ZTIBde Fails (FAILURE 6751)

  • Question

  • Here's one I just don't understand. I was really struggling with getting BitLocker to configure as part of Deployment, but then I had an epiphany that maybe the GPO for saving recovery keys to AD needed to be applied to the DCs as well. After linking the GPO at the root level of the domain, I was able to deploy with BitLocker successfully on Friday!

    I decided to test again on Monday, so on the same machine I cleared the TPM (Dell Latitude E7440) and made sure it was enabled and activated in the BIOS before continuing.  Then I started a deployment, but it fails with a "Change owner authorization" error.  Everything is the same as it was on Friday, except for clearing the TPM.  ZTIBde.log is pasted below.  Any help is greatly appreciated!

    EDIT: I should mention, I'm using UEFI for this, and the next step is getting it to work on Surface Pro 3.

    <![LOG[Microsoft Deployment Toolkit version: 6.2.5019.0]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[The task sequencer log is located at C:\Users\ADMINI~1\AppData\Local\Temp\SMSTSLog\SMSTS.LOG.  For task sequence failures, please consult this log.]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[System drive is: C:]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[The deployment method is not using ConfigMgr.]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[This script is not currently running in Windows PE]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[We are running a OS that supports BitLocker]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[OSDBitLockerTargetDrive= , OSDBdeTargetDriveLetter= , sOSDBitLockerTargetDrive= C:]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[About to perform variable rationalization.]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[BitLocker Mode set to: TPM]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[BitLocker Startup Key Drive Value set to: C:\Windows\BitLocker]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[BitLocker Create Recovery P@ssword Status: AD]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[BitLocker Wait For Encryption Status set to: FALSE]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[BitLocker Recovery P@ssword set.]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[The current autorun setting is - 145]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Disabling Autorun]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Find the boot drive (if any) [False] [0.0.0.0] [False]]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[New ZTIDisk : \\ITFLLT1\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[No boot drives found. None.]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Reverting autorun setting to - 145]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Setting BDE Drive letter to nothing as we are unable to get the boot drive.]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Property BdeDriveLetter is now = ]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Running first pass..]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[New ZTIDisk : \\ITFLLT1\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[	    Partition Count: 3]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[ZTIDiskUtility!GetDiskFreeSpace should be deprecated, does not handle avaible space for a new partition]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[New ZTIDisk : \\ITFLLT1\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[GetPartitions: 3]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[New ZTIDiskPartition : \\ITFLLT1\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"    \\ITFLLT1\root\cimv2:Win32_LogicalDisk.DeviceID="C:"]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[	    Free Disk Space: 122]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[	 Existing Bitlocker: ]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[The current autorun setting is - 145]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Disabling Autorun]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Find the boot drive (if any) [False] [0.0.0.0] [False]]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[New ZTIDisk : \\ITFLLT1\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[No boot drives found. None.]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Reverting autorun setting to - 145]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[	Existing Boot Drive: 1]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[The current autorun setting is - 145]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Disabling Autorun]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Find the boot drive (if any) [False] [0.0.0.0] [False]]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[New ZTIDisk : \\ITFLLT1\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[No boot drives found. None.]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Reverting autorun setting to - 145]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Windows has a hidden system partition, no disk actions are necessary]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Configuring protectors.]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Success TPM Enabled]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Success TPM Is Activated]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Success TPM Is Owned]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Success TPM Ownership Allowed]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Check for Ensorsement Key Pair Present = 0]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[TpmEnabled: True]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[TpmActivated: True]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[TpmOwned: False]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[TpmOwnershipAllowed: True]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[EndorsementKeyPairPresent: True]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[TPM Ownership being intiated with Default p@ssword (not TPMOwnerP@ssword).]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Starting owner authorization process on the TPM]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[FAILURE ( 6751 ): -2147024891  0x80070005: Change owner authorization]LOG]!><time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" context="" type="3" thread="" file="ZTIBde">
    <![LOG[Event 41002 sent: FAILURE ( 6751 ): -2147024891  0x80070005: Change owner authorization]LOG]!><time="17:19:09.000+000" date="10-20-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">



    • Edited by Jay Lay Tuesday, October 21, 2014 7:19 PM
    Tuesday, October 21, 2014 5:02 PM

Answers

  • 0x80070005 means E_ACCESSDENIED.

    Some more debugging may be required. Check the event logs to see if the TPM provider wrote any more information.

    Additionally, did you set the TPMOwnerPassword? I can't recall ever doing this myself. Did you lock yourself out?


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Wednesday, October 22, 2014 7:21 AM
    Moderator
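
The decoding step from the answer above, as an added example that is not part of the original thread: it parses the CMTrace-style entries that ZTIBde.log uses, keeps the ones logged at error severity, and splits the HRESULT into facility and code. The function names, the `mdt_code` label for the number in parentheses, and the two one-entry lookup tables are assumptions made for this sketch; the type 1/2/3 severity mapping follows the CMTrace convention.

```python
import re

# Constructed sample: four messages from the ZTIBde.log in the question, same trailer.
_TRAILER = ('<time="17:19:08.000+000" date="10-20-2014" component="ZTIBde" '
            'context="" type="{t}" thread="" file="ZTIBde">')
SAMPLE_LOG = "\n".join(
    "<![LOG[" + msg + "]LOG]!>" + _TRAILER.format(t=t) for msg, t in [
        ("Find the boot drive (if any) [False] [0.0.0.0] [False]", "1"),
        ("TpmOwned: False", "1"),
        ("Starting owner authorization process on the TPM", "1"),
        ("FAILURE ( 6751 ): -2147024891  0x80070005: Change owner authorization", "3"),
    ])

ENTRY = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.S)
ATTR = re.compile(r'(\w+)="([^"]*)"')
FAILURE = re.compile(r'FAILURE \( (\d+) \): (-?\d+)\s+0x([0-9A-Fa-f]{8}): (.*)', re.S)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}   # CMTrace type attribute
FACILITY = {7: "FACILITY_WIN32"}      # only the facility this page needs
WIN32 = {5: "ERROR_ACCESS_DENIED"}    # only the code this page needs

def parse_entries(text):
    """Yield one dict per log entry: message, severity and the raw attributes."""
    for m in ENTRY.finditer(text):
        attrs = dict(ATTR.findall(m.group("attrs")))
        sev = SEVERITY.get(attrs.get("type"), "unknown")
        yield {"message": m.group("msg"), "severity": sev, **attrs}

def decode_hresult(value):
    """Split a signed or unsigned 32-bit HRESULT into its fields."""
    h = value & 0xFFFFFFFF                      # -2147024891 -> 0x80070005
    facility, code = (h >> 16) & 0x7FF, h & 0xFFFF
    name = WIN32.get(code) if facility == 7 else None
    return {"hresult": f"0x{h:08X}", "failed": bool(h >> 31),
            "facility": FACILITY.get(facility, str(facility)), "code": code, "name": name}

def find_failures(text):
    """Return decoded FAILURE lines that were logged at error severity."""
    out = []
    for e in parse_entries(text):
        m = FAILURE.match(e["message"])
        if e["severity"] == "error" and m:
            d = decode_hresult(int(m.group(2)))
            # The log prints the code in decimal and hex; record whether they agree.
            d["consistent"] = d["hresult"] == "0x" + m.group(3).upper()
            d.update(mdt_code=int(m.group(1)), step=m.group(4), time=e.get("time"))
            out.append(d)
    return out

if __name__ == "__main__":
    print(find_failures(SAMPLE_LOG))
```
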

All replies

  • Okay, so I've been working on this some more, and turns out the actual error logged in event viewer is "Failed to backup TPM Owner Authorization information to Active Directory Domain Services."

    I verified that SELF has write msTPM-OwnerInformation and write msTPM-TpmInformationForComputer permissions.  We have a mixed environment of DCs (lowest version is Server 2008), but I also verified all DCs have Schema Version 69 (Server 2012 R2).

    I am going to try deleting the computer object and running deployment again.  I have been rejoining to the same computer object, so maybe that's the problem.  But shouldn't the new machine be able to overwrite the TPM Owner Information for the existing computer object?  I'm not sure what I'm missing...

    EDIT: Deleting the computer object didn't make a difference.  Still can't backup TPM Owner Authorization Information to AD DS.  It randomly worked once on Friday, and twice yesterday afternoon.  Not sure what the difference is when it works.

    • Edited by Jay Lay Wednesday, October 22, 2014 4:48 PM
    Wednesday, October 22, 2014 4:18 PM
  • Maybe this belongs in an Active Directory forum since it's not actually MDT with the issue?
    Wednesday, October 22, 2014 6:42 PM
  • Did you ever find out what the problem was?

    Laurence Leiter

    Tuesday, May 17, 2016 2:47 AM
  • I'm having this issue with new Dell kit, 64-bit Win7, UEFI boot, SSD disks. Any help?
    Wednesday, May 18, 2016 7:37 PM
  • Is TPMOwnerPassword set? What version of MDT and do you have all the pre-reqs in AD done?

    Many questions, such as where do I find logs and what logs are interesting, are answered in: MDT TechNet Forum - FAQ & Getting Started Guide. Please take the time to read it. Also, if you don't post logs, your problem won't be easily solved.

    Wednesday, May 18, 2016 7:45 PM
    Moderator
  • Try disabling TPM provisioning with PowerShell. Clear the TPM. Log back in and re-enable TPM provisioning.  Try to reimage the PC. Also, does your MDT service account have the rights needed to do what it needs to with the TPM?

    Laurence Leiter


    • Edited by Leiter1212 Saturday, July 13, 2019 2:53 PM
    Saturday, July 13, 2019 2:50 PM