Search the Community

Hi all, First time poster, so apologise in advance if I post incorrectly. Currently building Windows 10 devices, some are upgrades from Windows 7 to Windows 10 and others are fresh Windows 10 using SCCM (MDT integrated). This works as expected, but when I log in and check TPM Administration the following message show up Reduced Functionality errors codes 0x400900 = The Device lock counter has not be created 0x2900 = The monotonic counter incremental during the boot has not been created Do I need to do something in the Task Sequence to clear the protectors or clear TPM before BitLocker is enabled Cheers all

Hi all, I'm hoping that someone can help as I'm really struggling to find anyone else that's had this specific problem. When trying to build brand new HP equipment with an SCCM (MDT integrated) OSD task sequence I am seeing the following error when the machine runs the "Invoke-MbamClientDeployment.ps1" script: Failed to escrow TPM owner-auth to http://MBAMSERVER.domain/MBAMRecoveryAndHardwareService/CoreService.svc. HRESULT: 0x80280012 I've found that 0x80280012 means "There is no Storage Root Key (SRK) set." but I'm struggling to understand why this error only effects some new machines and not others even though they are all the same model and spec. We have a workaround which seems to be working every single time which is to turn on a new machine and let it run through OOBE of the shipped W10 OS then once completed, reboot the machine and PXE boot to the W10 Task Sequence. So something during the OOBE of a brand new machine seems to be creating/setting the SRK for the very first time. Does anyone have any ideas as to what might be causing this and how/when a TPM SRK is initially created? Thanks in advance, Westy

I am testing what happens when users enter their bitlocker PIN wrong too many times, but cannot find a way to access the password to unlock the TPM. I believe all that is visible is a hash of it. Does anyone have any info on this? At the moment, all i can do is leave the computer logged in with recovery key and left active until the TPM reset period passes.

I seem to have an issue where I cannot control the behaviour of our TPMs in our Panasonic Devices via Group Policy. I have issues where the TPMs (Manufactured by Infineon) in our Panasonic AX3s seem to lockout far too easily, previously I have not applied any group policy settings to control the behaviour of the TPMs themselves as during testing they seemed fine. Now I have tried to apply settings to set the standard user lockout threshold and maximum number of authorisations, on our Panasonic Devices I cannot seem to set these settings, its like the TPM ignores the commands from group policy. I have tried this on some Lenovo devices (TPM is manufactured by STM) built in exactly the same manner and the TPM will accept the commands. Has anyone else had this issue with these or similar devices at all?, all of our devices are built identical with the TPM being initialised during a build sequence and they are setup with Bitlocker using MBAM 2.0. Any help would be most appreciated. Thanks

Hi, Let me firts explain how i inherited this: I have a TS in sccm 2007R3 that deployes windows 7 and does the following in the bitlocker steps on standalone laptops(not domain joined after ts finishes): ( password and tpm already activated and set in bios with cctk tools) Bitlocker step: 1. manage-bde -tpm -turnon 2. reboot 3. (depending on the laptop model we must manualy press "y" to activate the tpm. In our case fujitsu laptops S781. for our dell laptops this is not requierd) 4. manage-bde -tpm -takeownership <password> 5. manage-bde -protectors -add c: -tpmandpin <password> 6. default enabel bitlocker step with default values(recovery key in ad etc ) Bitlocker policy's are set via localgpo tool before bitloker step. This all works for new deployments. When reimaging these standalone laptops steps 1-4-5 fail because this has already been set. Question: 1. Is this the best way to do this? 2. Does the tpm ownership get wiped when laptops are reimaged or is this the same password? 3. Can u use the same recovery key from AD or is there a new one generated every time we reimage a laoptop? 3. Is it needed to take ownership for tpm? Keep in mind that after these laptops are imaged, users must logon with pin number and users must not be able to change bitlocker or tpm ownership/keys. thanks in advanced for ur help. Charles

I am trying to enable and activate the TPM chip on the Dell machine's we have. So far I have created the CCTK package, pushed it to my DP, etc, but it keeps failing at setting the BIOS password. I have been unable to get my task sequence to complete. Everything that I have read so far seems to lead me in the same direction, and yet I can get nothing to cooperate.