Windows 7 BitLocker: TPM Initialization Failed - Access is Denied
I am getting our company ready for deploying BitLocker with Windows 7 and am having an issue with backing up TPM information to AD. The problem is that I am getting a message during TPM initialization stating "Cannot take ownership of the TPM", "Trusted Platform Module (TPM) Initialization failed", "Access is denied", "Error code: 0x80070005".

Here is our setup:
- Server 2003 functional level
- Server 2003 with SP2 DCs and Server 2008 DCs
- Group policy applied to the OU, set from a Server 2008 DC. The policy mandates TPM backup.

Here are the steps we've taken thus far:
- Verified that the attributes msTPM-OwnerInformation, ms-FVE-RecoveryInformation, ms-FVE-RecoveryPassword, ms-FVE-RecoveryGuid, ms-FVE-VolumeGuid, and ms-FVE-KeyPackage exist in the Schema container using ADSIEdit.msc.
- Ran the Add-TPMSelfWriteACE.vbs script to allow TPM recovery information to be backed up to AD. Used the List-ACEs.vbs script to verify the results of the Add-TPMSelfWriteACE.vbs command.

I have not run any schema extensions yet. Anyone have an idea as to what I can try next?

Update: My presumption is that the computer account object does not have permission to back up information to AD. During the TPM initialization process we received an access denied message. So we then gave the computer account full control on itself so that it can write every attribute to AD. Once we did this, the TPM initialization routine passed. However, when we tried to manually update the BitLocker recovery information to AD using the command manage-bde -protectors -adbackup C: -id <Recovery ID>, we received a message stating that "Group policy does not permit the storage of recovery information to Active Directory. The operation was not attempted." This sounds like a group policy issue. And to be clear here, we do not have a Server 2008 R2 DC yet.

So our only TPM and BitLocker group policy objects are created from a Server 2008 environment, which does not contain the new BitLocker settings for the Windows 7 platform. However, the group policy settings do state that they apply to any Vista or Server 2008 OS level and later. So this makes me think that these settings also apply to Windows 7 and Server 2008 R2. Clear as mud?

MCITP, MCTS Vista
August 28th, 2009 2:07am

I've done a little more testing and think I may have discovered what the issue is. I am able to reproduce two error messages with regard to initializing the TPM chip for BitLocker. One message states that the computer can't talk to Active Directory (TPM Initialization failed: directory services unavailable) and another where the computer doesn't have the correct permissions to back up to Active Directory (TPM Initialization Failed: access is denied).

I received the access is denied message when I attempted to initialize the TPM from the RTM media image. The issue here was that the computers in this OU did not inherit (for an unknown reason) the permission to write to the msTPM-OwnerInformation attribute, even though the Add-TPMSelfWriteACE.vbs script completed successfully. The solution for this case was to create a new OU, verify inheritance of the write permission on msTPM-OwnerInformation, and then initialize the TPM.

In the case of our corporate image, I received the directory services unavailable message. My coworker recommended that I uninstall all programs and test. Would you believe this worked! In backtracking the applications, I figured out that the Windows Live ID Sign In Assistant actually prohibited TPM initialization. When I uninstalled that application (actually, it's a Microsoft Update), the TPM initialization process fell in, and I was able to verify that the hash of the TPM owner password was saved to AD. Now it's time to dish out some BitLocker :-)

Update: The Office Live Add-In version 1.4 contains an application called the Windows Live ID Sign In Assistant (6.500.3146.0). When you have this application installed and make an attempt to initialize the TPM (so that the password hash backs up to Active Directory) you will receive a message stating "Cannot take ownership of the TPM. Trusted Platform Module (TPM) Initialization failed. The directory service is unavailable. Error code: 0x8007200f."

The fix is to uninstall this application, reboot, initialize the TPM, and verify that the TPM password hash now resides in the msTPM-OwnerInformation attribute of the computer account in Active Directory.

MCITP, MCTS Vista
September 21st, 2009 7:13pm
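The two posts above boil down to three things a client needs before TPM initialization and manage-bde -adbackup can succeed: the right policy values on the machine, a SELF ACE on the computer object (inherited from the OU) that permits writing msTPM-OwnerInformation and creating msFVE-RecoveryInformation children, and, afterwards, the owner hash actually present in AD. The script below is an added pre-flight check written for this page; it is not code from the thread or from Microsoft's Add-TPMSelfWriteACE.vbs/List-ACEs.vbs scripts. It assumes it is run in an elevated PowerShell 2.0 prompt on the domain-joined Windows 7 client, and it assumes the registry value names under HKLM\SOFTWARE\Policies\Microsoft\TPM and \FVE (the Vista-era ActiveDirectoryBackup value and the Windows 7 per-drive OSActiveDirectoryBackup value) match what the corresponding ADMX policies write; check them against your own templates if the output looks wrong.

```powershell
# Added example (editor's, not from the thread): pre-flight check for TPM / BitLocker
# AD backup on a domain-joined Windows 7 client. Run elevated, in PowerShell 2.0 or later.
# ASSUMPTION: the registry value names below are those written by the
# "Turn on TPM backup to AD DS" and BitLocker AD-backup group policies.

function Test-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null -and $item.$Name -eq 1) { "$Name = 1 (enabled)" } else { "$Name missing or 0" }
}

Write-Host '== Policy registry values on this client =='
Test-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' 'ActiveDirectoryBackup'
# Vista/2008-era BitLocker setting (one value for all drives) vs. the Windows 7 OS-drive value
Test-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' 'ActiveDirectoryBackup'
Test-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' 'OSActiveDirectoryBackup'

# Locate this machine's computer object via the default domain.
$schemaNc = ([ADSI]'LDAP://RootDSE').schemaNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$result = $searcher.FindOne()
if ($result -eq $null) { throw "Computer object for $env:COMPUTERNAME not found in AD" }
$computer = $result.GetDirectoryEntry()

# schemaIDGUID is the GUID that object-specific ACEs (ObjectType) refer to; read it from the schema
# rather than hard-coding it. The schema CN differs from the LDAP display name.
function Get-SchemaGuid([string]$Cn) {
    $entry = [ADSI]"LDAP://CN=$Cn,$schemaNc"
    New-Object System.Guid (,[byte[]]$entry.schemaIDGUID.Value)
}
$tpmAttrGuid  = Get-SchemaGuid 'ms-TPM-OwnerInformation'    # attribute written by TPM initialization
$fveClassGuid = Get-SchemaGuid 'ms-FVE-RecoveryInformation'  # child object written by manage-bde -adbackup

# Inspect the effective ACL of the computer object, inherited ACEs included.
$rules = $computer.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$selfAllow = $rules | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and $_.AccessControlType -eq 'Allow'
}
$writeProp   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

# An ACE scoped to the attribute GUID, or an unscoped one (Guid.Empty = all properties), both satisfy the check.
$canWriteTpm = $selfAllow | Where-Object {
    ([int]($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
    ($_.ObjectType -eq $tpmAttrGuid -or $_.ObjectType -eq [guid]::Empty)
}
$canCreateFve = $selfAllow | Where-Object {
    ([int]($_.ActiveDirectoryRights -band $createChild) -ne 0) -and
    ($_.ObjectType -eq $fveClassGuid -or $_.ObjectType -eq [guid]::Empty)
}

Write-Host "== SELF rights on $($computer.distinguishedName) =="
Write-Host ("WriteProperty msTPM-OwnerInformation   : " + [bool]$canWriteTpm)
Write-Host ("CreateChild   msFVE-RecoveryInformation: " + [bool]$canCreateFve)
# If either line is False while the OU shows the ACE, inheritance is blocked somewhere between the OU and
# this object, which is the symptom the second post describes.

# After initialization, confirm the owner hash and any recovery objects actually landed in AD.
$computer.psbase.RefreshCache(@('msTPM-OwnerInformation'))
$owner = $computer.Properties['msTPM-OwnerInformation'].Value
if ($owner) { Write-Host 'msTPM-OwnerInformation is populated' } else { Write-Host 'msTPM-OwnerInformation is EMPTY' }

$recovery = @($computer.psbase.Children | Where-Object { $_.SchemaClassName -eq 'msFVE-RecoveryInformation' })
Write-Host ("msFVE-RecoveryInformation child objects: " + $recovery.Count)
```

Run it once before initializing the TPM (expect the three permission/policy lines to be satisfied and msTPM-OwnerInformation empty) and again after manage-bde -protectors -adbackup to see the count of recovery objects rise. Because the check reads the object's own ACL rather than the OU's, it distinguishes "the ACE was never added" from "the ACE exists on the OU but is not inherited here", which is the case the second post hit.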
