Event ID 514 — TPM Owner Password Backup

Applies To: Windows Server 2008

Owner password information for the Trusted Platform Module (TPM) can be automatically backed up to Active Directory Domain Services (AD DS). This password allows an administrator to remotely manage the TPM. For more information, see "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information" (https://go.microsoft.com/fwlink/?LinkID=67438).

Event Details

Product: Windows Operating System
ID: 514
Source: Microsoft-Windows-TPM-WMI
Version: 6.0
Symbolic Name: WIN32TPMEVENT_OWNER_AUTH_BACKUP_FAILED
Message: Failed to backup TPM Owner Authorization information to Active Directory Domain Services.
Errorcode: %1

Diagnose

The computer has been configured by local policy or Group Policy to back up TPM owner passwords to AD DS, and one of the following conditions might also exist:

  • The computer was not connected to your organization's network.
  • The computer cannot reach a writable domain controller due to connectivity issues.
  • The computer is not a member of an AD DS domain.
  • The AD DS domain has not been properly configured to store TPM passwords.

The computer was not connected to your organization's network

To back up TPM owner information to AD DS, your computer must be connected to your organization's network (that is, the domain network) when taking ownership of the TPM. If you took ownership of the TPM while disconnected from the network, or while accessing a network outside of your domain, such as a home network, hotel network, or "hotspot," Windows will not be able to back up your recovery password.

If the computer was not connected to your organization's network, see the section titled "Connect to your organization's network and recreate the TPM owner password."

The computer cannot reach a writable domain controller due to connectivity issues

To perform this procedure, you must have membership in Users, or you must have been delegated the appropriate authority.

To determine whether the computer can reach a domain controller:

  1. Open a Command Prompt window.
  2. Type ping domain_controller where domain_controller is the IP address for the domain controller. If there is more than one domain controller on your network, you should ping each one. If you cannot ping the domain controllers, this indicates a potential problem with the domain controller, or with the network between the computer and the domain controller.
  3. You may also use a tool such as PortQry or NetDiag to test connectivity between the computer and the domain. Alternatively, try accessing other resources hosted on a known domain controller, such as the Netlogon share. For more information about using PortQry, see https://go.microsoft.com/fwlink/?LinkId=99545. For more information about NetDiag, see https://go.microsoft.com/fwlink/?LinkId=99547.

If the computer cannot reach a writable domain controller due to connectivity issues, see the section titled "Establish connectivity and recreate the TPM owner password."

The computer is not a member of an AD DS domain

To back up the TPM owner password to AD DS, the computer must be a member of an AD DS domain (or a Windows Server 2003 SP1 Active Directory domain).

To perform this procedure, you must have membership in Users, or you must have been delegated the appropriate authority.

To determine whether the computer is a member of a domain:

  1. Click Start, right-click Computer, and then click Properties.
  2. In the section titled Computer name, domain, and workgroup settings, the last entry will contain the name of the computer's workgroup or domain.
  3. If the page indicates the computer is a member of a Workgroup, it is not a member of a domain. If the computer is not a member of an AD DS domain, see the section titled "Join the computer to a domain and recreate the TPM owner password."

The AD DS domain has not been properly configured to store TPM owner passwords

To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To determine the configuration of AD DS:

  1. Review the information provided in "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information" (https://go.microsoft.com/fwlink/?LinkId=67438).
  2. Use the testing procedures and sample scripts provided to test the configuration of AD DS.
  3. If the AD DS or Active Directory domain has not been properly configured to store recovery information, see the section titled "Reconfigure AD DS and recreate the TPM owner password."

Configuring your domain involves verifying or extending your AD DS schema, correctly configuring permissions on directory objects, and configuring clients with Group Policy or local policies to back up the recovery information.

Resolve

To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly.

Cause: The computer was not connected to your organization's network
Resolution: Connect to your organization's network and recreate the TPM owner password

Cause: The computer cannot reach a writable domain controller due to connectivity issues
Resolution: Establish connectivity and recreate the TPM owner password

Cause: The computer is not a member of an AD DS domain
Resolution: Join the computer to a domain and recreate the TPM owner password

Cause: The AD DS domain has not been properly configured to store TPM passwords
Resolution: Reconfigure AD DS and recreate the TPM owner password

Connect to your organization's network and recreate the TPM owner password

Connect the computer to a domain network

First, connect to your organization's network, using one of the following methods:

  • Establish a wired connection at a physical site operated by your organization.
  • Connect using a wireless network provided by your organization that connects to your internal network.
  • If available, connect remotely to your organization's network by using a virtual private network (VPN).

Then, in order to force Windows to back up the TPM owner password to AD DS, recreate the TPM owner password using one of the following procedures.

Recreate the TPM owner password

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To recreate the TPM owner password, when you know or have access to the existing owner password:

  1. Click Start, type tpm.msc in the Start Search box, and then press ENTER.
  2. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  3. Under Actions, click Change Owner Password.
  4. If you have a USB flash drive with the owner password:
    • Click I have a backup file with the TPM owner password.
    • Click Browse, locate the file, and then click Open.
    • Click Create new password.
  5. If you wish to type the owner password:
    • Click I want to type the TPM owner password.
    • Type the TPM owner password.
    • Click Create new password.
    • Click Automatically create the password (recommended).
  6. Click Save the password.
  7. Provide a file name or location, and then click Save.
  8. Click Change Password.
  9. Close the Trusted Platform Module (TPM) Management console.

To recreate the TPM owner password, when you do not know or do not have access to the existing owner password:

  1. Click Start, and then click Control Panel.
  2. Click Security.
  3. Click BitLocker Drive Encryption.
  4. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  5. If BitLocker is turned on, click Turn off BitLocker, and then click Disable BitLocker.
  6. Close the BitLocker Drive Encryption window.
  7. Click Start, type tpm.msc in the Start Search box, and then press ENTER.
  8. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  9. Under Actions, click Clear TPM.
  10. Click I do not have the TPM owner password.
  11. Click Restart.
  12. Follow the prompts presented in the pre-boot (BIOS) environment. These prompts vary by computer manufacturer.
  13. After the computer has restarted, log on as an administrator.
  14. Click Start, and then click Control Panel.
  15. Click Security.
  16. Click BitLocker Drive Encryption.
  17. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  18. In the BitLocker Drive Encryption window, click Turn On BitLocker.
  19. Click Restart.
  20. Follow the prompts presented in the pre-boot (BIOS) environment. These prompts vary by computer manufacturer.
  21. After the computer has restarted, log on as an administrator.
  22. The BitLocker Setup Wizard should resume. If it does not, repeat steps 14 to 18.
  23. Depending on the configuration of your network and policies required by your domain, you may be presented with different options. Complete the wizard to enable BitLocker Encryption.

Establish connectivity and recreate the TPM owner password

The following procedures describe the steps to troubleshoot a network connection and then create a new TPM owner password for backup to AD DS after connectivity has been restored.

Restore connectivity between the computer and the domain controllers

Note: The following procedures include steps for using the ping command to perform troubleshooting. Therefore, before performing these steps, check whether the firewall or Internet Protocol security (IPsec) settings on your network allow Internet Control Message Protocol (ICMP) traffic. ICMP is the TCP/IP protocol that is used by the ping command.

To perform this procedure, you must have membership in Users, or you must have been delegated the appropriate authority.

To restore connectivity between the computer and the domain controllers:

  1. Determine at what point connectivity is failing, using network troubleshooting steps such as the following:
    • Open a Command Prompt window.
    • Type ipconfig /all at the command prompt. Make sure that the computer has an IP address in the correct IP address range, and does not have an Automatic Private IP Addressing (APIPA) address (an IP address in the 169.254.x.x range).
    • Type ping localhost to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with the network adapter.
    • Type ping ip_address, where ip_address is the IP address assigned to the computer. If you can ping the localhost address but not the local IP address, there may be an issue with the routing table or with the network adapter driver.
    • Type ping dns_server, where dns_server is the IP address for the DNS server. If there is more than one DNS server on your network, you should ping each one. If you cannot ping the DNS servers, this indicates a potential problem with the DNS servers, or with the network between the computer and the DNS servers. DNS servers are used to locate domain controllers.
    • If your domain controllers are separate from your DNS servers, type ping domain_controller where domain_controller is the IP address for the domain controller. If there is more than one domain controller on your network, you should ping each one. If you cannot ping the domain controllers, this indicates a potential problem with the domain controller, or with the network between the computer and the domain controller.
    • Type nslookup domain_controller, where domain_controller is the name of the domain controller, and then press ENTER. If the nslookup does not return an associated IP address for the domain controller, this may indicate that there is an issue with the DNS cache. To flush the DNS cache, type ipconfig /flushdns at a command prompt.
  2. Resolve any networking issues. If you are unable to discover or resolve the networking issue, contact a networking specialist or your designated support contact.

Recreate the TPM owner password

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To recreate the TPM owner password, when you know or have access to the existing owner password:

  1. Click Start, type tpm.msc in the Start Search box, and then press ENTER.
  2. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  3. Under Actions, click Change Owner Password.
  4. If you have a USB flash drive with the owner password:
    • Click I have a backup file with the TPM owner password.
    • Click Browse, locate the file, and then click Open.
    • Click Create new password.
  5. If you wish to type the owner password:
    • Click I want to type the TPM owner password.
    • Type the TPM owner password.
    • Click Create new password.
    • Click Automatically create the password (recommended).
  6. Click Save the password.
  7. Provide a file name or location and then click Save.
  8. Click Change Password.
  9. Close the Trusted Platform Module (TPM) Management console.

To recreate the TPM owner password, when you do not know or do not have access to the existing owner password:

  1. Click Start, and then click Control Panel.
  2. Click Security.
  3. Click BitLocker Drive Encryption.
  4. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  5. If BitLocker is turned on, click Turn off BitLocker, and then click Disable BitLocker.
  6. Close the BitLocker Drive Encryption window.
  7. Click Start, type tpm.msc in the Start Search box, and then press ENTER.
  8. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  9. Under Actions, click Clear TPM.
  10. Click I do not have the TPM owner password.
  11. Click Restart.
  12. Follow the prompts presented in the pre-boot (BIOS) environment. These prompts vary by computer manufacturer.
  13. After the computer has restarted, log on as an administrator.
  14. Click Start, and then click Control Panel.
  15. Click Security.
  16. Click BitLocker Drive Encryption.
  17. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  18. In the BitLocker Drive Encryption window, click Turn On BitLocker.
  19. Click Restart.
  20. Follow the prompts presented in the pre-boot (BIOS) environment. These prompts vary by computer manufacturer.
  21. After the computer has restarted, log on as an administrator.
  22. The BitLocker Setup Wizard should resume. If it does not, repeat steps 14 to 18.
  23. Depending on the configuration of your network and policies required by your domain, you may be presented with different options. Complete the wizard to enable BitLocker Encryption.

Join the computer to a domain and recreate the TPM owner password

The following procedures describe the steps required to join the computer to a domain and then to recreate the TPM owner password to cause it to be backed up to AD DS.

Join a domain

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To join a domain:

  1. Click Start, right-click Computer, and then click Properties.
  2. Under the heading Computer name, domain and workgroup settings, click Change settings.
  3. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  4. Click Change.
  5. Select the Domain option.
  6. Type the name of the domain you want to join in the text box.
  7. Click OK.
  8. In the Windows Security dialog box, type the name and password of a domain account that has permissions to join a computer to the domain, and then click OK.
  9. In the Computer Name/Domain Changes dialog box, click OK.
  10. In the next Computer Name/Domain Changes dialog box, click OK.
  11. In the System Properties dialog box, click Close.
  12. In the Microsoft Windows dialog box, click Restart Now.

Recreate the TPM owner password

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To recreate the TPM owner password, when you know or have access to the existing owner password:

  1. Click Start, type tpm.msc in the Start Search box, and then press ENTER.
  2. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  3. Under Actions, click Change Owner Password.
  4. If you have a USB flash drive with the owner password:
    • Click I have a backup file with the TPM owner password.
    • Click Browse, locate the file, and then click Open.
    • Click Create new password.
  5. If you wish to type the owner password:
    • Click I want to type the TPM owner password.
    • Type the TPM owner password.
    • Click Create new password.
    • Click Automatically create the password (recommended).
  6. Click Save the password.
  7. Provide a file name or location, and then click Save.
  8. Click Change Password.
  9. Close the Trusted Platform Module (TPM) Management console.

To recreate the TPM owner password, when you do not know or do not have access to the existing owner password:

  1. Click Start, and then click Control Panel.
  2. Click Security.
  3. Click BitLocker Drive Encryption.
  4. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  5. If BitLocker is turned on, click Turn off BitLocker, and then click Disable BitLocker.
  6. Close the BitLocker Drive Encryption window.
  7. Click Start, type tpm.msc in the Start Search box, and then press ENTER.
  8. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  9. Under Actions, click Clear TPM.
  10. Click I do not have the TPM owner password.
  11. Click Restart.
  12. Follow the prompts presented in the pre-boot (BIOS) environment. These prompts vary by computer manufacturer.
  13. After the computer has restarted, log on as an administrator.
  14. Click Start, and then click Control Panel.
  15. Click Security.
  16. Click BitLocker Drive Encryption.
  17. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  18. In the BitLocker Drive Encryption window, click Turn On BitLocker.
  19. Click Restart.
  20. Follow the prompts presented in the pre-boot (BIOS) environment. These prompts vary by computer manufacturer.
  21. After the computer has restarted, log on as an administrator.
  22. The BitLocker Setup Wizard should resume. If it does not, repeat steps 14 to 18.
  23. Depending on the configuration of your network and policies required by your domain, you may be presented with different options. Complete the wizard to enable BitLocker Encryption.

Reconfigure AD DS and recreate the TPM owner password

Configuring your domain involves verifying or extending your AD DS schema, correctly configuring permissions on directory objects, and configuring clients with Group Policy or local policies to back up the recovery information.

Configure AD DS to back up BitLocker recovery information

These procedures describe the resources that help you configure a domain to back up TPM owner passwords, and the steps to recreate the TPM owner password for backup to AD DS after the domain has been configured.

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To configure AD DS to back up BitLocker recovery information:

  1. Review the information provided in "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information" (https://go.microsoft.com/fwlink/?LinkID=67438).
  2. Use the scripts provided to configure your domain correctly.

Note: We recommend that you first test the new configuration in a test environment.

Recreate the TPM owner password

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To recreate the TPM owner password, when you know or have access to the existing owner password:

  1. Click Start, type tpm.msc in the Start Search box, and then press ENTER.
  2. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  3. Under Actions, click Change Owner Password.
  4. If you have a USB flash drive with the owner password:
    • Click I have a backup file with the TPM owner password.
    • Click Browse, locate the file, and then click Open.
    • Click Create new password.
  5. If you wish to type the owner password:
    • Click I want to type the TPM owner password.
    • Type the TPM owner password.
    • Click Create new password.
    • Click Automatically create the password (recommended).
  6. Click Save the password.
  7. Provide a file name or location, and then click Save.
  8. Click Change Password.
  9. Close the Trusted Platform Module (TPM) Management console.

To recreate the TPM owner password, when you do not know or do not have access to the existing owner password:

  1. Click Start, and then click Control Panel.
  2. Click Security.
  3. Click BitLocker Drive Encryption.
  4. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  5. Click Turn off BitLocker.
  6. Click Disable BitLocker.
  7. Close the BitLocker Drive Encryption window.
  8. Click Start, type tpm.msc in the Start Search box, and then press ENTER.
  9. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  10. Under Actions, click Clear TPM, and then follow the steps presented in the wizard.
  11. After the computer has restarted, click Start, and then click Control Panel.
  12. Click Security.
  13. Click BitLocker Drive Encryption.
  14. If the User Account Control dialog box appears, verify the proposed action is correct, and then click Continue.
  15. In the BitLocker Drive Encryption window, click Turn On BitLocker, and then follow the steps presented in the BitLocker setup wizard.

Verify

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To verify that new TPM owner passwords are being backed up to AD DS:

  1. Click Start, and then click All Programs.
  2. Click Administrative Tools, and then click Event Viewer.
  3. Expand Windows Logs.
  4. Click System.
  5. Review the System log for Event 513 from the Microsoft-Windows-TPM-WMI source, which indicates that the recovery password has been backed up.

Note: The TPM owner password is backed up automatically only when ownership of the TPM is taken.
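The Diagnose checks above (client policy, domain membership, domain controller reachability) and the Verify step (Event 513 versus 514 from Microsoft-Windows-TPM-WMI) can be gathered in one read-only report. This is an added example, not part of the original article: it assumes PowerShell 2.0 or later on the client, and the TPM policy registry path, Win32_ComputerSystem, the System.DirectoryServices.ActiveDirectory classes and Get-WinEvent are standard Windows interfaces that the page itself does not name.

```powershell
# Added example, not from the original article. Read-only: it changes no TPM,
# BitLocker or domain state. Assumption: the policy registry path below is the
# location written by the "Turn on TPM backup to AD DS" policy (not on the page).
function Test-TpmOwnerBackup {
    $report = New-Object PSObject

    # Policy: is this client configured to back up the TPM owner password at all?
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' `
                               -ErrorAction SilentlyContinue
    $policyOn = ($policy -ne $null) -and ($policy.ActiveDirectoryBackup -eq 1)
    $report | Add-Member NoteProperty BackupPolicyEnabled $policyOn

    # Diagnose: "The computer is not a member of an AD DS domain"
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $report | Add-Member NoteProperty PartOfDomain $cs.PartOfDomain
    $report | Add-Member NoteProperty Domain $cs.Domain

    # Diagnose: "cannot reach a writable domain controller". Only reachability is
    # tested; writability is not. Test-Connection uses ICMP, so a firewall or
    # IPsec policy that blocks ICMP makes every DC appear unreachable (see Note).
    $dcResults = @()
    if ($cs.PartOfDomain) {
        try {
            $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
            foreach ($dc in $domain.DomainControllers) {
                $dcResults += New-Object PSObject -Property @{
                    Name      = $dc.Name
                    IPAddress = $dc.IPAddress
                    Reachable = (Test-Connection -ComputerName $dc.Name -Count 2 -Quiet)
                }
            }
        } catch {
            # Domain lookup failed: no DC could be located, which is what an
            # off-network (home, hotel, hotspot) client looks like.
            $dcResults += New-Object PSObject -Property @{
                Name = '(no domain controller located)'; IPAddress = ''; Reachable = $false
            }
        }
    }
    $report | Add-Member NoteProperty DomainControllers $dcResults

    # Verify: the newest 513 (backup succeeded) or 514 (backup failed) event.
    # For 514 the first inserted string is the %1 error code from the message.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 513, 514
    } -MaxEvents 20 -ErrorAction SilentlyContinue
    $latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
    if ($latest -eq $null) {
        $report | Add-Member NoteProperty LastBackupEvent 'none (no ownership taken since logging began?)'
    } else {
        $report | Add-Member NoteProperty LastBackupEvent $latest.Id
        $report | Add-Member NoteProperty LastBackupTime  $latest.TimeCreated
        $report | Add-Member NoteProperty LastBackupOk    ($latest.Id -eq 513)
        if ($latest.Id -eq 514 -and $latest.Properties.Count -gt 0) {
            $report | Add-Member NoteProperty LastErrorCode $latest.Properties[0].Value
        }
    }
    return $report
}

# Run from an elevated prompt so the System log and WMI are fully readable.
$r = Test-TpmOwnerBackup
$r | Format-List BackupPolicyEnabled, PartOfDomain, Domain, LastBackupEvent, LastBackupTime, LastBackupOk, LastErrorCode
$r.DomainControllers | Format-Table Name, IPAddress, Reachable -AutoSize
```

A result of PartOfDomain = True, every DC Reachable = True, BackupPolicyEnabled = True and LastBackupEvent = 514 points at the fourth cause (AD DS schema or permissions), since the three client-side causes have been ruled out.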
