BitLocker Task Sequence Error - "The context blob is invalid" (0x8028005A)

[rclayt]

Hello, I'm having a problem enabling BitLocker on Windows 10 v1607 during the task sequence for one model laptop: Dell Latitude E5450 -- except that it does work about 10% of the time. I haven't been able to narrow it down to a specific hardware problem and different BIOS update versions and drivers also result in mixed successes (even on the same exactly laptop). Strangely, the E5450 model has worked historically with the Windows 10 LTSB 2015 version and BitLocker.

 

Models in our environment that work 100% off the time (with the same exactly task sequence) include Latitude E6430, E5440, and E5470. We're using SCCM Current Branch and PXE boot for OS deployment. We do not have any integration with MDT or MBAM. With the E5450s, when it fails it does so at the default Enable BitLocker step. The Enable BitLocker step is configured for TPM Only, create recovery key in Active Directory, and Wait for BitLocker to complete. Also, prior to being built, the computers will have the TPM manually cleared in the BIOS (if previously BitLockered) and the disks formatted at the beginning of the build.

 

Here's a snippet from the smsts logs for the Enable BitLocker step on a failed build:

 

Command line: "OSDBitLocker.exe" /enable /wait:True /mode:TPM /pwd:AD
Initialized COM
Command line for extension .exe is "%1" %*
Set command line: "OSDBitLocker.exe" /enable /wait:True /mode:TPM /pwd:AD
Target volume not specified, using current OS volume
Current OS volume is 'C:'
Succeeded loading resource DLL 'C:\WINDOWS\CCM\1033\TSRES.DLL'
Protection is OFF
Volume is fully decrypted
Tpm is enabled
Tpm is activated
Tpm is owned
Tpm ownership is allowed
Tpm has compatible SRK
Tpm has EK pair
Initial TPM state: 63
TPM is already owned.
Creating recovery password and escrowing to Active Directory
Set FVE group policy registry keys to escrow recovery password
Set FVE group policy registry key in Windows 7
Set FVE OSV group policy registry keys to escrow recovery password
Using random recovery password
Protecting key with TPM only
uStatus == 0, HRESULT=8028005a (e:\qfe\nts\sms\framework\tscore\encryptablevolume.cpp,1304)
'ProtectKeyWithTPM' failed (2150105178)
hrProtectors, HRESULT=8028005a (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1252)
Failed to enable key protectors (0x8028005A)
CreateKeyProtectors( keyMode, pszStartupKeyVolume ), HRESULT=8028005a (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1322)
ConfigureKeyProtection( keyMode, pwdMode, pszStartupKeyVolume ), HRESULT=8028005a (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1517)
pBitLocker->Enable( argInfo.keyMode, argInfo.passwordMode, argInfo.sStartupKeyVolume, argInfo.bWait ), HRESULT=8028005a (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\main.cpp,382)
Process completed with exit code 2150105178
Failed to run the action: Enable BitLocker. The context blob is invalid. (Error: 8028005A; Source: Windows)

 

 

On successful builds, the snippet is the exact same up to the "Protecting key with TPM only" line. At that point, it continues with the following before moving on to the next step:

 

Protecting key with TPM only

Encrypting volume 'C:'
Reset FVE group policy registery key
Reset FVE group policy registry key in Windows 7
Reset FVE OSV group policy registery key

 

 

 

I'm mostly wondering if anyone has seen the errors "Failed to enable key protectors (0x8028005A)" or "The context blob is invalid. (Error: 8028005A; Source: Windows)" -- or has any idea of what could cause this issue. Thank for you any help you can provide!

[rclayt]

The E5450 task sequence appears to be going through fine now after making a couple of minor changes.

We use Dell's CCTK (Dell Command Configure) to programmatically Enable and Activate the TPM during the task sequence before enabling BitLocker.

The task sequence is configured to Enable the TPM (turn it on) > Restart Computer > prepare CCTK files/drivers > sleep for 2 minutes to allow the TPM to initialize > Activate TPM. Those steps work fine for all other models we've seen apart from the E5450s.

To fix the E5450s, we use a WMI query so that the reboot steps are ignored for that model. To do this, we created a new group and moved the Restart Computer, prepare CCTK files/drivers, and sleep for 2 minutes into it. We have a WMI query on the group to only run those steps if the hardware model is not a Latitude E5450: "Select * from Win32_ComputerSystem where not Model like 'Latitude E5450%'".

We also have a reboot directly before the Enable BitLocker step. To make sure the system and TPM has time to initialize after the boot, we added a 60 second sleep directly before the Enable BitLocker step: "powershell.exe -command start-sleep 60".

Hopefully we don't see any more strangeness with this model!