BitLocker - Backup TPM Information to AD
1) View >> "Advanced Features"
2) Active Directory Users & Computers >> Properties of Computer >> Attribute Editor >> "msTPM-OwnerInformation"

Guide - Backing Up BitLocker and TPM Recovery Information to AD DS

--------

If I decrypt the whole drive, deactivate the TPM chip, then activate it again and encrypt the drive, I see both pieces of information, RecoveryKey and TPMOwnerInfo, in AD. But this is only the test machine with 30 GB. I don't want to decrypt and encrypt the rest of the productive machines with 300+ GB onboard. I just want to back up the TPMOwnerInfo into AD when the drive is already encrypted. Any ideas?
March 16th, 2012 12:17pm

Where in GP is that? I have not found that option?

Edit: I found it under System, so I enabled it, but the machines are not pulling it down. I noticed you said you created another GPO, so does that mean that setting needs to be in its own object?
March 24th, 2012 8:59am

My notebook is being encrypted. The Recovery Key and TPM Owner Info were in AD. I changed the TPM password and I have the new hash (tpm file). I can store the Recovery Key in the AD with the command

manage-bde -protectors c: -adbackup -id '{xxxxx}'

I cannot back up the TPM Owner Information into AD. I receive only the error code 0x8031003a. How can I do this?
March 24th, 2012 11:25am

Where in AD DS did you see TPM owner info? I have about 100 machines Bitlocker'ed and only see drive recovery keys in AD DS. In all that I have read and researched, I don't believe TPM info gets imported into AD DS. Please enlighten me if I am wrong :)
March 24th, 2012 4:16pm

I'm a noob. I created the 2nd GPO for MBAM and forgot to enable the setting "Turn on TPM backup to Active Directory Domain Services". When I change the TPM password in tpm.msc now, I can see the right value for TPMOwnerInfo in AD. I tested the decryption and encryption process (which I described above) with the 1st, correct GPO. My mistake, sorry.
March 25th, 2012 5:28am

Let's look at this. I tried 2 different solutions:

1) Backup of the RecoveryKey and TPM OwnerInformation in AD
I created the 1st GPO for it.
Guide - Backing Up BitLocker and TPM Recovery Information to AD DS
I linked the GPO to the OU with my clients' PCs. After that, when I encrypted the HDD and created the TPM password with the PIN, I noticed that AD backed up both pieces of information.

2) Backup of the RecoveryKey and TPM OwnerInformation in the MBAM database
I created the 2nd, different GPO.
Guide - MBAM Step by Step (BitLocker Administration and Monitoring)
I linked the GPO to the OU with my clients' PCs. Of course I deactivated the previous GPO. After that, when I encrypted the HDD and created the TPM password with the PIN, I noticed that MBAM backed up both pieces of information.
March 25th, 2012 6:00am
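The state the thread describes (drives encrypted before the "Turn on TPM backup to Active Directory Domain Services" policy applied, so recovery passwords are in AD but msTPM-OwnerInformation is empty) is easy to find across a fleet with a query against AD DS. The following PowerShell audit is an added example, not code from the thread or from Microsoft: it assumes the RSAT ActiveDirectory module, the Server 2008-era schema the thread shows (owner information stored in the computer object's msTPM-OwnerInformation attribute, recovery passwords as msFVE-RecoveryInformation child objects), and an account allowed to read that attribute. The OU path is a placeholder.

```powershell
# Added audit example (not from the thread): list computers whose BitLocker
# recovery passwords are in AD DS but whose TPM owner information never was.
# Assumptions: RSAT ActiveDirectory module; msTPM-OwnerInformation lives on the
# computer object (the layout visible in Attribute Editor in this thread).
Import-Module ActiveDirectory

$SearchBase = 'OU=Clients,DC=example,DC=com'   # placeholder OU, replace with your own

# Pull every computer in the OU together with the TPM owner attribute.
$computers = Get-ADComputer -Filter * -SearchBase $SearchBase `
    -Properties 'msTPM-OwnerInformation'

$report = foreach ($c in $computers) {
    # Recovery passwords are child objects of the computer account, one per
    # numerical-password protector (the ID that manage-bde -adbackup -id takes).
    $recovery = @(Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties 'msFVE-RecoveryGuid', 'whenCreated')

    $latest = $recovery | Sort-Object whenCreated -Descending | Select-Object -First 1

    [pscustomobject]@{
        Computer         = $c.Name
        TpmOwnerInfoInAD = -not [string]::IsNullOrEmpty($c.'msTPM-OwnerInformation')
        RecoveryObjects  = $recovery.Count
        LatestRecovery   = if ($latest) { $latest.whenCreated } else { $null }
    }
}

# Machines that need attention: encrypted (recovery info present) but the TPM
# owner hash was never escrowed. On these, once the TPM backup policy is applied,
# changing the owner password in tpm.msc (as the thread found) triggers the write.
$report |
    Where-Object { $_.RecoveryObjects -gt 0 -and -not $_.TpmOwnerInfoInAD } |
    Sort-Object Computer |
    Format-Table -AutoSize
```

Run it from a management host with the ActiveDirectory module loaded. To cross-check a single client, `manage-bde -protectors -get C:` on that machine prints the numerical-password protector ID that the thread's `manage-bde -protectors c: -adbackup -id '{...}'` command expects, and the resulting msFVE-RecoveryInformation object should then appear under the computer account in the report above.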
