Event ID - 514

Event Id: 514
Source: Microsoft-Windows-TPM-WMI
Description: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: %1
Event Information: According to Microsoft:
Cause:
The computer was not connected to the organization's network
Resolution:
Connect to the organization's network and recreate the TPM owner password
Connect the computer to a domain network
Connect to the organization's network using one of the following methods:
  • Establish a wired connection at a physical site operated by the organization.
  • Connect using a wireless network provided by the organization that connects to the internal network.
  • If available, connect remotely to the organization's network by using a VPN.
Then, in order to force Windows to back up the TPM owner password to AD DS, recreate the TPM owner password using one of the following procedures.
Recreate the TPM owner password
To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.
To recreate the TPM owner password when you know or have access to the existing owner password:
  1. Click Start, type tpm.msc in the Start Search box, and then press ENTER.
  2. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  3. Under Actions, click Change Owner Password.
  4. If you have a USB flash drive with the owner password:
    • Click I have a backup file with the TPM owner password.
    • Click Browse, locate the file, and then click Open.
    • Click Create new password.
  5. If you wish to type the owner password:
    • Click I want to type the TPM owner password.
    • Type the TPM owner password.
    • Click Create new password.
    • Click Automatically create the password.
  6. Click Save the password.
  7. Provide a file name or location, and then click Save.
  8. Click Change Password.
  9. Close the TPM Management console.
To recreate the TPM owner password when you do not know or have access to the existing owner password:
  1. Click Start, and then click Control Panel.
  2. Click Security.
  3. Click BitLocker Drive Encryption.
  4. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  5. If BitLocker is turned on, click Turn off BitLocker, and then click Disable BitLocker.
  6. Close the BitLocker Drive Encryption window.
  7. Click Start, type tpm.msc in the Start Search box, and then press ENTER.
  8. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  9. Under Actions, click Clear TPM.
  10. Click I do not have the TPM owner password.
  11. Click Restart.
  12. Follow the prompts presented in the pre-boot (BIOS) environment. These prompts vary by computer manufacturer.
  13. After the computer has restarted, log on as an administrator.
  14. Click Start, and then click Control Panel.
  15. Click Security.
  16. Click BitLocker Drive Encryption.
  17. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  18. In the BitLocker Drive Encryption window, click Turn On BitLocker.
  19. Click Restart.
  20. Follow the prompts presented in the pre-boot (BIOS) environment. These prompts vary by computer manufacturer.
  21. After the computer has restarted, log on as an administrator.
  22. The BitLocker Setup Wizard should resume. If it does not, repeat steps 14 to 18.
  23. Depending on the configuration of your network and the policies required by your domain, you may be presented with different options. Complete the wizard to enable BitLocker Encryption.
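Before choosing one of the two procedures above it helps to confirm what actually failed. The following PowerShell script is an added example, not part of the Microsoft article this page summarizes: it lists the Event ID 514 entries (Microsoft-Windows-TPM-WMI writes to the System log), shows the TPM state, and checks whether the computer object in AD DS already carries TPM owner information. It assumes Windows 8 / Windows Server 2012 or later (for Get-Tpm), a domain-joined computer and an elevated prompt. The attribute names msTPM-OwnerInformation (Windows Server 2008 schema) and msTPM-TpmInformationForComputer (Windows Server 2012 schema) are the documented AD DS attributes; they are read here through ADSI so that the RSAT module is not required.

```powershell
# Added triage example for Event ID 514 (not from the Microsoft article).
# Run elevated on the domain-joined computer that logged the event.

# 1. Recent Event ID 514 entries from the TPM-WMI provider in the System log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-TPM-WMI'
    Id           = 514
} -MaxEvents 10 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No Event ID 514 entries found in the System log.'
} else {
    $events | Select-Object TimeCreated, Message | Format-List
}

# 2. TPM state: the backup can only succeed if the TPM is present, ready and owned.
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, TpmOwned | Format-List

# 3. Domain membership and the current state of the computer object in AD DS.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "This computer is not domain-joined (workgroup: $($cs.Workgroup)); AD DS backup cannot succeed."
    return
}

# Look up our own computer object via ADSI; note the trailing $ in the sAMAccountName.
$searcher = [ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$searcher.PropertiesToLoad.AddRange([string[]]@(
    'distinguishedName', 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer'))
$result = $searcher.FindOne()

if ($null -eq $result) {
    Write-Warning 'Computer object not found in AD DS; check connectivity to a domain controller.'
    return
}

$dn      = $result.Properties['distinguishedname'][0]
$hasInfo = ($result.Properties['mstpm-ownerinformation'].Count -gt 0) -or
           ($result.Properties['mstpm-tpminformationforcomputer'].Count -gt 0)

if ($hasInfo) {
    Write-Host "$dn already holds TPM owner information; the Event 514 failure may have been transient."
} else {
    Write-Host "$dn holds no TPM owner information yet; recreate the TPM owner password to trigger the backup."
}
```

Reading msTPM-OwnerInformation requires the appropriate directory permission (it is marked confidential in the schema); if the attribute reads as empty for a domain administrator, the backup genuinely has not happened and one of the procedures above applies.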
Cause:
The computer cannot reach a writable domain controller due to connectivity issues
Resolution:
Establish connectivity and recreate the TPM owner password
The following procedures describe the steps to troubleshoot a network connection and then create a new TPM owner password for backup to AD DS after connectivity has been restored.
Restore connectivity between the computer and the domain controllers
Note: The following procedures include steps for using the ping command to perform troubleshooting. Before performing these steps, check whether the firewall or IPsec settings on your network allow ICMP traffic. ICMP is the TCP/IP protocol that is used by the ping command.
To perform this procedure, you must have membership in Users, or you must have been delegated the appropriate authority.
To restore connectivity between the computer and the domain controllers:
  1. Determine at what point connectivity is failing, using network troubleshooting steps.
  2. Resolve any networking issues. If you are unable to discover or resolve the networking issue, contact a networking specialist or your designated support contact.
  • Recreate the TPM owner password
  • Recreate the TPM owner password when you do not know or have access to the existing owner password (see the above steps)
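Because the backup must reach a writable domain controller, and because ICMP is often filtered (see the note above), the following added PowerShell script checks the path the way the TPM-WMI backup actually uses it rather than relying on ping alone. It is not part of the Microsoft article: it locates a writable DC with nltest, tests the Kerberos, LDAP and SMB TCP ports with Test-NetConnection, and verifies the computer account's secure channel. It assumes Windows 8 / Windows Server 2012 or later, a domain logon (USERDNSDOMAIN set) and an elevated prompt for Test-ComputerSecureChannel.

```powershell
# Added connectivity check for the "cannot reach a writable domain controller" cause
# (not from the Microsoft article). Run elevated on the affected computer.

$domain = $env:USERDNSDOMAIN
if (-not $domain) {
    Write-Warning 'USERDNSDOMAIN is not set; log on with a domain account and retry.'
    return
}

# /writable excludes read-only DCs, which cannot accept the attribute write; /force bypasses the DC cache.
$dsgetdc = nltest /dsgetdc:$domain /writable /force 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Could not locate a writable DC for $domain. nltest output:`n$($dsgetdc -join "`n")"
    return
}

# nltest prints a line such as "   DC: \\DC01.example.test"; extract the host name.
$match = $dsgetdc | Select-String -Pattern '^\s*DC:\s*\\\\(\S+)' | Select-Object -First 1
$dc = $match.Matches[0].Groups[1].Value
Write-Host "Writable DC located: $dc"

# Test the TCP ports the domain join and directory write depend on, independent of ICMP.
foreach ($port in 88, 389, 445) {
    $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    '{0,-30} TCP/{1,-4} reachable: {2}' -f $dc, $port, $r.TcpTestSucceeded
}

# The backup runs under the computer account, so a broken secure channel fails the write
# even when every port above is reachable.
if (Test-ComputerSecureChannel) {
    Write-Host 'Secure channel to the domain is healthy.'
} else {
    Write-Warning 'Secure channel is broken; repair it with: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)'
}
```

If the writable DC is found but a port test fails, the problem is in the network path (firewall, VPN split tunnelling, routing) and belongs with a networking specialist as step 2 above says; if every port is reachable and the secure channel is healthy, the connectivity cause can be ruled out and the remaining causes on this page should be checked.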
Cause:
The computer is not a member of an AD DS domain
Resolution:
Join the computer to a domain and recreate the TPM owner password
The following procedures describe the steps required to join the computer to a domain and then to recreate the TPM owner password to cause it to be backed up to AD DS.
Join a domain
To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.
To join a domain:
  1. Click Start, right-click Computer, and then click Properties.
  2. Under the heading Computer name, domain and workgroup settings click Change settings.
  3. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  4. Click Change.
  5. Select the Domain option.
  6. Type the name of the domain you want to join in the text box.
  7. Click OK.
  8. In the Windows Security dialog box, type the name and password of a domain account that has permissions to join a computer to the domain, and then click OK.
  9. In the Computer Name/Domain Changes dialog box, click OK.
  10. In the next Computer Name/Domain Changes dialog box, click OK.
  11. In the System Properties dialog box, click Close.
  12. In the Microsoft Windows dialog box, click Restart Now.
  • Recreate the TPM owner password
  • Recreate the TPM owner password when you do not know or have access to the existing owner password (see the above steps)
Cause:
The AD DS domain has not been properly configured to store TPM passwords
Resolution:
Reconfigure AD DS and recreate the TPM owner password
Configuring your domain involves verifying or extending your AD DS schema, correctly configuring permissions on directory objects, and configuring clients with Group Policy or local policies to back up the recovery information.
Configure AD DS to back up BitLocker recovery information
These procedures describe the resources that help you configure a domain to back up TPM owner passwords, and the steps to recreate the TPM owner password for backup to AD DS after the domain has been configured.
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
To configure AD DS to back up BitLocker recovery information:
  1. Review the information provided in "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information".
  2. Use the scripts provided to configure domain correctly.
Note: We recommend that you first test the new configuration in a test environment.
  • Recreate the TPM owner password
  • Recreate the TPM owner password when you do not know or have access to the existing owner password (see the above steps)
Reference Links: Event ID 514 from Microsoft-Windows-TPM-WMI
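The resolution above names three prerequisites (schema, object permissions, client policy) without showing how to verify them. The following PowerShell script is an added example, not part of the Microsoft article or its scripts: it checks that the TPM and BitLocker schema definitions exist, that the computer account (SELF) is allowed to write msTPM-OwnerInformation on its own object, and that the client-side policy is enabled. It assumes the RSAT ActiveDirectory module and Domain Admins membership for the first two checks, and must be run on the affected client for the third. The computer name WORKSTATION01 is a constructed placeholder; the registry value names ActiveDirectoryBackup and RequireActiveDirectoryBackup under HKLM\SOFTWARE\Policies\Microsoft\TPM are those written by the "Turn on TPM backup to Active Directory Domain Services" policy and should be verified against the ADMX template in use.

```powershell
# Added prerequisite check for the "AD DS not configured to store TPM passwords" cause
# (not from the Microsoft article). Parts 1 and 2 need RSAT + Domain Admins; part 3 runs on the client.
Import-Module ActiveDirectory

# 1. Schema: msTPM-OwnerInformation came with the Server 2008 schema, msTPM-TpmInformationForComputer
#    with Server 2012; msFVE-RecoveryInformation is the BitLocker recovery object class.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($name in 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer', 'msFVE-RecoveryInformation') {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties lDAPDisplayName
    '{0,-35} {1}' -f $name, $(if ($obj) { 'present' } else { 'MISSING - extend the schema' })
}

# 2. Permissions: SELF must hold WriteProperty on msTPM-OwnerInformation (or on all properties)
#    of the computer object, otherwise the client cannot store the owner information.
$computerName = 'WORKSTATION01'   # constructed placeholder; use the computer that logged Event 514
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msTPM-OwnerInformation)' -Properties schemaIDGUID
$attrGuid = New-Object -TypeName System.Guid -ArgumentList (,[byte[]]$attr.schemaIDGUID)

$comp = Get-ADComputer -Identity $computerName
$acl  = Get-Acl -Path "AD:\$($comp.DistinguishedName)"
$selfWrite = $acl.Access | Where-Object {
    $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
    ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
}
if ($selfWrite) {
    "SELF may write msTPM-OwnerInformation on $($comp.DistinguishedName)."
} else {
    Write-Warning "SELF cannot write msTPM-OwnerInformation on $($comp.DistinguishedName); apply the permission script from the referenced Microsoft guide."
}

# 3. Client policy (run on the affected computer): the backup only runs when the policy enables it.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' -ErrorAction SilentlyContinue
if (-not $pol -or $pol.ActiveDirectoryBackup -ne 1) {
    Write-Warning 'TPM backup to AD DS is not enabled by policy on this client.'
} else {
    "ActiveDirectoryBackup=1, RequireActiveDirectoryBackup=$($pol.RequireActiveDirectoryBackup)"
}
```

A missing schema attribute means the Microsoft schema extension has not been applied; a present attribute with no SELF write permission is the case the referenced permission script fixes; and a client without the policy value will never attempt the backup, so Event ID 514 would not appear at all. Once all three checks pass, recreate the TPM owner password using the procedures referenced above to trigger the write.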
