TPM fails to initialize

  • Question

  • Hello,

    I have a few flavors of Dell Latitudes and have updated the BIOS on them. The TPM is set to ON and Activate in the BIOS. However, when running manage-bde.wsf -tpm -o mypassword I receive an error that says "An error occurred while taking ownership of the TPM (code 0x80280023)."

    However, initializing does work through the tpm.msc but this is useless in an enterprise environment.

    Thoughts?
    Monday, July 6, 2009 7:57 PM

Answers

  • Hi, thanks for the post. Regarding the error code 0x80280023, it refers to "No endorsement key can be found on the TPM".

    A TPM can be turned on (Active & Enabled state) without having an Endorsement Key (EK). The EK is the root key for everything the TPM does, and after it has been securely generated inside the TPM it will never change. If an OEM has not created an EK before shipping the system, Windows Vista still provides a few backup methods to accomplish the task. Unfortunately the manage-bde.wsf is not one of them.

    The Win32_TPM class (http://msdn2.microsoft.com/en-us/library/aa376484.aspx) describes all the TPM management functions exposed via WMI. One of them is called CreateEndorsementKeyPair (http://msdn2.microsoft.com/en-us/library/aa376422.aspx) which can be used to make your TPM fully functional (Active, Enabled, and Owned).

    Alternatively, the TPM wizard (tpm.msc) will walk you through the process in a nice, friendly GUI kind of way, but I know that is not an option for you.

    You might want to get in touch with Dell, to see if they have any plans to add this in any newer BIOS versions.


    Sean Zhu - MSFT
    Wednesday, July 8, 2009 9:39 AM
    Moderator
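The Win32_Tpm flow the answer describes (check state, create the endorsement key if it is missing, then take ownership with the same passphrase manage-bde -tpm -o would use), as an added PowerShell example that is not code from the thread or from Microsoft. It assumes Windows Vista/7 with a TPM 1.2, an elevated session, and that the owner passphrase is supplied by the caller rather than hard-coded; the empty nonce passed to CreateEndorsementKeyPair mirrors the VBScript posted later in the thread. On Windows 8 and later the OS provisions the TPM itself and CreateEndorsementKeyPair does not apply, so this targets the thread's Vista-era case only.

```powershell
# Added example, not code from the thread: the Win32_Tpm WMI steps the answer
# describes as one script a task sequence can run instead of tpm.msc.
# Assumes Windows Vista/7, TPM 1.2, elevated session, passphrase from the caller.
param(
    [Parameter(Mandatory = $true)]
    [string]$OwnerPassphrase   # assumption: supplied by the deployment, never hard-coded
)

# Render a UInt32 ReturnValue the way the question shows it (0x80280023).
function Format-Hresult([uint32]$Code) { '0x{0:X8}' -f $Code }

# Win32_Tpm lives in its own namespace and requires packet-privacy authentication,
# the same {AuthenticationLevel=pktprivacy} moniker the VBScript in the thread uses.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class 'Win32_Tpm' `
                     -Authentication PacketPrivacy -ErrorAction Stop
if (-not $tpm) {
    Write-Error 'No Win32_Tpm instance found: the TPM is absent or turned off in the BIOS.'
    exit 1
}

# Each Is* method returns an object with ReturnValue and one boolean out-parameter
# named after the method.
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned
$ekPresent = $tpm.IsEndorsementKeyPairPresent().IsEndorsementKeyPairPresent
Write-Output "TPM state: Enabled=$enabled Activated=$activated Owned=$owned EKPresent=$ekPresent"

# Enabling/activating needs physical presence (BIOS), so stop rather than attempt it here.
if (-not ($enabled -and $activated)) {
    Write-Error 'TPM must be enabled and activated in the BIOS before it can be owned.'
    exit 1
}

# The case from the thread: a TPM that is on but shipped without an endorsement key.
# CreateEndorsementKeyPair takes an anti-replay nonce; the posted VBScript passes an
# empty one and this does the same (assumption: an empty nonce is accepted).
if (-not $ekPresent) {
    $r = $tpm.CreateEndorsementKeyPair('')
    if ($r.ReturnValue -ne 0) {
        Write-Error ('CreateEndorsementKeyPair failed: ' + (Format-Hresult $r.ReturnValue))
        exit 1
    }
    Write-Output 'Endorsement key pair created.'
}

# Take ownership. ConvertToOwnerAuth derives the owner authorization value (a hash of
# the passphrase) that TakeOwnership expects, so the raw passphrase is not passed to it.
if (-not $owned) {
    $auth = $tpm.ConvertToOwnerAuth($OwnerPassphrase)
    if ($auth.ReturnValue -ne 0) {
        Write-Error ('ConvertToOwnerAuth failed: ' + (Format-Hresult $auth.ReturnValue))
        exit 1
    }
    $r = $tpm.TakeOwnership($auth.OwnerAuth)
    $code = Format-Hresult $r.ReturnValue
    if ($code -eq '0x80280023') {
        # TPM_E_NO_ENDORSEMENT: the error from the question; the EK step above should
        # have prevented it, so report it explicitly rather than as a generic failure.
        Write-Error 'TakeOwnership failed: no endorsement key on the TPM (0x80280023).'
        exit 1
    } elseif ($r.ReturnValue -ne 0) {
        Write-Error ('TakeOwnership failed: ' + $code)
        exit 1
    }
    Write-Output 'TPM ownership taken.'
} else {
    Write-Output 'TPM already owned; nothing to do.'
}
exit 0
```

The return codes are compared as formatted hex strings on purpose: a literal like 0x80280023 is parsed by PowerShell as a negative Int32, so it never equals the UInt32 ReturnValue the WMI method hands back. Non-zero exit codes let a ConfigMgr task sequence step fail on any error instead of continuing to BitLocker enablement against a TPM that is not owned.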

All replies

  • Hello Sean Zhu

    I have exactly the same problem with Dell Latitude E6500 and E4300. I'm not the WMI guy! Can you please send me the WMI command for "CreateEndorsementKeyPair"?
    I'd like to run the command in a MS ConfigMgr Task Sequence.

    Thanks, Regards, Martin
    Martin Schneeberger
    Tuesday, December 1, 2009 1:08 PM
  • Hello

    We have used the "BitLocker Sample Deployment Script" from http://gallery.technet.microsoft.com/ScriptCenter/en-us/780d167f-2d57-4eb7-bd18-84c5293d93e3 to create our own simple Script to "CreateEndorsementKeyPair".

    ' Connect to the TPM WMI provider; Win32_Tpm requires packet-privacy authentication
    Set objWMIService = GetObject("WinMgmts:{impersonationLevel=impersonate,AuthenticationLevel=pktprivacy}//.\root\CIMV2\Security\MicrosoftTpm")
    Set objItems = objWMIService.InstancesOf("Win32_Tpm")

    For Each objItem In objItems

        ' Each query returns a status code and sets its boolean out-parameter
        'rvaluea = objItem.IsEnabled(A)
        'rvalueb = objItem.IsActivated(B)
        'rvaluec = objItem.IsOwned(C)
        rvalued = objItem.IsEndorsementKeyPairPresent(D)

        'WScript.Echo "TPM Is Enabled: " & A
        'WScript.Echo "TPM Is Activated: " & B
        'WScript.Echo "TPM Is Owned: " & C
        'WScript.Echo "TPM Is EndorsementKeyPairPresent: " & D

        ' Only create an endorsement key when none exists; a non-zero exit code
        ' makes the task sequence step fail if the TPM rejects the request
        If Not D Then
            'WScript.Echo "CreateEndorsementKeyPair... Please Wait"
            rvaluee = objItem.CreateEndorsementKeyPair(E)
            'WScript.Echo "CreateEndorsementKeyPair... Returns:" & rvaluee & " and E=" & E
            If (rvaluee <> 0) Then
                WScript.Quit -1
            End If
        End If
    Next
    WScript.Quit 0

    Now we use our VBScript in a MS ConfigMgr Task Sequence to deploy Dell Latitude E-Series Machines with BitLocker.
    Thanks, Gaëtan and Dave for creating and testing the Script.

    Martin
    Martin Schneeberger
    Friday, December 4, 2009 7:19 AM