none
Windows 10 14393 (1607) Enterprise - Issues with TPM

    Question

  • Hi @all,

    I've installed Windows 10 1607 as an inplace upgrade to my three Windows 10 Enterprise installations.

    I had Bitlocker enabled with TPM on all devices.

    Running the update on the first device (DELL E7440) the update process completed successfully - everything seemed fine. On the next reboot my machine showed me that Bitlocker is missing a file (error code 0xc0210000). All automatic repairs failed.

    So I've run the command line tool, used manage-bde to turn encryption off on the disk, disabled the key protectors (delete doesn't work btw) and got my windows 10 coming up again.

    Following up I've tried to reset the TPM chip (clear TPM) which resulted in the mandatory UEFI Prompt to acknowledge that, but the operating system opened up tpm.msc, but did not show up the wizard completion (as I've got that under previous Windows 10 installations).

    Finally I've tried to perform a bitlocker system test, which performed the reboot but showed up that the test did not succeeded.

    Someone else with these issues? Is there already a fix in work?

    Cheers,

    Matthias



    Thursday, August 04, 2016 7:24 PM

All replies

  • Hello,

    i got the same the laptop and problem.

    I suspect it is because the of TPM 1.2...

    I also had to disable the bitlocker via cmd and manage-bde. I reverted to the previous build and now i can't enable bitlocker on my C: drive (Even with the clear TPM).

    Got any luck solving your issue?

    Cheers.

    Friday, August 05, 2016 2:37 PM
  • Same here, on Dell Precision M4800 (A16 BIOS, Legacy boot). Clearing TPM did not help. Could remove the protectors fine, but removing and adding them back did not help.
    Friday, August 05, 2016 8:40 PM
  • Another thread on the subject is https://social.technet.microsoft.com/Forums/en-US/7b754050-f8e5-4bc0-821a-fa8c5a0feaac/after-update-1607-no-tpm-function

    Just a thought: could everybody post their TPM chip info? Run tpm.msc and look under TPM Manufacturer Information.

    Mine is ATLM (= Atmel), Manufacturer v41.1, Spec v1.2

    Friday, August 05, 2016 9:56 PM
  • HI Alex,

    thanks for linking.

    Dell E7440: ATML, Manufacturer v41.1, Spec v1.2

    Lenovo Thinkpad T430S: ATML, Manufacturer v41.1, Spec v1.2

    Surface Pro 1: IFX, Manufacturer v3.19, Spec v1.2

    this is really annoying and should be fixed before of the global rollout....

    Cheers,

    Matthias

    Monday, August 08, 2016 9:07 PM
  • Hello

    Can I get the following information from the machines that are failing

    1. MSINFO32 output from the machine.  From the commandline run msinfo32 and save the output as a text file.
    2. Registry key information under HKLM\System\CurrentControlSet\Control\DeviceGuard .  Export the regkey  and save as a text file.
    3. Output of  the command: “powershell $(Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard)

    From a CMD prompt run this : powershell $(Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard) >dguard.txt

    Compress the files into a ZIP file and send to darrellg-removethis-@microsoft.com


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, August 08, 2016 9:27 PM
  • Hello,

    It seems there is Problem with 1607 build - uploading TPM Recovery Information to ActiveDirectory also.

    After a fresh install Win10 build  1607  msTPM-InformationObject is not created, apr. GPO setting is ignored

    With build 1511  no such Problems were  registred

    Regards

    WL 

    Wednesday, August 10, 2016 9:05 AM
  • Count me in with a

    Dell Precision M3800: ATML, Manufacturer: 37.19, Spec v1.2

    Thanks for any help.

    Regards

    Norbert

    Thursday, August 11, 2016 3:30 PM
  • Hello,

    Thanks for the log files, we have identified the issues and are working on a solution.

    We do not need any more logs, will update when I have more information.


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, August 11, 2016 10:50 PM
  • Same problem here with:

    Dell Precision T1700: STM Manufacturer, Version 13.12, Specification Version 1.2

    Darrell, please let us know when a fix is available.

    Thanks.

    Friday, August 12, 2016 10:41 PM
  • ThinkPad E540 here.

    Would be nice for a KB of how to get around a PC that no longer just works.  I.e. what to do to recover and boot a PC.

    Thanks!

    Saturday, August 13, 2016 2:51 AM
  • ThinkPad E540 here.

    Would be nice for a KB of how to get around a PC that no longer just works.  I.e. what to do to recover and boot a PC.

    Thanks!

    ok, so I did this:

    - burnt a W10 Enterprise DVD.

    - booted it and selected recovery, then advanced then command line

    - entered Bitlocker recovery key when prompted

    - from the command prompt used:  "manage-bde -protectors -disable c:"

    - exit to reboot into Windows

    Hopefully a fix can come that restores normal TPM operation and then I can re-enable it.

    Saturday, August 13, 2016 3:39 AM
  • Same issue with my Lenovo W530. Rolled back to 1511

    Hopefully MS will provide a fix soon.

    Regards

    Ben

    Sunday, August 14, 2016 8:35 AM
  • Looking for that. Some people around with Dell NTB are starting encountering this just they upgrade to Anniversary Update.
    Sunday, August 14, 2016 11:44 PM
  • Hi all,

    same problem with HP Elitebook 850 G2 with TPM 1.2 (IFX) and LS 4.40 as well as HP Probook 650 G1 with TPM 1.2 (IFX) and LS 4.32.  Our whole company is involved. Hope Microsoft will provide a fix here soon.

    My solution on my Elitebook: Firmware upgrade from 1.13 to 1.15 an clean reinstall with UEFI & SecureBoot form USB stick with Windows 10 1607. Did not clean the TPM. Everything works as expected including bitlocker.

    Regards,
    Bent

    Monday, August 15, 2016 12:02 PM
  • Hello

    Another update for this thread:

     how to avoid getting into this bitlocker recovery situation

    When does a user hit the bitlocker recovery issue?

    1. User has upgraded from Th1 to Th2 and then now upgrading to RS1
    2. User either has Hyper-V ON or want to turn it on in RS1 after OS upgrade
    3. First reboot after Hyper-V is enabled in RS1 will hit bit locker recovery – this can be soon after OS upgrade if Hyper-V was already enabled downlevel
    4. Due to separate Bitlocker issue even after entering the Bitlocker key we fail to recover.  Still under investigation.

    Workaround – here are the 4 workaround that customers can choose from to avoid getting into this situation:

    1. Keep Hyper-V disabled during OS upgrade and keep it disabled till servicing update on 8/23 comes through
    2. Reset the Device guard RegKeys (delete the DG regkey node) and then enabled Hyper-V in RS1
    3. Reset the Device guard RegKeys (delete the DG regkey node) and then upgrade to RS1 while keeping Hyper-V however customers want (ON or OFF is both fine)
    4. Disable Bitlocker till 8/23


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.


    Monday, August 15, 2016 11:21 PM
  • I was able to recover after getting locked out by using manage-bde in a recovery command prompt:

    https://www.janssenjones.com/windows-10-anniversary-update-bitlocker-and-hyper-v/

    Hope that helps if anyone else finds themselves locked out.

    Janssen


    Janssen Jones - Virtual Machine MVP -http://www.janssenjones.com - Please remember to mark answers as answers. :)

    Thursday, August 18, 2016 6:15 PM
  • I was able to recover after getting locked out by using manage-bde in a recovery command prompt:

    https://www.janssenjones.com/windows-10-anniversary-update-bitlocker-and-hyper-v/

    Hope that helps if anyone else finds themselves locked out.

    Janssen


    Janssen Jones - Virtual Machine MVP -http://www.janssenjones.com - Please remember to mark answers as answers. :)

    Turning it off, as your guide shows, is not ideal as that will decrypt the whole drive which is a waste if you want to re-enable it when fixed.

    Temporarily disabling it using this command is better:

    manage-bde -protectors -disable c:"

    You'll be able to enable again when fixed (at least you should be able to if fixed, worst case you go the decrypt path then!!)


    • Edited by dp30 Thursday, August 18, 2016 6:27 PM
    Thursday, August 18, 2016 6:25 PM
  • Turning it off, as your guide shows, is not ideal as that will decrypt the whole drive which is a waste if you want to re-enable it when fixed.

    Temporarily disabling it using this command is better:

    manage-bde -protectors -disable c:"

    You'll be able to enable again when fixed (at least you should be able to if fixed, worst case you go the decrypt path then!!)


    Thanks for that info.  I'll update the post.  I'm just happy to avoid a full rebuild and pulling everything back via Crashplan.  :)

    Janssen Jones - Virtual Machine MVP -http://www.janssenjones.com - Please remember to mark answers as answers. :)

    Thursday, August 18, 2016 6:54 PM
  • Darrell,

    Is this servicing update still going to be released today?

    Chris

    Tuesday, August 23, 2016 4:17 PM
  • Yes it's available now via update catalog and WSUS

    https://support.microsoft.com/en-us/kb/3176936

    Regards
    Norbert

    Tuesday, August 23, 2016 6:14 PM
  • This patch seems to fix my issue.  I will need future testing but so far so good.
    Tuesday, August 23, 2016 6:19 PM
  • Am 23.08.2016 schrieb Anthony Meluso:
    Hi,

    This patch seems to fix my issue.  I will need future testing but so far so good.

    Partly. I'm able to encrypt my drive again, but the TPM information isn't backed up to AD! As there's also the policy missing regarding this in the new 1607 build, it would be nice to know, if anyone has information on this issue.
    See this thread: https://social.technet.microsoft.com/Forums/en-US/c8ad5825-ecc7-4873-a2c0-d6b51789e12e/turn-on-tpm-backup-to-active-directory-domain-services?forum=winserverGP#

    Regards
    Norbert


    Dilbert's words of wisdom #34:
    When you don't know what to do, walk fast and look worried.
    nntp-bridge Zugriff auf die MS Foren wieder möglich: https://communitybridge.codeplex.com/

    Wednesday, August 24, 2016 8:49 AM
  • I'm also experiencing this issue after upgrading to 1607.

    I've installed KB3176936 but this doesnt fix the issue stopping the TPM from be backed up to AD.

    After the TPM says its been provisioned and stored in AD I see the following in my system log:

    The Trusted Platform Module (TPM) hardware failed to execute a TPM command.  Event ID  1025.

    In addition, I had this issue before updating my ADMX for Windows 10 here.

    The issue still exists after updating my ADMX for Windows 10, but I am now missing the backup to active directory policy for the TPM.

    Wednesday, August 24, 2016 3:36 PM
  • I have Toshiba Tecra w50 laptop. I upgraded Windows 10 upgrade to Windows 10 anniversary update. After the restart, it stopped working because of bitlocker issue. Then with the installation media, went to repair the computer, then with command prompt using manage-bde command, make the encryption off and once the disk decryption was over, I was able to login.

    Then I tried to enable the bitlocker on the operating system drive. using TPM.msc, I was able to "Prepare TPM", and then I enabled the encryption on c drive. It successfully encrypted the drive and with the next restart, the same issue happend. With Manage-bde command I was able to decrypt the drive.

    I am not able to enable bitlocker for my drives. Please help

    Thursday, September 22, 2016 12:22 PM
  • Hello!

    Thanks for your posting. Maybe you can help me with some clarifications.

    Device: HP x2 210 detachable. Out of the box Windows installation (done by HP).

    Diffrently tho what I understood, here I have NEVER ACTIVATED bitlocker on this device. Anyhow, after some update the Bitlocker Recovery Key is requried.

    The Laptop was not delivered with an installation media (e.g. USB, DVD). Therefore I don't have the possibility to start with installation media. HP seems to think, that it is sufficient, if the installation files are just on the HDD itself. Bitlocker -> Advanced Options would offer me "Reset this PC". I'm not sure if this will offer an recovery mode. Because of the risk of dataloss I'm hesitating to try out this option. Any idea, where to get an installation media or another workaround?

    Thank you,

      Bernd

    Sunday, October 02, 2016 11:04 AM
  • So, to make sure I understand correctly:

    If I would have run Windows 10 on our Lenovo laptops with 1.2 TPM chip and encrypted all fixed drives with bitlocker (as we were planning to do with our Windows 10 rollout and I have set up with MBAM) and I would have rolled out the Anniversary edition through WSUS all our 100 laptops would have been rendered useless after the update???

    Hmm...

    I came across this issue because the script I made to enable the TPM and bitlocker suddenly failed to create a WMI "MicrosoftTPM" object on Windows 10 version1607.

    I also understand that with W10 version 1607 a bitlocker implementation with "TPM only" is not possible or considered secure anymore using TPM 1.2 hardware?

    Thursday, November 03, 2016 7:46 AM
  • @LoaWla This feature has been discontinued by Microsoft

    "To back up TPM owner information from a computer running Windows 10, version 1507, Windows 10, version 1511, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. For more information, see AD DS schema extensions to support TPM backup. This functionality is discontinued starting with Windows 10, version 1607."

    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/trusted-platform-module-services-group-policy-settings

    Monday, November 07, 2016 11:55 AM