TPM password not found in MBAM database

10-11  Source: Network gathering  Views:16 

There are other threads I have read through and did some troubleshooting, but I'm still stuck with this: how to get the TPM password into the MBAM database. Another question is, do I really need it? Isn't the recovery key enough?
My situation is this:
1. Computers are encrypted during the Task Sequence and the MBAM client is installed.
2. During first logon the MBAM client prompts for a PIN and encryption is complete.
3. The BitLocker recovery key is found in the MBAM Admin web page, but not the TPM password.
What I tried to do:
- There is no Group Policy for controlling the TPM password.
- I'm a member of the MBAM Admin group and Helpdesk groups.
- If I clear and initialize the TPM from its mgmt console, there is no activity from the MBAM client, and the TPM password still does not go to the DB.
- I have checked from SQL mgmt studio that the TPM hash is NULL.
- I tried to use the TPM-EK vbs script before and after encryption; there is no effect.
So how do I get the TPM password into the DB? Especially, I'm interested in the scenario where the computer is already encrypted.
MBAM has to own the TPM to store the password. During a task sequence, follow the steps below. The steps assume pre-provisioning, but the concept is the same even if you don't use it.

If the machine is already encrypted and you want MBAM to store the password, you will have to clear the TPM and reboot. Note that this requires physical presence: someone will have to hit F1 in the preboot screen. See below for info on how to clear it via PowerShell.

The reason you want the TPM OwnerAuth password is that if a user types their PIN too many times in preboot, the TPM may put the machine into BitLocker Recovery and lock itself for some period of time (depends on manufacturer). To unlock it faster after you have supplied the BitLocker Recovery Password and are in the OS, you have to go to tpm.msc and choose Reset TPM Lockout, supplying the TPM Owner Auth password. If MBAM stores it, you can get this info from the Helpdesk portal.
To configure MBAM to own the TPM and store OwnerAuth passwords:
1. On the client computer, open an elevated Windows PowerShell command prompt.
2. Type the following Windows PowerShell commands (command, then what it does):
   $tpm = Get-WmiObject -Class Win32_Tpm -Namespace root\cimv2\security\microsofttpm
       Gets an instance of the TPM WMI class.
   $tpm.DisableAutoProvisioning()
       Disables TPM auto-provisioning.
   $tpm.SetPhysicalPresenceRequest(22)
       Clears the TPM (queues a physical-presence clear request).
3. Restart the computer, and then confirm that you want to clear the TPM.
For the task sequence to get MBAM to own it out of the box, do the following:
1. Capture and sysprep a WIM as you normally would.
2. Mount the captured WIM using
   dism /mount-wim /wimfile:C:\WimImages\Win7.wim /index:1 /mountdir:C:\AIKMount
3. Load the WIM registry:
   reg load HKLM\WimRegistry c:\AIKMount\windows\system32\config\system
4. Open regedit, browse to hklm\WimRegistry\system\controlset001\services\TPM\WMI and add the two reg keys that Jim mentioned:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tpm\WMI: NoAutoProvision [REG_DWORD]
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tpm\WMI: NoDisableOwnerClear [REG_DWORD]
5. Close regedit.
6. Unload the WIM registry:
   reg unload HKLM\WimRegistry
7. Commit changes to the WIM and unmount:
   dism /unmount-wim /mountdir:C:\AIKMount /commit
8. Went to MDT 2012 Update 1 and my deployment share.
9. Edited the ZTIBDE.wsf script in MDT to tell it not to take ownership of the TPM. In that script, replace the TpmValidate function with what I have below (I just commented out the SetTpmOwner lines):
Function TpmValidate ()
    Dim iRetVal, sCmd, sTpmOwnerPassword
    iRetVal = Success

    '// Set oTpm to valid instance
    iRetVal = GetTpmInstance()
    TestAndFail iRetVal, 6734, "Get TPM Instance"

    '// Set global booleans for TPM state. Error bubble handled by subs
    iRetVal = GetTpmEnabled()
    TestAndFail iRetVal, 6735, "Check to see if TPM is enabled"
    iRetVal = GetTpmActivated()
    TestAndFail iRetVal, 6736, "Check to see if TPM is activated"
    iRetVal = GetTpmOwner()
    TestAndFail iRetVal, 6737, "Check to see if TPM is owned"
    iRetVal = GetTpmOwnershipAllowed()
    TestAndFail iRetVal, 6738, "Check to see if TPM Ownership is allowed"
    iRetVal = GetEndorsementKeyPairPresent()

    oLogging.CreateEntry "TpmEnabled: " & bTpmEnabled, LogTypeInfo
    oLogging.CreateEntry "TpmActivated: " & bTpmActivated, LogTypeInfo
    oLogging.CreateEntry "TpmOwned: " & bTpmOwned, LogTypeInfo
    oLogging.CreateEntry "TpmOwnershipAllowed: " & bTpmOwnershipAllowed, LogTypeInfo
    oLogging.CreateEntry "EndorsementKeyPairPresent: " & bEndorsementKeyPairPresent, LogTypeInfo

    '// Single instance check to allow future corrective action branching.
    TestAndFail bTPMEnabled, 6739, "Check to see if TPM is enabled"
    TestAndFail bTPMActivated, 6740, "Check to see if TPM is activated"
    TestAndFail bTpmOwned or bTpmOwnershipAllowed, 6741, "Check to see if TPM is owned and ownership is allowed"

    '// SetTpmOwner calls are commented out so that MDT leaves the TPM unowned
    '// and the MBAM client takes ownership (and escrows OwnerAuth) instead.
    If bTpmOwned <> True AND bTpmOwnershipAllowed = True Then
        If oEnvironment.Item("TpmOwnerPassword") <> "" Then
            oLogging.CreateEntry "TPM Ownership being initiated.", LogTypeInfo
            'iRetVal = SetTpmOwner(oEnvironment.Item("TpmOwnerPassword"))
            TestAndFail iRetVal, 6741, "TPM Owner Password set"
        ElseIf oEnvironment.Item("AdminPassword") <> "" Then
            oLogging.CreateEntry "TPM Ownership being initiated with AdminPassword (not TpmOwnerPassword).", LogTypeInfo
            'iRetVal = SetTpmOwner(oEnvironment.Item("AdminPassword"))
            TestAndFail iRetVal, 6742, "TPM Owner Password set to AdminPassword"
        Else
            oLogging.CreateEntry "TPM Ownership being initiated with Default Password (not TpmOwnerPassword).", LogTypeInfo
            'iRetVal = SetTpmOwner("M0nksH00d!4T3al")
            TestAndFail iRetVal, 6743, "Set TPM Owner Password to value"
        End If
    End If

    TpmValidate = Success
End Function
10. Grab the StartMBAMEncryption.wsf script from here and edit out those same lines as above.
11. Added the following files to an MDT application. Set the app to run
    cscript.exe startmbamencryption.wsf /MBAMServiceEndPoint:http://<yourmbamserver>/MBAMRecoveryAndHardwareService/CoreService.svc
12. Added the MBAM agent installer as an application.
13. Added the MBAM agent to the task sequence.
14. Added the Start MBAM Encryption app to the task sequence.
15. Set OSDBitLockerMode=TPM and IsBDE=True in customsettings.ini.
16. Made sure this was a bare metal machine where the TPM was clear (for testing, you can clear it from the BIOS, just make sure it is activated).
17. Ran the TS on the box.
Result: BitLocker was pre-provisioned and activated, and MBAM took ownership of the TPM, which escrowed the OwnerAuth info to MBAM.
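Scripted form of the answer's two procedures (the PowerShell clear for an already-encrypted machine, and the dism/reg edits for a captured WIM), added here as an example and not code from the thread. It assumes an elevated Windows PowerShell 5.x session on Windows 8 or later with the DISM module; the WIM path, index and mount directory are the answer's sample values, and the function names are mine.

```powershell
$TpmNs = 'root\cimv2\security\microsofttpm'   # same WMI namespace the answer uses
function Set-NoAutoProvision {
    # Writes the two DWORDs the answer names so Windows neither auto-owns the TPM nor
    # blocks owner clear, leaving ownership (and OwnerAuth escrow) to the MBAM client.
    # $Root: 'SYSTEM\CurrentControlSet' on the live OS, or the control set of a loaded hive.
    param([string]$Root = 'SYSTEM\CurrentControlSet')
    $path = "Registry::HKEY_LOCAL_MACHINE\$Root\Services\TPM\WMI"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    foreach ($name in 'NoAutoProvision', 'NoDisableOwnerClear') {
        New-ItemProperty -Path $path -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    }
}
function Get-TpmOwnershipState {
    # Owned=True on an already-encrypted machine means Windows (not MBAM) owns the TPM,
    # which is why the TPM hash column in the MBAM database stays NULL.
    $tpm = Get-WmiObject -Class Win32_Tpm -Namespace $TpmNs
    [pscustomobject]@{
        Enabled            = $tpm.IsEnabled().IsEnabled
        Activated          = $tpm.IsActivated().IsActivated
        Owned              = $tpm.IsOwned().IsOwned
        OwnerClearDisabled = $tpm.IsOwnerClearDisabled().IsOwnerClearDisabled
    }
}
function Request-TpmClearForMbam {
    # Already-encrypted machine: set policy, stop auto-provisioning, queue the
    # physical-presence clear (22). The next boot needs someone at the keyboard and,
    # unless BitLocker was suspended first, the BitLocker recovery password from MBAM.
    Set-NoAutoProvision
    $tpm = Get-WmiObject -Class Win32_Tpm -Namespace $TpmNs
    $tpm.DisableAutoProvisioning() | Out-Null
    $r = $tpm.SetPhysicalPresenceRequest(22)
    if ($r.ReturnValue -ne 0) { throw "SetPhysicalPresenceRequest(22) returned $($r.ReturnValue)" }
    Write-Warning 'Restart and confirm the clear at the pre-boot prompt.'
}
function Add-NoAutoProvisionToWim {
    # Offline form of the answer's dism/reg steps. A loaded SYSTEM hive exposes ControlSet001
    # directly under the mount name; [gc]::Collect() releases PowerShell's registry handles first.
    param([string]$WimFile = 'C:\WimImages\Win7.wim', [int]$Index = 1, [string]$MountDir = 'C:\AIKMount')
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $WimFile -Index $Index -Path $MountDir | Out-Null
    try {
        reg.exe load HKLM\WimRegistry "$MountDir\Windows\System32\config\SYSTEM" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg load failed' }
        try { Set-NoAutoProvision -Root 'WimRegistry\ControlSet001' }
        finally { [gc]::Collect(); reg.exe unload HKLM\WimRegistry | Out-Null }
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    } catch { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null; throw }
}
```

Run Get-TpmOwnershipState before and after the reboot: once the MBAM client has taken ownership, Owned flips back to True and the TPM hash should appear in the database.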