Enabling BitLocker during OSD
Hi, I'm trying to enable BitLocker during OSD but haven't had any success. I'm deploying Windows 7 x64 to an HP ProBook 6560B. I've enabled the TPM chip within the BIOS and confirmed this is visible via the OS. As far as I'm aware we have not extended the schema within AD to allow for storage of keys; this isn't something we'll be doing and we don't wish to store any keys.

I have selected the following options with the 'Enable BitLocker' TS step:

Current Operating System Drive - TPM Only
Do Not Create A Recovery Key

The TS fails with the following errors:

Set command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:None   OSDBitLocker   11/01/2012 15:45:15   2712 (0x0A98)
Target volume not specified, using current OS volume   OSDBitLocker   11/01/2012 15:45:15   2712 (0x0A98)
Current OS volume is 'C:'   OSDBitLocker   11/01/2012 15:45:15   2712 (0x0A98)
Succeeded loading resource DLL 'C:\Windows\SysWOW64\CCM\1033\TSRES.DLL'   OSDBitLocker   11/01/2012 15:45:15   2712 (0x0A98)
Protection is OFF   OSDBitLocker   11/01/2012 15:45:15   2712 (0x0A98)
Volume is fully decrypted   OSDBitLocker   11/01/2012 15:45:15   2712 (0x0A98)
Tpm is enabled   OSDBitLocker   11/01/2012 15:45:16   2712 (0x0A98)
Tpm is activated   OSDBitLocker   11/01/2012 15:45:16   2712 (0x0A98)
Tpm is not owned   OSDBitLocker   11/01/2012 15:45:16   2712 (0x0A98)
Tpm ownership is allowed   OSDBitLocker   11/01/2012 15:45:16   2712 (0x0A98)
uStatus == 0, HRESULT=80280012 (e:\nts_sms_fre\sms\framework\tscore\tpm.cpp,503)   OSDBitLocker   11/01/2012 15:45:16   2712 (0x0A98)
'IsSrkAuthCompatible' failed (2150105106)   OSDBitLocker   11/01/2012 15:45:16   2712 (0x0A98)
Tpm does not have compatible SRK   OSDBitLocker   11/01/2012 15:45:16   2712 (0x0A98)
Tpm has EK pair   OSDBitLocker   11/01/2012 15:45:16   2712 (0x0A98)
Initial TPM state: 39   OSDBitLocker   11/01/2012 15:45:16   2712 (0x0A98)
Creating TPM owner authorization value   OSDBitLocker   11/01/2012 15:45:16   2712 (0x0A98)
Succeeded loading resource DLL 'C:\Windows\SysWOW64\CCM\1033\TSRES.DLL'   OSDBitLocker   11/01/2012 15:45:16   2712 (0x0A98)
Taking ownership of TPM   OSDBitLocker   11/01/2012 15:45:16   2712 (0x0A98)
uStatus == 0, HRESULT=80070005 (e:\nts_sms_fre\sms\framework\tscore\tpm.cpp,645)   OSDBitLocker   11/01/2012 15:45:18   2712 (0x0A98)
'TakeOwnership' failed (2147942405)   OSDBitLocker   11/01/2012 15:45:18   2712 (0x0A98)
pTpm->TakeOwnership( sOwnerAuth ), HRESULT=80070005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,480)   OSDBitLocker   11/01/2012 15:45:18   2712 (0x0A98)
Failed to take ownership of TPM. Ensure that Active Directory permissions are properly configured Access is denied. (Error: 80070005; Source: Windows)   OSDBitLocker   11/01/2012 15:45:18   2712 (0x0A98)
InitializeTpm(), HRESULT=80070005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,1191)   OSDBitLocker   11/01/2012 15:45:18   2712 (0x0A98)
ConfigureKeyProtection( keyMode, pwdMode, pszStartupKeyVolume ), HRESULT=80070005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,1396)   OSDBitLocker   11/01/2012 15:45:18   2712 (0x0A98)
pBitLocker->Enable( argInfo.keyMode, argInfo.passwordMode, argInfo.sStartupKeyVolume, argInfo.bWait ), HRESULT=80070005 (e:\nts_sms_fre\sms\client\osdeployment\bitlocker\main.cpp,650)   OSDBitLocker   11/01/2012 15:45:18   2712 (0x0A98)
Process completed with exit code 2147942405   TSManager   11/01/2012 15:45:18   1800 (0x0708)
!--------------------------------------------------------------------------------------------!   TSManager   11/01/2012 15:45:18   1800 (0x0708)
Failed to run the action: Enable BitLocker. Permissions on the requested may be configured incorrectly. Access is denied. (Error: 80070005; Source: Windows)   TSManager   11/01/2012 15:45:18   1800 (0x0708)

When I've tried to enable BitLocker from the command line (using manage-bde.exe -on C:) the output reports that BitLocker can't enable as the TPM isn't owned and that the OS needs to take ownership first.
This can be achieved by running manage-bde.exe -tpm -o selectapassword; however, I'm trying to avoid this method as I would prefer to use the proper TS step (and have an auto-generated password). Can anyone help? We're running SCCM 2007 R3.
January 11th, 2012 4:45pm

Hi there Are you using HP's BiosConfigUtility.exe to configure your TPM chip prior to enabling BitLocker? Check out this guide here on myITforum http://www.myitforum.com/absolutenm/templates/default.aspx?a=23728&template=print-article.htm My task sequence is similar however I use the MDT 2010 script ztibde.wsf to create and configure the BitLocker partition. The tool works really well and we have no problems automating BitLocker during our build process. Good luck!
January 11th, 2012 5:38pm

Hey, Thanks for the link. Yes, I'm using the HP BiosConfigUtility with a similar configuration to that shown in the link you've provided. I also added a step within the TS to remove the Infineon drivers and apply the correct driver, as mentioned at the bottom. In case it makes a difference, the options selected within my TPMENABLE.REPSET file are as follows:

Reset of TPM from OS - Enabled
OS Management of TPM - Enabled
Embedded Security device availability - Enabled

Everything else is left as default. The difference is we do not wish to store the keys; however, the error I've posted above seems to suggest the TS Enable BitLocker command is trying to communicate with AD. Thanks, Doug
January 11th, 2012 6:04pm

You need to take ownership of the TPM. Please refer to: Access Denied Error 0x80070005 message when initializing TPM for BitLocker
http://blogs.technet.com/b/bitlocker/archive/2010/09/14/access-denied-error-0x80070005-message-when-initializing-tpm-for-bitlocker.aspx
January 15th, 2012 10:18pm

Hi, We are not storing any encryption keys within AD. We've selected not to create a recovery key. Why do we need to change the AD TPM permissions on the OU if we're not creating (or storing) any recovery keys? Thanks, Doug
January 16th, 2012 8:27am

The user does not have permission to write to the TPM on client computers. The delegation just assigns the permission to users. It is not a permission change for content in AD.
February 6th, 2012 4:30am
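The steps the 'Enable BitLocker' task sequence step works through in the log above (is the TPM enabled, activated, owned, is ownership allowed, is the SRK auth compatible, then TakeOwnership, then enable the volume with a TPM-only protector) can be reproduced outside the TS with the Win32_Tpm WMI class and manage-bde.exe, which makes it possible to see exactly which call returns 0x80070005 on a given build. The script below is an added example written for this thread; it is not ConfigMgr's OSDBitLocker code, not the HP or MDT scripts mentioned above, and it was not posted by anyone in the thread. It assumes Windows 7 with manage-bde.exe on the path, that it runs elevated inside the deployed OS (for example as a 'Run Command Line' step after 'Setup Windows and ConfigMgr'), that C: is the OS volume, and that the HKLM\SOFTWARE\Policies\Microsoft\TPM values it reads are the ones written by the 'Turn on TPM backup to Active Directory Domain Services' policy.

```powershell
# Added example for this thread (not ConfigMgr, HP or MDT code). Windows 7, run elevated.
# Mirrors the OSDBitLocker.exe pre-checks, takes TPM ownership with a generated owner
# password, then enables BitLocker on the OS volume with a TPM-only protector and no
# recovery key, which is what "TPM Only" + "Do Not Create A Recovery Key" asks for.
$ErrorActionPreference = 'Stop'
$OsVolume = 'C:'   # assumption: the OS volume, as in the log ("Current OS volume is 'C:'")

# Win32_Tpm lives in its own namespace. Each query method returns an object whose
# boolean output property has the same name as the method, plus a ReturnValue HRESULT.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM device present. Check the BIOS / BiosConfigUtility step.' }

function Query-Tpm([string]$Method) {
    $r = $tpm.$Method()
    if ($r.ReturnValue -ne 0) {
        # Non-zero is an HRESULT, e.g. 0x80280012 (TPM_E_NOSRK) for IsSrkAuthCompatible
        # on a TPM that has never been owned, exactly as the log above shows.
        return ('failed, HRESULT=0x{0:X8}' -f $r.ReturnValue)
    }
    return $r.$Method
}

foreach ($m in 'IsEnabled', 'IsActivated', 'IsOwned', 'IsOwnershipAllowed', 'IsSrkAuthCompatible') {
    Write-Host ('{0,-20}: {1}' -f $m, (Query-Tpm $m))
}

if (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
    throw 'TPM is not enabled and activated; fix the BIOS configuration step first.'
}

if (-not $tpm.IsOwned().IsOwned) {
    if (-not $tpm.IsOwnershipAllowed().IsOwnershipAllowed) {
        throw 'TPM ownership is not allowed from the OS (BIOS "OS Management of TPM" setting).'
    }

    # Generate an owner passphrase and derive the owner authorization value from it the
    # same way tpm.msc / manage-bde -tpm -o do (ConvertToOwnerAuth hashes the passphrase).
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] 20
    $rng.GetBytes($bytes)
    $passphrase = [Convert]::ToBase64String($bytes)
    $ownerAuth  = $tpm.ConvertToOwnerAuth($passphrase).OwnerAuth

    $r = $tpm.TakeOwnership($ownerAuth)
    if ($r.ReturnValue -ne 0) {
        $hr = 'HRESULT=0x{0:X8}' -f $r.ReturnValue
        if ($r.ReturnValue -eq 0x80070005) {
            # Access denied. Show whether the TPM owner information backup policy is on,
            # because with it required, ownership is refused when the computer object
            # cannot write its TPM owner information to AD (the permission the blog post
            # linked above talks about), even if no BitLocker recovery key is created.
            $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' -ErrorAction SilentlyContinue
            Write-Host ('ActiveDirectoryBackup        = {0}' -f $pol.ActiveDirectoryBackup)
            Write-Host ('RequireActiveDirectoryBackup = {0}' -f $pol.RequireActiveDirectoryBackup)
        }
        throw "TakeOwnership failed: $hr"
    }
    Write-Host 'TPM ownership taken. The owner passphrase is NOT stored anywhere by this script.'
}

# The SRK auth must be the well-known value for BitLocker to seal to the TPM; TakeOwnership
# normally leaves it that way, but check before adding the protector.
if (-not $tpm.IsSrkAuthCompatible().IsSrkAuthCompatible) {
    throw 'SRK authorization is not compatible with BitLocker (ResetSrkAuth needs the owner auth).'
}

# TPM-only protector, no recovery password/key, then turn BitLocker on. manage-bde -on
# returns as soon as encryption has been started, like the /wait:False used by the TS step.
& manage-bde.exe -protectors -add $OsVolume -tpm
if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -add failed with exit code $LASTEXITCODE" }
& manage-bde.exe -on $OsVolume
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }
& manage-bde.exe -status $OsVolume
```

Two things a practitioner should weigh before using this unchanged. First, the check on ReturnValue rather than on a thrown exception matters: PowerShell does not throw when a WMI method returns a non-zero HRESULT, so without it the script would happily report `IsSrkAuthCompatible : False` for a TPM whose real state is "no SRK yet". Second, a TPM-only protector with no recovery password means a replaced mainboard, a cleared TPM or a firmware update that changes the measured boot state leaves the volume unrecoverable; the TS option "Do Not Create A Recovery Key" has the same property, and the generated owner passphrase above is deliberately discarded, so clearing the TPM later has to be done through the BIOS rather than through the OS.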

Hi blbake1985 I don't suppose you ever found a resolution to this problem did you? My circumstance is identical to yours. I used the HP BIOS config and I am not storing the keys in AD. I got the same error log as you when attempting to enable Bitlocker via the TS.
May 2nd, 2012 3:29pm
