Doug Blake

Enabling BitLocker


Hi,

 

I'm trying to enable BitLocker during OSD but haven't had any success.

 

I'm deploying Windows 7 x64 to an HP ProBook 6560B. I've enabled the TPM Chip within the BIOS and confirmed this is visible via the OS.

 

As far as I'm aware we have not extended the schema within AD to allow for storage of keys; this isn't something we'll be doing and we don't wish to store any keys.

 

I have selected the following options with the 'Enable BitLocker' TS:

 

Current Operating System Drive - TPM Only

Do Not Create A Recovery Key

 

The TS fails with the following errors:

 

Set command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:None OSDBitLocker 11/01/2012 15:45:15 2712 (0x0A98)

Target volume not specified, using current OS volume OSDBitLocker 11/01/2012 15:45:15 2712 (0x0A98)

Current OS volume is 'C:' OSDBitLocker 11/01/2012 15:45:15 2712 (0x0A98)

Succeeded loading resource DLL 'C:\Windows\SysWOW64\CCM\1033\TSRES.DLL' OSDBitLocker 11/01/2012 15:45:15 2712 (0x0A98)

Protection is OFF OSDBitLocker 11/01/2012 15:45:15 2712 (0x0A98)

Volume is fully decrypted OSDBitLocker 11/01/2012 15:45:15 2712 (0x0A98)

Tpm is enabled OSDBitLocker 11/01/2012 15:45:16 2712 (0x0A98)

Tpm is activated OSDBitLocker 11/01/2012 15:45:16 2712 (0x0A98)

Tpm is not owned OSDBitLocker 11/01/2012 15:45:16 2712 (0x0A98)

Tpm ownership is allowed OSDBitLocker 11/01/2012 15:45:16 2712 (0x0A98)

uStatus == 0, HRESULT=80280012 (e:\nts_sms_fre\sms\framework\tscore\tpm.cpp,503) OSDBitLocker 11/01/2012 15:45:16 2712 (0x0A98)

'IsSrkAuthCompatible' failed (2150105106) OSDBitLocker 11/01/2012 15:45:16 2712 (0x0A98)

Tpm does not have compatible SRK OSDBitLocker 11/01/2012 15:45:16 2712 (0x0A98)

Tpm has EK pair OSDBitLocker 11/01/2012 15:45:16 2712 (0x0A98)

Initial TPM state: 39 OSDBitLocker 11/01/2012 15:45:16 2712 (0x0A98)

Creating TPM owner authorization value OSDBitLocker 11/01/2012 15:45:16 2712 (0x0A98)

Succeeded loading resource DLL 'C:\Windows\SysWOW64\CCM\1033\TSRES.DLL' OSDBitLocker 11/01/2012 15:45:16 2712 (0x0A98)

Taking ownership of TPM OSDBitLocker 11/01/2012 15:45:16 2712 (0x0A98)

uStatus == 0, HRESULT=80070005 (e:\nts_sms_fre\sms\framework\tscore\tpm.cpp,645) OSDBitLocker 11/01/2012 15:45:18 2712 (0x0A98)

'TakeOwnership' failed (2147942405) OSDBitLocker 11/01/2012 15:45:18 2712 (0x0A98)

pTpm->TakeOwnership( sOwnerAuth ), HRESULT=80070005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,480) OSDBitLocker 11/01/2012 15:45:18 2712 (0x0A98)

Failed to take ownership of TPM. Ensure that Active Directory permissions are properly configured

Access is denied. (Error: 80070005; Source: Windows) OSDBitLocker 11/01/2012 15:45:18 2712 (0x0A98)

InitializeTpm(), HRESULT=80070005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,1191) OSDBitLocker 11/01/2012 15:45:18 2712 (0x0A98)

ConfigureKeyProtection( keyMode, pwdMode, pszStartupKeyVolume ), HRESULT=80070005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,1396) OSDBitLocker 11/01/2012 15:45:18 2712 (0x0A98)

pBitLocker->Enable( argInfo.keyMode, argInfo.passwordMode, argInfo.sStartupKeyVolume, argInfo.bWait ), HRESULT=80070005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\main.cpp,650) OSDBitLocker 11/01/2012 15:45:18 2712 (0x0A98)

Process completed with exit code 2147942405 TSManager 11/01/2012 15:45:18 1800 (0x0708)

!--------------------------------------------------------------------------------------------! TSManager 11/01/2012 15:45:18 1800 (0x0708)

Failed to run the action: Enable BitLocker. Permissions on the requested may be configured incorrectly.

Access is denied. (Error: 80070005; Source: Windows) TSManager 11/01/2012 15:45:18 1800 (0x0708)

 

When I've tried to enable BitLocker from the command line (using manage-bde.exe -on C:), the output reports that BitLocker can't enable as TPM isn't the owner and that the OS needs to take ownership first. This can be achieved by running manage-bde.exe -tpm -o selectapassword; however, I'm trying to avoid this method as I would prefer to use the proper TS step (and have an auto-generated password).

 

Can anyone help?

 

We're running SCCM 2007 R3.


Hi Doug,

 

I had a similar issue within our setup here when I was deploying MBAM; I found out that it could not take full ownership of the TPM due to key issues. I found this VBS script, edited it to our requirements and created a package, then ran this before the BitLocker step in the task sequence.

 

The script basically enters a new / restores the endorsement key within the TPM chip; once this ran I was able to take ownership with no problem and the task sequence completed successfully.

 

Since then I have kept the VBS script in the task sequence but disabled the BitLocker stage and now let MBAM do this in an automated fashion.

 

Here is the script I have been using:

 

'==========================================================================
'
' NAME: tpm_ek.vbs
'
' AUTHOR: Microsoft
' AMENDED: Matt Wall
' DATE : 18/11/2011
'
' COMMENT: Checks for TPM Endorsement Key Pair and creates it if missing.
' COMMENT: Fixes MBAM issue "Error taking ownership of the TPM"
'
'==========================================================================

' Connect to the TPM WMI provider; Win32_Tpm requires packet-privacy authentication.
Set objWMIService = GetObject("WinMgmts:{impersonationLevel=impersonate,AuthenticationLevel=pktprivacy}//" & "." & "\root\CIMV2\Security\MicrosoftTpm")
Set objItems = objWMIService.InstancesOf("Win32_Tpm")

For Each objItem In objItems

    ' Each query method returns 0 on success and sets its out-parameter
    ' to the boolean state. The enabled/activated/owned checks are left
    ' disabled; only the endorsement key pair check is used.
    'rvaluea = objItem.IsEnabled(A)
    'rvalueb = objItem.IsActivated(B)
    'rvaluec = objItem.IsOwned(C)
    rvalued = objItem.IsEndorsementKeyPairPresent(D)

    'If A Then
    '    WScript.Echo "TPM Is Enabled: " & A
    'Else
    '    WScript.Echo "TPM Is Enabled: " & A
    'End If

    'If B Then
    '    WScript.Echo "TPM Is Activated: " & B
    'Else
    '    WScript.Echo "TPM Is Activated: " & B
    'End If

    'If C Then
    '    WScript.Echo "TPM Is Owned: " & C
    'Else
    '    WScript.Echo "TPM Is Owned: " & C
    'End If

    'If D Then
    '    WScript.Echo "TPM Is EndorsementKeyPairPresent: " & D
    'Else
    ' No endorsement key pair present: create one, and fail the package
    ' (exit code -1) if the TPM reports an error so the TS stops here.
    If Not D Then
        'WScript.Echo "TPM Is EndorsementKeyPairPresent: " & D
        'WScript.Echo "CreateEndorsementKeyPair... Please Wait"
        rvaluee = objItem.CreateEndorsementKeyPair(E)
        'WScript.Echo "CreateEndorsementKeyPair... Returns:" & rvaluee & " and E=" & E
        If (rvaluee <> 0) Then
            WScript.Quit -1
        End If
    End If

Next

WScript.Quit (0)
'==========================================================================

 

Hope this helps you out.

Matt
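As an added preflight that is not part of either post above, the following PowerShell reads the same Win32_Tpm state that OSDBitLocker.exe logs before it tries TakeOwnership (enabled, activated, owned, ownership allowed, endorsement key pair, SRK compatibility) and returns a non-zero exit code when the Enable BitLocker step cannot succeed as-is. The Get-TpmFlag helper and the exit-code mapping are my own; it assumes it runs in the full OS (not WinPE) with administrative rights.

```powershell
# Added example, not from the thread: read-only TPM preflight for the
# "Enable BitLocker" task sequence step. Queries the same Win32_Tpm class
# as tpm_ek.vbs and reports the states that OSDBitLocker.exe logs before
# it attempts TakeOwnership. Assumes the full OS (not WinPE) and admin rights.
$ns  = 'root\CIMV2\Security\MicrosoftTpm'
$tpm = Get-WmiObject -Namespace $ns -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    Write-Output 'No Win32_Tpm instance: TPM absent, disabled in the BIOS, or no driver.'
    exit 1
}

# Every Win32_Tpm query method returns ReturnValue (0 = success) plus a
# boolean output property named after the method, e.g. IsOwned().IsOwned.
# A failed query returns $null, which the checks below treat as "not OK".
function Get-TpmFlag([string]$Name) {
    $r = $tpm.$Name()
    if ($r.ReturnValue -ne 0) {
        # Mirrors log lines such as "'IsSrkAuthCompatible' failed (2150105106)".
        Write-Output ('{0}: query failed, HRESULT=0x{1:X8}' -f $Name, $r.ReturnValue)
        return $null
    }
    return [bool]$r.$Name
}

$checks = 'IsEnabled', 'IsActivated', 'IsOwned', 'IsOwnershipAllowed',
          'IsEndorsementKeyPairPresent', 'IsSrkAuthCompatible'
$state = @{}
foreach ($c in $checks) {
    $state[$c] = Get-TpmFlag $c
    Write-Output ('{0,-28} {1}' -f $c, $state[$c])
}

# Decide whether the step can succeed; a non-zero exit fails the TS package.
$rc = 0
if (-not $state.IsEnabled -or -not $state.IsActivated) {
    Write-Output 'TPM must be enabled and activated in the BIOS first.'; $rc = 2
}
if (-not $state.IsOwnershipAllowed) {
    Write-Output 'Ownership is blocked; check the BIOS / physical presence settings.'; $rc = 3
}
if (-not $state.IsEndorsementKeyPairPresent) {
    Write-Output 'No endorsement key pair: run the tpm_ek.vbs step before Enable BitLocker.'; $rc = 4
}
# An unowned TPM has no SRK yet (0x80280012 in the log is TPM_E_NOSRK), so the
# SRK is only judged once the TPM is owned.
if ($state.IsOwned -and -not $state.IsSrkAuthCompatible) {
    Write-Output 'TPM is owned with an incompatible SRK; it must be cleared and re-owned.'; $rc = 5
}
exit $rc
```

Run it as a "Run Command Line" step (powershell.exe -ExecutionPolicy Bypass -File) immediately before Enable BitLocker; the printed table lands in smsts.log next to the OSDBitLocker lines for comparison.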
