The process of configuring Windows 7 TPM and BitLocker and saving their passwords to Active Directory (2008 R2 and above) is multi-stepped. First, Active Directory and Group Policy need to be configured, then the clients need to be set up, and then you need to know how to recover the passwords from Active Directory.
Active Directory & Group Policy Setup
The Add-TPMSelfWriteACE.vbs script needs to be modified to reflect the correct GUIDs listed in the “TPM and FVE scheme object GUID’s” section mid-way through the script. You can locate the GUIDs by using ADSI Edit: choose Action –> Settings –> Select a well known Naming Context: Schema. From there, open the properties of the particular schema items to find the objectGUID.
- After executing Add-TPMSelfWriteACE.vbs, the permission allowing computers to write to the Active Directory attribute still needs to be granted. This must be done before enabling TPM on any client or the passwords won’t save. Follow the information on this TechNet blog. Failure to do this will result in an “Access is Denied. Error 0x80070005” when initializing TPM.
- Follow the original TechNet article for setting Group Policy.
TPM
- Add the Computer to AD and make sure Group Policy is applied (gpupdate.exe & gpresult.exe /SCOPE Computer /R). Current user needs admin rights for the entire process.
- tpm.msc (or Control Panel > BitLocker Drive Encryption > TPM Administration)
- Click either ‘Initialize TPM’ or ‘Change Owner Password’. Note: To change the password, you need the old one.
- If ‘Initialize’, shut down when prompted, then upon booting acknowledge/allow the BIOS notice regarding TPM. If ‘Change’, provide the current password file (if it is in AD, see Recovery below).
- Log in with the same account to continue the TPM process. You can verify the TPM Owner Password is saved to AD by using the Recovery section below.
BitLocker via Command Line
- This command will begin the process for the C drive; repeat for other drives. Run it from an Elevated Prompt (run as Administrator): manage-bde -on C: -RecoveryPassword
- Reboot, then run the following to see the encryption process status: manage-bde -status
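The two manage-bde steps above, wrapped in a PowerShell script as an added example (not from the original page): it turns BitLocker on with a numerical recovery password, parses the protector list to find the recovery password's ID, explicitly pushes that protector to Active Directory with manage-bde -protectors -adbackup (Group Policy normally does this on its own, but the explicit call gives you a definite success/failure signal), and prints the status. It assumes an elevated Windows 7 session with English manage-bde output, and the -Volume parameter and function names are this example's own.

```powershell
# Added example: enable BitLocker on a volume, back the recovery password up
# to AD explicitly, and report status. Assumes an elevated prompt on Windows 7
# and English-language manage-bde.exe output (the regex below parses it).
param([string]$Volume = 'C:')

function Get-NumericalPasswordProtectorIds {
    param([string]$Vol)
    # manage-bde lists each protector as a "<Type>:" header followed by an "ID: {GUID}" line.
    $text = (& manage-bde.exe -protectors -get $Vol 2>&1) -join "`n"
    $matches = [regex]::Matches($text, 'Numerical Password:\s*\r?\n\s*ID:\s*(\{[0-9A-Fa-f\-]+\})')
    foreach ($m in $matches) { $m.Groups[1].Value }
}

function Enable-BitLockerWithAdBackup {
    param([string]$Vol)
    # Same command as the page's first step; creates the numerical recovery password protector.
    & manage-bde.exe -on $Vol -RecoveryPassword
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $Vol failed with exit code $LASTEXITCODE" }

    $ids = @(Get-NumericalPasswordProtectorIds $Vol)
    if ($ids.Count -eq 0) { throw "No numerical password protector found on $Vol; nothing to back up" }

    foreach ($id in $ids) {
        # Force the AD backup now rather than waiting on the policy-driven backup,
        # so a permissions problem (e.g. the missing SELF write ACE) shows up here.
        & manage-bde.exe -protectors -adbackup $Vol -id $id
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "AD backup of protector $id on $Vol failed (exit code $LASTEXITCODE); check the AD ACE setup"
        } else {
            Write-Host "Backed up recovery password protector $id for $Vol to AD"
        }
    }

    # Same as the page's second step; before the reboot this typically shows encryption
    # has not started yet, after the reboot it shows the percentage encrypted.
    & manage-bde.exe -status $Vol
}

Enable-BitLockerWithAdBackup -Vol $Volume
```

Run it once per drive (for example `.\Enable-BitLocker.ps1 -Volume D:`), then reboot as the page says and re-run `manage-bde -status` to watch the encryption progress.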
BitLocker via GUI
Control Panel > System and Security > BitLocker Drive Encryption
- Click ‘Turn on BitLocker’ for the desired drives and follow any prompts.
BitLocker and Updates to BIOS, Hardware, or Startup Files (e.g. OS Upgrades)
Recovery
TPM (reference: technet blog)
- Active Directory Users and Computers > enable ‘Advanced Features’ in View.
- Open Properties on the desired computer, then the ‘Attribute Editor’ tab.
- Locate the attribute ‘msTPM-OwnerInformation’ and note the value.
- Enter the following into a text editor (such as notepad), but replace the “…..” with the value found in AD. Save the file with a .tpm extension at a location accessible by the computer.
<?xml version="1.0" encoding="UTF-8"?> <ownerAuth>…..</ownerAuth>
BitLocker
- Open Active Directory Users and Computers
- Open Properties on the desired computer, then the BitLocker tab.
- The BitLocker Recovery Password is in the details section.
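Both recovery lookups above (the TPM owner information and the BitLocker recovery passwords) done from PowerShell with the RSAT ActiveDirectory module, as an added example rather than anything from the original page. It reads msTPM-OwnerInformation from the computer object and writes it into the same .tpm XML shape the page shows, and it enumerates the msFVE-RecoveryInformation child objects under the computer to list each recovery password with its GUID. It assumes the ActiveDirectory module is installed, the caller has read rights on those attributes, and the AD backup steps earlier on the page have already run; the function names, the -ComputerName/-Path parameters and the sample computer name WS01 are this example's own.

```powershell
# Added example: pull TPM owner info and BitLocker recovery passwords for a
# computer out of AD. Assumes the RSAT ActiveDirectory module and read rights
# on msTPM-OwnerInformation and the msFVE-RecoveryInformation objects.
Import-Module ActiveDirectory

function Get-TpmOwnerInformation {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    # Same attribute the page has you read in the Attribute Editor tab.
    $c = Get-ADComputer -Identity $ComputerName -Properties msTPM-OwnerInformation
    return $c.'msTPM-OwnerInformation'
}

function Export-TpmOwnerFile {
    param([Parameter(Mandatory=$true)][string]$ComputerName,
          [Parameter(Mandatory=$true)][string]$Path)
    $owner = Get-TpmOwnerInformation -ComputerName $ComputerName
    if (-not $owner) { throw "No msTPM-OwnerInformation stored in AD for $ComputerName" }
    # Same XML the page shows, with the AD value in place of the "....." placeholder.
    $xml = "<?xml version=`"1.0`" encoding=`"UTF-8`"?>`r`n<ownerAuth>$owner</ownerAuth>"
    # Written without a BOM so the file matches what a plain text editor would produce.
    [System.IO.File]::WriteAllText($Path, $xml, (New-Object System.Text.UTF8Encoding($false)))
    return $Path
}

function Get-BitLockerRecoveryInfo {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName
    # Each recovery password is stored as a child object of the computer account,
    # which is what the BitLocker tab in ADUC displays.
    Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated |
      ForEach-Object {
        New-Object PSObject -Property @{
            Computer         = $ComputerName
            Created          = $_.whenCreated
            # The first 8 hex digits of this GUID match the "Password ID" shown on the
            # BitLocker recovery screen, which is how you pick the right entry.
            RecoveryGuid     = New-Object System.Guid -ArgumentList (,[byte[]]$_.'msFVE-RecoveryGuid')
            VolumeGuid       = New-Object System.Guid -ArgumentList (,[byte[]]$_.'msFVE-VolumeGuid')
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
      }
}

# Usage (WS01 is a constructed sample computer name):
# Get-BitLockerRecoveryInfo -ComputerName 'WS01' | Format-List
# Export-TpmOwnerFile -ComputerName 'WS01' -Path 'C:\Temp\WS01.tpm'
```

The GUID cast uses `New-Object System.Guid` with the comma-array trick because AD returns msFVE-RecoveryGuid as a byte array; the resulting .tpm file is what tpm.msc asks for when you choose ‘Change Owner Password’ and supply the current password file.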