Win7 OSD Failed to enable key protectors (0x80284001) on TPM 2.0

Question
-
Hi,
Recently received two Dell 7270, one with TPM 1.2 and one with 2.0. Pre-configuring the UEFI, TPM and Legacy ROMs and I can successfully deploy to UEFI without issues to the TPM 1.2 laptop as I always have but not with the TPM 2.0. When the step to enable BitLocker runs I get the following error in the TS. I have installed the TPM 2.0 KB to add support during the TS. Once the TS bombs out from the Enable BL error and reboots into Windows I see the disk is Suspended. I can enable it as a manual step but I don't want to do that obviously. In TPM MMC I see ownership is On and OK. I'm not using MBAM btw.
I have read a fair amount of people have experienced issues with 2.0 and wondered am I missing something or is this a Skylake thing..?
(WinPE is 1511)
Thanks!
Nick
Error log:
==============================[ OSDBitLocker.exe ]==============================
OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Initialized COM OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Command line for extension .exe is "%1" %* OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Set command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Target volume not specified, using current OS volume OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Current OS volume is 'C:' OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Succeeded loading resource DLL 'C:\WINDOWS\CCM\1033\TSRES.DLL' OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Protection is OFF OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Volume is fully encrypted OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Creating key protectors OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Tpm is enabled OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Tpm is activated OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Tpm is owned OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Tpm ownership is allowed OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Tpm has compatible SRK OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Tpm has EK pair OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Initial TPM state: 63 OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
TPM is already owned. OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Creating recovery password and escrowing to Active Directory OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Set FVE group policy registry keys to escrow recovery password OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Set FVE group policy registry key in Windows 7 OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Set FVE OSV group policy registry keys to escrow recovery password OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Using random recovery password OSDBitLocker 11/05/2016 14:58:42 3980 (0x0F8C)
Protecting key with TPM only OSDBitLocker 11/05/2016 14:58:43 3980 (0x0F8C)
uStatus == 0, HRESULT=80284001 (e:\nts_sccm_release\sms\framework\tscore\encryptablevolume.cpp,1304) OSDBitLocker 11/05/2016 14:58:44 3980 (0x0F8C)
'ProtectKeyWithTPM' failed (2150121473) OSDBitLocker 11/05/2016 14:58:44 3980 (0x0F8C)
hrProtectors, HRESULT=80284001 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1252) OSDBitLocker 11/05/2016 14:58:44 3980 (0x0F8C)
Failed to enable key protectors (0x80284001) OSDBitLocker 11/05/2016 14:58:44 3980 (0x0F8C)
CreateKeyProtectors( keyMode, pszStartupKeyVolume ), HRESULT=80284001 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1322) OSDBitLocker 11/05/2016 14:58:44 3980 (0x0F8C)
ConfigureKeyProtection( keyMode, pwdMode, pszStartupKeyVolume ), HRESULT=80284001 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1552) OSDBitLocker 11/05/2016 14:58:44 3980 (0x0F8C)
pBitLocker->Enable( argInfo.keyMode, argInfo.passwordMode, argInfo.sStartupKeyVolume, argInfo.bWait ), HRESULT=80284001 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\main.cpp,382) OSDBitLocker 11/05/2016 14:58:44 3980 (0x0F8C)
Process completed with exit code 2150121473 TSManager 11/05/2016 14:58:44 2124 (0x084C)
!--------------------------------------------------------------------------------------------! TSManager 11/05/2016 14:58:44 2124 (0x084C)
Failed to run the action: Enable BitLocker (SCCM).
An internal software error has been detected. (Error: 80284001; Source: Windows) TSManager 11/05/2016 14:58:44 2124 (0x084C)
- Edited by nick_cx Wednesday, May 11, 2016 3:49 PM edit
Wednesday, May 11, 2016 2:38 PM
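Added example, not part of the original thread: a short Python triage of the log above that extracts the failing call chain and decodes the error. It shows that exit code 2150121473 and HRESULT 80284001 are the same value, whose facility field (40, FACILITY_TPM_SERVICES in winerror.h) places the failure in the TPM services layer. The sample lines are copied from the quoted log; the function names are the example's own.

```python
import re

# Sample input: five lines copied from the OSDBitLocker log quoted in the question.
SAMPLE_LOG = r"""Protecting key with TPM only OSDBitLocker 11/05/2016 14:58:43 3980 (0x0F8C)
uStatus == 0, HRESULT=80284001 (e:\nts_sccm_release\sms\framework\tscore\encryptablevolume.cpp,1304) OSDBitLocker 11/05/2016 14:58:44 3980 (0x0F8C)
'ProtectKeyWithTPM' failed (2150121473) OSDBitLocker 11/05/2016 14:58:44 3980 (0x0F8C)
CreateKeyProtectors( keyMode, pszStartupKeyVolume ), HRESULT=80284001 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1322) OSDBitLocker 11/05/2016 14:58:44 3980 (0x0F8C)
Process completed with exit code 2150121473 TSManager 11/05/2016 14:58:44 2124 (0x084C)
"""

# Facility numbers as defined in winerror.h (only the ones relevant to BitLocker/TPM triage).
FACILITIES = {7: "FACILITY_WIN32", 40: "FACILITY_TPM_SERVICES",
              41: "FACILITY_TPM_SOFTWARE", 49: "FACILITY_FVE"}

HRESULT_RE = re.compile(
    r"^(?P<expr>.+?), HRESULT=(?P<hr>[0-9A-Fa-f]{8}) \((?P<src>[^,()]+),(?P<line>\d+)\)")
DECIMAL_RE = re.compile(r"(?:failed \(|exit code )(?P<dec>\d{9,10})\b")

def decode_hresult(value):
    """Split a 32-bit HRESULT into its severity bit, facility and code fields."""
    value &= 0xFFFFFFFF
    facility = (value >> 16) & 0x7FF
    return {"hex": "0x%08X" % value, "failure": bool(value >> 31),
            "facility": FACILITIES.get(facility, "facility %d" % facility),
            "code": value & 0xFFFF}

def triage(log_text):
    """Return the failing call chain (innermost first) and each distinct error value."""
    chain, codes = [], set()
    for line in log_text.splitlines():
        m = HRESULT_RE.match(line)
        if m:
            hr = int(m.group("hr"), 16)
            if hr >> 31:  # severity bit set: this frame reported a failure
                src_file = m.group("src").rsplit("\\", 1)[-1]
                chain.append((m.group("expr"), src_file, int(m.group("line"))))
                codes.add(hr)
            continue
        d = DECIMAL_RE.search(line)  # the same error logged as an unsigned decimal
        if d:
            codes.add(int(d.group("dec")))
    return chain, [decode_hresult(c) for c in sorted(codes)]

if __name__ == "__main__":
    frames, errors = triage(SAMPLE_LOG)
    for expr, src_file, line_no in frames:
        print("%s:%d  %s" % (src_file, line_no, expr))
    print(errors)
```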
Answers
-
After much testing and re-testing of BL TS steps the simple answer was: Drivers. The Win7 CAB for A00 on the Dell ConfigMgr CABs Site does not have all the drivers. A01 does. The main one I think being:
Dell Data Protection | Hardware Crypto Accelerator (Network and Computing Encryption/Decryption Controller) Device Driver
A very great pain [grumbles]
- Proposed as answer by Nick CX Thursday, May 19, 2016 10:57 AM
- Marked as answer by Jimmy LS (Microsoft contingent staff) Tuesday, June 7, 2016 3:30 AM
Thursday, May 19, 2016 10:57 AM
All replies
-
Dear Sir,
Not sure if the issue has something to do with Skylake, but I found a thread similar to yours; please have a look if you haven't seen it before:
https://www.reddit.com/r/SCCM/comments/4eq76q/psa_dont_use_tpm_20_on_dell_skylake_generation/
Besides, have you tried to update your BIOS on your device?
Best regards,
Jimmy
- Edited by Jimmy LS (Microsoft contingent staff) Friday, May 13, 2016 10:46 AM
Friday, May 13, 2016 10:46 AM -
Hi,
Yes, I'd seen this and a number of other posts. It does look like W7x64SP1, TPM 2.0 and the enable BL step (ConfigMgr not MDT) just won't play ball. Latest BIOS, yes.
Anyone else had this?
Thanks
Monday, May 16, 2016 9:56 AM -
Testing this further, using the MDT Enable BitLocker step (not the ConfigMgr one) works ok with BitLocker enabling and the TS continues, though the Recovery Password does not get written to AD. That's why I use the ConfigMgr one.
Still not quite there though...
- Edited by nick_cx Monday, May 16, 2016 2:52 PM edit
Monday, May 16, 2016 2:51 PM