------------------------------------------------------
 ' Usage
@@ -137,8 +139,18 @@
 
 ' --------------------------------------------------------------------------------
 ' Get the TPM owner information from the Active Directory computer object
+' and write it out to a .tpm file.
 ' --------------------------------------------------------------------------------
 
 strOwnerInformation = objComputer.Get("msTPM-OwnerInformation")
-WScript.echo "msTPM-OwnerInformation: " + strOwnerInformation
 
+Set objFso = CreateObject("Scripting.FileSystemObject")
+
+Set tsTpmFile = objFso.CreateTextFile(strTpmFileBaseDir + "\" + strComputerName + ".tpm", true)
+
+tsTpmFile.WriteLine "<?xml version=" + chr(34) + "1.0" + chr(34) + " encoding=" + chr(34) + "UTF-8" + chr(34) + "?>"
+tsTpmFile.WriteLine "<ownerAuth>" + strOwnerInformation + "</ownerAuth>"
+
+' Clean up.
+tsTpmFile.Close
+Set objFso = Nothing

</code>
Source for the syntax of a .tpm file: [[http://blogs.technet.com/b/bitlocker/archive/2010/09/14/how-to-use-hash-of-tpm-from-ad-to-reset-your-tpm-password.aspx|TechNet Blogs > BitLocker™ Drive Encryption Team Blog > How to use Hash of TPM from AD to reset your TPM password]] \\
See also: \\
[[http://support.microsoft.com/kb/926187/en-us|Microsoft Support - Error message when you try to start a Windows Vista-based computer that is configured to use BitLocker: "The PIN has been entered incorrectly too many times"]] \\

====Windows 10 1607 removes storage of TPM password to Active Directory====

When following "To enable the local policy settings to back up BitLocker and TPM recovery information to AD DS from computers running Windows 7 or Windows Server 2008 R2" from [[https://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx|Microsoft - Windows IT Pro Center - Backing Up BitLocker and TPM Recovery Information to AD DS]] and using the administrative templates from a Windows 10 1607 (or higher) version you will find that the "Turn on TPM backup to Active Directory Domain Services" setting is missing.

Your Windows 10 BitLocker clients will also no longer write to the msTPM-OwnerInformation and msTPM-TpmInformationForComputer.

The setting was removed because starting with Windows 10 1607 Windows 10 no longer retains the TPM password.

Sources:
  * [[https://social.technet.microsoft.com/Forums/en-US/c8ad5825-ecc7-4873-a2c0-d6b51789e12e/turn-on-tpm-backup-to-active-directory-domain-services?forum=winserverGP|Microsoft TechNet Forums - Turn on TPM Backup to Active Directory Domain Services]]
  * [[https://github.com/MicrosoftDocs/windows-itpro-docs/issues/27|GitHub - MicrosoftDocs/windows-itpro-docs - Issues - Backup BitLocker Recovery Keys from TPM to AD missing in 1607  #27]]
  * [[https://superuser.com/questions/1104810/clearing-tpm-does-not-ask-for-new-password-but-change-owner-password-asks-for|superuser - Clearing TPM does not ask for new password, but “change owner password” asks for the old one]]
  * [[https://docs.microsoft.com/en-us/windows/device-security/tpm/change-the-tpm-owner-password|Microsoft - Windows IT Pro Center - Change the TPM owner password]]