Enable Bitlocker failure if TPM not correctly configured

    Question

  • Hi all,

    In our Windows 7 task sequence, I go through the process of enabling the TPM chip on Dell and Lenovo machines which generally works fine, so long as they've not been previously owned.

    However, under some circumstances, the Enable Bitlocker step will fail because the TPM chip could not be correctly configured as part of the build.  In this event we get an error 0x80004005.

    I've tried some scripts to check whether the TPM is enabled and activated, which return TRUE for both; however, these don't cater for the ownership.

    How can I get the Enable Bitlocker task to continue on through failure and finish the task sequence without bombing out?  If I can get that working, then I can check for success / failure and log accordingly.

    Cheers

    Simon

    Tuesday, September 20, 2011 4:23 PM

Answers

    When I encounter problems clearing or resetting the TPM chip I use the following PowerShell lines; these will enable the chip ready to be owned again.

    # Bind to the TPM through WMI (run elevated; the namespace needs administrator rights)
    $oTPM = gwmi -Class Win32_TPM -Namespace root\CIMV2\Security\MicrosoftTpm

    # Queue physical presence operation 10; the firmware applies it at the next boot
    $oTPM.SetPhysicalPresenceRequest(10)

    Reboot the system.

    Script to take ownership:

    # Bind again: the $oTPM variable from the first script does not survive the reboot
    $oTPM = gwmi -Class Win32_TPM -Namespace root\CIMV2\Security\MicrosoftTpm

    # Create the endorsement key pair if needed
    If (!(($oTPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent)) { $oTPM.CreateEndorsementKeyPair() }

    If (($oTPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent)
    {
        # Derive the owner authorization value from the chosen password
        $OwnerAuth = $oTPM.ConvertToOwnerAuth("customrandompassword")
        # Clear any existing ownership, then take ownership with that value
        $oTPM.Clear($OwnerAuth.OwnerAuth)
        $oTPM.TakeOwnership($OwnerAuth.OwnerAuth)
    }


    Daniel


    • Edited by Daniel Last Wednesday, September 21, 2011 10:44 PM
    • Marked as answer by Robinson Zhang Thursday, October 6, 2011 5:07 PM
    Wednesday, September 21, 2011 10:42 PM

All replies

  • What's the exact failure you are getting? Are you doing it similarly to the posts below?

    Customising Windows 7 deployments - part 5.
    Enabling Bitlocker in WinPE on Dell computers

    How can I determine if there's a TPM chip on my Lenovo system for BitLocker ?
    Easy when you know how

    How can I determine if theres a TPM chip on my Dell system for BitLocker ?
    Using the following script



    My step by step SCCM Guides
    I'm on Twitter > ncbrady
    Tuesday, September 20, 2011 4:32 PM
    Moderator
  • Hi Niall,

    This part of smsts.log is typical of what we're seeing:

    ---start log---

    <![LOG[Set command line: OSDBitLocker.exe /enable  /wait:False /mode:TPM /pwd:AD]LOG]!><time="16:04:12.168+-60" date="09-20-2011" component="TSManager" context="" type="0" thread="2596" file="commandline.cpp:707">
    <![LOG[Start executing the command line: OSDBitLocker.exe /enable  /wait:False /mode:TPM /pwd:AD]LOG]!><time="16:04:12.168+-60" date="09-20-2011" component="TSManager" context="" type="1" thread="2596" file="instruction.cxx:2928">
    <![LOG[!--------------------------------------------------------------------------------------------!]LOG]!><time="16:04:12.168+-60" date="09-20-2011" component="TSManager" context="" type="1" thread="2596" file="instruction.cxx:2957">
    <![LOG[Expand a string: FullOS]LOG]!><time="16:04:12.168+-60" date="09-20-2011" component="TSManager" context="" type="0" thread="2596" file="executionenv.cxx:782">
    <![LOG[Executing command line: OSDBitLocker.exe /enable  /wait:False /mode:TPM /pwd:AD]LOG]!><time="16:04:12.168+-60" date="09-20-2011" component="TSManager" context="" type="1" thread="2596" file="commandline.cpp:805">
    <![LOG[==============================[ OSDBitLocker.exe ]==============================]LOG]!><time="16:04:12.262+-60" date="09-20-2011" component="OSDBitLocker" context="" type="1" thread="3216" file="main.cpp:608">
    <![LOG[Command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD]LOG]!><time="16:04:12.262+-60" date="09-20-2011" component="OSDBitLocker" context="" type="1" thread="3216" file="main.cpp:609">
    <![LOG[Initialized COM]LOG]!><time="16:04:12.262+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="main.cpp:632">
    <![LOG[Command line for extension .exe is "%1" %*]LOG]!><time="16:04:12.262+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="commandline.cpp:229">
    <![LOG[Set command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD]LOG]!><time="16:04:12.262+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="commandline.cpp:707">
    <![LOG[Target volume not specified, using current OS volume]LOG]!><time="16:04:12.262+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="main.cpp:522">
    <![LOG[Current OS volume is 'C:']LOG]!><time="16:04:12.262+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="main.cpp:524">
    <![LOG[Succeeded loading resource DLL 'C:\Windows\SysWOW64\CCM\1033\TSRES.DLL']LOG]!><time="16:04:12.511+-60" date="09-20-2011" component="OSDBitLocker" context="" type="1" thread="3216" file="util.cpp:869">
    <![LOG[Protection is OFF]LOG]!><time="16:04:12.526+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="bitlocker.cpp:1385">
    <![LOG[Volume is fully decrypted]LOG]!><time="16:04:12.526+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="bitlocker.cpp:1392">
    <![LOG[Tpm is enabled]LOG]!><time="16:04:12.573+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="tpm.cpp:161">
    <![LOG[Tpm is not activated]LOG]!><time="16:04:12.604+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="tpm.cpp:166">
    <![LOG[Tpm is not owned]LOG]!><time="16:04:12.636+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="tpm.cpp:171">
    <![LOG[Tpm ownership is allowed]LOG]!><time="16:04:12.667+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="tpm.cpp:176">
    <![LOG[uStatus == 0, HRESULT=80280012 (e:\nts_sms_fre\sms\framework\tscore\tpm.cpp,503)]LOG]!><time="16:04:12.729+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="tpm.cpp:503">
    <![LOG['IsSrkAuthCompatible' failed (2150105106)]LOG]!><time="16:04:12.729+-60" date="09-20-2011" component="OSDBitLocker" context="" type="3" thread="3216" file="tpm.cpp:503">
    <![LOG[Tpm does not have compatible SRK]LOG]!><time="16:04:12.729+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="tpm.cpp:180">
    <![LOG[uStatus == 0, HRESULT=80280006 (e:\nts_sms_fre\sms\framework\tscore\tpm.cpp,548)]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="tpm.cpp:548">
    <![LOG['IsEndorsementKeyPairPresent' failed (2150105094)]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="3" thread="3216" file="tpm.cpp:548">
    <![LOG[Tpm does not have EK pair]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="tpm.cpp:184">
    <![LOG[Initial TPM state: 5]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="bitlocker.cpp:410">
    <![LOG[(dwTpmState & Tpm::State_Activated) != 0, HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,420)]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="bitlocker.cpp:420">
    <![LOG[TPM cannot be activated without physical presence]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="3" thread="3216" file="bitlocker.cpp:420">
    <![LOG[InitializeTpm(), HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,1191)]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="bitlocker.cpp:1191">
    <![LOG[ConfigureKeyProtection( keyMode, pwdMode, pszStartupKeyVolume ), HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,1396)]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="bitlocker.cpp:1396">
    <![LOG[pBitLocker->Enable( argInfo.keyMode, argInfo.passwordMode, argInfo.sStartupKeyVolume, argInfo.bWait ), HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\main.cpp,650)]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="main.cpp:650">
    <![LOG[Process completed with exit code 2147500037]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="TSManager" context="" type="1" thread="2596" file="commandline.cpp:1102">
    <![LOG[!--------------------------------------------------------------------------------------------!]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="TSManager" context="" type="1" thread="2596" file="instruction.cxx:3010">
    <![LOG[Failed to run the action: Enable BitLocker.
    Unspecified error (Error: 80004005; Source: Windows)]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="TSManager" context="" type="3" thread="2596" file="instruction.cxx:3101">

    --- end log---

    HOWEVER, it is also quite possible to have BitLocker fail with the following lines in smsts.log:

    <![LOG[Tpm is enabled]LOG]!><time="17:07:58.725+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="4884" file="tpm.cpp:161">
    <![LOG[Tpm is activated]LOG]!><time="17:07:58.740+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="4884" file="tpm.cpp:166">
    <![LOG[Tpm is owned]LOG]!><time="17:07:58.756+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="4884" file="tpm.cpp:171">
    <![LOG[Tpm ownership is allowed]LOG]!><time="17:07:58.772+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="4884" file="tpm.cpp:176">

    This seems to happen if TPM ownership fails to be taken by the Enable BitLocker task.

    Consequently, in either situation, I want to just finish the step and move on.

    I'm using the ZTICheckForTPM script from the deployment guys - http://blogs.technet.com/b/deploymentguys/archive/2010/12/22/check-to-see-if-the-tpm-is-enabled.aspx - but it pretty much always seems to enumerate to TRUE for enabled and activated.

    Tuesday, September 20, 2011 6:20 PM
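    The states OSDBitLocker.exe logs above (enabled, activated, owned, ownership allowed, compatible SRK, EK pair) can be queried directly with the same Win32_Tpm WMI class. The script below is an added example, not code from this thread or from Microsoft: it reports those states and publishes a task sequence variable that the Enable BitLocker step can be conditioned on; the variable name TPMReadyForBitLocker and the readiness rule are this example's own assumptions.

```powershell
# Added example, not code from the thread. Reports the TPM states that the
# smsts.log above shows OSDBitLocker.exe checking (enabled, activated, owned,
# ownership allowed, compatible SRK, EK pair) and publishes a task sequence
# variable so the "Enable BitLocker" step can be conditioned on it.
# Assumptions: runs in the full OS as SYSTEM inside the TS; the variable name
# TPMReadyForBitLocker and the readiness rule below are this example's own.

$tpm = Get-WmiObject -Namespace root\CIMV2\Security\MicrosoftTpm -Class Win32_Tpm

# Every Win32_Tpm query method returns an object with ReturnValue (0 on
# success, otherwise the HRESULT as an unsigned integer; the log's
# "failed (2150105106)" is 0x80280012) plus a boolean named like the method.
function Get-TpmFlag([string]$Method) {
    $r = $tpm.$Method.Invoke()
    if ($r.ReturnValue -ne 0) {
        Write-Host ("{0} failed: 0x{1:X8}" -f $Method, [uint32]$r.ReturnValue)
        return $false
    }
    return [bool]$r.$Method
}

$state = @{}
if ($tpm -eq $null) {
    Write-Host "No Win32_Tpm instance: TPM absent or disabled in the BIOS"
}
else {
    foreach ($name in 'IsEnabled', 'IsActivated', 'IsOwned', 'IsOwnershipAllowed',
                      'IsSrkAuthCompatible', 'IsEndorsementKeyPairPresent') {
        $state[$name] = Get-TpmFlag $name
        Write-Host ("{0,-30} {1}" -f $name, $state[$name])
    }
}

# Readiness rule (this example's assumption, deliberately conservative): the
# TPM must be enabled and activated, and either already owned with an SRK
# this OS can use, or unowned with ownership allowed so the step can take
# ownership itself. A TPM owned by another system (owned, SRK incompatible)
# is reported as not ready, which is the situation described in the thread.
$ready = [bool]($state.IsEnabled -and $state.IsActivated -and
    (($state.IsOwned -and $state.IsSrkAuthCompatible) -or
     (-not $state.IsOwned -and $state.IsOwnershipAllowed)))

# Publish to the task sequence; outside a TS the COM object does not exist,
# so fall back to printing the result only.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('TPMReadyForBitLocker') = $ready.ToString()
}
catch {
    Write-Host "Not running inside a task sequence; variable not set"
}
Write-Host "TPMReadyForBitLocker = $ready"
exit 0   # let the TS variable, not the exit code, gate the Enable BitLocker step
```

    Run it as a "Run PowerShell Script" step before Enable BitLocker, then add a condition "Task Sequence Variable TPMReadyForBitLocker equals True" to the BitLocker step, so a TPM that is still owned by another system skips the step instead of failing the whole sequence.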
  • Hi,

    Have you tried, in the "Enable Bitlocker" step -> "Options", marking "Continue on error"?

    Then the TS should continue even if the "Bitlocker" step fails.

    I'm dealing with the same problem on some Lenovo models.

    Have you tried to manually disable the TPM in the BIOS and then enable it again to see if it solves the problem? It works for me on some models.

    Maybe it's possible to disable the TPM in the TS and then enable it again after a restart.

    I haven't tried that yet.

    Updating the Bios is also worth a try.

    Also take a look at this great article: http://blog.coretech.dk/mip/enable-lenovo-tpm-security-chip-and-other-stuff-from-a-ts/


    Tuesday, September 20, 2011 6:25 PM
  • We are enabling and disabling the TPM between restarts with no problem (in WinPE) on both Dell and Lenovo,

    in conjunction with the above posts and this one:

    Is the TPM Chip Enabled or Disabled in the Bios on my system ?
    Use this WMI query to find out

    You should be able to easily create a group to check if the chip is enabled, then disable it, reboot, and continue.

    cheers

    niall



    My step by step SCCM Guides
    I'm on Twitter > ncbrady
    Tuesday, September 20, 2011 6:57 PM
    Moderator
  • It's a bit tricky if the TPM is owned or activated by another system or an earlier test run. I've seen this from time to time. This varies from vendor to vendor. Dell, HP etc. require a BIOS password to be set to be able to set the TPM; you can remove it afterwards.

    If the TPM owner step fails, you have to manually enter the BIOS and clear out the TPM, if the vendor toolkit or BDE doesn't have a command for it.

    Then start the OSD Task Sequence again.

    Usually this shouldn't be a problem for most of the client machines.


    Regards,

    Nicolai



    Nicolai
    Tuesday, September 20, 2011 8:36 PM
  • For Lenovo it might be possible to use the SetConfig.vbs:

    cscript.exe SetConfig.vbs SecurityChip Disable (The same value as in BIOS, and it is case sensitive).

    Tuesday, September 20, 2011 9:09 PM
  • I've definitely tried the Continue on Error route and that didn't work.  I've also tried disabling / re-enabling the TPM, but this doesn't clear the TPM owner.

    I've been using the Dell CCTK and Lenovo toolkits and neither have the option to clear the TPM owner.

    Sorting it out manually is fine in the test environment, but we're about to embark on user initiated migrations from XP to W7 including bitlocker.  As Nicolai says, generally this shouldn't be a problem from client machines, but if we do hit a problem it becomes a lot more difficult because of the user state migration etc.

    If I create a group with Continue On Error and then put the enable bitlocker task within that group, I wonder if that might work...

    Tuesday, September 20, 2011 9:15 PM
  • I recall that, regarding Lenovo's "SetConfig.vbs SecurityChip Active", it actually requires 2 reboots to work.

    Not sure if it helps.

    Tuesday, September 20, 2011 9:37 PM
  • In my experience, enabling BitLocker within a TS does not always work. It does not work across all Dell platforms.
    Mayur
    • Edited by Mayurkirti Tuesday, September 20, 2011 10:38 PM
    Tuesday, September 20, 2011 10:38 PM
  • Thanks for the input so far, however, we might be straying from the topic a bit here.

    Under most circumstances, I'm not having a problem configuring the TPM on either Dells or Lenovos, using the CCTK for Dells and the SetConfig.vbs script for Lenovos.  The issue only comes when those scripts have not managed to set the TPM chip correctly, usually due to it being previously owned.

    It's at that point that the Enable Bitlocker task can fail with "Process completed with exit code 2147500037" resulting in an unspecified error 80004005.

    I'd hoped there was a way to just continue on past this without bailing out the task sequence :-/

    Wednesday, September 21, 2011 2:48 PM
  • Hi Daniel

    Just came across this post today.

    When we rebuild laptops I need to run your script to clear the TPM chip. Also, can I add your script to an SCCM task sequence?

    Can you please tell me how to run the above script? I tried running it but it errors out on line 1.

    Sundeep

    Thursday, August 9, 2012 11:46 PM
  • Sundeep,

    The script should be working; I've also used it in my task sequence. For more information you could check out my blog post at Userworkspace.com.

    Kind regards,

    Maurice

    Friday, March 14, 2014 9:57 AM
  • When I encounter problems clearing or resetting the TPM chip I use the following PowerShell lines; these will enable the chip ready to be owned again.

    # Bind to the TPM through WMI (run elevated; the namespace needs administrator rights)
    $oTPM = gwmi -Class Win32_TPM -Namespace root\CIMV2\Security\MicrosoftTpm

    # Queue physical presence operation 10; the firmware applies it at the next boot
    $oTPM.SetPhysicalPresenceRequest(10)

    Reboot the system.

    Script to take ownership:

    # Bind again: the $oTPM variable from the first script does not survive the reboot
    $oTPM = gwmi -Class Win32_TPM -Namespace root\CIMV2\Security\MicrosoftTpm

    # Create the endorsement key pair if needed
    If (!(($oTPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent)) { $oTPM.CreateEndorsementKeyPair() }

    If (($oTPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent)
    {
        # Derive the owner authorization value from the chosen password
        $OwnerAuth = $oTPM.ConvertToOwnerAuth("customrandompassword")
        # Clear any existing ownership, then take ownership with that value
        $oTPM.Clear($OwnerAuth.OwnerAuth)
        $oTPM.TakeOwnership($OwnerAuth.OwnerAuth)
    }


    Daniel



    Thanks, this script helped us to get the TPM ready in the desired state before enabling BitLocker. I added 2 restarts, between the script parts and encryption. We had some kind of Endorsement Key failure situation going on there...

    Please remember to mark my post as an answer, if I really helped you out, or vote if useful. Thank you!

    Tuesday, August 1, 2017 1:08 PM