Failed to add TPM protector to OS device exit code 1

Hoping for some help with a strange issue I have on a customer site.

I am currently unable to build Dell Optiplex 5040 devices with Windows 10 1909 x64 Enterprise from an Endpoint manager 1910 MDT integrated task sequence. The task sequence fails when trying to execute the Invoke-MbamClientDeployment.ps1 script.

I have detailed the high level tasks below and attached the SMSTS.log.

  • BIOS upgraded to latest version
  • BIOS Reset to factory settings
  • BIOS Password Set
  • BIOS Standard config applied
  • UEFI Boot enabled
  • TPM Cleared & activated
  • TPM Converted from 1.2 to 2.0
  • TPM Cleared again and reactivated
  • OS Deployed
  • Drivers deployed
  • MBAM TPMPassTheHash step completed
  • DOTNET Enabled
  • C++ Redists applied
  • Security Patches Applied

The MBAM Group

  • MBAM_XTS_AES256 applied to reg
  • PreBoot Input Protectors for Tablets applied to reg
  • MDOP MBAM 2.5 SP1 Installed
  • MBAM Client Hot Fix KB4505175 Applied
  • Sleep 2 mins
  • DisableRootAutoUpdate (Certificate applied)
  • PowerShell Execution Policy set to Bypass
  • Set PowerShell Execution Policy
  • powershell.exe -command Initialize-TPM is run
  • Invoke-MbamClientDeployment.ps1 is run with the parameters below

Parameters: -RecoveryServiceEndpoint "https://MBAM:443/MBAMRecoveryAndHardwareService/CoreService.svc" -StatusReportingServiceEndpoint "https://MBAM:443/MBAMComplianceStatusService/StatusReportingService.svc" -IgnoreEscrowOwnerAuthFailure -EncryptionMethod "XTSAES256"

**The Post Steps**

  • Reset TPM Policy

The TPM status is: Enabled, Activated & NOT owned

The above works on all other models tested but fails on the 5040

The actual error message received is contained in the smsts.log file attached and the extract is below.

The device is also in a staging OU that receives no Group Policy. The device does register in MBAM if continue on error is checked on the offending task and the computer object moved to the correct OU but will not encrypt. The same task sequence works on the other Dell models tested e.g. 5050

I have logged in afterwards and BitLocker throws an internal error if you try to run it manually.


A single-site deployment of Endpoint Manager 1910 with two distribution points deploying Windows 10 1909 x64 Enterprise with an MDT integrated task sequence. The Dell Command toolkit has been integrated into Endpoint Manager and drives the BIOS/TPM config steps in the task sequence. The Dell TPM conversion tool is used to convert the TPM to 2.0. The devices being built are production Windows 7 machines and are being repurposed as Windows 10 x64 Enterprise 1909.


(Attachment: smsts extract.png)
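For readers reproducing the task sequence above, here is an added preflight wrapper (not from the original post, and not part of MBAM or the Dell toolkit) that records the TPM facts MBAM depends on before calling Invoke-MbamClientDeployment.ps1, and then checks independently whether a TPM key protector actually landed on the OS volume. The endpoint URLs and encryption method are the ones quoted in the thread; the script location, log path and the choice to return 3010 on a pending TPM restart are assumptions.

```powershell
# Added example: TPM/BitLocker preflight around Invoke-MbamClientDeployment.ps1,
# intended as a task sequence "Run PowerShell Script" step. Not the original poster's code.
param(
    [string]$MbamScript = "$PSScriptRoot\Invoke-MbamClientDeployment.ps1",   # assumed location
    [string]$LogFile    = "$env:SystemRoot\Temp\MbamPreflight.log"            # assumed log path
)

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Collect the TPM facts that decide whether a TPM protector can be added:
# present / enabled / activated / owned, spec version (1.2 vs 2.0), and whether a
# clear or conversion is still waiting for a reboot.
function Get-TpmPreflightState {
    $tpm = Get-Tpm    # TrustedPlatformModule module, needs an elevated session
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    [pscustomobject]@{
        Present        = $tpm.TpmPresent
        Enabled        = $tpm.TpmEnabled
        Activated      = $tpm.TpmActivated
        Owned          = $tpm.TpmOwned
        Ready          = $tpm.TpmReady
        RestartPending = $tpm.RestartPending
        SpecVersion    = ($wmi.SpecVersion -split ',')[0].Trim()   # e.g. "2.0"
    }
}

$state = Get-TpmPreflightState
Write-Log ("TPM state: " + ($state | ConvertTo-Json -Compress))

if (-not ($state.Present -and $state.Enabled -and $state.Activated)) {
    Write-Log "TPM is not present/enabled/activated; a TPM protector cannot be added."
    exit 1
}
if ($state.RestartPending) {
    # A clear or 1.2 -> 2.0 conversion that has not been followed by a reboot leaves the
    # TPM unusable; 3010 asks the task sequence to restart (assumed handling).
    Write-Log "TPM reports a pending restart; requesting reboot before MBAM deployment."
    exit 3010
}

# Parameters as used in the thread, passed by splatting.
$mbamArgs = @{
    RecoveryServiceEndpoint        = 'https://MBAM:443/MBAMRecoveryAndHardwareService/CoreService.svc'
    StatusReportingServiceEndpoint = 'https://MBAM:443/MBAMComplianceStatusService/StatusReportingService.svc'
    IgnoreEscrowOwnerAuthFailure   = $true
    EncryptionMethod               = 'XTSAES256'
}
Write-Log "Running $MbamScript"
try {
    & $MbamScript @mbamArgs
    # Treat a thrown error or a nonzero exit from the script as failure.
    $rc = if ($LASTEXITCODE) { $LASTEXITCODE } else { 0 }
} catch {
    Write-Log "Invoke-MbamClientDeployment.ps1 threw: $($_.Exception.Message)"
    $rc = 1
}
Write-Log "Invoke-MbamClientDeployment.ps1 exit code: $rc"

# Verify the outcome rather than trusting the exit code: the OS volume should now carry
# a Tpm key protector and report protection/encryption status.
$vol        = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
Write-Log "OS volume: ProtectionStatus=$($vol.ProtectionStatus) VolumeStatus=$($vol.VolumeStatus) Protectors=[$protectors]"
if (-not ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })) {
    Write-Log "No TPM protector on the OS volume; check the Microsoft-Windows-MBAM/Admin event log."
    exit 1
}
exit $rc
```

The value of the wrapper is the log line it writes before MBAM runs: on a model that fails, comparing the recorded Present/Enabled/Activated/RestartPending/SpecVersion fields against a model that succeeds narrows the problem to the TPM state the task sequence left behind rather than to the MBAM script itself.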


the error translates to

An internal error was detected.

Source: Windows


Which doesn't help much. What cumulative update level are you deploying with?


Thank you for the quick reply. Yes, it's less than helpful, and also exactly what you get if you try to turn BitLocker on manually after allowing the TS to complete.

The WIM has been offline serviced to the April Cumulative update and then patched as part of the task sequence using the method attached.

I have also had to add the cumulative update to the boot image, as the Dell TPM Conversion tool breaks without it post 1903.
