January 25, 2013

TPM and BitLocker passwords in Active Directory

The process of configuring and save Windows 7 (and 8?) TPM and BitLocker passwords to Active Directory (2008 R2) is multi-stepped.  First Active Directory and Group Policy need to be configured, then the clients needs to be setup, and you need to know how recover the passwords from Active Directory.  Generally I use this TechNet article as a guide with a few important notes added here.

Active Directory & Group Policy Setup
  • The Add-TPMSelfWriteACE.vbs script needs to be modified to reflect the correct GUIDs listed in the "TPM and FVE scheme object GUID's" mid-way through the script.  You can locate the GUIDs by using ADSIEdit and change the Action --> Settings --> Select a well known Naming Context: Schema.  From here you can look at the properties for the particular items to find the objectGUID.
  •  After executing the Add-TPMSelfWriteACE.vbs the permission for the computers to write to the Active Directory attribute needs to be completed.  This needs to be done before enabling TPM on any client or the passwords won't save.  Follow the information on this TechNet blog.  Failure to do this will result in an "Access is Denied. Error 0x80070005" when initializing TPM.
  • Follow the original TechNet article for setting Group Policy.
Enable TPM and BitLocker
I used the "Sample test scenario with Windows 7" from the same TechNet article as a reference instead of a step-by-step guide.  It is handy for verifying permissions are configured correctly, but I had trouble with some of the scripts so it was messy.  Plus, it's not a day-by-day guide for setting up several computers.

     TPM
  1. Add the Computer to AD and make sure Group Policy is applied (gpupdate.exe & gpresult.exe /SCOPE Computer /R).  Current user needs admin rights for the entire process.
  2. tpm.msc (or Control Panel > BitLocker Drive Encryption > TPM Administration)
  3. Click either 'Initialize TPM' or 'Change Owner Password.  Note: To change the password, you need the old one.
  4. If 'Initialize', shutdown when prompted, then upon booting acknowledge/allow the BIOS notice regarding TPM.  If  'Change', provide the current password file (if in AD, see Recovery below).
  5. Log in with the same account to continue the TPM process.  You can verify the TPM Owner Password is saved to AD by using the Recovery section below.
     BitLocker via Line Command
  1. This command will being the process for the C drive, repeat for others.  Run using an Elevated Prompt (run as Administrator):          manage-bde -on C: -RecoveryPassword
  2. Reboot, then run the following to see the encryption process status:          manage-bde -status
     BitLocker via GUI
  1. Control Panel > System and Security > BitLocker Drive Encyrption
  2. Click 'Turn on BitLocker' for the desired drives and follow any prompts.
BitLocker and Updates to BIOS, Hardware, or Startup Files (e.g. OS Upgrades)
See: this article on suspending BitLocker protection before applying certain kinds of updates.  The process involves suspending protection and then resuming protection once updates are complete.

Recovery
     TPM (reference: technet blog)
  1. Active Directory Users and Computers > enable 'Advnaced Features' in View.
  2. Open Properties on the desired computer, then the 'Attribute Editor' tab.
  3. Locate the attribute 'msTPM-OwnerInformation' and note the value.
  4. Enter the following into a text editor (such as notepad), but replace the "....." with the value found in AD.  Save the file with a .tpm extension at a location accessible by the computer.
    <?xml version="1.0" encoding="UTF-8"?>
    <ownerAuth>.....</ownerAuth>

     BitLocker
  1. Open Active Directory Users and Computers
  2. Open Properties on the desired computer, then the BitLocker tab.
  3. The BitLocker Recovery Password is in the details section.