Windows 10 SCCM OSD TMP Bitlocker Backup

What is the recommended process to ensure both the TPM and BitLocker keys are backed up? I know AD backup was recently disabled for TPM keys in Windows 10. MBAM requires a licensed SQL database, which isn't ideal.

Is there a process to do this as part of the OSD task sequence in SCCM?

Joseph

3 Replies
If you are deploying Windows 10 1607, the TPM owner password does not need to be backed up. The TPM owner password allowed the bearer of the password to take ownership. In Windows 10 1607, only Windows 10 has the ownership of the TPM, which occurs during the installation, and then the ownership cannot be changed for the duration of the installation.
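The reply above settles the TPM half for Windows 10 1607 and later: there is no owner password left to escrow. The BitLocker recovery password, however, still has to be backed up explicitly. The script below is an added example, not code from this thread or from Microsoft; it is written for a "Run PowerShell Script" step placed after "Enable BitLocker" and after domain join in an SCCM OSD task sequence, when the full OS (not WinPE) is running. It assumes the Group Policy setting that allows storing BitLocker recovery information in AD DS is applied to the machine; without it the backup cmdlet is refused with a policy error. The optional verification at the end assumes the ActiveDirectory RSAT module is present and is skipped otherwise.

```powershell
# Added example: escrow every recovery-password protector on the OS drive to AD DS.
# Assumptions: runs as local admin (SYSTEM under the task sequence), machine is
# domain-joined, and the "Store BitLocker recovery information in AD DS" policy applies.

$MountPoint = $env:SystemDrive   # normally "C:"

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Warning "BitLocker is not enabled on $MountPoint; nothing to back up."
    exit 1
}

# Only a numerical recovery password can be escrowed; a TPM protector cannot.
# Add one if the Enable BitLocker step did not create it.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

$failed = 0
foreach ($kp in $recovery) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Output "Escrowed recovery protector $($kp.KeyProtectorId) to AD DS"
    } catch {
        # Typical causes: policy not applied, no DC reachable, schema/permissions missing.
        Write-Warning "Backup of $($kp.KeyProtectorId) failed: $($_.Exception.Message)"
        $failed++
    }
}

# Optional check: count the msFVE-RecoveryInformation objects under the computer object.
# Reading the password attribute itself needs delegated rights; counting does not.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    try {
        $computer = Get-ADComputer -Identity $env:COMPUTERNAME -ErrorAction Stop
        $stored = @(Get-ADObject -SearchBase $computer.DistinguishedName `
            -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -ErrorAction Stop)
        Write-Output "$($stored.Count) recovery object(s) stored for $env:COMPUTERNAME"
        if ($stored.Count -lt @($recovery).Count) { $failed++ }
    } catch {
        Write-Warning "AD verification skipped: $($_.Exception.Message)"
    }
}

# Non-zero exit makes the task sequence step fail, so an unescrowed key is visible in
# smsts.log rather than silently shipped with the device.
exit $failed
```

The step should run after the computer account exists in AD and before the device leaves the build network, because escrow needs a reachable domain controller. Failing the step on any unescrowed protector is deliberate: a device with BitLocker enabled but no stored recovery password is exactly the case the original question is trying to avoid.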

I had a manufacturer issue with the TPM module on a Dell Latitude E5270, where the TPM module refused to unlock or reset without the TPM owner password. It locked because of "too many failed password attempts". It took over a week for the lock to time out; in the meantime we had to disable BitLocker on the unit.

We support a lot of remote users, and resetting the TPM owner (which requires interaction on boot) isn't ideal. Having the TPM key has been useful.

As a side question: I'm curious how automatically taking ownership of a TPM would affect dual booting.

It sounds like there is a requirement for physical presence on your device. You may want to check with the manufacturer on their guidance and firmware scripting to help with the remote users. With regards to dual booting, it isn't related to that; instead, we used it to switch the TPM owner between the OS and MBAM, if MBAM is used.