brpo

Tpm backup to Mbam with Bitlocker Preprovisioning

Recommended Posts

Hi

I have deployed MBAM 2.5 in our environment and the first tests (manual deployment of the MBAM client and encryption) have been successful (TPM and volume recovery work fine).

However, when trying to use the latest features, we can't get the TPM owner password to be backed up in MBAM.

We use pre-provisioning with used space only during the task sequence and it works fine. The user is prompted at first logon for the PIN and drive recovery is reported to the DB. However, the TPM password is not present.

Whatever we tried, the TPM did not show up unless we suppressed pre-provisioning.

Has someone been able to take ownership of the TPM with pre-provisioning?

During the TS, at the pre-provisioning step, the TPM shows as Enabled, Activated and Not Owned, then the log shows that pre-provisioning takes ownership. Of course, this prevents MBAM from doing the same, so there is no backup of the TPM.

In the following post, someone from Microsoft states that ownership is not taken, but it seems it does anyway.

http://social.technet.microsoft.com/Forums/en-US/b915cd54-6371-4b28-aac7-bd3103dfd7ca/preprovisioning-bitlocker-mbam-and-tpm-password?forum=mdopmbam

Thanks in advance for your feedback

bruno
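The state bruno describes at the pre-provisioning step (TPM Enabled, Activated, Not Owned; OS volume encrypted but without protectors) can be checked from an elevated PowerShell prompt before and after that step. The script below is an added diagnostic, not code from the thread, from MDT or from the MBAM client; it reads only the Win32_Tpm and Win32_EncryptableVolume WMI classes. The function name, its -OsDrive parameter (assumed C:, since the system drive reported inside WinPE is X:) and the verdict strings are my own.

```powershell
# Added diagnostic (not from the thread, MDT or MBAM): report whether the TPM is
# already owned while the OS volume is only pre-provisioned, i.e. the condition
# under which the MBAM client cannot take ownership itself and therefore has no
# owner password to escrow. Run elevated in the full OS or from a TS "Run
# PowerShell Script" step after pre-provisioning.

function Get-TpmPreprovisionState {
    param(
        # Drive letter of the Windows volume; assumed C:, since $env:SystemDrive is X: in WinPE
        [string]$OsDrive = 'C:'
    )

    # --- TPM state: the three flags the poster reads off the TS log ---
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) {
        return [pscustomobject]@{ Verdict = 'No TPM instance returned by WMI (absent, hidden in firmware or no driver).' }
    }
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned

    # --- OS volume state: conversion, protection and key protectors ---
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
               -Class Win32_EncryptableVolume |
           Where-Object { $_.DriveLetter -eq $OsDrive }
    if (-not $vol) {
        return [pscustomobject]@{ Verdict = "No Win32_EncryptableVolume instance for $OsDrive." }
    }
    $conv       = $vol.GetConversionStatus()
    $protection = $vol.GetProtectionStatus().ProtectionStatus     # 0 = off, 1 = on, 2 = unknown
    $protectors = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)  # 0 = all protector types

    # A used-space-only pre-provisioned volume is (fully or partly) encrypted,
    # has protection off and carries no key protectors yet.
    $preprovisioned = ($conv.ConversionStatus -in 1, 2) -and
                      ($protection -eq 0) -and ($protectors.Count -eq 0)

    $verdict =
        if (-not ($enabled -and $activated)) {
            'TPM not enabled/activated; neither pre-provisioning nor MBAM can take ownership.'
        } elseif ($owned -and $preprovisioned) {
            'TPM already owned while the volume is only pre-provisioned: ownership was taken ' +
            'before the MBAM client, so MBAM will have no owner password to back up.'
        } elseif (-not $owned) {
            'TPM not owned: ownership (and its escrow) is still available to the MBAM client.'
        } else {
            'TPM owned and volume has protectors: check the MBAM DB for the TPM owner record.'
        }

    [pscustomobject]@{
        TpmEnabled           = $enabled
        TpmActivated         = $activated
        TpmOwned             = $owned
        ConversionStatus     = $conv.ConversionStatus
        EncryptionPercentage = $conv.EncryptionPercentage
        ProtectionStatus     = $protection
        KeyProtectorCount    = $protectors.Count
        PreProvisioned       = $preprovisioned
        Verdict              = $verdict
    }
}

Get-TpmPreprovisionState -OsDrive 'C:' | Format-List
```

Run it twice, immediately after the pre-provisioning step and again after the MBAM client has run, and compare TpmOwned: if it is already True after the first run the owner password was set by whatever took ownership in the TS, not by MBAM, which is the symptom the thread describes.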

I don't know if this is related as it's not MBAM, but we found that since SCCM SP1 or maybe R2, TPM passwords were no longer being stored in AD. We have since found this needs an AD schema change. Effectively you need Server 2012.

Hi

Thanks for the feedback.

What we would like is to store the TPM key in MBAM, as we then have a single place to look for support; we don't have proper AD rights anyway.

Alternatively, use a single password for the TPM but start encryption during the TS (I am working on this alternative right now).

Brgds

bruno

Hi

I forgot to post feedback on this when I finally found the solution.

We used Alex Semi's script to launch encryption, and by default the MDT scripts force ownership to AD.

I put a few comments in the code and the MBAM part is now fully functional.

bruno

Hi bruno

Can you link to the script in question or post it here?
