Tpm backup to Mbam with Bitlocker Preprovisioning

[brpo]

Hi

I have deployed Mbam 2.5 in our environment and the first tests (manual deployment of mbam client and encryption) have been successfull.(tpm and volume recovery work fine)

 

However when trying to use the latest features, we can't get the TPM owner password to be backed up in Mbam.

We use pre provisionning wih used space during the task sequence and it works fine. The user is prompted at first logon for the Pin and drive recovery is reported to the DB. However TPM password is not present.

Whatever we tried, the TPM did not show up unless we suppressed pre provisionning.

 

Has someone been able to take ownership of the TPM with preprovisioning ?

 

During the TS, at the preprovisioning step, the Tpm shows as Enabled, Activated and Not owned, then in the log it shows that pre provisioning takes ownership. Of course, this prevents Mbam to do the same so no backup of TPM.

in the following post, someone from Microsoft states that ownership is not taken, but it seems it does anyway.

 

http://social.technet.microsoft.com/Forums/en-US/b915cd54-6371-4b28-aac7-bd3103dfd7ca/preprovisioning-bitlocker-mbam-and-tpm-password?forum=mdopmbam

 

Thanks in advance for your feedback

bruno

[Config Mangler]

I don't know if this is related as it's not MBAM, but we found that since SCCM SP1 or maybe R2, TPM passwords were no longer being stored in AD. We have since found this needs an AD schema change. Effectively you need Server 2012.

[brpo]

Hi

thanks for the feedback.

What we would like is to store the TPM key into MBAM as we then have a single place to look for Support, as we don't have proper AD rights anyway.

Alternatively use a single password for TPM but start encryption during TS (I am working on this alternative right now).

Brgds

bruno

[brpo]

Hi

I forgot to post feedback on this when i finally found the solution

we used Alex Semi s script to launch encryption and by default the mdt scripts force ownership to AD.

I put a few comments in the code and the Mbam part is now fully functional.

 

bruno

[anyweb]

hi bruno

can you link to the sript in question or post it here