A tech recently came to me with a problem resetting the TPM lockout count on a laptop. It wouldn't accept the TPM owner password that we normally use. I tried it myself, and then tested on another recently imaged computer, and verified that both of them rejected the password that I knew it should be. (I understand that Win7 and Win8 store the TPM info differently. Most of our workstations run Win7, but I checked both to be safe.)
At one point, years ago, I had followed the doc and used the MS-provided scripts to enable TPM owner password backup to AD. It was working at the time, but apparently somewhere along the way, it stopped. I checked a handful of computers in AD that SHOULD have had the TPM owner info listed, and they don't. (The BitLocker recovery info is still being backed up to AD - that one gets used more regularly, so we would have noticed right away if it wasn't working.) I'm going through the various settings now and trying to figure out why our TPM owner password isn't working, and why it's not backing up to AD.

The trouble is, I started this TS years ago with an MDT task sequence for Windows 7, and eventually migrated to SCCM, then updated the TS to use the Pre-Provision BitLocker option that came with the newer WinPE, etc. It's hard to say where in there the TPM backup was broken...

Here's how it's set currently / what I've checked so far:

- The GPO for "Turn on TPM backup to Active Directory Domain Services" is set.
- My OSD task sequence uses the Pre-provision BitLocker step, and later the "Enable BitLocker" step. (The Enable BitLocker step I'm using is the SCCM one, not the MDT version. I don't recall why I had to disable the MDT version and add the SCCM version at this point.)
- There is no step in the task sequence that specifically sets the TPM password. Should there be? Or is that handled by the BitLocker steps?
- My "Notebooks" collection has these collection variables:
  - BDEDriveLetter
  - BDEDriveSize
  - BDEInstall
  - BDEInstallSuppress
  - BDEKeyLocation
  - BDEPin
  - BDERecoveryKey
  - BDERecoveryPassword
  - OSDBitlockerMode
  - TPMOwnerPassword

As far as I know, the TPM Owner password variable hasn't been changed, but I'll go ahead and reset it to what I think it should be just in case.

What am I missing, or what do I have mis-configured here? Any suggestions?
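As an added check (example code, not from the original post or from Microsoft's scripts), this PowerShell snippet reports the local TPM owner/lockout state and then looks in AD for the owner information in both places Windows can escrow it, so a missing backup is confirmed per machine rather than inferred from the BitLocker recovery objects. It assumes an elevated prompt on a domain-joined machine, the RSAT ActiveDirectory module, read access to the confidential msTPM-OwnerInformation attribute (Domain Admins by default), and a placeholder computer name.

```powershell
# Added example, not the original poster's or Microsoft's code.
# Assumptions: elevated PowerShell, RSAT ActiveDirectory module installed, the
# running account may read msTPM-OwnerInformation (a confidential attribute),
# and the computer name below is a placeholder.
$computerName = 'LAPTOP-PLACEHOLDER'   # placeholder, not a name from the post

# 1. Local TPM state. Get-Tpm exists on Windows 8 / Server 2012 and later;
#    on Windows 7 fall back to the Win32_Tpm WMI class.
if (Get-Command Get-Tpm -ErrorAction SilentlyContinue) {
    $tpm = Get-Tpm
    [pscustomobject]@{
        Owned        = $tpm.TpmOwned
        LockedOut    = $tpm.LockedOut
        LockoutCount = $tpm.LockoutCount
        LockoutMax   = $tpm.LockoutMax
    }
} else {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    [pscustomobject]@{
        Owned     = $tpm.IsOwned().IsOwned
        Enabled   = $tpm.IsEnabled().IsEnabled
        Activated = $tpm.IsActivated().IsActivated
    }
}

# 2. AD side. Windows 7 writes the owner hash to msTPM-OwnerInformation on the
#    computer object itself. Windows 8+ creates an object under CN=TPM Devices
#    and links it from the computer's msTPM-TpmInformationForComputer attribute
#    (this needs the Server 2012 schema and the self-write ACE on computers).
Import-Module ActiveDirectory
$comp = Get-ADComputer -Identity $computerName `
    -Properties 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer'

if ($comp.'msTPM-OwnerInformation') {
    "Win7-style owner information present on the computer object"
}
elseif ($comp.'msTPM-TpmInformationForComputer') {
    $tpmObj = Get-ADObject -Identity $comp.'msTPM-TpmInformationForComputer' `
        -Properties 'msTPM-OwnerInformation'
    if ($tpmObj.'msTPM-OwnerInformation') { "Win8-style TPM Devices object present" }
    else { "TPM Devices object is linked but its owner information is empty" }
}
else {
    "No TPM owner information backed up in AD for $computerName"
}
```

Run the local half on an affected laptop and the AD half from an admin workstation; if the TPM reports owned but AD has nothing for that object, the escrow step is what broke, not the ownership itself.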
