Thanks, I'll give that a shot.

On Fri, Apr 17, 2015 at 11:54 AM, Niall Brady <[email protected]> wrote:

> You can take ownership of the TPM password prior to pre-prov, it works
> just fine using this script and step. I've a version of this file to take
> variables so that you can define the password in the task sequence also.
>
> [image: Inline image 1]
>
> On Fri, Apr 17, 2015 at 6:32 PM, <[email protected]> wrote:
>
>> It broke when you started pre-provisioning.
>>
>> Since the TPM password is set while in WinPE, there is no way to back
>> it up.
>> It's one of the things you give up when you pre-provision.
>>
>> Sent from Windows Mail
>>
>> *From:* Steve Whitcher <[email protected]>
>> *Sent:* Friday, April 17, 2015 11:56 AM
>> *To:* [email protected]
>>
>> A tech recently came to me with a problem resetting the TPM lockout
>> count on a laptop. It wouldn't accept the TPM owner password that we
>> normally use. I tried it myself, and then tested on another recently imaged
>> computer, and verified that both of them rejected the password that I knew
>> it should be. (I understand that Win7 and Win8 store the TPM info
>> differently. Most of our workstations run Win7, but I checked both to be
>> safe.)
>>
>> At one point, years ago, I had followed the doc and used the MS provided
>> scripts to enable TPM owner password backup to AD. It was working at the
>> time, but apparently somewhere along the way, it stopped. I checked a
>> handful of computers in AD that SHOULD have had the TPM owner info listed,
>> and don't. (The BitLocker recovery info is still being backed up to AD;
>> that one gets used more regularly, so we would have noticed right away if
>> it wasn't working.)
>>
>> I'm going through the various settings now and trying to figure out why
>> our TPM owner password isn't working, and why it's not backing up to AD.
>> The trouble is, I started this TS years ago with an MDT task sequence for
>> Windows 7, and eventually migrated to SCCM, then updated the TS to use the
>> Pre-Provision BitLocker option that came with the newer WinPE, etc. It's
>> hard to say where in there the TPM backup was broken...
>>
>> Here's how it's set currently / what I've checked so far:
>>
>> The GPO for "Turn on TPM backup to Active Directory Domain Services" is
>> set.
>>
>> My OSD task sequence uses the Pre-provision BitLocker step, and later
>> the "Enable BitLocker" step. (The Enable BitLocker step I'm using is the
>> SCCM one, not the MDT version. I don't recall why I had to disable the MDT
>> version and add the SCCM version at this point.)
>>
>> There is no step in the task sequence that specifically sets the TPM
>> password. Should there be? Or is that handled by the BitLocker steps?
>>
>> My "Notebooks" collection has these collection variables:
>>
>> - BDEDriveLetter
>> - BDEDriveSize
>> - BDEInstall
>> - BDEInstallSuppress
>> - BDEKeyLocation
>> - BDEPin
>> - BDERecoveryKey
>> - BDERecoveryPassword
>> - OSDBitlockerMode
>> - TPMOwnerPassword
>>
>> As far as I know, the TPM Owner password variable hasn't been changed,
>> but I'll go ahead and re-set it to what I think it should be just in case.
>>
>> What am I missing, or what do I have misconfigured here? Any
>> suggestions?
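The thread above boils down to three facts that have to line up: the TPM is already owned (taken in WinPE by the pre-provision step), the AD backup policy is applied on the client, and the computer object in AD actually carries the escrowed owner information. The following PowerShell check is an added example for this thread; it is not Niall's script, not the Microsoft-provided backup scripts, and not anything from the original messages. It assumes an elevated session on a domain-joined client with the RSAT ActiveDirectory module, falls back to the `Win32_Tpm` WMI class on Windows 7 where `Get-Tpm` does not exist, and reads the two registry values the "Turn on TPM backup to Active Directory Domain Services" policy writes (`ActiveDirectoryBackup`, `RequireActiveDirectoryBackup`, an assumption to verify against your own GPO report). The AD attribute names (`msTPM-OwnerInformation` for the Windows 7 era schema, `msTPM-TpmInformationForComputer` for the Windows 8 era schema) reflect the "Win7 and Win8 store the TPM info differently" point in Steve's message.

```powershell
# Added diagnostic (not from the thread): report local TPM ownership state,
# whether the TPM AD backup policy is applied, and whether AD holds owner info.
# Assumptions: elevated, domain-joined, RSAT ActiveDirectory module available.
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

$report = [ordered]@{}

# 1. Local TPM state. Get-Tpm exists on Windows 8 / Server 2012 and later;
#    on Windows 7 fall back to the Win32_Tpm WMI class.
if (Get-Command Get-Tpm -ErrorAction SilentlyContinue) {
    $tpm = Get-Tpm
    $report.TpmPresent   = $tpm.TpmPresent
    $report.TpmReady     = $tpm.TpmReady
    $report.TpmOwned     = $tpm.TpmOwned
    $report.LockoutCount = $tpm.LockoutCount   # the counter the tech was trying to reset
} else {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($null -eq $tpm) {
        $report.TpmPresent = $false
    } else {
        $report.TpmPresent   = $true
        $report.TpmEnabled   = $tpm.IsEnabled().IsEnabled
        $report.TpmActivated = $tpm.IsActivated().IsActivated
        $report.TpmOwned     = $tpm.IsOwned().IsOwned
    }
}

# 2. Is the AD backup policy actually applied on this machine?
#    Value names are an assumption; confirm with gpresult /h on your client.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$report.PolicyAdBackup        = [bool]$policy.ActiveDirectoryBackup
$report.PolicyRequireAdBackup = [bool]$policy.RequireActiveDirectoryBackup

# 3. Does the AD computer object carry TPM owner information?
#    Windows 7 / 2008 R2 schema: msTPM-OwnerInformation on the computer object.
#    Windows 8 / 2012 schema: msTPM-TpmInformationForComputer links to an
#    object in the TPM Devices container.
Import-Module ActiveDirectory
$adComputer = Get-ADComputer -Identity $ComputerName `
    -Properties 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer'
$report.AdOwnerInfoPresent = -not [string]::IsNullOrEmpty($adComputer.'msTPM-OwnerInformation')
$report.AdTpmObjectLinked  = -not [string]::IsNullOrEmpty($adComputer.'msTPM-TpmInformationForComputer')

# 4. Interpret. Owned TPM + policy on + nothing in AD is exactly the symptom
#    described in the thread: ownership was taken in WinPE, before the
#    domain-joined OS had a chance to escrow the owner password.
if ($report.TpmOwned -and $report.PolicyAdBackup -and
    -not ($report.AdOwnerInfoPresent -or $report.AdTpmObjectLinked)) {
    $report.Diagnosis = 'TPM owned, backup policy on, but no owner info in AD: escrow never happened.'
} elseif (-not $report.PolicyAdBackup) {
    $report.Diagnosis = 'AD backup policy is not applied on this client.'
} else {
    $report.Diagnosis = 'Owner info is escrowed in AD (or the TPM is not owned yet).'
}

[pscustomobject]$report | Format-List
```

Run it once on a machine imaged before pre-provisioning was added and once on a recently imaged one; if the first shows `AdOwnerInfoPresent : True` and the second shows the "escrow never happened" diagnosis, the task sequence change is confirmed as the point where backup stopped, which is the question the thread is trying to settle.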
