04 March 2016

Bitlocker Access is Denied

We recently started getting access is denied when trying to enable bitlocker on our Dell Latitude E7440 models. At first we thought it was a problem with the laptop itself upon the first occurrence of it. We were able to image all other models with no problems. We contacted Dell Premiere support and they concurred. They said that replacing the motherboard should rectify the issue since the issue seemed to be with the TPM chip. Dell replaced the motherboard and this issue persisted. We imaged other E7440 laptops and got the same error. Actually, the access is denied appeared when we went to manually encrypt the laptops. We would get Error code: 0x80070005 when trying to enable bitlocker via the control panel. The build would fail when it tried to enable the bitlocker. When I looked at the event viewer logs, I found the following errors:

At this point, we thought the issue might have been with the build process. We started combing through the build trying to find out what might be wrong. The problem was that all other model systems worked, except for this one. We did the following steps in troubleshooting:

  1. Verified all other model laptops enable bitlocker with no issues
  2. The same task sequence is used on all laptops. The only differences are drivers and bios.
  3. We followed the procedure from this blog that fixed this issue for some users. It did not fix it for our systems.
  4. We verified the BIOS is updated to the latest version
  5. Dell replaced the motherboard and HDD
  6. Windows 7 32-Bit installs and bitlockering on this model had no issues
  7. We verified that the system will bitlocker if we move it to the computers container in active directory
  8. We noticed two problems with the BIOS. The first is that it will not activate the TPM on the first try. When you click activate, apply, and exit, the system reboots, but it goes back to deactivate. It takes two times to activate it. The second problem is pxe booting. When we select to boot from the NIC, the system reboots on the first try. These problems are happening to all of our E7440 laptops.
  9. I laid down a base windows 7 image with no drivers or windows updates. The only driver I installed was the NIC for network connectivity. When I joined it to the domain, it still gave access denied.
  10. I downgraded the BIOS
  11. We disabled the Cisco Anywhere Connect VPN software from being installed during the build. I ran across troubleshooting post for the access is denied where they recommended uninstall any VPN software. This did not fix the issue.
  12. I gave the SELF account full control of the specific computer in active directory with no success
  13. One more suggestion we found that some said worked was upgrading the firmware to the latest version for the HDD. We were not able to get the firmware to upgrade on our flash HDD.
  14. We were able to get systems to bitlocker if we joined the system to a local workgroup, changed the name of the system to one that had never been used before, and then joined the domain.
  15. We were able to get systems to bitlocker if we moved the system in active directory to the computers container where it gets no GPOs.
  16. We also noticed other problems with the E7440. When you go into the BIOS to turn on, clear, and activate the TPM, it does not behave correctly. Once you have completed the clear process, the TPM is automatically put into deactivated mode. You must then reboot the system for it to take effect. Next, you click to activate the TPM, it shows it is activated, but when you reboot and go back into the BIOS, the TPM is showing as deactivated. The activation step must be done twice. The second issue we found was with PXE booting. Sometimes when we hit F12, select Onboard NIC, the system will reboot when it begins the initializing step of the PXE process.
By this time, we had spent almost 70 hours troubleshooting this, including Dell support trying to help. Finally I decided to find out exactly what the Bitlocker GPO changed on system. I found it pushed two registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE and HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM. I deleted those registry keys out and then tried to enable bitlocker through the control panel. It worked. I knew at this point, it had to be with the system and not the GPO, especially since it worked with all other systems. The next thing that needed to be done was to make sure the recovery key got to active directory. I ran a GPUPDATE.EXE to force the registry keys back down to the system. I then ran manage-bde -protectors -get c: to get the numerical password ID. Finally, I ran manage-bde -protectors -adbackup c: -id {Numerical ID} to push the key to active directory and it worked! My next step was to make sure this same process would work on other model systems so that we could have a single process to work on all instead of having more than one. It does successfully work on the other models. 

I have written two PowerShell scripts, with the help of PowerShell Studio by Sapien Technologies, that bitlocker the systems. The first script uses BitlockerSAK to make sure the TPM is ready to be used. Once it verifies the TPM is turned on, cleared, and activated, the script deletes the FVE and TPM registry keys. The next step is does is to take ownership of the TPM. To take ownership of the TPM, it needs the BIOS password, which is a mandatory parameter upon the execution of the script. The next step is to enable bitlocker. A group policy update is now necessary to repopulate the registry keys the script deleted earlier. Next, the script gets the Bitlocker ID using the function provided by PowerShell District. This is necessary for the next step that pushes the recovery key to active directory. At this point, the script is finished and the system must be rebooted in order for bitlocker to begin encrypting the drive. 

There is a second script for the actual encryption process. This script is executed as the next task sequence. It first waits for the fvenotify.exe to begin. The script waits 5 minutes for this to begin. If it does not begin within 5 minutes, the script exits with an error code 1. Once the fvenotify.exe is a process, the script waits until it disappears. This is intended to delay a build until the encryption process is completed. 

You can download the scripts from the following links:

       Created with:      SAPIEN Technologies, Inc., PowerShell Studio 2015 v4.2.99  
       Created on:       2/25/2016 4:29 PM  
       Created by:       Mick Pletcher  
       Filename:        BitlockerSystem.ps1  
           This script waits for the bitlocker process to begin. If the bitlocker  
           process does not begin within 5 minutes, the script exits with an error  
           code 1. If the process does begin, then the script waits until   
           bitlocker is complete with encrypting the system.  
 #Declare Variables  
 Set-Variable -Name CurrentTime -Scope Local -Force  
 Set-Variable -Name Difference -Scope Local -Force  
 Set-Variable -Name Output1 -Scope Local -Force  
 Set-Variable -Name Output2 -Scope Local -Force  
 Set-Variable -Name Output3 -Scope Local -Force  
 Set-Variable -Name Process -Value $null -Scope Local -Force  
 Set-Variable -Name StartTime -Scope Local -Force  
 $StartTime = Get-Date  
 $Output1 = "Waiting for Bitlocker Encryption to begin....."  
 While ($Process -eq $null) {  
      Start-Sleep -Seconds 5  
      $Process = Get-Process -Name fvenotify -ErrorAction SilentlyContinue  
      $CurrentTime = Get-Date  
      $Difference = (New-TimeSpan -Start $StartTime -End $CurrentTime).minutes  
      If ($Difference -eq 5) {  
           Exit 1  
 $Output1 = $Output1 + "Completed"  
 $Output2 = "Bitlockering System....."  
 while ($Process -ne $null) {  
      $Process = $null  
      $Process = Get-Process -Name fvenotify -ErrorAction SilentlyContinue  
      $Output3 = manage-bde -status $env:HOMEDRIVE  
      Start-Sleep -Seconds 60  
 Write-Host "Complete" -ForegroundColor Yellow  
 #Cleanup Variables  
 Remove-Variable -Name CurrentTime -Scope Local -Force  
 Remove-Variable -Name Difference -Scope Local -Force  
 Remove-Variable -Name Output1 -Scope Local -Force  
 Remove-Variable -Name Output2 -Scope Local -Force  
 Remove-Variable -Name Output3 -Scope Local -Force  
 Remove-Variable -Name Process -Scope Local -Force  
 Remove-Variable -Name StartTime -Scope Local -Force  

      Created with:     SAPIEN Technologies, Inc., PowerShell Studio 2015 v4.2.99  
      Created on:       2/26/2016 2:02 PM  
      Created by:       Mick Pletcher  
      Filename:         EnableBitlocker.ps1  
           This script will enable bitlocker on a system. It first tests the   
           system to make sure the TPM is ready for bitlocker. If it passes  
           the test, then it does the following:  
           1) Deletes the FVE and TPM registry keys  
           2) Takes ownership of the TPM  
           3) Enables bitlocker  
           4) Performs a gpupdate  
           5) Gets the bitlocker recovery key ID  
           6) Backs up the recovery key to active directory  
      [Parameter(Mandatory = $true)][string]$BIOSPassword  
 Function BitLockerSAK {  
      Get and set Bitlocker related information.  
      Based on WMI classes, this function can achiev the following tasks :  
   --TPM operations---  
     -TPM activation state.  
     -If the TPM is enabled or not.  
     -If a TPM OwnerShip is Allowed.  
     -If the TPM is currently owned.  
     -The possibility to take the ownerShip  
   --Encryption possibilities ---  
     - Retrieves the current encryption method.  
     - Get the current protection status.  
     - The current protection state.  
     - The possibility to encrypt a Drive.  
     - The possibility to Resume an encryption that has been paused.  
     - Possibility to return the current protector ID's.  
     - Possibility to return the current protector type(s).  
     - Retrieves the Volume key protector Passwords  
 .PARAMETER isTPMActivated  
      Returns activation state of the TPM:  
   Returns true if activated and false if not.  
 .PARAMETER isTPMEnabled  
      Returns the enabled state of the TPM:  
   Returns true if activated and false if not.  
 .PARAMETER IsTPMOwnerShipAllowed  
   Returns if the TPM ownership is allowed.  
   Returns true if allowed, false if not.  
 .PARAMETER ResumeEncryption  
   Will resume an paused encryption.  
 .PARAMETER GetEncryptionState  
   Returns the current encurrent state in an object as wolled :   
 .PARAMETER GetProtectionStatus  
   Returns the current protection status. It will return "Protected" if the drive is 100% encrypted, and "Unprotected" if anything else then "100% encrypted".  
 .PARAMETER Encrypt  
   Will encrypt a drive.  
 .PARAMETER TakeTPMOwnerShip  
   Returns true if allowed, false if not  
   Is needed in order to take the ownership and to encrypt the drive.  
   Returns true if owned, false if not  
 .PARAMETER GetKeyProtectorIds  
   Returns all the protector id's available on the machine.  
 .PARAMETER GetKeyProtectorType  
   Returns the type of protector that is currently in use.  
 .PARAMETER GetEncryptionMethod  
   REturns the current encryption method that is in use.  
 .PARAMETER GetKeyProtectorNumericalPassword  
   Returns a given numerical password based on a Protector ID value.  
   The ProtectorID value is mandatory, and must be passed using the parameter VolumeKeyProtectorID.   
 .PARAMETER VolumeKeyProtectorID  
   This parameter will work only in conjunction with GetKeyProtectorNumericalPassword switch.  
   It must contain the ProtectorID from which the desired Numerical Password will be returned.  
 .PARAMETER GetKeyProtectorTypeAndID  
   The GetKeyProtectorTypeAndID switch will return all the existing key protector ID's and their type of the Keys existing on the machine.  
 .PARAMETER Whatif  
      Permits to launch this script in "draft" mode. This means it will only show the results without really making generating the files.  
 .PARAMETER Verbose  
      Allow to run the script in verbose mode for debbuging purposes.  
 Returns the current status of the drives.  
 IsTPMOwned         : True  
 EncryptionMethod      : AES_128  
 IsTPMOwnerShipAllowed    : True  
 IsTPMActivated       : True  
 IsTPMEnabled        : True  
 CurrentEncryptionPercentage : 100  
 EncryptionState       : FullyEncrypted  
 ProtectorIds        : {{FFC19381-6E75-4D1E-94E9-D6E0D3E681FA}, {65AF5A93-9846-47AC-B3B1-D8DE6F06B780}}  
 KeyProtectorType      : {Numerical password, Trusted Platform Module (TPM)}  
 BitLockerSAK -GetProtectionStatus  
 Returns the current protection status : Protected or unprotected  
 BitLockerSAK -GetEncryptionState  
 CurrentEncryptionProgress is express in percentage.   
 CurrentEncryptionProgress EncryptionState                                             
 ------------------------- ---------------                                             
            100 FullyEncrypted  
 Get all the key protectors and their respective ID's and protector types from the current machine.  
 BitLockerSAK -GetKeyProtectorTypeAndID  
 KeyProtectorID                                           KeyProtectorType                                            
 --------------                                           ----------------                                            
 {AB1535D4-ECB3-49D6-8AB1-E334A4F60579}                               Numerical password                                           
 {B1BDF8CD-55F2-4532-A93F-4B1AF4F22B55}                               Trusted Platform Module (TPM)  
 Get the numerical password from a specefic Key using the ID.  
 BitLockerSAK -GetKeyProtectorNumericalPassword -VolumeKeyProtectorID "{AB1535D4-ECB3-49D6-8AB1-E334A4F60579}"  
 Message                              KeyProtectorNumericalPassword                   VolumeKeyProtectorID                         
 -------                              -----------------------------                   --------------------                         
 The method was successful.                     242968-693319-295251-477840-704451-214225-550055-383229      {AB1535D4-ECB3-49D6-8AB1-E334A4F60579}   
      -Author: Stephane van Gulick  
      -Email :   
      -CreationDate: 13-01-2014  
      -LastModifiedDate: 11.06.2015  
      -Version: 1.5  
   #0.1 : Created function  
   #1.1 : 20140901 Added GetProtectorIds  
   #1.2 : 20140909 Rewrote function  
           Added GetKeyprotectorType  
           Added EncryptionMethod  
      #1.3 : 20141003 Added TPM conditions.  
   #1.4 : Possiblity to select drive letter, added RemoveKeyProtectors.  
     --> GetKeyProtectorTypeAndID,  
     --> DeleteKeyProtectors,  
     --> ProtectorIDs,  
     --> DeleteKeyProtector,  
     --> PauseEncryption,  
     --> PauseDecryption,  
     --> Decrytp  
   #1.4.1 --> updated help with GetKeyPRotectedID instead of KeyProtectedID parameter  
   #1.5 Added GetKeyProtectorNumericalPassword and VolumeKeyProtectorID parameters.  
      Param (  
           [Parameter(ParameterSetName = 'OwnerShip')][switch]$TakeTPMOwnerShip,  
           [Parameter(ParameterSetName = 'OwnerShip')][int]$pin,  
                if ($_ -match '^[A-Z]{1}[:]') {  
                     return $true  
                } else {  
                     Write-Warning 'The drive letter parameter has to respect the following case: DriverLetter+Colomn EG: --> C: --> D: --> E: '  
                     return $false  
           })][string]$DriveLetter = 'C:',  
           [Parameter(ParameterSetName = 'NumericalPassword')][Switch]$GetKeyProtectorNumericalPassword,  
           [Parameter(ParameterSetName = 'NumericalPassword', Mandatory = $true)][String]$VolumeKeyProtectorID  
      Begin {  
           try {  
                $Tpm = Get-WmiObject -Namespace ROOT\CIMV2\Security\MicrosoftTpm -Class Win32_Tpm -ErrorAction Stop  
           } catch [System.Management.ManagementException]{  
                write-warning 'Could not access the WMI methods. Verify that you run the script with elevated rights and try again.'  
      Process {  
           ##Add switch to verify if enough place is present on HD (6gig are need, 10 recommended).  
           switch ($PSBoundParameters.keys) {  
                'IsTPMActivated'{ $return = if ($Tpm) { $tpm.IsActivated().isactivated }; break }  
                'IsTPMEnabled'{ $return = if ($Tpm) { $tpm.IsEnabled().isenabled }; break }  
                'IsTPMOwnerShipAllowed'{ $return = if ($Tpm) { $tpm.IsOwnerShipAllowed().IsOwnerShipAllowed }; break }  
                'IsTPMOwned'{ $return = if ($Tpm) { $Tpm.isowned().isowned }; break }  
                     write-verbose "Getting the encryptionstate of drive $($driveletter)"  
                     #We only want to work on the C: drive.  
                     $EncryptionData = Get-WmiObject -Namespace ROOT\CIMV2\Security\Microsoftvolumeencryption -Class Win32_encryptablevolume -Filter "DriveLetter = '$DriveLetter'"  
                     $protectionState = $EncryptionData.GetConversionStatus()  
                     $CurrentEncryptionProgress = $protectionState.EncryptionPercentage  
                     switch ($ProtectionState.Conversionstatus) {  
                          '0' {  
                               $Properties = @{ 'EncryptionState' = 'FullyDecrypted'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }  
                               $Return = New-Object psobject -Property $Properties  
                          '1' {  
                               $Properties = @{ 'EncryptionState' = 'FullyEncrypted'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }  
                               $Return = New-Object psobject -Property $Properties  
                          '2' {  
                               $Properties = @{ 'EncryptionState' = 'EncryptionInProgress'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }  
                               $Return = New-Object psobject -Property $Properties  
                          '3' {  
                               $Properties = @{ 'EncryptionState' = 'DecryptionInProgress'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }  
                               $Return = New-Object psobject -Property $Properties  
                          '4' {  
                               $Properties = @{ 'EncryptionState' = 'EncryptionPaused'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }  
                               $Return = New-Object psobject -Property $Properties  
                          '5' {  
                               $Properties = @{ 'EncryptionState' = 'DecryptionPaused'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }  
                               $Return = New-Object psobject -Property $Properties  
                          default {  
                               write-verbose "Couldn't retrieve an encryption state."  
                               $Properties = @{ 'EncryptionState' = $false; 'CurrentEncryptionProgress' = $false }  
                               $Return = New-Object psobject -Property $Properties  
                     write-verbose 'Resuming encryption'  
                     $ProtectionState = Get-WmiObject -Namespace ROOT\CIMV2\Security\Microsoftvolumeencryption -Class Win32_encryptablevolume -Filter "DriveLetter = '$DriveLetter'"  
                     $Ret = $protectionState.ResumeConversion()  
                     $ReturnCode = $ret.ReturnValue  
                     switch ($ReturnCode) {  
                          ('0') { $Message = 'The Method Resume Conversion was called succesfully.' }  
                          ('2150694912') { $message = 'The volume is locked' }  
                          default { $message = 'The resume operation failed with an uknowned return code.' }  
                     $Properties = @{ 'ReturnCode' = $ReturnCode; 'ErrorMessage' = $message }  
                     $Return = New-Object psobject -Property $Properties  
                } #EndResumeEncryption    
                     $ProtectionState = Get-WmiObject -Namespace ROOT\CIMV2\Security\Microsoftvolumeencryption -Class Win32_encryptablevolume -Filter "DriveLetter = '$DriveLetter'"  
                     write-verbose 'Gathering BitLocker protection status infos.'  
                     switch ($ProtectionState.GetProtectionStatus().protectionStatus) {  
                          ('0') { $return = 'Unprotected' }  
                          ('1') { $return = 'Protected' }  
                          ('2') { $return = 'Uknowned' }  
                          default { $return = 'NoReturn' }  
                     } #EndSwitch  
                } #EndGetProtection  
                     $ProtectionState = Get-WmiObject -Namespace ROOT\CIMV2\Security\Microsoftvolumeencryption -Class Win32_encryptablevolume -Filter "DriveLetter = '$DriveLetter'"  
                     write-verbose 'Launching drive encryption.'  
                     $ProtectorKey = $protectionState.ProtectKeyWithTPMAndPIN('ProtectKeyWithTPMAndPin', '', $pin)  
                     Start-Sleep -Seconds 3  
                     $NumericalPasswordReturn = $protectionState.ProtectKeyWithNumericalPassword()  
                     $Return = $protectionState.Encrypt()  
                     $returnCode = $return.returnvalue  
                     switch ($ReturnCode) {  
                          ('0') { $message = 'Operation successfully started.' }  
                          ('2147942487') { $message = 'The EncryptionMethod parameter is provided but is not within the known range or does not match the current Group Policy setting.' }  
                          ('2150694958') { $message = 'No encryption key exists for the volume' }  
                          ('2150694957') { $message = 'The provided encryption method does not match that of the partially or fully encrypted volume.' }  
                          ('2150694942') { $message = 'The volume cannot be encrypted because this computer is configured to be part of a server cluster.' }  
                          ('2150694956') { $message = 'No key protectors of the type Numerical Password are specified. The Group Policy requires a backup of recovery information to Active Directory Domain Services' }  
                          default {  
                               $message = 'An unknown status was returned by the Encryption action.'  
                     $Properties = @{ 'ReturnCode' = $ReturnCode; 'ErrorMessage' = $message }  
                     $Return = New-Object psobject -Property $Properties  
                     $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
                     $return = $BitLocker.GetKeyProtectors('0').VolumeKeyProtectorID  
                     $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
                     $EncryptMethod = $BitLocker.GetEncryptionMethod().encryptionmethod  
                     switch ($EncryptMethod) {  
                          '0'{ $Return = 'None'; break }  
                          '1'{ $Return = 'AES_128_WITH_DIFFUSER'; break }  
                          '2'{ $Return = 'AES_256_WITH_DIFFUSER'; break }  
                          '3'{ $Return = 'AES_128'; break }  
                          '4'{ $Return = 'AES_256'; break }  
                          '5'{ $Return = 'HARDWARE_ENCRYPTION'; break }  
                          default { $Return = 'UNKNOWN'; break }  
                     $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
                     $ProtectorIds = $BitLocker.GetKeyProtectors('0').volumekeyprotectorID  
                     $return = @()  
                     foreach ($ProtectorID in $ProtectorIds) {  
                          $KeyProtectorType = $BitLocker.GetKeyProtectorType($ProtectorID).KeyProtectorType  
                          $keyType = ''  
                          switch ($KeyProtectorType) {  
                               '0'{ $Keytype = 'Unknown or other protector type'; break }  
                               '1'{ $Keytype = 'Trusted Platform Module (TPM)'; break }  
                               '2'{ $Keytype = 'External key'; break }  
                               '3'{ $Keytype = 'Numerical password'; break }  
                               '4'{ $Keytype = 'TPM And PIN'; break }  
                               '5'{ $Keytype = 'TPM And Startup Key'; break }  
                               '6'{ $Keytype = 'TPM And PIN And Startup Key'; break }  
                               '7'{ $Keytype = 'Public Key'; break }  
                               '8'{ $Keytype = 'Passphrase'; break }  
                               '9'{ $Keytype = 'TPM Certificate'; break }  
                               '10'{ $Keytype = 'CryptoAPI Next Generation (CNG) Protector'; break }  
                          } #endSwitch  
                          $Properties = @{ 'KeyProtectorID' = $ProtectorID; 'KeyProtectorType' = $Keytype }  
                          $Return += New-Object -TypeName psobject -Property $Properties  
                     } #EndForeach  
                } #EndGetKeyProtectorType  
                     $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
                     $Return = $BitLocker.DeleteKeyProtectors()  
                     if ($PSBoundParameters.ContainsKey('ProtectorIDs')) {  
                          $Return = @()  
                          $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
                          foreach ($ProtID in $ProtectorIDs) {  
                               $Return += $BitLocker.DeleteKeyProtector($ProtID)  
                     } else {  
                          write-warning 'Could not delete the key protector. Missing ProtectorID parameter.'  
                          $Return = 'Could not delete the key protector. Missing ProtectorID parameter.'  
                     $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
                     $ReturnCode = $BitLocker.PauseConversion()  
                     switch ($ReturnCode.ReturnValue) {  
                          '0'{ $Return = 'Paused sucessfully.'; break }  
                          '2150694912'{ $Return = 'The volume is locked.'; Break }  
                          default { $Return = 'Uknown return code.'; break }  
                     $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
                     $ReturnCode = $BitLocker.PauseConversion()  
                     switch ($ReturnCode.ReturnValue) {  
                          '0'{ $Return = 'Paused sucessfully.'; break }  
                          '2150694912'{ $Return = 'The volume is locked.'; Break }  
                          default { $Return = 'Uknown return code.'; break }  
                     $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
                     $ReturnCode = $BitLocker.Decrypt()  
                     switch ($ReturnCode.ReturnValue) {  
                          '0'{ $Return = 'Uncryption started successfully.'; break }  
                          '2150694912'{ $Return = 'The volume is locked.'; Break }  
                          '2150694953' { $Return = 'This volume cannot be decrypted because keys used to automatically unlock data volumes are available.'; Break }  
                          default { $Return = 'Uknown return code.'; break }  
                     $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
                     $Return = @()  
                     $KeyProtectorReturn = $BitLocker.GetKeyProtectorNumericalPassword($VolumeKeyProtectorID)  
                     switch ($KeyProtectorReturn.ReturnValue) {  
                          '0' { $msg = 'The method was successful.' }  
                          '2150694912' { $msg = 'The volume is locked.'; Break }  
                          '2147942487' { $msg = "The VolumeKeyProtectorID parameter does not refer to a key protector of the type 'Numerical Password'."; Break }  
                          '2150694920' { $msg = 'BitLocker is not enabled on the volume. Add a key protector to enable BitLocker.'; Break }  
                          default { $msg = "Unknown return value: $($KeyProtectorReturn.ReturnValue)" }  
                     } #EndSwitch  
                     $Properties = @{ 'KeyProtectorNumericalPassword' = $KeyProtectorReturn.NumericalPassword; 'VolumeKeyProtectorID' = $VolumeKeyProtectorID; 'Message' = $msg }  
                     $Return += New-Object -TypeName psobject -Property $Properties  
           } #endSwitch  
           if ($PSBoundParameters.Keys.Count -eq 0) {  
                #Returning info on all drives.  
                write-verbose 'Returning bitlocker main status'  
                $Tpm = Get-WmiObject -Namespace ROOT\CIMV2\Security\MicrosoftTpm -Class Win32_Tpm  
                $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
                #If no TPM module is present  
                if ($tpm) {  
                     $TpmActivated = $tpm.IsActivated().isactivated  
                     $TPMEnabled = $tpm.IsEnabled().isenabled  
                     $TPMOwnerShipAllowed = $Tpm.IsOwnershipAllowed().IsOwnerShipAllowed  
                     $TPMOwned = $Tpm.isowned().isowned  
                $ProtectorIds = $BitLocker.GetKeyProtectors('0').volumekeyprotectorID  
                $CurrentEncryptionState = BitLockerSAK -GetEncryptionState  
                $EncryptionMethod = BitLockerSAK -GetEncryptionMethod  
                $KeyProtectorTypeAndID = BitLockerSAK -GetKeyProtectorTypeAndID  
                $properties = @{  
                     'IsTPMActivated' = $TpmActivated;`  
                     'IsTPMEnabled' = $TPMEnabled;`  
                     'IsTPMOwnerShipAllowed' = $TPMOwnerShipAllowed;`  
                     'IsTPMOwned' = $TPMOwned;`  
                     'CurrentEncryptionPercentage' = $CurrentEncryptionState.CurrentEncryptionProgress;`  
                     'EncryptionState' = $CurrentEncryptionState.encryptionState; `  
                     'EncryptionMethod' = $EncryptionMethod;`  
                     'KeyProtectorTypesAndIDs' = $KeyProtectorTypeAndID  
                $Return = New-Object psobject -Property $Properties  
      End {  
           return $return  
 Function Get-Architecture {  
      #Define Local Variables  
      Set-Variable -Name Architecture -Scope Local -Force  
      $Architecture = Get-WmiObject -Class Win32_OperatingSystem | Select-Object OSArchitecture  
      $Architecture = $Architecture.OSArchitecture  
      Return $Architecture  
      #Returns 32-bit or 64-bit  
      #Cleanup Local Variables  
      Remove-Variable -Name Architecture -Scope Local -Force  
 function Get-BiosStatus {  
      param ([String]$Option)  
      #Declare Local Variables  
      Set-Variable -Name Architecture -Scope Local -Force  
      Set-Variable -Name Argument -Scope Local -Force  
      Set-Variable -Name CCTK -Scope Local -Force  
      Set-Variable -Name Output -Scope Local -Force  
      $Architecture = Get-Architecture  
      If ($Architecture -eq "32-bit") {  
           $CCTK = $env:ProgramFiles + "\Dell\Command Configure\X86\cctk.exe"  
      } else {  
           $CCTK = ${env:ProgramFiles(x86)} + "\Dell\Command Configure\X86_64\cctk.exe"  
      $Argument = "--" + $Option  
      $Output = [string] (& $CCTK $Argument)  
      $Output = $Output.Split('=')  
      Return $Output[1]  
      #Cleanup Local Variables  
      Remove-Variable -Name Architecture -Scope Local -Force  
      Remove-Variable -Name Argument -Scope Local -Force  
      Remove-Variable -Name CCTK -Scope Local -Force  
      Remove-Variable -Name Output -Scope Local -Force  
 Function Install-EXE {  
      Param ([String]$DisplayName,  
      #Declare Local Variables  
      Set-Variable -Name ErrCode -Scope Local -Force  
      Write-Host "Install"$DisplayName"....." -NoNewline  
      If ((Test-Path $Executable) -eq $true) {  
           $ErrCode = (Start-Process -FilePath $Executable -ArgumentList $Switches -Wait -Passthru).ExitCode  
      } else {  
           $ErrCode = 1  
      If (($ErrCode -eq 0) -or ($ErrCode -eq 3010)) {  
           Write-Host "Success" -ForegroundColor Yellow  
      } else {  
           Write-Host "Failed with error code "$ErrCode -ForegroundColor Red  
      #Cleanup Local Variables  
      Remove-Variable -Name ErrCode -Scope Local -Force  
 Function Get-BitLockerRecoveryKeyId {  
      This returns the Bitlocker key protector id.  
      The key protectorID is retrived either according to the protector type, or simply all of them.  
      .PARAMETER KeyProtectorType  
      The key protector type can have one of the following values :  
      Returns all the ID's available from all the different protectors.  
     Get-BitLockerRecoveryKeyId -KeyProtectorType NumericPassword  
     Returns the ID(s) of type NumericPassword  
           Version: 1.0  
     Author: Stephane van Gulick  
     Creation date:12.08.2014  
     Last modification date: 12.08.2014  
      Param (  
           [Parameter(Mandatory = $false, ValueFromPipeLine = $false)][ValidateSet("Alltypes", "TPM", "ExternalKey", "NumericPassword", "TPMAndPin", "TPMAndStartUpdKey", "TPMAndPinAndStartUpKey", "PublicKey", "PassPhrase", "TpmCertificate", "SID")]$KeyProtectorType  
      $BitLocker = Get-WmiObject -Namespace "Root\cimv2\Security\MicrosoftVolumeEncryption" -Class "Win32_EncryptableVolume"  
      switch ($KeyProtectorType) {  
           ("Alltypes") { $Value = "0" }  
           ("TPM") { $Value = "1" }  
           ("ExternalKey") { $Value = "2" }  
           ("NumericPassword") { $Value = "3" }  
           ("TPMAndPin") { $Value = "4" }  
           ("TPMAndStartUpdKey") { $Value = "5" }  
           ("TPMAndPinAndStartUpKey") { $Value = "6" }  
           ("PublicKey") { $Value = "7" }  
           ("PassPhrase") { $Value = "8" }  
           ("TpmCertificate") { $Value = "9" }  
           ("SID") { $Value = "10" }  
           default { $Value = "0" }  
      $Ids = $BitLocker.GetKeyProtectors($Value).volumekeyprotectorID  
      return $ids  
 Function Remove-RegistryKey {  
      Param ([String]$RegistryKey,  
      #Declare Local Variables  
      Set-Variable -Name i -Scope Local -Force  
      Set-Variable -Name RegKey -Scope Local -Force  
      Set-Variable -Name RegistryKey1 -Scope Local -Force  
      Set-Variable -Name tempdrive -Scope Local -Force  
      $tempdrive = New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT  
      $RegistryKey1 = $RegistryKey.split("\")  
      switch ($RegistryKey1[0]) {  
           "HKEY_CLASSES_ROOT" { $RegistryKey1[0] = "HKCR" }  
           "HKEY_CURRENT_USER" { $RegistryKey1[0] = "HKCU" }  
           "HKEY_LOCAL_MACHINE" { $RegistryKey1[0] = "HKLM" }  
           "HKEY_USERS" { $RegistryKey1[0] = "HKU" }  
           "HKEY_CURRENT_CONFIG" { $RegistryKey1[0] = "HKCC" }  
      For ($i = 0; $i -lt $RegistryKey1.Count; $i++) {  
           $RegKey = $RegKey + $RegistryKey1[$i]  
           If ($i -eq 0) {  
                $RegKey = $RegKey + ":\"  
           } elseif ($i -ne $RegistryKey1.Count - 1) {  
                $RegKey = $RegKey + "\"  
           } else {  
                $RegKey = $RegKey  
      Write-Host "Delete"$RegKey"....." -NoNewline  
      If (Test-Path $RegKey) {  
           If (($Recurse -eq $false) -or ($Recurse -eq $null)) {  
                Remove-Item -Path $RegKey -Force  
           } elseIf ($Recurse -eq $true) {  
                Remove-Item -Path $RegKey -Recurse -Force  
           if ((Test-Path $RegKey) -eq $false) {  
                Write-Host "Success" -ForegroundColor Yellow  
           } else {  
                Write-Host "Failed" -ForegroundColor Yellow  
      } else {  
           Write-Host "Not Present" -ForegroundColor Green  
      #Cleanup Local Variables  
      Remove-Variable -Name i -Scope Local -Force  
      Remove-Variable -Name RegKey -Scope Local -Force  
      Remove-Variable -Name RegistryKey1 -Scope Local -Force  
      Remove-Variable -Name tempdrive -Scope Local -Force  
 #Declare Local Variables  
 Set-Variable -Name BitlockerID -Scope Local -Force  
 Set-Variable -Name ManageBDE -Value $env:windir"\System32\manage-bde.exe" -Scope Local -Force  
 Set-Variable -Name Switches -Scope Local -Force  
 Set-Variable -Name TPMActivated -Scope Local -Force  
 Set-Variable -Name TPMEnabled -Scope Local -Force  
 Set-Variable -Name TPMOwnershipAllowed -Scope Local -Force  
 #Check if TPM is enabled  
 $TPMEnabled = Get-BiosStatus -Option "tpm"  
 Write-Host "TPM Enabled:"$TPMEnabled  
 #Check if TPM is activated  
 $TPMActivated = Get-BiosStatus -Option "tpmactivation"  
 Write-Host "TPM Activated:"$TPMActivated  
 #Check if TPM Ownership is allowed  
 $TPMOwnershipAllowed = BitLockerSAK -IsTPMOwnerShipAllowed  
 Write-Host "TPM Ownership Allowed:"$TPMOwnershipAllowed  
 #Check if TPM is owned  
 $TPMOwned = BitLockerSAK -IsTPMOwned  
 Write-Host "TPM Owned:"$TPMOwned  
 If (($TPMEnabled -eq "on") -and ($TPMActivated -eq "activate") -and ($TPMOwnershipAllowed -eq $true) -and ($TPMOwned -eq $false)) {  
      #Delete Bitlocker GPO registry keys  
      Remove-RegistryKey -RegistryKey "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" -Recurse $true  
      Remove-RegistryKey -RegistryKey "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM" -Recurse $true  
      #Take ownership of TPM  
      $Switches = "-tpm -takeownership" + [char]32 + $BIOSPassword  
      Install-EXE -DisplayName "Take TPM Ownership" -Executable $ManageBDE -Switches $Switches  
      #Enable Bitlocker  
      $Switches = "-on" + [char]32 + $env:HOMEDRIVE + [char]32 + "-recoverypassword"  
      Install-EXE -DisplayName "Enable Bitlocker" -Executable $ManageBDE -Switches $Switches  
      #Execute GPUpdate to re-apply registry keys  
      Install-EXE -DisplayName "GPUpdate" -Executable $env:windir"\System32\gpupdate.exe" -Switches " "  
      #Retrieve numerical password ID  
      $BitlockerID = Get-BitLockerRecoveryKeyId -KeyProtectorType NumericPassword  
      #Backup recovery key to active directory  
      $Switches = "-protectors -adbackup" + [char]32 + $env:HOMEDRIVE + [char]32 + "-id" + [char]32 + $BitlockerID  
      Install-EXE -DisplayName "Backup Recovery Key to AD" -Executable $ManageBDE -Switches $Switches  
 #Cleanup Local Variables  
 Remove-Variable -Name BitlockerID -Scope Local -Force  
 Remove-Variable -Name ManageBDE -Scope Local -Force  
 Remove-Variable -Name Switches -Scope Local -Force  
 Remove-Variable -Name TPMActivated -Scope Local -Force  
 Remove-Variable -Name TPMEnabled -Scope Local -Force  
 Remove-Variable -Name TPMOwnershipAllowed -Scope Local -Force  


  1. I think you may be going the wrong direction here. Based on your event logs, I am guessing that you are running Windows 8 or newer, and that these computers experiencing the problem have been imaged at least once before. the access denied error you're getting is when windows tries to save the TPM key to Active Directory. Your GPO probably requires the TPM key be written to AD, which is why bitlocker works fine when the GPO is not applied. By enabling bitlocker with the GPO not applied, then applying the settings afterwards, you are not getting the info saved to AD.

    I believe that the root issue may be that the domain accounts for these computers were deleted without removing the TPM info from AD first. Windows 8 changed the location in AD that it saves the TPM to, and if the computer account gets deleted the TPM info will be left behind, orphaned.
    When a new computer account is created, and you try to enable the TPM and back up to AD, the object already exists, and the computer doesn't have permission to overwrite it.
    You will need to identify and clean up the orphaned entries for the TPM data in AD in order to truly resolve this issue.

    1. This issue came up when we converted from Windows 7 x86 to WIndows 7 x64. The bitlocker process works on 12 of the 13 models of laptops we have in service. The only model it does not work on and requires the above fix is for the Latitude E7440. We have had Dell engineers working on this for the past three weeks and they are still stumped. I have googled this very problem and there are a couple of fixes out there, but those fixes did not work on our systems, along with many other users who also said they did not work. Dell has finally given up and does not know what else to do. The Windows 7 32-bit works great on the E7440. It is just the 64-bit that gives the access denied.

    2. Mick - we are having the same problem. BitLocker encryption works fine on certain Dell models but not on others. For example, models E5570 and E5440 fail while all others model work just fine. The machines failing are brand spanking new from dell - never joined to our domain.

      Thanks for this workaround.

  2. Hmm, I would have thought the blog post you linked to about ad permissions would have worked if you are still on Windows 7.

    That error clearly looks like it's an issue writing to AD though. I would suggest you identify the object it is trying to write to in AD, if it's not the TPM device object. If you can do that, I'd bet you will find a permission issue.

    If you enable the view in ADUC, do you have a TPM Devices container in AD, and does it have anything in

    It seems strange that it would only affect a specific model of computer. What else is different, besides switching to a 64 bit win7? Are you using a different Task sequence to deploy 64bit? Or a different boot image?

    1. We are using the same task sequence and same boot image as we used for the 32-bit. The only differences are the drivers, windows updates, and of course the OS. Dell had us to install an image, pause immediately after the first time bootup, and make sure no drivers or windows updates were applied. We then installed the network driver only. The issue still occurred when we joined it to the domain and moved it into its specified OU where all other laptops resided and imaged fine. We did dig down into AD and researched the object it was trying to write to. The 32-bit win 7 wrote to the same object as the 64-bit, but with success, unlike the 64-bit version. We did notice that if we moved the system to the computers container, it would bitlocker, but of course it could not write the key to AD. We spent more than 70 hours with Dell researching and troubleshooting this. They pointed out that is a 32-bit could write to the same system object (computer name) in AD that the 64-bit image could not write to, then there had to be some other issue. The only other time we were able to get this to work was to do the following: 1) Delete the computer from AD, 2) rename the system that would not bitlocker to a name we never used before while joining a workgroup, 3) reboot the system, 4) Rejoin the domain with the new name, 5)bitlocker the machine. If we did not do those steps for this specific model and OS architecture and version, it would give the access denied error. This has been the most frustrating issue I have ever encountered.

    2. Here are two more things I noticed with the E7440. The first is that when you go into the BIOS to turn on, clear, and then activate the TPM, it turns on and clears, but does not activate on the first attempt. It stays in deactivated mode. It takes two attempts to activate it. Second is when you try to PXE boot. The moment you select PXE, the system reboots on the first attempt. It takes two attempts to successfully PXE boot.

  3. I am having the same exact issue on the new line of Lenovo laptops with SKYLAKE processors. I am using the EnableBitLocker.vbs to initiate, take ownership and then encrypt the HDD, and GPO to send recovery key to AD. All previous models of laptops that we support encrypt and backup the key in AD with no issues, however the X1 Carbon 4th Generation and T460s fail to take ownership of the TPM. I've took all the troubleshooting steps mentioned by Mick in his original post but no luck. However when I delete the two Registry keys mentioned I am able to successfully execute the vbs and enable BitLocker. Does this have anything to do with the new Intel processors or BIOS version? Yes the PowerShell scripts provided work fine as a workaround, however I want to find out why it's happening to these specific models.

    1. I am glad this helped. Thanks for replying because that shows it is not just a Dell issue. It would be interesting to see if both systems share the same BIOS manufacturer.

  4. BIOS manufacturer and version is Phoenix Technologies UEFI: 1.11 /ECP: 1:09. Don't think it's the BIOS because I updated the BIOS on my older model laptops and they work just fine. I also tried removing the permissions for the SELF account in AD for ms-TPMOwnerInformation attribute and then adding again but to no avail. The issue appears to be permissions related, but I can't figure out why it's specific to the new models.

    1. One other thing I have noticed is that these laptops do not activate the TPM on the first try. When I go into the BIOS, click activate TPM, and then reboot, the TPM is back to deactivated. I have to activate it a second time before it actually activates. Do you have this same issue?

  5. Our machines come with the TPM activated from the factory, but if I deactivate and activate again, I only need to do it once. Does the Dell E7440 come with Skylake processors as well?

  6. what if we don't have a BIOS password? does not allow a empty PW field

    1. Bitlocker cannot be enabled with the bios password

  7. Great! We are running into what seems to be this exact same issue as we can't figure out why it won't store the TPM to AD even though we have the schema attributes all there, etc.

    Let me ask, how exactly do you execute these scripts?...I'm a little confused at what the BitlockerSystem.ps1 script does? I understand I would run that other script to take care of the registry, etc., etc., but then what was BitlockerSystem.ps1 do? Do you kick that off right after the other script and this is what takes care of actually doing the encryption?