
Otura
Everything posted by Otura
-
Yes. I don't think I explained myself well. This table summarizes all the cases:

Case  BIOS type  Secure Boot  CSM             TPM  Win7x64SP1  KB2920188      BitLocker
1     BIOS       N/A          N/A             1.x  Works       Not needed     Functional
2     UEFI       Enabled      N/A (Disabled)  1.x  No boot     Not needed     Functional
3     UEFI       Disabled     Disabled        1.x  No boot     Not needed     Functional
4     UEFI       Disabled     Enabled         1.x  Works       Not needed     Functional
5     UEFI       Enabled      N/A (Disabled)  2    No boot     N/A            N/A
6     UEFI       Disabled     Disabled        2    No boot     N/A            N/A
7     UEFI       Disabled     Enabled         2    Works       N/A            N/A
8     UEFI       Disabled     Enabled         2    Works       Not installed  Non functional
9     UEFI       Disabled     Enabled         2    Works       Installed      ??

In case 1 you have an old computer with BIOS and TPM 1.x, so everything works fine. As expected.

Cases 2 to 9 are UEFI cases. In UEFI, if you have CSM disabled you can enable Secure Boot or not (cases 2, 3, 5, 6), but Windows 7 x64 SP1 won't boot, as it is not compatible with UEFI "native mode" and needs the CSM for backwards compatibility.

In UEFI, you can only activate CSM if you disable Secure Boot, as Secure Boot is not compatible with the legacy/backwards-compatibility mode that CSM provides. Those are cases 4, 7, 8 and 9. Without Secure Boot and with CSM, Windows 7 works. It boots and works normally. Then, if you have a TPM 1.x (probably 1.4), you won't need KB2920188, as TPM 1.x can work without Secure Boot (case 4). But if you have a TPM 2.0 (cases 7, 8 and 9) you will need KB2920188 so Windows can communicate with TPM 2.0 with CSM and without Secure Boot.

The case you talk about (Windows 7, UEFI, TPM, CSM and no Secure Boot) works. Perfectly. Those are cases 4, 7, 8 and 9 in the table. In those cases, with TPM 1.4, you will not have any problem (as TPM 1.4 does not require Secure Boot) (case 4) and you will be able to use BitLocker without issues. In cases with TPM 2.0 you would need to install KB2920188 in order to allow Windows to communicate with TPM 2.0 and use BitLocker.

UPDATE AS I WRITE: Even with KB2920188 I get the same error...

When the BitLocker wizard kicks in it asks for the PIN, I provide it, it takes ownership of the TPM chip and then it fails. The message in Event Viewer is:
-
Yes, in order to enable the CSM I need to disable Secure Boot first, so that's the combo: CSM / IN-secure boot. That sets the BIOS in legacy mode (BIOS, not UEFI) behavior/mode/whatever. With that setup the Task Sequence works without any issue. Once the image is deployed, the MBAM client triggers the wizard:
- Verify if TPM is enabled and active: check
- Take ownership of the TPM and store the password in the MBAM database: check
- Encrypt the hard disk: fails miserably, complaining that the OS cannot communicate with the TPM
That seems to be because it's TPM 2.0, and it seems to require Secure Boot enabled. That's why I tried UEFI (which does not work). It seems that the hotfix allows the OS to communicate with a non-Secure Boot TPM 2.0... that's my understanding... or, even more accurately, my hope.
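As an added example that is not part of Otura's posts, a PowerShell pre-flight script that checks the conditions the table and the wizard steps above revolve around: which boot path the OS took, the TPM family and state, and whether KB2920188 is present. It assumes Windows 7 PowerShell (no Get-Tpm or Confirm-SecureBootUEFI cmdlets), English bcdedit output, and that a DISM-injected hotfix is listed by Win32_QuickFixEngineering; the case numbers refer to the table earlier in this thread.

```powershell
# Added example (not from the thread): pre-flight check before the MBAM wizard
# runs on a Windows 7 x64 + TPM 2.0 laptop deployed in legacy/CSM mode.
# Assumptions: runs elevated on Windows 7 (PowerShell 2.0+); bcdedit output is
# in English; KB2920188 injected with DISM shows up in Win32_QuickFixEngineering.

function Get-FirmwareMode {
    # The OS loader path of the current boot entry tells which path was taken:
    # winload.efi means a native UEFI boot, winload.exe means legacy/CSM.
    $entry = bcdedit /enum '{current}' 2>$null | Out-String
    if ($entry -match 'winload\.efi') { return 'UEFI' }
    return 'Legacy/CSM'
}

function Get-TpmInfo {
    # Win32_Tpm is available on Windows 7; SpecVersion reads like "2.0, 0, 1.16" or "1.2, 2, 3".
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { return $null }
    New-Object PSObject -Property @{
        Family    = ($tpm.SpecVersion -split ',')[0].Trim()
        Enabled   = $tpm.IsEnabled().IsEnabled
        Activated = $tpm.IsActivated().IsActivated
        Owned     = $tpm.IsOwned().IsOwned
    }
}

function Test-Kb2920188 {
    $hotfix = Get-WmiObject -Class Win32_QuickFixEngineering |
        Where-Object { $_.HotFixID -eq 'KB2920188' }
    return [bool]$hotfix
}

function Get-BitLockerReadiness {
    $mode = Get-FirmwareMode
    $tpm  = Get-TpmInfo
    if (-not $tpm) {
        return "No TPM visible to the OS (boot mode: $mode). Enable and activate it in the firmware first."
    }
    if (-not ($tpm.Enabled -and $tpm.Activated)) {
        return "TPM $($tpm.Family) present but not enabled/activated; the wizard will stop at its first check."
    }
    if ($tpm.Family -notlike '2*') {
        return "TPM $($tpm.Family) in $mode mode: no hotfix needed (case 4 in the table)."
    }
    if (-not (Test-Kb2920188)) {
        return "TPM 2.0 without KB2920188 (case 8): install the hotfix before encrypting."
    }
    return "TPM 2.0 with KB2920188 in $mode mode (case 9): run the wizard; if encryption still fails, read the BitLocker-API event log."
}

Get-BitLockerReadiness
```

Running it as an MBAM pre-requisite step lets the Task Sequence log which case the machine is in before the wizard fails, instead of reconstructing that from Event Viewer afterwards.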
-
Thanks! I've gone to KB2920188 (https://support.microsoft.com/en-us/help/2920188/update-to-add-support-for-tpm-2.0-in-windows-7-and-windows-server-2008) that keilamym mentioned above and have seen that it mentions explicitly: So, I've downloaded the hotfix, injected it into the WIM file using DISM, reverted the BIOS to CSM/In-SecureBoot, reverted the DHCP configuration to provide the non-UEFI wdsnbp.com and relaunched the image on a test laptop.... Fingers crossed... I will let you know in a couple of hours if it works. If it doesn't, most probably you will find a cheap lot of Fujitsu Lifebook E736 on eBay in the coming days....
-
Hello. I've read millions of posts saying so, but I would like to ask you for a confirmation. Please. I have an SCCM 2012 / MDT 2013 setup deploying Windows 7 x64 Enterprise SP1 (this is the current corporate image, so no way to go to Win10 yet). The image deploys MBAM and then the laptop is "BitLockered" when the user logs in. For that, the TPM 1.4 chip in the current hardware (Fujitsu Lifebook E734) is used with a PIN. That setup was working fine, with legacy BIOS (no Secure Boot, no UEFI, MBR...). Now, we have received a new batch of laptops (Fujitsu Lifebook E736). Those implement TPM 2.0. It seems that BitLocker does not work with TPM 2.0 if UEFI/Secure Boot is not enabled. I have modified the PXE settings in the DHCP to deliver the UEFI WDS package. I have configured the TS to boot with an x64 boot image and everything works. The PXE triggers the WinPE, it offers a couple of Task Sequences advertised to the computer, I choose the right one, the TS installs the OS, the TS installs the SCCM client and the Task Sequence TRIES to reboot to the OS. Yes, only tries. After that the laptop complains that it cannot find a bootable device. Can you please confirm my guess (after reading like 1 million web pages) that nobody has found a workaround for this? In short: Is there a way to install Windows 7 x64 on a UEFI/SecureBoot/GPT laptop? Is there anything I should do to make it boot? Thanks in advance...