cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Windows 10 SCCM OSD TMP Bitlocker Backup

Joseph Perry
Copper Contributor

‎Jun 08 2017 09:14 AM

‎Jun 08 2017 09:14 AM

Windows 10 SCCM OSD TMP Bitlocker Backup

What is the recomended process to ensure both the TPM and Bitlocker keys are backed up. I know AD backup was recently disabled for TPM keys in windows 10. MBAM requires a licensed SQL database, which isn't ideal.

Is there a process to do this as part of the OSD task sequence in SCCM?

Joseph

1,831 Views
1 Like
3 Replies
Reply
3 Replies
Samesh Singh

‎Jun 08 2017 09:35 AM

‎Jun 08 2017 09:35 AM

Re: Windows 10 SCCM OSD TMP Bitlocker Backup

If you are deploying Windows 10 1607, the TPM owner password does not need to be backed up. The TPM owner password allowed the bearer of the password to take ownership. In Windows 10 1607, only Windows 10 has the ownership of the TPM, which occurs during the installation, and then the ownership cannot be changed for the duration of the installation.
0 Likes
Reply
Joseph Perry

‎Jun 08 2017 09:49 AM

‎Jun 08 2017 09:49 AM

Re: Windows 10 SCCM OSD TMP Bitlocker Backup

I had a manufacturer issue with the TPM module on a dell latitude E5270, where the TPM module refused to unlock or reset without the TPM owner password. It locked because of "too many failed password attempts". It took over a week for the lock to timeout, in the mean time we had to disable bitlocker on the unit.

 

We support a lot of remote users, and reseting the tpm owner (which requires interaction on boot) isn't ideal. Having the TPM key has been usefull.

As a side question: I'm curious how automatically taking ownership of a tpm would effect dual booting.

0 Likes
Reply
Samesh Singh

‎Jun 08 2017 09:54 AM

‎Jun 08 2017 09:54 AM

Re: Windows 10 SCCM OSD TMP Bitlocker Backup

It sounds like there is a requirements for physical presence on your device. You may want to check with the manufacturer on their guidance and firmware scripting to help with the remote users. With regards to dual booting, it isn't related to that, instead we used it to switch the TPM owner between the OS and MBAM, if MBAM is used.
0 Likes
Reply