WADK 1709, MDT 8443, Win 10 X64 enterprise 1709 task sequence error: Failure -2144272377 Enable BDE Protectors

  • Question

  • Doing some testing imaging up a Dell Latitude and I'm getting this error during imaging.


    Failure -2144272377 Enable BDE Protectors 

    Here's the ZTIBDE.log

    <![LOG[Microsoft Deployment Toolkit version: 6.3.8443.1000]LOG]!><time="10:26:38.000+000" date="10-19-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[The task sequencer log is located at X:\windows\TEMP\SMSTSLog\SMSTS.LOG.  For task sequence failures, please consult this log.]LOG]!><time="10:26:38.000+000" date="10-19-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[System drive is: X:]LOG]!><time="10:26:38.000+000" date="10-19-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[The deployment method is not using ConfigMgr.]LOG]!><time="10:26:38.000+000" date="10-19-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[BDE installation not selected]LOG]!><time="10:26:38.000+000" date="10-19-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[ZTIBDE processing completed successfully.]LOG]!><time="10:26:38.000+000" date="10-19-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[Event 41001 sent: ZTIBDE processing completed successfully.]LOG]!><time="10:26:38.000+000" date="10-19-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[Microsoft Deployment Toolkit version: 6.3.8443.1000]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[The task sequencer log is located at C:\Users\ADMINI~1\AppData\Local\Temp\SMSTSLog\SMSTS.LOG.  For task sequence failures, please consult this log.]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[System drive is: C:]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[The deployment method is not using ConfigMgr.]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[This script is not currently running in Windows PE]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[We are running a OS that supports BitLocker]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[OSDBitLockerTargetDrive= , OSDBdeTargetDriveLetter= , sOSDBitLockerTargetDrive= C:]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[This is a Refresh Build where BDE protectors were disabled.]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[OS Version is Windows 7 or higher.]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Encryptable Volume Count:2]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Attempting to bind to: C:]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Success setting oBdeVol ]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[BDE Instance Bind Complete]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Attempting to enable BDE Protectors]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[FAILURE ( 6767 ): -2144272377  0x80310007: Enable BDE Protectors]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="3" thread="" file="ZTIBde">
    <![LOG[Event 41002 sent: FAILURE ( 6767 ): -2144272377  0x80310007: Enable BDE Protectors]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">

    Thursday, October 19, 2017 4:25 PM
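
A triage sketch for the log format shown in the question, added here as an example and not part of the original thread: it parses the `<![LOG[...]LOG]!>` records, keeps only error records (`type="3"`), and decodes the signed return code into HRESULT fields. The function names are hypothetical; the three sample records are copied from the log above.

```python
import re

# CMTrace-style record: <![LOG[message]LOG]!><key="value" ...>
RECORD = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.S)
ATTR = re.compile(r'(\w+)="([^"]*)"')
FAILURE = re.compile(r'FAILURE \( (\d+) \): (-?\d+)\s+(0x[0-9A-Fa-f]+): (.*)')

# Three records copied from the ZTIBDE log posted in the question.
SAMPLE = '''
<![LOG[Attempting to enable BDE Protectors]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[FAILURE ( 6767 ): -2144272377  0x80310007: Enable BDE Protectors]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="3" thread="" file="ZTIBde">
<![LOG[Event 41002 sent: FAILURE ( 6767 ): -2144272377  0x80310007: Enable BDE Protectors]LOG]!><time="11:08:19.000+000" date="10-19-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
'''

def parse_records(text):
    """Yield one dict per log record: its attributes plus the message."""
    for m in RECORD.finditer(text):
        rec = dict(ATTR.findall(m.group('attrs')))
        rec['message'] = m.group('msg')
        yield rec

def decode_hresult(signed):
    """Split a signed 32-bit return code into HRESULT fields."""
    value = signed & 0xFFFFFFFF          # two's complement -> unsigned
    return {
        'hex': f'0x{value:08X}',
        'failed': bool(value >> 31),      # severity bit
        'facility': (value >> 16) & 0x7FF,
        'code': value & 0xFFFF,
    }

def failures(text):
    """Return decoded failures from error records (type="3") only."""
    found = []
    for rec in parse_records(text):
        m = FAILURE.match(rec['message'])
        if rec.get('type') != '3' or not m:
            continue
        hr = decode_hresult(int(m.group(2)))
        found.append({
            'when': f"{rec.get('date')} {rec.get('time')}",
            'step': m.group(4),
            'hresult': hr,
            # the log prints both forms; they must agree
            'consistent': hr['hex'].lower() == m.group(3).lower(),
        })
    return found

if __name__ == '__main__':
    for f in failures(SAMPLE):
        print(f)
```

Filtering on `type="3"` counts the failure once, since the "Event 41002 sent" record repeats the same message at type 1. Facility 49 (0x31) in the decoded value is the Windows full-volume encryption (BitLocker) facility.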

All replies

  • When does the error occur? During the pre-provisioning step or in the State Restore phase? Is the TPM chip enabled, activated and cleared?

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Thursday, October 19, 2017 4:38 PM
  • State Restore phase

    Not sure if it's enabled. I've imaged this system 100's of times with 1607 and 1703 task sequences and never seen this error.

    Thursday, October 19, 2017 4:40 PM
  • Run tpm.msc. The console displays current TPM status. You may need to clear your TPM chip.

    Cheers,
    Anton

    Thursday, October 19, 2017 4:48 PM
  • It says TPM is ready for use.
    Thursday, October 19, 2017 4:49 PM
  • So I am noticing this ZTIBDD log with my 1709 task is different from my 1607 and 1703 tasks.

    This is a Refresh Build where BDE protectors were disabled.]
    Somehow it thinks I'm doing a refresh build (I'm not, it's a new install, full wipe).
    • Edited by PeteBC Thursday, October 26, 2017 7:33 PM
    Thursday, October 26, 2017 7:31 PM
  • Have you figured out the error? I'm getting the same error codes. Also deploying a Dell machine.
    Tuesday, November 28, 2017 3:48 PM
  • Have you figured out the error? I'm getting the same error codes. Also deploying a HP Probook 450G4 machine.

    Before, it worked well in Windows 1703 and others!!!

    Saturday, December 2, 2017 9:42 PM
  • Interesting. Based on the information above, this would mean you are not using BitLocker Pre-Provisioning. ZTIBDE script will process this script part only if Bitlocker should be turned on and you are not using pre-provisioning: 

    oEnvironment.Item("IsBDE")) = "TRUE" and UCase(oEnvironment.Item("IsBDEPreProvisioned")

    Can you confirm? Regardless, it looks like MDT is unable to enable the TPM protector.

    I don't have this particular model handy (the customer I am at right now is using HP Elitebooks, which work just fine), so I am going to take a few stabs in the dark.

    • Does enabling BitLocker manually (from the full OS) work? 
    • Have you applied the TPM firmware update available at https://support.hp.com/us-en/document/c05792935 ? Please note that while I do not think this issue is related, it is still advisable to patch the known TPM vulnerability.
    • How are you setting up BDE in your CustomSettings.ini?

    Cheers,
    Anton

    Monday, December 4, 2017 6:21 AM
  • No, I am not using BitLocker pre-provisioning. Everything is stock MDT. This error does not occur with the 1607 or 1703 task sequence, only 1709.

    This is happening on Dells here.

    Monday, December 4, 2017 2:25 PM
  • Did you specify BDE options in CustomSettings.ini or are you enabling BitLocker drive encryption in the MDT wizard? Here is an excerpt from my CS.ini, verified on multiple HP & Dell systems:

    IsBDE=TRUE
    BdeInstallSuppress=NO
    BDEDisablePreProvisioning=NO
    BDEInstall=TPM
    BDEWaitForEncryption=YES


    Cheers,
    Anton

    Monday, December 4, 2017 3:01 PM
  • No, I have

    SkipBitlocker=yes

    Monday, December 4, 2017 3:05 PM
  • No, I have

    SkipBitlocker=yes

    In this case, try adding the properties I specified above to your CustomSettings.ini.

    Cheers,
    Anton

    Monday, December 4, 2017 3:12 PM
  • I do not want to enable encryption. It should be bypassing the enable BitLocker task automatically unless you have
    BdeInstallSuppress=NO
    Monday, December 4, 2017 4:04 PM
  • I do not want to enable encryption. It should be bypassing the enable BitLocker task automatically unless you have
    BdeInstallSuppress=NO

    Now I'm 100% confused.. all this time you were trying to avoid BitLocker? Clearly some settings are getting mixed up here. If you are still having problems, please copy your bdd.log file to a public site like OneDrive and share the link.

    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Wednesday, December 6, 2017 6:44 AM
    Moderator
  • I do not want to enable encryption. It should be bypassing the enable BitLocker task automatically unless you have

    BdeInstallSuppress=NO

    Now I'm 100% confused..

    Make that two of us.

    Cheers,
    Anton

    Wednesday, December 6, 2017 7:18 AM
  • Hi There,

    We have had a similar issue with HP EliteBook 840 G4 devices. Like you, or maybe not, we do the BitLocker provisioning in a post-install script, and up until now we have left the MDT Client task sequence as default as necessary. This excludes things like driver groups, amending the install of packages, etc. So far we have had enough success with the majority of Windows 10 flavours to allow the task sequence to complete without errors. This seemed to change using the 1709 build on the HP EliteBook 840 G4, where we now get an error exactly like the original poster's. See below what I have done today to mitigate this error, and please test to suit your environment:

    1: Disabled the Enable Offline Bitlocker Task 

    2: Disabled the Enable Bitlocker task sequence at the end

    It may be that only one needs disabled and I am running a test just now with No 1 switched back on as it seems to be an error generated fairly late on in the task sequence. I will report once finished.

    The major difference in this model compared to other devices is the TPM version. This device is running TPM 2 whilst other devices are still on 1.2. As another poster has mentioned, the firmware that comes with the TPM needs to be updated. Another Story. Anyways it might be worth a go with the steps above and test, test, test.

    Ewen.

     Update: It seems that only disabling the last Enable Bitlocker task is enough to keep the error from appearing.


    • Edited by jewen Tuesday, December 12, 2017 8:57 PM
    Tuesday, December 12, 2017 8:10 PM