CalleW

I am Pre-provisioning BitLocker on win7 and it's working well. Only issue at the moment is backup of the TPM ownership password to AD and that on Lenovo Laptops the Bitlocker partition is visible after installation. Btw, I checked my biosconfigutility.exe command and I have NOT defined the full path, so that is not necessary. Carl

Ok, thanks for the update. I'm actually not using MDT integration at all, so I'm using SCCM:s own Pre-provision BitLocker step. I'll look into your findings next week. When you run the command to populate the msTPM-OwnerInformation do you define a password? I assumed the ownership was taken in WinPE phase and a random password generated.

BB24, have you found a solution to the TPM backup to AD issue when Pre-provisioning BitLocker?

I am flashing the BIOS on HP laptops and desktops if necessary as well as enabling and taking ownership of the TPM chips right after partitioning the drive, before OS is being applied. If you're installing a OS Image and not a OS Installer Package you could also try the 32-bit boot image and see if that works.

The package is just a normal legacy package including the BiosConfigUtility.exe and the TPMEnable.REPSET files and then distributed to a DP. Are you running the biosconfigutility twice? Once to set the password and once to enable the tpm. I'm just putting everything together, something like: BiosConfigUtility.exe /SetConfig:TPMEnable.REPSET /nspwd:"password" /cspwd:"password" The cspwd is necessary if the bios already has a password. I'm not sure if the format of the config-file makes a difference (.txt or .REPSET), but most guides mention the config-file as TPMEnable.REPSET so you could try that as well. It might also be that you have to enter the entire path to the TPMEnable.REPSET file, I'll check that tomorrow and get back to you.

Using the Install Package step won't work, so go with the run command line version. I have a package with the necessary files, but no programs are necessary. I have had several HP models where I had to upgrade the BIOS in order to get control over the TPM chip, so that could be one thing to check. On the other hand I don't think running the biosconfigutility would fail in this case. Are you using 64-bit boot image as well? If you have created a OS-image you can just as well use the 32-bit boot-image. The 32-bit is more versatile than the 64-bit and can deploy everything except for a 64-bit OS Installer Package. This is why I'm using the 32-bit boot image. I only use the 64-bit version when building a new 64-bit image.

I am running the biosconfigutility in WinPE4 (x86) without any issues. How are you running the biosconfigutility? I mean have you created a package with a program and using a "Install Package" step or are you running it as a commandline in the TS?

I am wondering the exact same thing as BB24. I have everything else working, but the backup of the TPM Ownership to AD is not working. It makes sense that it is unable to backup the key during Pre-Provisioning, but is there a way to force the backup to AD later? I read that Microsoft made some changes in Win8 related to the way the TPM Ownership information is backed up in AD and that if your domain controller is not Server 2012 you have to extend the schema. However, I'm deploying Win7 so I guess it should backup the info to the AD Attribute msTPM-OwnerInformation? Any help would be greatly appreciated.