none
TPM and Bitlocker problems RRS feed

  • Question

  • Sometimes with certain laptop models we have problems with automatic MDT Bitlocker provisioning during OSD. I'm not sure what causes this. When you manually enable Bitlocker from OS afterwards it works fine.

    FAILURE ( 6739 ): False: Check to see if TPM is enabled

    Monday, September 26, 2016 10:46 AM

All replies

  • MDT only queries WMI to see if the TPM is setup properly. You should look at verifying the TPM setup with the tools from the manufacturer beforehand. E.g cctk.exe for Dell

    Many questions such as where do I find logs and what logs are interesting are found in: MDT TechNet Forum - FAQ & Getting Started Guide Please take the time to read it. Also if you don't post logs your problem won't be easily solved.

    Monday, September 26, 2016 6:48 PM
    Moderator
  • Which models fail and how do you handle enabling TPM? Do you enable it manually or using the CCTK tools from Dell?

    If you're relying on the CCTK tools then understand that you should expect pre-provisioning to fail because even though you've enabled and activated TPM the machine needs to reboot before it can use it, but that's something you can't do in an automated fashion before pre-provisioning runs. My suggestion is if you're going to always use cctk to enable and activate TPM then just disable the step for BitLocker (Offline) otherwise it will always throw an error but later in the sequence it will successfully enable BitLocker.


    If this post is helpful please vote it as Helpful or click Mark for answer.

    Thursday, September 29, 2016 3:29 PM
  • I have been having a similar issue but not with certain laptop models but rather laptops being imaged to Windows 7 since i updated to MDT 2013 Update 2 in combination with ADK 1607.

    Everything worked fine when imaged with Windows 10, which means the TPM was enabled correctly.

    You don't mention which OS it is you are imaging.

    The ADK 1511 release introduced new encryption algorithms, which look like they are also used in ADK 1607, which don't work with older OS's.

    The workaround i used was to create 3 reg entries before the drive is partitioned and formatted at the start of the Preinstall stage.

    reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsFdv /d 3 /f

    reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsOs /d 3 /f

    reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsRdv /d 3 /f

    More info can be found below.

    https://social.technet.microsoft.com/Forums/en-US/07c809fc-486b-49aa-8df8-70e374d90402/sccm-2012-r2-sp1-preprovision-bitlocker-windows-7-cannot-read-drive-after-reboot?forum=configmanagerosd

    Wednesday, November 30, 2016 9:16 AM