Windows ADK for Windows 11 breaks BitLocker in WinPE with some models (MECM/SCCM)

JM 1 Reputation point
2021-08-31T16:11:45.047+00:00

After upgrading to ADK for Windows 11, SCCM task sequence step "Pre-Provision BitLocker" fails with error: Failed to take TPM ownership. This only affects some models, such as HP EliteBook 830 G8. Tested with multiple laptops. Other users on Reddit have seen similar behavior. See thread https://www.reddit.com/r/SCCM/comments/pao0uo/task_sequence_step_preprovision_bitlocker_fails/

Verified ADK TPM permissions, rebuilt boot image, updated BIOS, cleared TPM, set TPM steps to ready state for pre-provision, etc.

Downgrading to Windows ADK for Windows 10 2004 solved the issue. Anyone else seen anything like this yet?

Some logs:
Set command line: OSDOfflineBitlocker.exe /enable /drive:%OSDisk% /ignoretpm:False /full:False /crypt:7 TSManager 23.8.2021 15.18.03 1304 (0x0518)
Start executing the command line: OSDOfflineBitlocker.exe /enable /drive:%OSDisk% /ignoretpm:False /full:False /crypt:7 TSManager 23.8.2021 15.18.03 1304 (0x0518)
!--------------------------------------------------------------------------------------------! TSManager 23.8.2021 15.18.03 1304 (0x0518)
Expand a string: WinPE TSManager 23.8.2021 15.18.03 1304 (0x0518)
Executing command line: OSDOfflineBitlocker.exe /enable /drive:%OSDisk% /ignoretpm:False /full:False /crypt:7 with options (0, 4) TSManager 23.8.2021 15.18.03 1304 (0x0518)
==============================[ OSDOfflineBitlocker.exe ]============================== OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Running module version 5.0.9049.1000 from location 'X:\sms\bin\x64\OSDOfflineBitlocker.exe' OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Command line: "OSDOfflineBitlocker.exe" /enable /drive:C: /ignoretpm:False /full:False /crypt:7 OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Initialized COM OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Command line for extension .exe is "%1" %* OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Set command line: "OSDOfflineBitlocker.exe" /enable /drive:C: /ignoretpm:False /full:False /crypt:7 OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
User specified valid encrypt method value: xts_aes256 OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Target drive is C: OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Initializing TPM... OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Tpm is enabled OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Tpm is activated OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Tpm is not owned OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Tpm ownership is allowed OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Tpm has compatible SRK OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Tpm has EK pair OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Initial TPM state: 55 OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Creating TPM owner authorization value OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Succeeded loading resource DLL 'X:\sms\bin\x64\1033\TSRES.DLL' OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Taking ownership of TPM OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
uStatus == 0, HRESULT=80070002 (..\tpm.cpp,645) OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
'TakeOwnership' failed (2147942402) OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
pTpm->TakeOwnership(sOwnerAuth), HRESULT=80070002 (offlinebitlocker.cpp,204) OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Failed to take ownership of TPM. Ensure that Active Directory permissions are properly configured
The system cannot find the file specified. (Error: 80070002; Source: Windows) OSDOfflineBitLocker 23.8.2021 15.18.03 908 (0x038C)
Process completed with exit code 2147942402 TSManager 23.8.2021 15.18.03 1304 (0x0518)
!--------------------------------------------------------------------------------------------! TSManager 23.8.2021 15.18.03 1304 (0x0518)
Failed to run the action: Pre-provision BitLocker. Error -2147024894 TSManager 23.8.2021 15.18.03 1304 (0x0518)
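
The log excerpt above reports one failure in three notations: hex `80070002`, unsigned `2147942402` and signed `-2147024894`. The following Python sketch is an added example, not part of the original post or of Configuration Manager; it normalizes those forms to a single HRESULT and splits it into facility and code. The regexes and function names are assumptions made for this illustration.

```python
import re

# Lines copied from the log excerpt in the post above
# (component and timestamp columns trimmed).
SAMPLE_LOG = """\
Tpm is enabled
Tpm is activated
Tpm is not owned
Tpm ownership is allowed
Taking ownership of TPM
uStatus == 0, HRESULT=80070002 (..\\tpm.cpp,645)
'TakeOwnership' failed (2147942402)
Process completed with exit code 2147942402
Failed to run the action: Pre-provision BitLocker. Error -2147024894
""".splitlines()

# Each pattern captures an error code and names the base it is written in.
CODE_PATTERNS = [
    (re.compile(r"HRESULT=([0-9A-Fa-f]{8})"), 16),  # hex form
    (re.compile(r"failed \((\d+)\)"), 10),           # unsigned decimal
    (re.compile(r"exit code (\d+)"), 10),            # unsigned decimal
    (re.compile(r"\bError (-?\d+)"), 10),            # signed decimal
]

def normalize(text, base):
    """Return the code as an unsigned 32-bit value, whatever form the log used."""
    return int(text, base) & 0xFFFFFFFF

def decode_hresult(value):
    """Split an HRESULT into its severity bit, facility and 16-bit code."""
    return {"failure": bool(value >> 31),
            "facility": (value >> 16) & 0x7FF,
            "code": value & 0xFFFF}

def triage(lines):
    """Collect the TPM state lines and every error code, normalized."""
    state, codes = [], []
    for line in lines:
        if line.startswith("Tpm "):
            state.append(line.strip())
        for pattern, base in CODE_PATTERNS:
            match = pattern.search(line)
            if match:
                codes.append(normalize(match.group(1), base))
    return {"tpm_state": state, "codes": codes, "distinct": sorted(set(codes))}

if __name__ == "__main__":
    for value in triage(SAMPLE_LOG)["distinct"]:
        print(f"0x{value:08X}", decode_hresult(value))
```

All four code occurrences collapse to 0x80070002: facility 7 (Win32) with code 2, the Win32 error whose text, "The system cannot find the file specified", appears in the log itself.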


8 answers

  1. Jonathan Conway 36 Reputation points
    2021-11-24T18:49:51.967+00:00

    Having the same issue with a couple of customers. Is there any news on when a fix might be released? Would it be helpful or wasteful to raise a support ticket for this?


  2. Matt Dillon 1,211 Reputation points
    2021-10-26T18:30:55.123+00:00

    The workaround is not working on a DELL Precision 7510 or 7520. I tried adding the Key Storage setting in BIOS and that failed as well. Client is sending me the laptop so I can try everything on my own instead of relying on info sent to me via email.


  3. C Filip 6 Reputation points
    2021-10-12T12:00:18.367+00:00

    Workaround worked for me. Imaging was done from within the running old OS (without USMT, complete wipe). Newly installed OS was W10 21H1 19043.1237. Documentation for registry value OSManagedAuthLevel: https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings

    1 person found this answer helpful.

  4. John Osti 1 Reputation point
    2021-10-12T06:08:42.837+00:00

    I did try the fix; it works fine when building via PXE or USB media, but when OSD imaging inside Windows with USMT I receive the same error. Anyone else having this issue?


  5. C Filip 6 Reputation points
    2021-10-11T15:17:49.52+00:00

    Same problem confirmed on DELL Latitude 5310 as well. We will try the suggested workaround. Thank you.
