This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

Windows 10 14393 (1607) Enterprise - Issues with TPM

Question
4

Sign in to vote
Hi @all,

I've installed Windows 10 1607 as an inplace upgrade to my three Windows 10 Enterprise installations.

I had Bitlocker enabled with TPM on all devices.

Running the update on the first device (DELL E7440) the update process completed successfully - everything seemed fine. On the next reboot my machine showed me that Bitlocker is missing a file (error code 0xc0210000). All automatic repairs failed.

So I've run the command line tool, used manage-bde to turn encryption off on the disk, disabled the key protectors (delete doesn't work btw) and got my windows 10 coming up again.

Following up I've tried to reset the TPM chip (clear TPM) which resulted in the mandatory UEFI Prompt to acknowledge that, but the operating system opened up tpm.msc, but did not show up the wizard completion (as I've got that under previous Windows 10 installations).

Finally I've tried to perform a bitlocker system test, which performed the reboot but showed up that the test did not succeeded.

Someone else with these issues? Is there already a fix in work?

Cheers,

Matthias
- Edited by Matthias R. Wiora Friday, August 19, 2016 9:58 PM typo
Thursday, August 4, 2016 7:24 PM

All replies

1

Sign in to vote

Hello,

i got the same the laptop and problem.

I suspect it is because the of TPM 1.2...

I also had to disable the bitlocker via cmd and manage-bde. I reverted to the previous build and now i can't enable bitlocker on my C: drive (Even with the clear TPM).

Got any luck solving your issue?

Cheers.

Friday, August 5, 2016 2:37 PM
1

Sign in to vote

Same here, on Dell Precision M4800 (A16 BIOS, Legacy boot). Clearing TPM did not help. Could remove the protectors fine, but removing and adding them back did not help.

Friday, August 5, 2016 8:40 PM
1

Sign in to vote

Another thread on the subject is https://social.technet.microsoft.com/Forums/en-US/7b754050-f8e5-4bc0-821a-fa8c5a0feaac/after-update-1607-no-tpm-function

Just a thought: could everybody post their TPM chip info? Run tpm.msc and look under TPM Manufacturer Information.

Mine is ATLM (= Atmel), Manufacturer v41.1, Spec v1.2

Friday, August 5, 2016 9:56 PM
1

Sign in to vote

HI Alex,

thanks for linking.

Dell E7440: ATML, Manufacturer v41.1, Spec v1.2

Lenovo Thinkpad T430S: ATML, Manufacturer v41.1, Spec v1.2

Surface Pro 1: IFX, Manufacturer v3.19, Spec v1.2

this is really annoying and should be fixed before of the global rollout....

Cheers,

Matthias

Monday, August 8, 2016 9:07 PM
2

Sign in to vote
Hello

Can I get the following information from the machines that are failing

MSINFO32 output from the machine. From the commandline run msinfo32 and save the output as a text file.
Registry key information under HKLM\System\CurrentControlSet\Control\DeviceGuard . Export the regkey and save as a text file.
Output of the command: “powershell $(Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard)”

From a CMD prompt run this : powershell $(Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard) >dguard.txt

Compress the files into a ZIP file and send to darrellg-removethis-@microsoft.com

Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
Monday, August 8, 2016 9:27 PM
1

Sign in to vote

Hello,

It seems there is Problem with 1607 build - uploading TPM Recovery Information to ActiveDirectory also.

After a fresh install Win10 build 1607 msTPM-InformationObject is not created, apr. GPO setting is ignored

With build 1511 no such Problems were registred

Regards

WL

Wednesday, August 10, 2016 9:05 AM
1

Sign in to vote

Count me in with a

Dell Precision M3800: ATML, Manufacturer: 37.19, Spec v1.2

Thanks for any help.

Regards

Norbert

Thursday, August 11, 2016 3:30 PM
2

Sign in to vote

Hello,

Thanks for the log files, we have identified the issues and are working on a solution.

We do not need any more logs, will update when I have more information.

Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

Thursday, August 11, 2016 10:50 PM
1

Sign in to vote

Same problem here with:

Dell Precision T1700: STM Manufacturer, Version 13.12, Specification Version 1.2

Darrell, please let us know when a fix is available.

Thanks.

Friday, August 12, 2016 10:41 PM
1

Sign in to vote

ThinkPad E540 here.

Would be nice for a KB of how to get around a PC that no longer just works. I.e. what to do to recover and boot a PC.

Thanks!

Saturday, August 13, 2016 2:51 AM
1

Sign in to vote

ThinkPad E540 here.

Would be nice for a KB of how to get around a PC that no longer just works. I.e. what to do to recover and boot a PC.

Thanks!

ok, so I did this:

- burnt a W10 Enterprise DVD.

- booted it and selected recovery, then advanced then command line

- entered Bitlocker recovery key when prompted

- from the command prompt used: "manage-bde -protectors -disable c:"

- exit to reboot into Windows

Hopefully a fix can come that restores normal TPM operation and then I can re-enable it.

Saturday, August 13, 2016 3:39 AM
1

Sign in to vote

Same issue with my Lenovo W530. Rolled back to 1511

Hopefully MS will provide a fix soon.

Regards

Ben

Sunday, August 14, 2016 8:35 AM
1

Sign in to vote

Looking for that. Some people around with Dell NTB are starting encountering this just they upgrade to Anniversary Update.

Sunday, August 14, 2016 11:44 PM
1

Sign in to vote

Hi all,

same problem with HP Elitebook 850 G2 with TPM 1.2 (IFX) and LS 4.40 as well as HP Probook 650 G1 with TPM 1.2 (IFX) and LS 4.32. Our whole company is involved. Hope Microsoft will provide a fix here soon.

My solution on my Elitebook: Firmware upgrade from 1.13 to 1.15 an clean reinstall with UEFI & SecureBoot form USB stick with Windows 10 1607. Did not clean the TPM. Everything works as expected including bitlocker.

Regards,
Bent

Monday, August 15, 2016 12:02 PM
1

Sign in to vote
Hello

Another update for this thread:

how to avoid getting into this bitlocker recovery situation

When does a user hit the bitlocker recovery issue?

User has upgraded from Th1 to Th2 and then now upgrading to RS1
User either has Hyper-V ON or want to turn it on in RS1 after OS upgrade
First reboot after Hyper-V is enabled in RS1 will hit bit locker recovery – this can be soon after OS upgrade if Hyper-V was already enabled downlevel
Due to separate Bitlocker issue even after entering the Bitlocker key we fail to recover. Still under investigation.

Workaround – here are the 4 workaround that customers can choose from to avoid getting into this situation:

Keep Hyper-V disabled during OS upgrade and keep it disabled till servicing update on 8/23 comes through
Reset the Device guard RegKeys (delete the DG regkey node) and then enabled Hyper-V in RS1
Reset the Device guard RegKeys (delete the DG regkey node) and then upgrade to RS1 while keeping Hyper-V however customers want (ON or OFF is both fine)
Disable Bitlocker till 8/23

Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
- Edited by Darrell Gorter Tuesday, August 16, 2016 11:01 PM
Monday, August 15, 2016 11:21 PM
1

Sign in to vote

I was able to recover after getting locked out by using manage-bde in a recovery command prompt:

https://www.janssenjones.com/windows-10-anniversary-update-bitlocker-and-hyper-v/

Hope that helps if anyone else finds themselves locked out.

Janssen
Janssen Jones - Virtual Machine MVP -http://www.janssenjones.com - Please remember to mark answers as answers. :)

Thursday, August 18, 2016 6:15 PM
1

Sign in to vote
I was able to recover after getting locked out by using manage-bde in a recovery command prompt:

https://www.janssenjones.com/windows-10-anniversary-update-bitlocker-and-hyper-v/

Hope that helps if anyone else finds themselves locked out.

Janssen

Janssen Jones - Virtual Machine MVP -http://www.janssenjones.com - Please remember to mark answers as answers. :)

Turning it off, as your guide shows, is not ideal as that will decrypt the whole drive which is a waste if you want to re-enable it when fixed.

Temporarily disabling it using this command is better:

manage-bde -protectors -disable c:"

You'll be able to enable again when fixed (at least you should be able to if fixed, worst case you go the decrypt path then!!)
- Edited by dp30 Thursday, August 18, 2016 6:27 PM
Thursday, August 18, 2016 6:25 PM
1

Sign in to vote

Turning it off, as your guide shows, is not ideal as that will decrypt the whole drive which is a waste if you want to re-enable it when fixed.

Temporarily disabling it using this command is better:

manage-bde -protectors -disable c:"

You'll be able to enable again when fixed (at least you should be able to if fixed, worst case you go the decrypt path then!!)

Thanks for that info. I'll update the post. I'm just happy to avoid a full rebuild and pulling everything back via Crashplan. :)
Janssen Jones - Virtual Machine MVP -http://www.janssenjones.com - Please remember to mark answers as answers. :)

Thursday, August 18, 2016 6:54 PM
1

Sign in to vote

Darrell,

Is this servicing update still going to be released today?

Chris

Tuesday, August 23, 2016 4:17 PM
2

Sign in to vote

Yes it's available now via update catalog and WSUS

https://support.microsoft.com/en-us/kb/3176936

Regards
Norbert

Tuesday, August 23, 2016 6:14 PM
1

Sign in to vote

This patch seems to fix my issue. I will need future testing but so far so good.

Tuesday, August 23, 2016 6:19 PM
1

Sign in to vote

Am 23.08.2016 schrieb Anthony Meluso:
Hi,

This patch seems to fix my issue. I will need future testing but so far so good.

Partly. I'm able to encrypt my drive again, but the TPM information isn't backed up to AD! As there's also the policy missing regarding this in the new 1607 build, it would be nice to know, if anyone has information on this issue.
See this thread: https://social.technet.microsoft.com/Forums/en-US/c8ad5825-ecc7-4873-a2c0-d6b51789e12e/turn-on-tpm-backup-to-active-directory-domain-services?forum=winserverGP#

Regards
Norbert

Dilbert's words of wisdom #34:
When you don't know what to do, walk fast and look worried.
nntp-bridge Zugriff auf die MS Foren wieder möglich: https://communitybridge.codeplex.com/

Wednesday, August 24, 2016 8:49 AM
1

Sign in to vote

I'm also experiencing this issue after upgrading to 1607.

I've installed KB3176936 but this doesnt fix the issue stopping the TPM from be backed up to AD.

After the TPM says its been provisioned and stored in AD I see the following in my system log:

The Trusted Platform Module (TPM) hardware failed to execute a TPM command. Event ID 1025.

In addition, I had this issue before updating my ADMX for Windows 10 here.

The issue still exists after updating my ADMX for Windows 10, but I am now missing the backup to active directory policy for the TPM.

Wednesday, August 24, 2016 3:36 PM
1

Sign in to vote

I have Toshiba Tecra w50 laptop. I upgraded Windows 10 upgrade to Windows 10 anniversary update. After the restart, it stopped working because of bitlocker issue. Then with the installation media, went to repair the computer, then with command prompt using manage-bde command, make the encryption off and once the disk decryption was over, I was able to login.

Then I tried to enable the bitlocker on the operating system drive. using TPM.msc, I was able to "Prepare TPM", and then I enabled the encryption on c drive. It successfully encrypted the drive and with the next restart, the same issue happend. With Manage-bde command I was able to decrypt the drive.

I am not able to enable bitlocker for my drives. Please help

Thursday, September 22, 2016 12:22 PM
1

Sign in to vote

Hello!

Thanks for your posting. Maybe you can help me with some clarifications.

Device: HP x2 210 detachable. Out of the box Windows installation (done by HP).

Diffrently tho what I understood, here I have NEVER ACTIVATED bitlocker on this device. Anyhow, after some update the Bitlocker Recovery Key is requried.

The Laptop was not delivered with an installation media (e.g. USB, DVD). Therefore I don't have the possibility to start with installation media. HP seems to think, that it is sufficient, if the installation files are just on the HDD itself. Bitlocker -> Advanced Options would offer me "Reset this PC". I'm not sure if this will offer an recovery mode. Because of the risk of dataloss I'm hesitating to try out this option. Any idea, where to get an installation media or another workaround?

Thank you,

Bernd

Sunday, October 2, 2016 11:04 AM
1

Sign in to vote

So, to make sure I understand correctly:

If I would have run Windows 10 on our Lenovo laptops with 1.2 TPM chip and encrypted all fixed drives with bitlocker (as we were planning to do with our Windows 10 rollout and I have set up with MBAM) and I would have rolled out the Anniversary edition through WSUS all our 100 laptops would have been rendered useless after the update???

Hmm...

I came across this issue because the script I made to enable the TPM and bitlocker suddenly failed to create a WMI "MicrosoftTPM" object on Windows 10 version1607.

I also understand that with W10 version 1607 a bitlocker implementation with "TPM only" is not possible or considered secure anymore using TPM 1.2 hardware?

Thursday, November 3, 2016 7:46 AM
2

Sign in to vote

@LoaWla This feature has been discontinued by Microsoft

"To back up TPM owner information from a computer running Windows 10, version 1507, Windows 10, version 1511, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. For more information, see AD DS schema extensions to support TPM backup. This functionality is discontinued starting with Windows 10, version 1607."

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/trusted-platform-module-services-group-policy-settings

Monday, November 7, 2016 11:55 AM