
Microsoft - Windows - BitLocker

Documentation

Notes

Saving the TPMOwnerInformation from Active Directory to a .tpm file

Apply the following patch to Get-TPMOwnerInfo.vbs version 5/15/2006 (available here):

--- .\Get-TPMOwnerInfo.vbs	Tue May 16 18:47:12 2006
+++ .\Get-TPMOwnerInfo.vbs	Thu Jan 26 15:39:31 2012
@@ -9,6 +9,7 @@
 ' Change History:
 '  1/30/2006 - Initial release
 '  5/15/2006 - Updated GetStrPathToComputer to search the global catalog.
+'  1/26/2012 - Changed WScript.Echo to write to a properly formatted .tpm file.
 '
 ' Microsoft Corporation
 '
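Review bot: the new change-history line documents the Echo-to-file change but not the new output location setting the patch introduces (`strTpmFileBaseDir`); since that assignment sits outside the Usage block, mention it here (or in the Usage text) so a reader knows where the output folder is configured.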
@@ -29,6 +30,7 @@
 ' 
 '=================================================================================
 
+strTpmFileBaseDir = "C:\Temp"
 
 ' --------------------------------------------------------------------------------
 ' Usage
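Review bot: `strTpmFileBaseDir = "C:\Temp"` is a hard-coded path dropped between the header comment and the Usage section, and nothing in the patch checks that the folder exists; consider making it a command-line argument alongside the computer name, or at least guarding with `objFso.FolderExists(strTpmFileBaseDir)` before the file is created, since `CreateTextFile` otherwise fails with a path-not-found error.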
@@ -137,8 +139,18 @@
 
 ' --------------------------------------------------------------------------------
 ' Get the TPM owner information from the Active Directory computer object
+' and write it out to a .tpm file.
 ' --------------------------------------------------------------------------------
 
 strOwnerInformation = objComputer.Get("msTPM-OwnerInformation")
-WScript.echo "msTPM-OwnerInformation: " + strOwnerInformation
 
+Set objFso = CreateObject("Scripting.FileSystemObject")
+
+Set tsTpmFile = objFso.CreateTextFile(strTpmFileBaseDir + "\" + strComputerName + ".tpm", true)
+
+tsTpmFile.WriteLine "<?xml version=" + chr(34) + "1.0" + chr(34) + " encoding=" + chr(34) + "UTF-8" + chr(34) + "?>"
+tsTpmFile.WriteLine "<ownerAuth>" + strOwnerInformation + "</ownerAuth>"
+
+' Clean up.
+tsTpmFile.Close
+Set objFso = Nothing
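Review bot: the file-writing block has no error handling: `objComputer.Get("msTPM-OwnerInformation")` raises an ADSI error when the attribute is not set (it does not return an empty string), and `CreateTextFile` fails when `strTpmFileBaseDir` does not exist, so either case ends the script with a raw WSH error rather than a message; wrap those two calls with `On Error Resume Next` and an `Err.Number` check, or test the folder and attribute first. Two smaller points: `+` only works here because every operand is a string, and `&` is the VBScript concatenation operator, so prefer `&` to avoid a type mismatch if the attribute ever comes back as something other than a string; and the XML declaration claims UTF-8 while `CreateTextFile` writes ASCII by default, which is fine for a base64 value but worth a comment. Finally, the output now persists the TPM owner authorization that the removed `WScript.Echo` line only printed to the console, so the usage text should say that the .tpm file must be protected and deleted once the TPM console has consumed it, and the cleanup should release the text stream too (`Set tsTpmFile = Nothing`).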

Source for the syntax of a .tpm file: TechNet Blogs > BitLocker™ Drive Encryption Team Blog > How to use Hash of TPM from AD to reset your TPM password
See also:
Microsoft Support - Error message when you try to start a Windows Vista-based computer that is configured to use BitLocker: "The PIN has been entered incorrectly too many times"
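The same export done in PowerShell, added here as an example that is not part of the wiki page, the original Get-TPMOwnerInfo.vbs or the patch above: it reads msTPM-OwnerInformation with the ActiveDirectory module, handles the two cases the patched script does not (attribute unset, output folder missing), writes the .tpm file in the layout shown above, and restricts the file's ACL because the file holds the TPM owner authorization. The attribute name and the file layout come from the page; the `$OutputDir` default, the 20-byte length check (which assumes the stored value is a base64 SHA-1 digest of the owner password) and the ACL choice are assumptions.

```powershell
# Added example (not from the wiki page or the Get-TPMOwnerInfo.vbs script).
# Requires the ActiveDirectory module (RSAT). Run as:
#   .\Export-TpmOwnerAuth.ps1 -ComputerName PC01 -OutputDir C:\Temp
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [string]$OutputDir = 'C:\Temp'   # constructed default, same folder the patch uses
)

Import-Module ActiveDirectory -ErrorAction Stop

# Only clients older than Windows 10 1607 still write this attribute.
$computer  = Get-ADComputer -Identity $ComputerName -Properties 'msTPM-OwnerInformation' -ErrorAction Stop
$ownerAuth = $computer.'msTPM-OwnerInformation'

# The VBScript's Get() raises an error here; report it as a message instead.
if ([string]::IsNullOrEmpty($ownerAuth)) {
    throw "msTPM-OwnerInformation is not set on $ComputerName (nothing to export)."
}

# The stored value is base64; refuse to write a file the TPM console cannot use.
try {
    $bytes = [Convert]::FromBase64String($ownerAuth)
} catch {
    throw "msTPM-OwnerInformation on $ComputerName is not valid base64."
}
# Assumption: the owner authorization is a 20-byte SHA-1 digest of the owner password.
if ($bytes.Length -ne 20) {
    Write-Warning "Unexpected owner authorization length: $($bytes.Length) bytes."
}

# The patched script assumes the folder exists; create it if it does not.
if (-not (Test-Path -LiteralPath $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir | Out-Null
}

$tpmPath = Join-Path $OutputDir "$ComputerName.tpm"

# Same two lines the patched script writes (CRLF after the declaration).
# The value is base64, so no XML escaping is needed.
$xml = "<?xml version=`"1.0`" encoding=`"UTF-8`"?>`r`n<ownerAuth>$ownerAuth</ownerAuth>"
# Write plain UTF-8 without a BOM, matching the ASCII output of CreateTextFile.
[System.IO.File]::WriteAllText($tpmPath, $xml, (New-Object System.Text.UTF8Encoding($false)))

# The file now contains the TPM owner authorization: drop inherited ACEs and
# grant access only to the exporting user and local Administrators.
$acl = Get-Acl -LiteralPath $tpmPath
$acl.SetAccessRuleProtection($true, $false)
$principals = @([System.Security.Principal.WindowsIdentity]::GetCurrent().Name, 'BUILTIN\Administrators')
foreach ($id in $principals) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $tpmPath -AclObject $acl

Write-Output "Wrote $tpmPath (delete it once the TPM console has consumed it)"
```

The ACL step replaces the inherited permissions on the new file rather than relying on whatever the output folder grants, which matters when the folder is something like C:\Temp that every local user can read.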

Windows 10 1607 removes storage of TPM password to Active Directory

When following "To enable the local policy settings to back up BitLocker and TPM recovery information to AD DS from computers running Windows 7 or Windows Server 2008 R2" from Microsoft - Windows IT Pro Center - Backing Up BitLocker and TPM Recovery Information to AD DS, and using the administrative templates from Windows 10 1607 (or higher), you will find that the "Turn on TPM backup to Active Directory Domain Services" setting is missing.

Your Windows 10 BitLocker clients will also no longer write to the msTPM-OwnerInformation and msTPM-TpmInformationForComputer attributes.

The setting was removed because, starting with version 1607, Windows 10 no longer retains the TPM password.

Sources:

microsoft/windows/bitlocker.txt · Last modified: 2017/11/09 12:35 by bas
