Enablebitlocker.vbs Error the protectkeywithtpm failed with exit code 80310018
My Goal is a post deployment of Bitlocker.
I am running the enablebitlocker.vbs script deployed from SCCM 2007, running the command EnableBitLocker.vbs /on:tpm /l:c:\BitLocker.log
Group Policy is configured for ADDS backup and to prevent deployment unless backup of the keys.
On the first pass, I can physically verify that the TPM is enabled and that ownership has not been taken.
On the second pass I receive the error as stated above: Error the protectkeywithtpm failed with exit code 80310018.
My disk is partitioned as below:
300MB BDEDrive , System, Active, Partition Primary
200GB OSDisk, Boot, Page file, Crash Dump, Primary Partition
If I manually click to Enable Bitlocker, it backs the TPM up to AD?
I am clearly missing something! Any words of wisdom much appreciated.
Log file below:
-----------------------------------------------------------------------
---------------Executing with the following arguments------------------
-----------------------------------------------------------------------
Enable parameters: tpm
Logging location: c:\bitlocker.log
Create recovery key: No recovery key use specified
Encryption method: 1
Create SMS status MIF's: No SMS status MIF's will be created
Reset TPM ownership: TPM ownership information will not be cleared
User prompting: Users will not be prompted for PIN or to insert USB key
-----------------------------------------------------------------------
Connection succeeded to MicrosoftTPM
Successfully retrieved a TPM instance from the Win32_TPM provider class
TPM found in the following state:
Enabled - False
Activated - False
Owned - False
Connection succeeded to MicrosoftVolumeEncryption
TPM is not turned on...will Enable and Activate TPM and force a reboot.
Attempting to enable and activate the TPM
Completed enabling and activating the TPM with an exit code of: 0
Presence Transition = 2
Completed PhysicalPresenceTransition with an exit code of: 0
Rebooting system to finish enabling the TPM
TPM found in the following state: Enabled - False, Activated - False, Owned - False. The volume has a protection status of: . . Script Completed Successfully
Script ended 19/04/2012 14:31:30
Script processing started 19/04/2012 14:39:10
Proper number of command line arguments passed to the script
-----------------------------------------------------------------------
---------------Executing with the following arguments------------------
-----------------------------------------------------------------------
Enable parameters: tpm
Logging location: c:\bitlocker.log
Create recovery key: No recovery key use specified
Encryption method: 1
Create SMS status MIF's: No SMS status MIF's will be created
Reset TPM ownership: TPM ownership information will not be cleared
User prompting: Users will not be prompted for PIN or to insert USB key
-----------------------------------------------------------------------
Connection succeeded to MicrosoftTPM
Successfully retrieved a TPM instance from the Win32_TPM provider class
TPM found in the following state:
Enabled - True
Activated - True
Owned - False
Connection succeeded to MicrosoftVolumeEncryption
TPM ownership is not taken...will take ownership.
Successfully determined if Endorsement Key Pair is present with an exit code of: 0
IsEndorsementKeyPairPresent returned a value of: True
Endorsement Key Pair is present.
Successfully connected to WMI StdRegProv
Checking if Group Policy encryption method is set...
Found ActiveDirectoryBackup with value: 1
Found RequireActiveDirectoryBackup with value: 1
Determined client Group Policy configured to require AD escrow of recovery password
EncryptableVolumes count is: 1
The EncryptableVolume(s) found:
\\?\Volume{1c1aa0a7-8a63-11e1-97d0-806e6f6e6963}\
EncryptableVolume used for encryption is: C:
The volume has a protection status of: 0
BitLocker Protection is Off
Get conversion status is: 0
The volume has a status of fully decrypted
Attempting to enable BitLocker TPM
ERROR - the ProtectKeyWithTPM Method failed with the exit code: 80310018
Script ended 19/04/2012 14:39:15
April 19th, 2012 10:14am
Hi,
This error means FVE_E_TPM_NOT_OWNED 0x80310018. You must initialize the Trusted Platform Module (TPM) before you can use BitLocker Drive Encryption.
Juke Chou
TechNet Community Support
April 24th, 2012 4:42am
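As an added example, not part of this thread or of the EnableBitLocker.vbs script, the following PowerShell reads the same TPM and volume state the log above prints (Win32_Tpm in root\cimv2\Security\MicrosoftTpm, Win32_EncryptableVolume in root\cimv2\Security\MicrosoftVolumeEncryption, and the ActiveDirectoryBackup / RequireActiveDirectoryBackup policy values) and reports which precondition would make ProtectKeyWithTPM fail. It assumes an elevated PowerShell session on a machine with those WMI classes; the function name, the default drive letter and the policy registry path are my assumptions.

```powershell
# Added diagnostic (not from the thread): check the TPM ownership and volume
# preconditions for ProtectKeyWithTPM before trying to enable BitLocker.
# Run from an elevated PowerShell session.
function Get-TpmBitLockerReadiness {
    param(
        [string]$DriveLetter = 'C:'   # assumed default; the OS volume in the thread
    )

    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { throw 'No Win32_Tpm instance returned (TPM absent or driver not loaded).' }

    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No Win32_EncryptableVolume instance for $DriveLetter." }

    # Each WMI method returns an object whose out-parameter is exposed as a property.
    $enabled    = [bool]$tpm.IsEnabled().IsEnabled
    $activated  = [bool]$tpm.IsActivated().IsActivated
    $owned      = [bool]$tpm.IsOwned().IsOwned
    $ownAllowed = [bool]$tpm.IsOwnershipAllowed().IsOwnershipAllowed
    $ekPresent  = [bool]$tpm.IsEndorsementKeyPairPresent().IsEndorsementKeyPairPresent

    # 0 = protection off, 1 = on, 2 = unknown
    $protection = $vol.GetProtectionStatus().ProtectionStatus
    $conv       = $vol.GetConversionStatus()

    # Policy values the script log reports; path assumed to be the BitLocker policy key.
    $fvePolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $adBackup  = $fvePolicy.ActiveDirectoryBackup
    $adRequire = $fvePolicy.RequireActiveDirectoryBackup

    # Collect the reasons ProtectKeyWithTPM would be refused, in the order the TPM
    # must be brought up: enabled -> activated -> owned.
    $blockers = @()
    if (-not $enabled)   { $blockers += 'TPM is not enabled (enable in BIOS/UEFI or via Win32_Tpm.SetPhysicalPresenceRequest)' }
    if (-not $activated) { $blockers += 'TPM is enabled but not activated (reboot usually required after activation)' }
    if (-not $owned) {
        $blockers += 'TPM ownership has not been taken: ProtectKeyWithTPM returns 0x80310018 (FVE_E_TPM_NOT_OWNED)'
        if (-not $ownAllowed) { $blockers += 'Ownership is currently not allowed; check TPM lockout or physical presence state' }
        if (-not $ekPresent)  { $blockers += 'No endorsement key pair present; TakeOwnership needs one' }
    }
    if ($protection -eq 1) { $blockers += "Volume $DriveLetter is already protected" }

    [pscustomobject]@{
        TpmEnabled             = $enabled
        TpmActivated           = $activated
        TpmOwned               = $owned
        TpmOwnershipAllowed    = $ownAllowed
        EndorsementKeyPresent  = $ekPresent
        VolumeProtectionStatus = $protection
        VolumeConversionStatus = $conv.ConversionStatus
        EncryptionPercentage   = $conv.EncryptionPercentage
        AdBackupPolicy         = $adBackup
        RequireAdBackupPolicy  = $adRequire
        ReadyForTpmProtector   = ($blockers.Count -eq 0)
        Blockers               = $blockers
    }
}

# Usage: print the readiness report for the OS volume.
Get-TpmBitLockerReadiness | Format-List
```

Run it between the two passes of the deployment: on a machine in the state the second log shows (Enabled True, Activated True, Owned False) it returns ReadyForTpmProtector False with the FVE_E_TPM_NOT_OWNED blocker listed, which is the condition the answer above describes. Once Win32_Tpm.IsOwned reports True, the TPM protector can be added and the recovery password escrowed to AD as the policy requires.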