MBAM 2.0 with TPM 2.0 - Encryption failure

  • Question

  • We have a new Dell XPS 13 - 9343 laptop; the BIOS (A03) is up to date and is in legacy mode, etc., and Windows 8.1 is installed. There are no options for TPM in the laptop BIOS; however, in Device Manager we can quite clearly see a TPM 2.0 chip.

    Running TPM.msc shows the TPM is on and available with reduced functionality.

    We have installed the MBAM 2.0 client and applied all the relevant policies via GPO (the same policies used by 400+ laptops), but when we enter a PIN and click 'Create PIN' an error is returned saying "cannot be encrypted".

    Looking in the MBAM Event Log I'm seeing the following error code and error.

    0x80310002
    The BIOS did not correctly communicate with the Trusted Platform Module (TPM). Contact the computer manufacturer for BIOS upgrade instructions.

    Does anyone have any ideas?

    thanks

    Friday, May 15, 2015 12:15 PM

Answers

  • Hi Gaurav

    The TPM chip is v2.0; however, I've actually figured this one out. It's not obvious but well worth noting for others who may run into the same issue.

    The problem stems from the fact we had the BIOS in legacy mode. The new machines use Intel Platform Trust Technology (PTT), basically the TPM chip, which is on by default whether in legacy BIOS or UEFI. Windows will see the chip and it will show in Device Manager. When MBAM comes to take ownership it cannot interact with the chip and throws the error in the first post.

    To make use of the TPM you MUST use BIOS in UEFI mode with Secure Boot enabled. We re-installed Windows and ran through the instructions in this TechNet article to disable auto-provisioning and clear the TPM, applied the GPOs, installed MBAM and started the encryption process without any issues. :)

    It took several days to figure this one out!

    thanks

    Mark

    Wednesday, May 20, 2015 1:10 PM
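As an added illustration (not part of Mark's post, and not anything the MBAM client ships), here is a PowerShell pre-flight check an administrator could run on a build before pushing the MBAM client. It reports the conditions this thread settled on: firmware in UEFI mode, Secure Boot on, a TPM 2.0 that is present and ready, and TPM auto-provisioning off so MBAM can take ownership itself. The registry key mentioned in the thread is not given on the page, so the script uses the built-in Disable-TpmAutoProvisioning cmdlet instead; that substitution, the function names and the -Remediate switch are this example's own. Firmware mode and Secure Boot can only be changed in the firmware setup, so the script only reports on those.

```powershell
# Added example: MBAM/TPM readiness check. Requires Windows 8 / Server 2012 or later
# and an elevated session. Uses only built-in cmdlets (TrustedPlatformModule,
# SecureBoot) and the Win32_Tpm WMI class; no MBAM-specific cmdlets are assumed.

function Get-TpmMbamReadiness {
    [CmdletBinding()]
    param()

    # Firmware mode: Windows 8+ sets this variable to "UEFI" or "Legacy".
    $firmware = $env:firmware_type
    if (-not $firmware) { $firmware = 'Unknown' }

    # Secure Boot state. Confirm-SecureBootUEFI throws on a legacy-BIOS system,
    # which is exactly the condition the thread identified as the blocker.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $secureBoot = $false }

    # Ownership / readiness / provisioning state from the built-in TPM module.
    $tpm = Get-Tpm

    # Spec version string from WMI, e.g. "2.0, 0, 1.16" for a TPM 2.0 or "1.2, 2, 3" for 1.2.
    $wmiTpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($wmiTpm) { $wmiTpm.SpecVersion } else { 'Unknown' }
    $isTpm20 = $specVersion -like '2.0*'
    $autoProv = "$($tpm.AutoProvisioning)"   # Enabled | Disabled | DisabledForNextBoot

    # Conditions under which MBAM would still fail to take ownership, per the thread.
    $blockers = @()
    if (-not $tpm.TpmPresent) { $blockers += 'No TPM detected' }
    if ($isTpm20 -and $firmware -ne 'UEFI') { $blockers += 'TPM 2.0 with firmware in legacy BIOS mode; UEFI is required' }
    if ($isTpm20 -and -not $secureBoot) { $blockers += 'Secure Boot is not enabled' }
    if ($tpm.TpmPresent -and -not $tpm.TpmReady) { $blockers += 'TPM reports not ready (reduced functionality)' }
    if ($autoProv -eq 'Enabled') { $blockers += 'TPM auto-provisioning is enabled; MBAM expects to take ownership itself' }

    [pscustomobject]@{
        FirmwareType     = $firmware
        SecureBoot       = $secureBoot
        TpmSpecVersion   = $specVersion
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        TpmOwned         = $tpm.TpmOwned
        AutoProvisioning = $autoProv
        ReadyForMbam     = ($blockers.Count -eq 0)
        Blockers         = $blockers
    }
}

function Invoke-TpmMbamPrep {
    # Applies the two software-side steps from the thread: turn off auto-provisioning
    # and clear the TPM. Clearing destroys existing TPM-protected keys, so this
    # honours -WhatIf / -Confirm and should only run on a machine not yet encrypted.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    if ($PSCmdlet.ShouldProcess('TPM', 'Disable auto-provisioning')) {
        Disable-TpmAutoProvisioning | Out-Null
    }
    if ($PSCmdlet.ShouldProcess('TPM', 'Clear TPM (takes effect after reboot)')) {
        Clear-Tpm | Out-Null
    }
}

# Report the state; remediate only the parts software can change.
param([switch]$Remediate)

$state = Get-TpmMbamReadiness
$state | Format-List

if ($state.ReadyForMbam) {
    Write-Host 'Firmware and TPM state match what MBAM needs to take ownership.'
}
else {
    Write-Warning ('Not ready for MBAM: ' + ($state.Blockers -join '; '))
    if ($Remediate) {
        Invoke-TpmMbamPrep -Confirm
        Write-Warning 'Reboot, then re-run this check. Legacy BIOS / Secure Boot must be fixed in firmware setup.'
    }
}
```

Run it as `.\Check-TpmMbam.ps1` to report only, or `.\Check-TpmMbam.ps1 -Remediate` to be prompted through disabling auto-provisioning and clearing the TPM. The firmware-mode and Secure Boot findings are reported but never changed, since those are the settings the thread says must be switched in the BIOS/UEFI setup before reinstalling Windows.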

All replies

  • Can you go to Tpm.msc and clear the TPM?

    Reboot the machine.

    And then try encrypting the machine.

    Friday, May 15, 2015 7:40 PM
  • Tried that initially; it didn't do anything.

    I must add we build the machine using SCCM (installing MBAM manually afterwards); during the build I set the reg key to turn off TPM auto-provisioning.

    thanks

    Monday, May 18, 2015 7:18 AM
  • Can you check the version of TPM? MBAM supports version 1.2 or higher. Also try deleting the reg key which you have created during deployment.

    Cheers,
    Gaurav Ranjan / Sr. Analyst-Professional Services
    MICROLAND Limited - India's leading Infrastructure Management Services Company

    NOTE: Mark as Answer and Vote as Helpful if it helps

    Wednesday, May 20, 2015 12:52 PM
  • Hi Mark

    I have a deployment of +/-34'000 Windows 7 Enterprise BitLocker-encrypted Dell machines on MBAM 2.5 using v1.2 TPM chips. We have recently received stock of Dell Pro Venue 11 series 7xxx which come with v2.0 TPM chips, which require the BIOS to be in UEFI mode with Secure Boot.

    Is there a workaround to encrypt (using BitLocker) all machines (Desktop, Laptop & Tablet) using a TPM chip v2.0 with the BIOS in Legacy Mode?

    OB

    Thursday, July 30, 2015 9:39 AM
  • Hi OB

    From the testing I did on the XPS 13 there is no way to use the TPM v2.0 with the BIOS in legacy mode with MBAM. MBAM needs to take ownership of the TPM, which it couldn't do while the BIOS was in legacy mode; you had to use UEFI.

    I'm guessing if you wanted to use AD to store the recovery keys it would work, as Windows takes ownership of the key and passes it into AD, but then you would lose the MBAM functionality.

    With TPM v2.0 it seems UEFI is the only way to go.

    Mark

    Thursday, July 30, 2015 9:48 AM
  • Thanks Mark

    Much appreciated

    Thursday, July 30, 2015 10:33 AM
  • TPM 2.0 was designed solely for use in UEFI mode - you cannot get full functionality of TPM 2.0 in legacy BIOS mode. The message "TPM is on and available with reduced functionality" is normal and expected (Working As Designed) with the BIOS set to legacy BIOS mode. To fully utilize TPM 2.0, you must be in UEFI mode - this is per the TCG specification.
    Tuesday, December 1, 2015 7:49 PM