Managing Trusted Platform Module (TPM) PINs

You need to know how to configure a TPM to require a PIN for successful boot and how to set, back up, and recover those PINs.

A TPM PIN must be entered for the computer to boot successfully. TPM PINs can be standard numeric passwords or alphanumeric passwords that include symbols. If a user forgets the TPM PIN, the computer will not boot into Microsoft Windows 7. It is therefore important to ensure that TPM PINs or passwords are backed up and recoverable, and a properly configured Active Directory provides a method through which this can be accomplished. You can ensure that TPM recovery information is backed up to Active Directory by enabling the Turn On TPM Backup To Active Directory Domain Services policy and selecting the Require TPM Backup to AD DS check box. This policy is located in the Computer Configuration\Administrative Templates\System\Trusted Platform Module Services node.

With the TPM Management console, you can back up TPM recovery information in Active Directory Domain Services (AD DS), clear the TPM, reset TPM lockout, and enable or disable the TPM. You can also use the console to change the TPM owner password and reset the TPM to factory default settings. The TPM Management console is accessible through the BitLocker Drive Encryption Control Panel.

To learn more about TPM management, consult the following webpage:
http://technet.microsoft.com/en-us/library/cc755108(WS.10).aspx.

If your organization's domain controllers are running Microsoft Windows Server 2003 Service Pack 1 or Service Pack 2, you must update the Active Directory schema to support backing up TPM recovery information. If your organization's domain controllers are running Windows Server 2008 or Windows Server 2008 R2, it is not necessary to update the schema to support this functionality.

Remember that it is possible to force the backup of TPM recovery information to Active Directory.

Configuring startup key storage

You need to know how to manage and recover BitLocker startup keys.

BitLocker startup keys are special cryptographically generated files that are stored on USB flash drives. A computer running Windows 7 can be configured to require that a startup key be present when the computer boots or resumes from hibernation. When you use a startup key in combination with a TPM, part of the encryption key that unlocks BitLocker-protected volumes is stored by the TPM, and part is stored on a USB flash drive. BitLocker can also be configured on computers that do not have TPMs if a startup key is used. The startup key can be stored on a USB flash drive formatted using the FAT, FAT32, or NTFS file system. If the startup key is lost, you can recover by entering the recovery password or recovery key. Individual startup keys are not backed up to Active Directory.
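The checks a practitioner would want for the PIN and startup-key recoverability points above, as an added PowerShell example that is not part of the original page. It assumes the TPM policy registry value names ActiveDirectoryBackup and RequireActiveDirectoryBackup (as written by the TPM policy template), the Win32_Tpm and Win32_EncryptableVolume WMI classes, C: as the operating system volume, and an elevated shell.

```powershell
# Added example, not from the original page. Audits a Windows 7 computer for the
# recoverability conditions described in the text. Assumptions: the policy
# registry values ActiveDirectoryBackup / RequireActiveDirectoryBackup under
# HKLM\SOFTWARE\Policies\Microsoft\TPM, the Win32_Tpm and Win32_EncryptableVolume
# WMI classes, C: as the OS volume, and an elevated PowerShell session.

# 1. Is "Turn on TPM backup to AD DS" (and its Require check box) in effect?
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' -ErrorAction SilentlyContinue
$backupOn  = ($policy -ne $null) -and ($policy.ActiveDirectoryBackup -eq 1)
$backupReq = ($policy -ne $null) -and ($policy.RequireActiveDirectoryBackup -eq 1)
"TPM backup to AD DS policy enabled : $backupOn"
"TPM backup to AD DS required       : $backupReq"

# 2. TPM state. A computer without a TPM can still use BitLocker with a USB startup key.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm -eq $null) {
    'TPM: not present (BitLocker would need a USB startup key)'
} else {
    'TPM: enabled={0} activated={1} owned={2}' -f $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned
}

# 3. Key protectors on the OS volume. Type codes as returned by GetKeyProtectorType().
$typeName = @{ 1 = 'TPM only'; 2 = 'External key (USB startup key or recovery key)';
               3 = 'Recovery password (numerical)'; 4 = 'TPM and PIN';
               5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key';
               7 = 'Certificate'; 8 = 'Passphrase' }
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                     -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
$types = @()
if ($vol -ne $null) {
    # GetKeyProtectors(0) lists every protector; 0 = all types.
    foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {
        if ($id) { $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType }
    }
}
foreach ($t in $types) { '  protector: ' + $typeName[$t] }

# 4. The two conditions the text cares about: a PIN is required at boot, and a
#    recovery password exists so a forgotten PIN or lost startup key is not fatal
#    (startup keys themselves are never backed up to Active Directory).
$pinRequired = ($types -contains 4) -or ($types -contains 6)
$recoverable = $types -contains 3
"PIN required at boot          : $pinRequired"
"Recovery password protector   : $recoverable"
if (-not $recoverable) { 'WARNING: no recovery password protector; add and back one up before relying on a PIN or startup key' }
```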