TPM info not importing to new MBAM production environment from test MBAM environment
At work we are moving from a test environment to a production environment of MBAM. Reading forum posts in multiple places says that if we get the new group policy on the machine that is pointing to the new environment, it should import the keys. This is partly true. While it does import the drive recovery keys into the new prod environment, it does not import the TPM owner information. Is there a way to get the TPM info into our new production environment? I do realize that we could do it by decrypting and re-encrypting all the machines, but we are trying to avoid that if at all possible.
March 9th, 2012 3:44pm

Hi,

I have found some threads for your reference:

http://social.technet.microsoft.com/Forums/en-IE/w7itprosecurity/thread/d758604d-8bad-4fa8-975f-db446f6d11de
http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/307f1aaa-6b1a-4de5-9d29-eda1e91c954a

It seems that TPM hash information is only captured when we initialize the TPM for the first time on the machine. If you want this information in MBAM, you need to suspend BitLocker and clear the TPM from the TPM management console. After this, MBAM will prompt you to initialize the TPM, and then you can see the info under Manage TPM in the MBAM console. If your drive is already encrypted, make sure you have the 48-digit recovery password handy in case you are prompted to key it in.

Note: You are not supposed to initialize the TPM manually by using the TPM Management console. MBAM will prompt you to start encryption, and once you hit that it will initialize the TPM and tell you to reboot the machine.

Hope this helps.

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 13th, 2012 9:41pm

Adding to Jeremy_Wu's answer: if you hit an error while MBAM is initializing the TPM, you can check KB 2640178, "MBAM fails to take ownership of TPM": http://support.microsoft.com/kb/2640178

I hope this helps.

Manoj Sehgal
March 15th, 2012 5:59am


> I think we should turn on the TPM first. Thanks, Zero

I initialized the TPM and did the restart, accepted permission for the OS ownership and let it boot into Windows. I cancelled the "Create password" prompt, and now my TPM is "TPM is on and ownership has not been taken". I have forced it to check in, and MBAM does not come up asking to re-encrypt. I really wanted to move the people we have already encrypted in our test environment over to production without decrypting, but it seems it may not work. Any other ideas? :)
March 16th, 2012 9:02am

> Hi, I have found some threads for your reference.
> http://social.technet.microsoft.com/Forums/en-IE/w7itprosecurity/thread/d758604d-8bad-4fa8-975f-db446f6d11de
> http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/307f1aaa-6b1a-4de5-9d29-eda1e91c954a
> It seems that TPM hash information is only captured when we initialize the TPM for the first time on the machine. If you want this information in MBAM, you need to suspend BitLocker and clear the TPM from the TPM management console. After this, MBAM will prompt you to initialize the TPM, and then you can see the info under Manage TPM in the MBAM console. If your drive is already encrypted, make sure you have the 48-digit recovery password handy in case you are prompted to key it in.
> Note: You are not supposed to initialize the TPM manually by using the TPM Management console. MBAM will prompt you to start encryption, and once you hit that it will initialize the TPM and tell you to reboot the machine.
> Hope this helps.

I have done what you said in this post, but MBAM never comes back up asking to start encryption again after being suspended. When I try to resume protection to see if that will help, I get an error message: "Wizard initialization failed. You must initialize the Trusted Platform Module (TPM) before you can use Bitlocker Drive Encryption." Is there a point at which I should be resuming to get this to work properly? The status of the TPM right now is "TPM is off and ownership has not been taken." The machine is checking into MBAM just fine, as I have a script written to do a check-in manually and I can see it checked in on the SQL server and in the MBAM console.

@manojsehgal: I also tried the VBS you referred me to, and that hasn't helped either.

Do you think part of the reason it doesn't work is the fact that BitLocker is suspended, and in order to resume, the TPM must be initialized, and in order for the TPM to be initialized by MBAM it needs to be resumed? Am I stuck in a loop? At this point I am not sure what to do, so any help would be great. Thanks guys, I appreciate your help.
March 16th, 2012 3:44pm
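One way to tell which of the states discussed in this thread a client is actually in (TPM on but not owned, volume encrypted but protection suspended), as an added diagnostic that is not from any of the posters: a PowerShell script reading the Win32_Tpm and Win32_EncryptableVolume WMI classes, which exist on Windows 7 and so need no newer cmdlets. It assumes an elevated prompt on the MBAM client and that the OS volume is the system drive.

```powershell
# Added diagnostic (not from the thread). Uses WMI classes present on Windows 7;
# no Get-Tpm / Get-BitLockerVolume cmdlets required. Run from an elevated prompt.

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { return $null }   # no TPM device visible to Windows
    New-Object PSObject -Property @{
        Enabled   = $tpm.IsEnabled().IsEnabled       # turned on in firmware
        Activated = $tpm.IsActivated().IsActivated   # usable by the OS
        Owned     = $tpm.IsOwned().IsOwned           # ownership has been taken
    }
}

function Get-OsVolumeState {
    # Assumption: the BitLocker OS volume is $env:SystemDrive (normally C:)
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'"
    if (-not $vol) { return $null }
    # ConversionStatus: 0 = fully decrypted, 1 = fully encrypted, 2 = encrypting, 3 = decrypting
    # ProtectionStatus: 0 = off (unencrypted OR suspended), 1 = on, 2 = unknown
    New-Object PSObject -Property @{
        ConversionStatus = $vol.GetConversionStatus().ConversionStatus
        ProtectionStatus = $vol.GetProtectionStatus().ProtectionStatus
    }
}

$tpm = Get-TpmState
$vol = Get-OsVolumeState

if ($tpm) { "TPM: Enabled=$($tpm.Enabled) Activated=$($tpm.Activated) Owned=$($tpm.Owned)" }
else      { 'No TPM device found' }
if ($vol) { "OS volume: ConversionStatus=$($vol.ConversionStatus) ProtectionStatus=$($vol.ProtectionStatus)" }

# Map the raw readings onto the states described in the thread.
if ($tpm -and $vol) {
    if ($tpm.Enabled -and $tpm.Activated -and -not $tpm.Owned) {
        'State: TPM is on and ownership has not been taken.'
    }
    if ($vol.ConversionStatus -eq 1 -and $vol.ProtectionStatus -eq 0) {
        'State: OS volume is fully encrypted but protection is off (BitLocker suspended).'
        if (-not $tpm.Owned) {
            'Resume will fail with the wizard error until an owner is set, and MBAM only takes ownership when it starts encryption.'
        }
    }
}
```

Run it before and after each step (suspend, clear TPM, reboot, forced check-in) so the transition, or the lack of one, is recorded rather than guessed from the MBAM console.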

I think we should turn on the TPM first.

Thanks, Zero
March 17th, 2012 4:24am

If you want MBAM to prompt to start encryption again for drives which are already encrypted, you need to decrypt them. At this time, this is the only way: MBAM will prompt to start encryption, and it will first initialize the TPM and then start encryption.

I hope this helps.

Manoj Sehgal
March 18th, 2012 9:20am
