Windows ADK for Windows 11 breaks Bitlocker in WinPE with some models (MECM/SCCM)

JM 1 Reputation point
2021-08-31T16:11:45.047+00:00

After upgrading to ADK for Windows 11, SCCM task sequence step "Pre-Provision Bitlocker" fails with error: Failed to take TPM ownership. This only affects some models, such as HP Elitebook 830 G8. Tested with multiple laptops. Other users on Reddit have seen similar behavior. See thread https://www.reddit.com/r/SCCM/comments/pao0uo/task_sequence_step_preprovision_bitlocker_fails/

Verified ADK TPM permissions, rebuilt boot image, updated BIOS, cleared TPM, set TPM steps to ready state for pre-provision, etc.

Downgrading to Windows ADK for Windows 10 2004 solved the issue. Anyone else seen anything like this yet?

Some logs:
Set command line: OSDOfflineBitlocker.exe /enable /drive:%OSDisk% /ignoretpm:False /full:False /crypt:7 TSManager 23.8.2021 15.18.03 1304 (0x0518)
Start executing the command line: OSDOfflineBitlocker.exe /enable /drive:%OSDisk% /ignoretpm:False /full:False /crypt:7 TSManager 23.8.2021 15.18.03 1304 (0x0518)
!--------------------------------------------------------------------------------------------! TSManager 23.8.2021 15.18.03 1304 (0x0518)
Expand a string: WinPE TSManager 23.8.2021 15.18.03 1304 (0x0518)
Executing command line: OSDOfflineBitlocker.exe /enable /drive:%OSDisk% /ignoretpm:False /full:False /crypt:7 with options (0, 4) TSManager 23.8.2021 15.18.03 1304 (0x0518)
==============================[ OSDOfflineBitlocker.exe ]============================== OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Running module version 5.0.9049.1000 from location 'X:\sms\bin\x64\OSDOfflineBitlocker.exe' OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Command line: "OSDOfflineBitlocker.exe" /enable /drive:C: /ignoretpm:False /full:False /crypt:7 OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Initialized COM OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Command line for extension .exe is "%1" %* OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Set command line: "OSDOfflineBitlocker.exe" /enable /drive:C: /ignoretpm:False /full:False /crypt:7 OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
User specified valid encrypt method value: xts_aes256 OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Target drive is C: OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Initializing TPM... OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Tpm is enabled OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Tpm is activated OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Tpm is not owned OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Tpm ownership is allowed OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Tpm has compatible SRK OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Tpm has EK pair OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Initial TPM state: 55 OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Creating TPM owner authorization value OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Succeeded loading resource DLL 'X:\sms\bin\x64\1033\TSRES.DLL' OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Taking ownership of TPM OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
uStatus == 0, HRESULT=80070002 (..\tpm.cpp,645) OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
'TakeOwnership' failed (2147942402) OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
pTpm->TakeOwnership(sOwnerAuth), HRESULT=80070002 (offlinebitlocker.cpp,204) OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Failed to take ownership of TPM. Ensure that Active Directory permissions are properly configured
The system cannot find the file specified. (Error: 80070002; Source: Windows) OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Process completed with exit code 2147942402 TSManager 23.8.2021 15.18.03 1304 (0x0518)
!--------------------------------------------------------------------------------------------! TSManager 23.8.2021 15.18.03 1304 (0x0518)
Failed to run the action: Pre-provision BitLocker. Error -2147024894 TSManager 23.8.2021 15.18.03 1304 (0x0518)
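The excerpt above reports the same error three ways: `HRESULT=80070002` (hex), `failed (2147942402)` (unsigned decimal) and `Error -2147024894` (signed decimal). The following PowerShell is an added example, not code from the original post or from Microsoft: it normalises those spellings, walks a few lines copied from the excerpt to find the first HRESULT and the failing step, and renders the Win32 text for it. Function names and the way the sample is assembled are assumptions.

```powershell
# Added example (not from the original post): normalise the three spellings of
# the error in the smsts.log excerpt above and pull out the failing step. The
# sample lines below are copied from the excerpt; function names are assumed.

function ConvertTo-HResultHex {
    # smsts.log writes the same HRESULT as "HRESULT=80070002" (hex),
    # "failed (2147942402)" (unsigned decimal) and "Error -2147024894"
    # (signed decimal). Return every form as 0xXXXXXXXX so they compare equal.
    param(
        [Parameter(Mandatory)][string]$Value,
        [switch]$IsHex
    )
    if ($IsHex) { $n = [Convert]::ToUInt32(($Value -replace '^0x', ''), 16) }
    else        { $n = [uint32]([int64]$Value -band 0xFFFFFFFF) }
    '0x{0:X8}' -f $n
}

function Get-Win32ErrorText {
    # For FACILITY_WIN32 HRESULTs (facility 7) the low 16 bits are a plain
    # Win32 error code, so Windows can render the text without a lookup table.
    param([Parameter(Mandatory)][uint32]$HResult)
    if ((($HResult -shr 16) -band 0x1FFF) -eq 7) {
        return [System.ComponentModel.Win32Exception]::new([int]($HResult -band 0xFFFF)).Message
    }
    return 'not a Win32-facility HRESULT'
}

function Get-TsFailure {
    # Walk the lines in order: the first HRESULT is the one closest to the root
    # cause; the "Failed to run the action" line names the step TSManager failed.
    param([Parameter(Mandatory)][string[]]$LogLines)
    $r = [ordered]@{ Step = $null; StepError = $null; FirstHResult = $null; FirstSource = $null }
    foreach ($line in $LogLines) {
        if (-not $r.FirstHResult -and $line -match 'HRESULT=(?<hr>[0-9A-Fa-f]{8}) \((?<src>[^)]+)\)') {
            $r.FirstHResult = ConvertTo-HResultHex $Matches.hr -IsHex
            $r.FirstSource  = $Matches.src
        }
        if ($line -match '^Failed to run the action: (?<step>.+?)\. Error (?<code>-?\d+)') {
            $r.Step      = $Matches.step
            $r.StepError = ConvertTo-HResultHex $Matches.code
        }
    }
    [pscustomobject]$r
}

# Sample input: four lines copied from the smsts.log excerpt in the question.
$sampleLog = @(
    'uStatus == 0, HRESULT=80070002 (..\tpm.cpp,645) OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)',
    "'TakeOwnership' failed (2147942402) OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)",
    'pTpm->TakeOwnership(sOwnerAuth), HRESULT=80070002 (offlinebitlocker.cpp,204) OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)',
    'Failed to run the action: Pre-provision BitLocker. Error -2147024894 TSManager 23.8.2021 15.18.03 1304 (0x0518)'
)

$failure = Get-TsFailure $sampleLog
$failure | Format-List
"Step error and first HRESULT are the same code: $($failure.FirstHResult -eq $failure.StepError)"
Get-Win32ErrorText ([Convert]::ToUInt32($failure.FirstHResult.Substring(2), 16))
```

On the sample above this reports the step `Pre-provision BitLocker`, first HRESULT `0x80070002` from `..\tpm.cpp,645`, and confirms the decimal exit code is the same value. The Win32 code in the low word is 2, "The system cannot find the file specified.", which is not an access-denied or AD-related code; that is worth noticing before spending time on the "Ensure that Active Directory permissions are properly configured" hint the tool prints.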


8 answers

  1. Frank Rojas 111 Reputation points Microsoft Employee
    2021-09-22T02:43:12.267+00:00

    We have been able to reproduce the issue internally at Microsoft and are currently investigating.

    2 people found this answer helpful.

  2. Frank Rojas 111 Reputation points Microsoft Employee
    2021-10-08T21:21:51.047+00:00

    We have confirmed that this is a bug in WinPE 11 and are working on a fix. In the meantime, you can add the following command as a Run Command Line task before the Pre-provision BitLocker task to fix the issue:

    reg.exe add HKLM\SOFTWARE\Policies\Microsoft\TPM /v OSManagedAuthLevel /t REG_DWORD /d 2 /f

    2 people found this answer helpful.
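The reg.exe command in the reply is the workaround. The script below is an added example, not code from the reply or from Microsoft: it writes the same value from a "Run PowerShell Script" step, is safe to run repeatedly, and reads the value back so the step fails (non-zero exit) if the policy is not in place before "Pre-provision BitLocker" runs. The key, value name and data are from the reply; the function name, output shape and logging are assumptions.

```powershell
# Added example (not from the reply): the reg.exe workaround above as an
# idempotent, self-verifying task sequence step. Key, value name and data are
# taken from the reply; everything else is an assumption.

$TpmPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
$ValueName    = 'OSManagedAuthLevel'
$Wanted       = 2   # 2 = Delegated in the TPM group policy documentation

function Set-TpmOSManagedAuthLevel {
    param(
        [string]$Key   = $TpmPolicyKey,
        [string]$Name  = $ValueName,
        [int]   $Value = $Wanted
    )
    # In WinPE, HKLM is the boot image's registry held in the RAM disk, so this
    # only affects the WinPE session that runs OSDOfflineBitlocker.exe, not the
    # operating system that is deployed afterwards.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

    $before = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($before -ne $Value) {
        # -Force overwrites an existing value of a different type or data.
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    }

    # Read back rather than trusting the write.
    $after = (Get-ItemProperty -Path $Key -Name $Name).$Name
    [pscustomobject]@{
        Key    = $Key
        Name   = $Name
        Before = $before
        After  = $after
        Ok     = ($after -eq $Value)
    }
}

$result = Set-TpmOSManagedAuthLevel
$result | Format-List
if (-not $result.Ok) {
    Write-Error "$ValueName is '$($result.After)', expected $Wanted"
    exit 1   # a non-zero exit fails this step, so the sequence stops before Pre-provision BitLocker
}
```

Two practical notes: the step has to run in the WinPE phase, immediately before "Pre-provision BitLocker", and a PowerShell step in WinPE requires the Windows PowerShell optional component (WinPE-PowerShell, which pulls in .NET) in the boot image. The reply's `reg.exe add` line needs no extra component, which is a good reason to keep it if the boot image is kept minimal; the script only adds the read-back check.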

  3. C Filip 6 Reputation points
    2021-10-12T12:00:18.367+00:00

    Workaround worked for me. Imaging was done from within running old OS (without USMT, complete wipe). Newly installed OS was W10 21H1 19043.1237. Documentation for registry value OSManagedAuthLevel: https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings

    1 person found this answer helpful.

  4. John Osti 1 Reputation point
    2021-10-05T04:26:02.47+00:00

    Hi all,

    Any updates to this issue at all? Haven't downgraded ADK yet hoping for a resolution.


  5. C Filip 6 Reputation points
    2021-10-11T15:17:49.52+00:00

    Same problem confirmed on DELL Latitude 5310 as well. We will try suggested workaround. Thank you.
