Problem imaging Lenovo X270

  • Question

  • Actually, I am trying to image Lenovo X270s. They are all new! Does anybody have a solution?

    Mbam 2.5 SP1

    Windows 8.1

    SCCM 1806+Latest ADK

    1. Open laptop
    2. Go to BIOS to enable UEFI + TPM 2.0 + Secure Boot
    3. Start OSD
    4. At Initialize-Tpm I get "TPM is locked":
    Initialize-Tpm : Le module de plateforme sécurisée (TPM) est actuellement        InstallSoftware 2019-06-20 14:47:30                3408 (0x0D50)
    verrouillé.            InstallSoftware 2019-06-20 14:47:30       3408 (0x0D50)
    Au caractère Ligne:1 : 1 InstallSoftware 2019-06-20 14:47:30       3408 (0x0D50)
    + Initialize-Tpm InstallSoftware 2019-06-20 14:47:30       3408 (0x0D50)
    + ~~~~~~~~~~~~~~      InstallSoftware 2019-06-20 14:47:30       3408 (0x0D50)
        + CategoryInfo          : ResourceUnavailable: (Microsoft.Tpm.C...alizeTpm       InstallSoftware 2019-06-20 14:47:30                3408 (0x0D50)
       Command:InitializeTpmCommand) [Initialize-Tpm], TpmWmiException           InstallSoftware 2019-06-20 14:47:30                3408 (0x0D50)
        + FullyQualifiedErrorId : TpmLockedOut,Microsoft.Tpm.Commands.InitializeTp          InstallSoftware 2019-06-20 14:47:30               3408 (0x0D50)
       mCommand   InstallSoftware 2019-06-20 14:47:30       3408 (0x0D50)
                   InstallSoftware 2019-06-20 14:47:30       3408 (0x0D50)
    Process completed with exit code 1       InstallSoftware 2019-06-20 14:47:31       3408 (0x0D50)
    Command line C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -command "Initialize-Tpm" returned 1   InstallSoftware 2019-06-20 14:47:31       3408 (0x0D50)
    Process completed with exit code 1       TSManager        2019-06-20 14:47:31       2344 (0x0928)
    5. Start Windows
    6. From PowerShell:
       a. Get-Tpm --> OwnerClearDisabled = False
       b. OwnerAuth --> blank
    7. From BIOS --> Clear TPM
    8. Reboot
    9. In Windows, from PowerShell:
       a. Initialize-Tpm --> TPM is no longer locked
       b. Get-Tpm --> OwnerClearDisabled = True
       c. OwnerAuth --> now contains many characters
       d. Start OSD again; now Initialize-Tpm works, but it fails during encryption.


    • Edited by FRacine Thursday, June 20, 2019 11:02 PM
    Thursday, June 20, 2019 11:00 PM

All replies

  • Hi,
     
    As with all task sequence issues and troubleshooting, it's recommended to examine the smsts.log on the target system. If possible, please share the smsts.log and the task sequence screenshot. 

    Please refer to the following article to export the smsts.log to troubleshoot the task sequence error.
    SCCM: How to copy SMSTS.log when a Task Sequence fails

    As shown below in my environment (please customize the command and path accordingly):



    Thanks for your time. Have a nice day!
     
    Best regards,
    Simon Ren

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, June 21, 2019 3:19 AM
  • Hi,

    You have the related SMSTS.log part at the top.

    Like I said, we have many laptops. Our latest ones are Lenovo X270. What I do is just set TPM 2.0 + UEFI + Secure Boot + clear TPM and start OSD. At first, the TS will fail saying the TPM is locked out.

    If I go to Windows and run Initialize-Tpm to confirm the situation, I get "the TPM is locked". So I reboot, clear the TPM, come back to Windows and then run Initialize-Tpm to confirm the situation. The TPM is no longer locked. So I start the TS again and this time BitLocker is unable to encrypt and I get a second failure.

    Once I manually force OSD to succeed, the laptops may be reimaged with no issue. So it is taking me a lot of time and laptops to diagnose the issue.

    Why would this TPM lock during OSD, and only for the first OSD? We are imaging with Windows 8.1.

    • Edited by FRacine Friday, June 21, 2019 11:30 AM
    Friday, June 21, 2019 11:19 AM
  • Hi,

    The second test ended with a failure. From SMSTS:

    Preparing TPM and escrowing owner-auth to https://serveur.domain/MBAMRecoveryAndHardwareService/CoreService.svc ...	RunPowerShellScript	2019-06-20 16:08:01	2912 (0x0B60)
    Failed to escrow TPM owner-auth to https://serveur.domain/MBAMRecoveryAndHardwareService/CoreService.svc. HRESULT: 0x80040203 - MBAM cannot read the TPM owner authorization value. The value may have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others.	RunPowerShellScript	2019-06-20 16:08:02	2912 (0x0B60)
    Retry after 30 seconds...	RunPowerShellScript	2019-06-20 16:08:02	2912 (0x0B60)
    Failed to escrow TPM owner-auth to https://serveur.domain/MBAMRecoveryAndHardwareService/CoreService.svc. HRESULT: 0x80040203 - MBAM cannot read the TPM owner authorization value. The value may have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others.	RunPowerShellScript	2019-06-20 16:08:32	2912 (0x0B60)
    Retry after 30 seconds...	RunPowerShellScript	2019-06-20 16:08:32	2912 (0x0B60)
    Failed to escrow TPM owner-auth to https://serveur.domain/MBAMRecoveryAndHardwareService/CoreService.svc after 3 tries. Last error -  HRESULT: 0x80040203 - MBAM cannot read the TPM owner authorization value. The value may have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others.	RunPowerShellScript	2019-06-20 16:09:03	2912 (0x0B60)
    The TPM owner-auth escrow failures are configured to be ignored.	RunPowerShellScript	2019-06-20 16:09:03	2912 (0x0B60)
    Adding TPM protector to OS volume ...	RunPowerShellScript	2019-06-20 16:09:03	2912 (0x0B60)
    Escrowing OS volume recovery key to https://serveur.domain/MBAMRecoveryAndHardwareService/CoreService.svc and starting encryption ...	RunPowerShellScript	2019-06-20 16:09:04	2912 (0x0B60)
    Failed to escrow the recovery information of volume C: (Device ID: \\?\Volume{f6e9746c-d106-4bcc-b529-fba9ce2b663b}\) to https://serveur.domain/MBAMRecoveryAndHardwareService/CoreService.svc. HRESULT: 0x800b0109	RunPowerShellScript	2019-06-20 16:09:07	2912 (0x0B60)
    Retry after 30 seconds...	RunPowerShellScript	2019-06-20 16:09:07	2912 (0x0B60)
    Failed to escrow the recovery information of volume C: (Device ID: \\?\Volume{f6e9746c-d106-4bcc-b529-fba9ce2b663b}\) to https://serveur.domain/MBAMRecoveryAndHardwareService/CoreService.svc. HRESULT: 0x800b0109	RunPowerShellScript	2019-06-20 16:09:39	2912 (0x0B60)
    Retry after 30 seconds...	RunPowerShellScript	2019-06-20 16:09:39	2912 (0x0B60)
    Failed to escrow the recovery information of volume  (Device ID: 	RunPowerShellScript	2019-06-20 16:10:10	2912 (0x0B60)
    \\?\Volume{f6e9746c-d106-4bcc-b529-fba9ce2b663b}\) to 	RunPowerShellScript	2019-06-20 16:10:10	2912 (0x0B60)
    https://serveur.domain/MBAMRecoveryAndHardwareService/CoreService.svc after 	RunPowerShellScript	2019-06-20 16:10:10	2912 (0x0B60)
    3 tries. Last error -  HRESULT: 0x800b0109	RunPowerShellScript	2019-06-20 16:10:10	2912 (0x0B60)
    Au caractère 	RunPowerShellScript	2019-06-20 16:10:10	2912 (0x0B60)
    C:\_SMSTaskSequence\Packages\XXX006AE\Invoke-MbamClientDeployment.ps1:487 : 13	RunPowerShellScript	2019-06-20 16:10:10	2912 (0x0B60)
    +             throw $message	RunPowerShellScript	2019-06-20 16:10:10	2912 (0x0B60)
    +             ~~~~~~~~~~~~~~	RunPowerShellScript	2019-06-20 16:10:10	2912 (0x0B60)
        + CategoryInfo          : OperationStopped: (Failed to escro...ULT: 0x800b 	RunPowerShellScript	2019-06-20 16:10:10	2912 (0x0B60)
       0109:String) [], RuntimeException	RunPowerShellScript	2019-06-20 16:10:10	2912 (0x0B60)
        + FullyQualifiedErrorId : Failed to escrow the recovery information of vol 	RunPowerShellScript	2019-06-20 16:10:10	2912 (0x0B60)
       ume  (Device ID: \\?\Volume{f6e9746c-d106-4bcc-b529-fba9ce2b663b}\) to htt  	RunPowerShellScript	2019-06-20 16:10:10	2912 (0x0B60)
      ps://serveur.domain/MBAMRecoveryAndHardwareService/CoreService.svc afte   	RunPowerShellScript	2019-06-20 16:10:10	2912 (0x0B60)
     r 3 tries. Last error -  HRESULT: 0x800b0109	RunPowerShellScript	2019-06-20 16:10:10	2912 (0x0B60)
     	RunPowerShellScript	2019-06-20 16:10:10	2912 (0x0B60)
    Process completed with exit code 1	RunPowerShellScript	2019-06-20 16:10:11	2912 (0x0B60)
    Command line returned 1	RunPowerShellScript	2019-06-20 16:10:11	2912 (0x0B60)
    ReleaseSource() for C:\_SMSTaskSequence\Packages\XXX006AE.	RunPowerShellScript	2019-06-20 16:10:11	2912 (0x0B60)
    reference count 1 for the source C:\_SMSTaskSequence\Packages\XXX006AE before releasing	RunPowerShellScript	2019-06-20 16:10:11	2912 (0x0B60)
    Released the resolved source C:\_SMSTaskSequence\Packages\XXX006AE	RunPowerShellScript	2019-06-20 16:10:11	2912 (0x0B60)
    Process completed with exit code 1	TSManager	2019-06-20 16:10:11	2664 (0x0A68)
    

    Tuesday, June 25, 2019 11:54 AM
  • The address you set: "https://serveur.domain/MBAMRecoveryAndHardwareService/CoreService.svc"

    .. should be "https://server.domain.dom" .. I guess your FQDN is not correct here.. it is not complete.

    Also, when using https, it is a good idea to pre-provision the certificate into the system, so use certutil -pulse before doing this.


    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Tuesday, June 25, 2019 2:43 PM
  • Hi,

    The URL is correct. I just typed it in a web browser and the server answered.

    The certificate is already pre-provisioned.

    Tuesday, June 25, 2019 6:12 PM
  • This address is just wrong: "https://serveur.domain" .. it cannot be like that.

    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Tuesday, June 25, 2019 6:34 PM
  • Hi,

    Take a look:

    https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/validating-the-mbam-25-server-feature-configuration

    http(s)://<MBAMAdministrationServerName>:<port>/MBAMRecoveryAndHardwareService/CoreService.svc

    So my URL is correct.

    Wednesday, June 26, 2019 2:27 AM
  • No it is not. Let's get back to basics :D

    You have 2 choices, using the hostname (ex. SERVER) or the FQDN (FQDN is most preferred). Options:

    1. Using hostname: http://SERVER/MBAMRecoveryAndHardwareService/CoreService.svc

    2. Using FQDN: http://SERVER.domain.dom/MBAMRecoveryAndHardwareService/CoreService.svc


    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Wednesday, June 26, 2019 7:44 AM
  • Hi,

    We are using the hostname. The second part is only a DNS suffix.

    Thanks,

    Wednesday, June 26, 2019 11:33 AM
  • Especially because of https and certificates, I HIGHLY recommend using the FQDN :)

    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Wednesday, June 26, 2019 12:29 PM
  • Hi,

    I did a try by disabling BitLocker pre-provisioning and then restarting OSD on that laptop. This time encryption started. It is incredibly slow, but actually it is at 9%...

    Encryption ended correctly.

    Second test: same computer, with BitLocker pre-provisioning enabled. No issue, encryption ended correctly, and fast.

    What is happening?


    • Edited by FRacine Wednesday, June 26, 2019 3:28 PM
    Wednesday, June 26, 2019 1:07 PM
  • Do you use ignore switches with the script? Be aware that this script is quite unreliable. I have worked on troubleshooting the script, and published my own version, which skips some checks and features, just to complete the encryption.

    If you want, you can test it, if it works better: https://1drv.ms/u/s!Ak7cWcimOhmHm7ctO-fZGp6YFhCwLA?e=QFREFz


    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.


    • Edited by yannara Wednesday, June 26, 2019 4:27 PM
    Wednesday, June 26, 2019 4:26 PM
  • Hi,

    -RecoveryServiceEndpoint "https://vnambam1.intrameq/MBAMRecoveryAndHardwareService/CoreService.svc" -WaitForEncryptionToComplete -IgnoreEscrowOwnerAuthFailure

    In what way is your script better?

    Thanks,

    Wednesday, June 26, 2019 4:40 PM
  • Original script fails if any GPO is applied, it also might fail in some TPM scenarios. I have over-commented some checking sections to make the script more stable and complete the encryption.

    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Wednesday, June 26, 2019 4:41 PM
  • Hi,

    From my test, with a clear-TPM from BIOS, the TPM will be locked out before your script.

    Do you have some documentation about your script and which command line is suggested?

    In OSD there are no GPOs applied.

    Thanks,

    Wednesday, June 26, 2019 4:44 PM
  • Hi,

    From my test, with a clear-TPM from BIOS, the TPM will be locked out before your script.

    Do you have some documentation about your script and which command line is suggested?

    In OSD there are no GPOs applied.

    Thanks,

    Documentation of the changes is inside the ps1 intro text. Theoretically you are correct, GPOs shouldn't be applied, but believe me, there are a lot of cases where this script fails because GPOs are already applied. If you search for this script inside the MBAM and OSD forums, you will see folks had a lot of trouble with it :)

    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Wednesday, June 26, 2019 4:52 PM
  • Hi,

    I believe you, but I can't see how, during an OSD, GPOs may be applied.

    Is your script stable? How old is this revision?

    Do you know if many people are using it?

    Even using your script will not prevent the need to disable BitLocker pre-provisioning.

    Thanks,

    Wednesday, June 26, 2019 5:10 PM
  • I am using pre-provisioning, the MBAM client and this script to make things work. I sometimes even get the TPM password into the database, but that is not needed anymore. Just look at the versions.

    Additionally, I very highly recommend going with the FQDN address, because the main error in your script's returned answer is that the endpoint cannot be contacted.


    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Wednesday, June 26, 2019 5:14 PM
  • Hi,

    I don't know what to do to go FQDN... :(

    I received those answers from Lenovo: https://forums.lenovo.com/t5/Enterprise-Client-Management/Unable-OSD-X270-at-MBAM-Step-with-only-new-laptops/td-p/4458216

    Wednesday, June 26, 2019 6:17 PM
  • Hi,

    I don't know what to do to go FQDN... :(


    You have it already, just use it. You need to change the GPO to the server.domain.dom address and the MBAM script parameters to the same (instead of server). That's it.

    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Wednesday, June 26, 2019 7:39 PM
  • Hi,

    At the end the TPM ends with reduced functionality, even though Secure Boot is enabled, boot is fully UEFI, the HDD is UEFI and CSM is disabled.

    Thanks,

    Thursday, June 27, 2019 1:00 PM
  • Hi,

    I will give your script a try tomorrow. I am using -IgnoreEscrowOwnerAuthFailure in my command-line parameters but the MS script is failing. Which parameter should I use to correct this?

    Executing command line: Run Powershell script	RunPowerShellScript	2019-06-27 15:36:20	2496 (0x09C0)
    Checking prerequisites ...	RunPowerShellScript	2019-06-27 15:36:33	2496 (0x09C0)
    Preparing TPM and escrowing owner-auth to https://server.intraDNSSuffix/MBAMRecoveryAndHardwareService/CoreService.svc ...	RunPowerShellScript	2019-06-27 15:36:40	2496 (0x09C0)
    Failed to escrow TPM owner-auth to https://server.intraDNSSuffix/MBAMRecoveryAndHardwareService/CoreService.svc. HRESULT: 0x80040203 - MBAM cannot read the TPM owner authorization value. The value may have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others.	RunPowerShellScript	2019-06-27 15:36:41	2496 (0x09C0)
    Retry after 30 seconds...	RunPowerShellScript	2019-06-27 15:36:41	2496 (0x09C0)
    Failed to escrow TPM owner-auth to https://server.intraDNSSuffix/MBAMRecoveryAndHardwareService/CoreService.svc. HRESULT: 0x80040203 - MBAM cannot read the TPM owner authorization value. The value may have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others.	RunPowerShellScript	2019-06-27 15:37:12	2496 (0x09C0)
    Retry after 30 seconds...	RunPowerShellScript	2019-06-27 15:37:12	2496 (0x09C0)
    Failed to escrow TPM owner-auth to https://server.intraDNSSuffix/MBAMRecoveryAndHardwareService/CoreService.svc after 3 tries. Last error -  HRESULT: 0x80040203 - MBAM cannot read the TPM owner authorization value. The value may have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others.	RunPowerShellScript	2019-06-27 15:37:42	2496 (0x09C0)
    The TPM owner-auth escrow failures are configured to be ignored.	RunPowerShellScript	2019-06-27 15:37:42	2496 (0x09C0)
    Adding TPM protector to OS volume ...	RunPowerShellScript	2019-06-27 15:37:42	2496 (0x09C0)
    Escrowing OS volume recovery key to https://server.intraDNSSuffix/MBAMRecoveryAndHardwareService/CoreService.svc and starting encryption ...	RunPowerShellScript	2019-06-27 15:37:44	2496 (0x09C0)
    Failed to escrow the recovery information of volume C: (Device ID: \\?\Volume{04d4d409-ffeb-4e8e-8246-1f16313823ce}\) to https://server.intraDNSSuffix/MBAMRecoveryAndHardwareService/CoreService.svc. HRESULT: 0x800b0109	RunPowerShellScript	2019-06-27 15:37:48	2496 (0x09C0)
    Retry after 30 seconds...	RunPowerShellScript	2019-06-27 15:37:48	2496 (0x09C0)
    Failed to escrow the recovery information of volume C: (Device ID: \\?\Volume{04d4d409-ffeb-4e8e-8246-1f16313823ce}\) to https://server.intraDNSSuffix/MBAMRecoveryAndHardwareService/CoreService.svc. HRESULT: 0x800b0109	RunPowerShellScript	2019-06-27 15:38:19	2496 (0x09C0)
    Retry after 30 seconds...	RunPowerShellScript	2019-06-27 15:38:19	2496 (0x09C0)
    Failed to escrow the recovery information of volume  (Device ID: 	RunPowerShellScript	2019-06-27 15:38:51	2496 (0x09C0)
    \\?\Volume{04d4d409-ffeb-4e8e-8246-1f16313823ce}\) to 	RunPowerShellScript	2019-06-27 15:38:51	2496 (0x09C0)
    https://server.intraDNSSuffix/MBAMRecoveryAndHardwareService/CoreService.svc after 	RunPowerShellScript	2019-06-27 15:38:51	2496 (0x09C0)
    3 tries. Last error -  HRESULT: 0x800b0109	RunPowerShellScript	2019-06-27 15:38:51	2496 (0x09C0)
    Au caractère 	RunPowerShellScript	2019-06-27 15:38:51	2496 (0x09C0)
    C:\_SMSTaskSequence\Packages\DNSSuffix006AE\Invoke-MbamClientDeployment.ps1:487 : 13	RunPowerShellScript	2019-06-27 15:38:51	2496 (0x09C0)
    +             throw $message	RunPowerShellScript	2019-06-27 15:38:51	2496 (0x09C0)
    +             ~~~~~~~~~~~~~~	RunPowerShellScript	2019-06-27 15:38:51	2496 (0x09C0)
        + CategoryInfo          : OperationStopped: (Failed to escro...ULT: 0x800b 	RunPowerShellScript	2019-06-27 15:38:51	2496 (0x09C0)
       0109:String) [], RuntimeException	RunPowerShellScript	2019-06-27 15:38:51	2496 (0x09C0)
        + FullyQualifiedErrorId : Failed to escrow the recovery information of vol 	RunPowerShellScript	2019-06-27 15:38:51	2496 (0x09C0)
       ume  (Device ID: \\?\Volume{04d4d409-ffeb-4e8e-8246-1f16313823ce}\) to htt  	RunPowerShellScript	2019-06-27 15:38:51	2496 (0x09C0)
      ps://server.intraDNSSuffix/MBAMRecoveryAndHardwareService/CoreService.svc afte   	RunPowerShellScript	2019-06-27 15:38:51	2496 (0x09C0)
     r 3 tries. Last error -  HRESULT: 0x800b0109	RunPowerShellScript	2019-06-27 15:38:51	2496 (0x09C0)

    This one?

    -IgnoreEscrowRecoveryKeyFailure

    Thursday, June 27, 2019 11:49 PM
  • Here are all ignore options;

    #              [-IgnoreEscrowOwnerAuthFailure]
    #              [-IgnoreEscrowRecoveryKeyFailure]
    #              [-IgnoreReportStatusFailure]

    You can use them all; in the end the MBAM client will escrow the key later, if your MBAM infra is in working shape, but of course I would recommend not using the -IgnoreEscrowRecoveryKeyFailure switch because it is the most important one.


    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Friday, June 28, 2019 1:31 PM
  • Hi,

    I did try your script with all ignore switches and got failures on 3/4 models.

    Failed to escrow the recovery information of volume  (Device ID: RunPowerShellScript 2019-06-28 08:35:39 2744 (0x0AB8)
    \\?\Volume{5f5f5b04-52dd-439f-9e34-7836b2e3b279}\) to RunPowerShellScript 2019-06-28 08:35:39 2744 (0x0AB8)
    https://server/MBAMRecoveryAndHardwareService/CoreService.svc after RunPowerShellScript 2019-06-28 08:35:39 2744 (0x0AB8)
    3 tries. Last error -  HRESULT: 0x800b0109 RunPowerShellScript 2019-06-28 08:35:39 2744 (0x0AB8)
    Au caractère RunPowerShellScript 2019-06-28 08:35:39 2744 (0x0AB8)
    C:\_SMSTaskSequence\Packages\xxx006AE\Invoke-MbamClientDeployment.ps1:487 : 13 RunPowerShellScript 2019-06-28 08:35:39 2744 (0x0AB8)
    +             throw $message RunPowerShellScript 2019-06-28 08:35:39 2744 (0x0AB8)
    +             ~~~~~~~~~~~~~~ RunPowerShellScript 2019-06-28 08:35:39 2744 (0x0AB8)
        + CategoryInfo          : OperationStopped: (Failed to escro...ULT: 0x800b RunPowerShellScript 2019-06-28 08:35:39 2744 (0x0AB8)
       0109:String) [], RuntimeException RunPowerShellScript 2019-06-28 08:35:39 2744 (0x0AB8)
        + FullyQualifiedErrorId : Failed to escrow the recovery information of vol RunPowerShellScript 2019-06-28 08:35:39 2744 (0x0AB8)
       ume  (Device ID: \\?\Volume{5f5f5b04-52dd-439f-9e34-7836b2e3b279}\) to htt  RunPowerShellScript 2019-06-28 08:35:39 2744 (0x0AB8)
      ps://server/MBAMRecoveryAndHardwareService/CoreService.svc afte    RunPowerShellScript 2019-06-28 08:35:39 2744 (0x0AB8)
     r 3 tries. Last error -  HRESULT: 0x800b0109 RunPowerShellScript 2019-06-28 08:35:39 2744 (0x0AB8)

    Friday, June 28, 2019 2:16 PM
  • I think this cannot work: https://server/MBAMRecoveryAndHardwareService/CoreService.svc because you can use http://server/ or https://server.domain.dom/ but not https://hostname.

    The thing is that https requires certs, and the cert relies on the FQDN. I claim your MBAM infra is not set up correctly; it is not the script's fault.

    Also, if you can't make the script work, just use the Enable BitLocker step, and check the MBAM client actions afterwards.

    Using the script has 2 benefits over the Enable BitLocker step:
    - The recovery key is generated and escrowed right away during OS deployment
    - You have a chance to generate and escrow the TPM ownership password as well

    Anyway, like I said before, I really encourage you to start using the FQDN address.


    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    • Proposed as answer by yannara Friday, June 28, 2019 6:27 PM
    Friday, June 28, 2019 6:27 PM
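    A pre-flight check for the two failure modes discussed in this thread, the TPM lockout from the opening question and the 0x800b0109 escrow error in the smsts.log excerpts, as an added example that is not code from the thread or from Microsoft's Invoke-MbamClientDeployment.ps1. The endpoint URL is a placeholder and the function names are hypothetical; run it in full Windows before the MBAM step.

```powershell
# Added pre-flight check, not from this thread or from Microsoft's Invoke-MbamClientDeployment.ps1.
# Function names are hypothetical; the default endpoint is a placeholder to replace with your own.
param(
    [string]$Endpoint = 'https://mbam-server.example.invalid/MBAMRecoveryAndHardwareService/CoreService.svc'
)

function Test-TpmReadyForMbam {
    # Same state the poster inspected by hand with Get-Tpm. A locked-out TPM makes
    # Initialize-Tpm fail with TpmLockedOut; after the BIOS clear the poster saw
    # OwnerClearDisabled = True and a populated OwnerAuth, which is the healthy state.
    $tpm = Get-Tpm
    $result = [ordered]@{
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        OwnerClearDisabled = $tpm.OwnerClearDisabled
        OwnerAuthPresent   = -not [string]::IsNullOrEmpty($tpm.OwnerAuth)
        LockedOut          = $null
    }
    # LockedOut / LockoutHealTime are reported by Get-Tpm on Windows 10; older builds omit them.
    if ($tpm.PSObject.Properties['LockedOut']) {
        $result.LockedOut = [bool]$tpm.LockedOut
        if ($tpm.LockedOut) {
            Write-Warning ("TPM is in dictionary-attack lockout; heal time: {0}" -f $tpm.LockoutHealTime)
        }
    }
    [pscustomobject]$result
}

function Test-MbamEndpointTls {
    param([Parameter(Mandatory)][uri]$Uri)
    # HRESULT 0x800B0109 in the smsts.log is CERT_E_UNTRUSTEDROOT: the service certificate
    # chains to a root the client does not trust. This opens a TLS session to the endpoint,
    # records the validation result instead of aborting, and reports chain and name problems.
    if ($Uri.Scheme -ne 'https') { throw "Endpoint must use https, got '$($Uri.Scheme)'" }
    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:policyErrors = $errors   # keep the errors, let the handshake finish
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($Uri.Host, $Uri.Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Uri.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        # Rebuild the chain against the local trust store to name the exact chain problem.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null = $chain.Build($cert)
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $errs = [int]$script:policyErrors
        [pscustomobject]@{
            Host          = $Uri.Host
            HostIsFqdn    = $Uri.Host.Contains('.')   # hostname-only https URLs usually fail name matching
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            NameMatches   = ($errs -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -eq 0
            ChainTrusted  = ($errs -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) -eq 0
            UntrustedRoot = $status -contains [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::UntrustedRoot
            ChainStatus   = ($status -join ', ')
        }
    } finally {
        $tcp.Close()
    }
}

Test-TpmReadyForMbam | Format-List
Test-MbamEndpointTls -Uri $Endpoint | Format-List
```

    If UntrustedRoot is True, the issuing CA's root is missing from the client's trust store, which matches the 0x800b0109 escrow failures above; if HostIsFqdn is False or NameMatches is False, the endpoint URL does not match the certificate's name, which is the FQDN point made in this thread.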
  • Hi,

    For many years we were using that with 2.5 SP0. And it is still working on our current TS.

    We just upgraded the server to 2.5 SP1, but the Lenovo X270 was not working properly. So by disabling BitLocker pre-provisioning on my new TS, it started working on the X270.

    Then I began testing on all other laptop models (Dell/Toshiba/Lenovo). I got random failures. Sometimes it is working and sometimes not. When failing, after a few hours the HDD got encrypted. Maybe the GPO is doing its job afterwards.

    So what you are suggesting is, if the script fails, continue on error and Enable BitLocker?

    Saturday, June 29, 2019 10:24 AM
  • Hi,

    For many years we were using that with 2.5 SP0. And it is still working on our current TS.

    We just upgraded the server to 2.5 SP1, but the Lenovo X270 was not working properly. So by disabling BitLocker pre-provisioning on my new TS, it started working on the X270.

    Then I began testing on all other laptop models (Dell/Toshiba/Lenovo). I got random failures. Sometimes it is working and sometimes not. When failing, after a few hours the HDD got encrypted. Maybe the GPO is doing its job afterwards.

    So what you are suggesting is, if the script fails, continue on error and Enable BitLocker?


    If script fails, change the script to Enable Bitlocker Step in OSD. 

    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Saturday, June 29, 2019 11:27 AM
  • Hi,

    Sounds interesting.

    So just put enable-BitLocker in the TS? Then the client will escrow the key later?

    What is the difference between just enabling BitLocker and running invoke-mbam?

    Thanks,

    Saturday, June 29, 2019 5:31 PM
  • Hi,

    Sounds interesting.

    So just put enable-BitLocker in the TS? Then the client will escrow the key later?

    What is the difference between just enabling BitLocker and running invoke-mbam?

    Thanks,


    I already explained ;)

    Using the script has 2 benefits over Enable Bitlocker Step;
    - Recovery key is generated and escrowed right away during OS deployment
    - You have a chance to generate and escrow TPM ownership password as well

    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Monday, July 1, 2019 12:38 PM
  • Hi,

    But after OSD ends, the MBAM GPO will take effect and then escrow the recovery key and TPM ownership password too?!

    If so, then it might just delay a little what I was expecting to be done during OSD?!

    Thanks,

    Monday, July 1, 2019 4:28 PM
  • Hi,

    But after OSD ends, the MBAM GPO will take effect and then escrow the recovery key and TPM ownership password too?!

    If so, then it might just delay a little what I was expecting to be done during OSD?!

    Thanks,


    Exactly!

    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Monday, July 1, 2019 8:13 PM
  • Hi,

    If I enable BitLocker, making the HDD encrypt, is it then possible later to force the MBAM client to escrow the recovery key and TPM ownership password?

    Thanks,

    Monday, July 1, 2019 11:16 PM
  • Hi,

    If I enable BitLocker, making the HDD encrypt, is it then possible later to force the MBAM client to escrow the recovery key and TPM ownership password?

    Thanks,


    MBAM will escrow the recovery key, but not the TPM password. The TPM password is deprecated in the latest Windows 10 builds.

    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    • Proposed as answer by yannara Wednesday, July 3, 2019 8:45 AM
    Wednesday, July 3, 2019 8:45 AM
  • Hi,

    Yesterday, I did another test, another one.. one more. I enabled BitLocker pre-provisioning except for the Lenovo X270. All laptops started working with MBAM encryption. Not sure I understand.

    I will need doing more tests.

    Thanks,

    Wednesday, July 3, 2019 10:09 AM