Enable Bitlocker failure if TPM not correctly configured
Hi all, In our Windows 7 task sequence, I go through the process of enabling the TPM chip on Dell and Lenovo machines which generally works fine, so long as they've not been previously owned. However, under some circumstances, the Enable Bitlocker step will fail because the TPM chip could not be correctly configured as part of the build. In this event we get an error 0x80004005. I've tried some scripts to check to see if TPM is enabled and TPM is activated which return TRUE for both, however, these don't cater for the ownership. How can I get the Enable Bitlocker task to continue on through failure and finish the task sequence without bombing out? If I can get that working, then I can check for success / failure and log accordingly. Cheers Simon
September 20th, 2011 7:23pm

What's the exact failure you are getting? Are you doing it similar to the posts below?
Customising Windows 7 deployments - part 5. Enabling Bitlocker in WinPE on Dell computers
How can I determine if there's a TPM chip on my Lenovo system for BitLocker? Easy when you know how
How can I determine if there's a TPM chip on my Dell system for BitLocker? Using the following script
My step by step SCCM Guides. I'm on Twitter > ncbrady
September 20th, 2011 7:32pm

Hi Niall, This part of smsts.log is typical of what we're seeing;
---start log---
<![LOG[Set command line: OSDBitLocker.exe /enable /wait:False /mode:TPM /pwd:AD]LOG]!><time="16:04:12.168+-60" date="09-20-2011" component="TSManager" context="" type="0" thread="2596" file="commandline.cpp:707">
<![LOG[Start executing the command line: OSDBitLocker.exe /enable /wait:False /mode:TPM /pwd:AD]LOG]!><time="16:04:12.168+-60" date="09-20-2011" component="TSManager" context="" type="1" thread="2596" file="instruction.cxx:2928">
<![LOG[!--------------------------------------------------------------------------------------------!]LOG]!><time="16:04:12.168+-60" date="09-20-2011" component="TSManager" context="" type="1" thread="2596" file="instruction.cxx:2957">
<![LOG[Expand a string: FullOS]LOG]!><time="16:04:12.168+-60" date="09-20-2011" component="TSManager" context="" type="0" thread="2596" file="executionenv.cxx:782">
<![LOG[Executing command line: OSDBitLocker.exe /enable /wait:False /mode:TPM /pwd:AD]LOG]!><time="16:04:12.168+-60" date="09-20-2011" component="TSManager" context="" type="1" thread="2596" file="commandline.cpp:805">
<![LOG[==============================[ OSDBitLocker.exe ]==============================]LOG]!><time="16:04:12.262+-60" date="09-20-2011" component="OSDBitLocker" context="" type="1" thread="3216" file="main.cpp:608">
<![LOG[Command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD]LOG]!><time="16:04:12.262+-60" date="09-20-2011" component="OSDBitLocker" context="" type="1" thread="3216" file="main.cpp:609">
<![LOG[Initialized COM]LOG]!><time="16:04:12.262+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="main.cpp:632">
<![LOG[Command line for extension .exe is "%1" %*]LOG]!><time="16:04:12.262+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="commandline.cpp:229">
<![LOG[Set command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD]LOG]!><time="16:04:12.262+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="commandline.cpp:707">
<![LOG[Target volume not specified, using current OS volume]LOG]!><time="16:04:12.262+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="main.cpp:522">
<![LOG[Current OS volume is 'C:']LOG]!><time="16:04:12.262+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="main.cpp:524">
<![LOG[Succeeded loading resource DLL 'C:\Windows\SysWOW64\CCM\1033\TSRES.DLL']LOG]!><time="16:04:12.511+-60" date="09-20-2011" component="OSDBitLocker" context="" type="1" thread="3216" file="util.cpp:869">
<![LOG[Protection is OFF]LOG]!><time="16:04:12.526+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="bitlocker.cpp:1385">
<![LOG[Volume is fully decrypted]LOG]!><time="16:04:12.526+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="bitlocker.cpp:1392">
<![LOG[Tpm is enabled]LOG]!><time="16:04:12.573+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="tpm.cpp:161">
<![LOG[Tpm is not activated]LOG]!><time="16:04:12.604+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="tpm.cpp:166">
<![LOG[Tpm is not owned]LOG]!><time="16:04:12.636+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="tpm.cpp:171">
<![LOG[Tpm ownership is allowed]LOG]!><time="16:04:12.667+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="tpm.cpp:176">
<![LOG[uStatus == 0, HRESULT=80280012 (e:\nts_sms_fre\sms\framework\tscore\tpm.cpp,503)]LOG]!><time="16:04:12.729+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="tpm.cpp:503">
<![LOG['IsSrkAuthCompatible' failed (2150105106)]LOG]!><time="16:04:12.729+-60" date="09-20-2011" component="OSDBitLocker" context="" type="3" thread="3216" file="tpm.cpp:503">
<![LOG[Tpm does not have compatible SRK]LOG]!><time="16:04:12.729+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="tpm.cpp:180">
<![LOG[uStatus == 0, HRESULT=80280006 (e:\nts_sms_fre\sms\framework\tscore\tpm.cpp,548)]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="tpm.cpp:548">
<![LOG['IsEndorsementKeyPairPresent' failed (2150105094)]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="3" thread="3216" file="tpm.cpp:548">
<![LOG[Tpm does not have EK pair]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="tpm.cpp:184">
<![LOG[Initial TPM state: 5]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="bitlocker.cpp:410">
<![LOG[(dwTpmState & Tpm::State_Activated) != 0, HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,420)]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="bitlocker.cpp:420">
<![LOG[TPM cannot be activated without physical presence]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="3" thread="3216" file="bitlocker.cpp:420">
<![LOG[InitializeTpm(), HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,1191)]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="bitlocker.cpp:1191">
<![LOG[ConfigureKeyProtection( keyMode, pwdMode, pszStartupKeyVolume ), HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,1396)]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="bitlocker.cpp:1396">
<![LOG[pBitLocker->Enable( argInfo.keyMode, argInfo.passwordMode, argInfo.sStartupKeyVolume, argInfo.bWait ), HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\main.cpp,650)]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="3216" file="main.cpp:650">
<![LOG[Process completed with exit code 2147500037]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="TSManager" context="" type="1" thread="2596" file="commandline.cpp:1102">
<![LOG[!--------------------------------------------------------------------------------------------!]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="TSManager" context="" type="1" thread="2596" file="instruction.cxx:3010">
<![LOG[Failed to run the action: Enable BitLocker. Unspecified error (Error: 80004005; Source: Windows)]LOG]!><time="16:04:12.791+-60" date="09-20-2011" component="TSManager" context="" type="3" thread="2596" file="instruction.cxx:3101">
--- end log---
HOWEVER, it is also quite possible to have bitlocker fail with the following lines in smsts.log
<![LOG[Tpm is enabled]LOG]!><time="17:07:58.725+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="4884" file="tpm.cpp:161">
<![LOG[Tpm is activated]LOG]!><time="17:07:58.740+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="4884" file="tpm.cpp:166">
<![LOG[Tpm is owned]LOG]!><time="17:07:58.756+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="4884" file="tpm.cpp:171">
<![LOG[Tpm ownership is allowed]LOG]!><time="17:07:58.772+-60" date="09-20-2011" component="OSDBitLocker" context="" type="0" thread="4884" file="tpm.cpp:176">
This seems to happen if the TPM ownership fails to be taken by the Enable Bitlocker task. Consequently, in either situation, I want to just finish the step and move on.
I'm using the ZTICheckForTPM script from the deployment guys - http://blogs.technet.com/b/deploymentguys/archive/2010/12/22/check-to-see-if-the-tpm-is-enabled.aspx - but it pretty much always seems to enumerate to TRUE for enabled and activated.
September 20th, 2011 9:20pm
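The following is an added example, not code from Simon's post or from anyone else in this thread. It runs the same Win32_Tpm checks that OSDBitLocker.exe writes to smsts.log above (enabled, activated, owned, ownership allowed, EK pair, SRK auth) and publishes the outcome as task sequence variables, so that the Enable BitLocker step can be skipped by a step condition instead of being allowed to fail. Assumptions: the variable names starting with "TPM" are my own choice; the readiness rule is derived from the checks visible in the posted log, not from any documentation of OSDBitLocker.exe; Microsoft.SMS.TSEnvironment is only present while a task sequence is running, so outside a TS the script just prints the state.

```powershell
# Added example (not from the original thread). Intended to run as a
# "Run PowerShell Script" step placed directly before "Enable BitLocker".
# Assumption: variable names beginning with "TPM" are a naming choice, and
# the readiness rule below is inferred from the checks OSDBitLocker.exe logs.

$ns  = 'root\CIMV2\Security\MicrosoftTpm'
$tpm = Get-WmiObject -Namespace $ns -Class Win32_Tpm -ErrorAction SilentlyContinue

function Get-TpmFlag {
    param($Tpm, [string]$Method)
    # Each Win32_Tpm query method returns an object with ReturnValue (an
    # HRESULT) and one boolean output parameter named after the method,
    # e.g. $tpm.IsOwned().IsOwned. A non-zero ReturnValue (the posted log
    # shows 0x80280012 from IsSrkAuthCompatible) is reported, not hidden.
    $r = $Tpm.$Method()
    if ($r.ReturnValue -ne 0) {
        return New-Object PSObject -Property @{
            Value = $false; HResult = ('0x{0:X8}' -f $r.ReturnValue) }
    }
    New-Object PSObject -Property @{ Value = [bool]$r.$Method; HResult = '0x00000000' }
}

$methods = 'IsEnabled', 'IsActivated', 'IsOwned', 'IsOwnershipAllowed',
           'IsEndorsementKeyPairPresent', 'IsSrkAuthCompatible'
$flags = @{}
foreach ($m in $methods) {
    if ($tpm) { $flags[$m] = Get-TpmFlag -Tpm $tpm -Method $m }
    else      { $flags[$m] = New-Object PSObject -Property @{ Value = $false; HResult = 'no TPM' } }
}

# Readiness rule (assumption): /mode:TPM needs the chip enabled and activated
# (the log fails with "TPM cannot be activated without physical presence"
# otherwise), and then either an owned TPM whose SRK authorization is usable,
# or an unowned TPM that OSDBitLocker.exe is allowed to take ownership of.
$ready = [bool]$tpm -and $flags.IsEnabled.Value -and $flags.IsActivated.Value -and (
    ($flags.IsOwned.Value -and $flags.IsSrkAuthCompatible.Value) -or
    (-not $flags.IsOwned.Value -and $flags.IsOwnershipAllowed.Value)
)

# Print the state so it lands in the step output / smsts.log for later review.
foreach ($m in $methods) {
    Write-Output ('{0,-28} {1,-5} (HRESULT {2})' -f $m, $flags[$m].Value, $flags[$m].HResult)
}
Write-Output ('TPMReadyForBitLocker = {0}' -f $ready)

try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('TPMReadyForBitLocker') = [string]$ready          # "True" or "False"
    foreach ($m in $methods) { $tsenv.Value("TPM$m") = [string]$flags[$m].Value }
} catch {
    Write-Warning 'Microsoft.SMS.TSEnvironment not available (not inside a task sequence); variables not set.'
}

# Always succeed: the decision is made by the condition on the next step,
# not by this step failing.
exit 0
```

Usage: add this as a Run PowerShell Script step (execution policy Bypass) just before Enable BitLocker, then put the Enable BitLocker step, or a group containing it, under the condition "Task Sequence Variable TPMReadyForBitLocker equals True". Machines whose TPM is not activated or is owned with an unusable SRK skip the step and carry on; the per-check TPM* variables stay available for a later logging step.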

Hi, Have you tried, in the "Enable Bitlocker" step -> "Options" -> Mark "Continue on error". Then the TS should continue even if the "Bitlocker" step fails. I'm dealing with the same problem on some Lenovo models. Have you tried to manually disable TPM in Bios - and then enable it again to see if it solves the problem. It works for me on some models. Maybe it's possible to disable the TPM in the TS and then enable it again after a restart. I haven't tried that yet. Updating the Bios is also worth a try. Also take a look at this great article: http://blog.coretech.dk/mip/enable-lenovo-tpm-security-chip-and-other-stuff-from-a-ts/
September 20th, 2011 9:25pm

We are enabling and disabling the TPM in between restarts no problem (in WinPE) on both Dell/Lenovo, in conjunction with the above posts and this one:
Is the TPM Chip Enabled or Disabled in the Bios on my system? Use this WMI query to find out
You should be able to easily create a group to check if the chip is enabled, then disable it, reboot, and continue.
cheers niall
My step by step SCCM Guides. I'm on Twitter > ncbrady
September 20th, 2011 9:57pm

It's a bit tricky if the TPM is owned or activated by another system or an earlier test run. I've seen this from time to time. This varies from vendor to vendor. Dell, HP etc. require a BIOS password set to be able to set the TPM; then you can remove it afterwards. If the TPM owner step fails, you have to manually enter the BIOS and clear out the TPM, if the toolkit by the vendor or BDE doesn't have a command for it. Then start the OSD Task Sequence again. Usually this shouldn't be a problem for the most part of the client machines. Regards, Nicolai
September 20th, 2011 11:36pm

For Lenovo it might be possible to use the SetConfig.vbs: cscript.exe SetConfig.vbs SecurityChip Disable (The same value as in BIOS, and it is case sensitive).
September 21st, 2011 12:09am

I've definitely tried the Continue on Error route and that didn't work. I've also tried disabling / re-enabling the TPM, but this doesn't clear the TPM owner. I've been using the Dell CCTK and Lenovo toolkits and neither have the option to clear the TPM owner. Sorting it out manually is fine in the test environment, but we're about to embark on user initiated migrations from XP to W7 including bitlocker. As Nicolai says, generally this shouldn't be a problem from client machines, but if we do hit a problem it becomes a lot more difficult because of the user state migration etc. If I create a group with Continue On Error and then put the enable bitlocker task within that group, I wonder if that might work...
September 21st, 2011 12:15am

I recall that, regarding Lenovo's "SetConfig.vbs SecurityChip Active", it actually requires 2 reboots to work. Not sure if it helps.
September 21st, 2011 12:37am

In my experience, enabling bitlocker within the TS does not always work. It does not work across all Dell platforms. Mayur
September 21st, 2011 1:38am

Thanks for the input so far, however, we might be straying from the topic a bit here. Under most circumstances, I'm not having a problem configuring the TPM on either Dells or Lenovos using the CCTK for Dells and the SetConfig.vbs script for Lenovos. The issue only comes when those scripts have not managed to set the TPM chip correctly, usually due to it being previously owned. It's at that point that the Enable Bitlocker task can fail with "Process completed with exit code 2147500037" resulting in an unspecified error 80004005. I'd hoped there was a way to just continue on past this without bailing out the task sequence :-/
September 21st, 2011 5:48pm

When I encounter problems clearing or resetting the TPM chip I use the following PowerShell lines; this will enable the chip ready to be owned again.

```powershell
# Request the physical-presence operation (10, as posted) from the TPM driver;
# the request is carried out by the BIOS on the next boot.
$oTPM = gwmi -Class Win32_TPM -Namespace root\CIMV2\Security\MicrosoftTpm
$oTPM.SetPhysicalPresenceRequest(10)
```

Reboot system. Script to get ownership:

```powershell
# The variable does not survive the reboot, so bind to Win32_Tpm again.
$oTPM = gwmi -Class Win32_TPM -Namespace root\CIMV2\Security\MicrosoftTpm

# Create endorsement key pair if needed
If (!(($oTPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent)) { $oTPM.CreateEndorsementKeyPair() }

If (($oTPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent) {
    # ConvertToOwnerAuth derives the owner authorization value from a passphrase
    $OwnerAuth = $oTPM.ConvertToOwnerAuth("customrandompassword")
    # Clear then take ownership with that authorization value
    $oTPM.Clear($OwnerAuth.OwnerAuth)
    $oTPM.TakeOwnership($OwnerAuth.OwnerAuth)
}
```

Daniel
September 22nd, 2011 1:42am
