During an SCCM 2012 Task Sequence step that starts BitLocker encryption of the OS drive, the Task Sequence failed with the following error:
___________________________________________________________________________
The task sequence execution engine failed executing the action (BitLocker on C: Drive) in the group () with the error code 2147500037
Action output: ==============================[ OSDBitLocker.exe ]==============================
Command line: "OSDBitLocker.exe" /enable /wait:True /mode:TPM /pwd:AD
'IsSrkAuthCompatible' failed (2150105106)
'IsEndorsementKeyPairPresent' failed (2150105095)
TPM cannot be enabled without physical presence. The operating system reported error 2147500037: Unspecified error
__________________________________________________________________________
The reason for this BitLocker error is that the TPM had not been enabled in the BIOS before the BitLocker step of the SCCM Task Sequence ran.
For HP models, one solution is to export the BIOS configuration to a text file and locate the setting that enables the TPM:
BiosConfigUtility.exe /getconfig:config.txt
Copy that BIOS setting, with the desired value selected, into a separate file that will be used to modify the BIOS settings.
The following commands apply specifically to HP machines:
BiosConfigUtility.exe /CurSetupPassword:"password" /setconfig:EnableTPM.REPSET
For the HP EliteBook 2570p, the EnableTPM.REPSET file should look like this:
English
TPM Activation Policy
F1 to Boot
Allow user to reject
*No prompts
Activate TPM On Next Boot
Disable
*Enable
BiosConfigUtility can be downloaded from the HP web site.
Tuesday, October 22, 2013
Thursday, October 17, 2013
Enabling TPM on HP machines using SCCM 2012
To enable the TPM on HP machines there is a tool from HP, the BIOS Configuration Utility, that modifies BIOS settings from within Windows. To change specific BIOS values, first export the current settings with the following command:
BiosConfigUtility.exe /getconfig:filename.txt
After reviewing the exported file, copy the values you want to change into a new file.
For example, to activate the TPM on an HP ProBook 6565b, these values should be used:
English
OS Management of TPM
Disable
*Enable
Embedded Security Activation Policy
F1 to Boot
Allow user to reject
*No prompts
Activate Embedded Security On Next Boot
Disable
*Enable
The next step is to execute the command that activates the TPM on the specified model. It is important to note that a BIOS setup password must already be set for this step to work.
Here is the command:
biosconfigutility.exe /CurSetupPassword:"password" /setconfig:EnableTPM.REPSET
This command can be placed in a .cmd file and, together with the EnableTPM.REPSET file, added to an SCCM package that is later executed from the Task Sequence.
If you need to verify whether the TPM is enabled in the BIOS, this WMI query can be used:
SELECT * FROM Win32_Tpm where IsEnabled_InitialValue="False"
This query is run against the following WMI namespace:
root\cimv2\Security\MicrosoftTpm
This query can be placed in the Task Sequence.
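The two posts above describe the same procedure in pieces: check the TPM state through Win32_Tpm, run BiosConfigUtility with the REPSET file only when the TPM is not yet enabled, and reboot so the BIOS change takes effect. The following PowerShell script is an added example that ties those steps together for use as a "Run PowerShell Script" step in the Task Sequence; it is not code from the original posts or from HP. It assumes, as labelled in the comments, that BiosConfigUtility.exe and EnableTPM.REPSET sit next to the script in the package, that the BIOS setup password is supplied through a hidden Task Sequence variable named BiosSetupPassword rather than hard-coded in the package, and that a later "Restart Computer" step is conditioned on the variable TpmNeedsReboot equalling "True".

```powershell
# Added example, not from the original posts: enable the HP TPM from an SCCM Task Sequence
# only when WMI reports it is not ready, then flag that a reboot is required.
# Assumptions (not on the original page):
#   - BiosConfigUtility.exe and EnableTPM.REPSET are in the same folder as this script.
#   - The BIOS setup password is in a hidden TS variable "BiosSetupPassword".
#   - A later "Restart Computer" step has the condition TpmNeedsReboot = "True".

$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$bcu       = Join-Path $scriptDir 'BiosConfigUtility.exe'
$repset    = Join-Path $scriptDir 'EnableTPM.REPSET'

# Same namespace and class the post's WQL query uses.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue

if ($null -eq $tpm) {
    # When the TPM is disabled/hidden in the BIOS, Windows exposes no Win32_Tpm instance at all.
    Write-Host 'No TPM device is visible to Windows.'
    $tpmReady = $false
} else {
    Write-Host ('IsEnabled_InitialValue={0} IsActivated_InitialValue={1} IsOwned_InitialValue={2}' -f `
        $tpm.IsEnabled_InitialValue, $tpm.IsActivated_InitialValue, $tpm.IsOwned_InitialValue)
    # A TPM protector needs the chip enabled and activated; ownership is taken later by BitLocker.
    $tpmReady = [bool]$tpm.IsEnabled_InitialValue -and [bool]$tpm.IsActivated_InitialValue
}

# Task Sequence environment COM object; only exists while an SCCM TS is running.
$tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment

if ($tpmReady) {
    Write-Host 'TPM already enabled and activated; skipping BIOS change.'
    $tsEnv.Value('TpmNeedsReboot') = 'False'
    exit 0
}

# Read the setup password from the hidden TS variable instead of embedding it in the package.
$setupPassword = $tsEnv.Value('BiosSetupPassword')
if ([string]::IsNullOrEmpty($setupPassword)) {
    Write-Warning 'TS variable BiosSetupPassword is not set; cannot modify BIOS settings.'
    exit 1
}

if (-not (Test-Path $bcu) -or -not (Test-Path $repset)) {
    Write-Warning "Missing $bcu or $repset in the package."
    exit 1
}

# Same invocation the posts use; BiosConfigUtility returns 0 on success.
$args = @("/CurSetupPassword:`"$setupPassword`"", "/setconfig:`"$repset`"")
$proc = Start-Process -FilePath $bcu -ArgumentList $args -Wait -PassThru -NoNewWindow

if ($proc.ExitCode -ne 0) {
    Write-Warning "BiosConfigUtility failed with exit code $($proc.ExitCode)."
    exit $proc.ExitCode
}

# The new BIOS values apply on the next boot, so tell the TS a restart is needed
# before the "Enable BitLocker" step runs.
$tsEnv.Value('TpmNeedsReboot') = 'True'
exit 0
```

Because the script exits non-zero when BiosConfigUtility fails or the password variable is missing, the Task Sequence stops at this step instead of reaching the BitLocker step and producing the "TPM cannot be enabled without physical presence" error shown in the first post. The IsEnabled_InitialValue and IsActivated_InitialValue values are also written to the step output, so the smsts.log records why the BIOS change was or was not attempted.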
Friday, October 4, 2013
Initializing the TPM Security hardware. Access denied.
During manual activation of BitLocker to encrypt the operating system drive, the message "Access Denied" appears.
Note that the TPM is already configured on the local machine. The message appears because a GPO is configured to back up TPM owner information to Active Directory.
The problem is that the computer account does not have sufficient permissions to write the requested TPM information to AD.
To grant the required permissions, there is an excellent article from the Microsoft Core Team:
http://blogs.technet.com/b/askcore/archive/2010/03/30/access-denied-error-0x80070005-message-when-initializing-tpm-for-bitlocker.aspx
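After the permissions from the linked article have been applied, the useful check is whether the TPM owner information actually reached the computer object in AD. The following PowerShell script is an added example for that check; it is not from the original post or the linked article. It assumes the domain schema includes the msTPM-OwnerInformation attribute used by the TPM backup GPO (the Windows Server 2008 BitLocker/TPM schema extension) and that the account running it is allowed to read that attribute, which is marked confidential in the schema; the computer name is passed as a parameter.

```powershell
# Added example, not from the original post: verify that a computer's TPM owner
# information has been escrowed to its Active Directory computer object.
# Assumptions (not on the original page): the schema contains msTPM-OwnerInformation
# and the caller has read access to that confidential attribute.
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName
)

# [ADSISearcher] wraps System.DirectoryServices.DirectorySearcher and needs no RSAT module.
# Computer accounts have a trailing '$' in sAMAccountName.
$searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
$searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
$searcher.PropertiesToLoad.Add('msTPM-OwnerInformation') | Out-Null

$result = $searcher.FindOne()
if ($null -eq $result) {
    Write-Warning "Computer account '$ComputerName' was not found in AD."
    exit 2
}

# DirectorySearcher returns property names in lower case.
$dn        = $result.Properties['distinguishedname'][0]
$ownerInfo = $result.Properties['mstpm-ownerinformation']

if ($ownerInfo -ne $null -and $ownerInfo.Count -gt 0) {
    Write-Host "TPM owner information is present on $dn"
    exit 0
}

# Either the backup never succeeded (for example the Access Denied case described above)
# or the attribute is present but not readable by this account.
Write-Host "No TPM owner information readable on $dn"
exit 1
```

Run it as a Domain Admin (or an account explicitly granted read access to the attribute) after initializing the TPM on a test machine; an exit code of 1 immediately after a successful initialization indicates the computer still lacks the self-write permission the linked article describes.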