We recently started getting access is denied when trying to enable bitlocker on our Dell Latitude E7440 models. At first we thought it was a problem with the laptop itself upon the first occurrence of it. We were able to image all other models with no problems. We contacted Dell Premiere support and they concurred. They said that replacing the motherboard should rectify the issue since the issue seemed to be with the TPM chip. Dell replaced the motherboard and this issue persisted. We imaged other E7440 laptops and got the same error. Actually, the access is denied appeared when we went to manually encrypt the laptops. We would get Error code: 0x80070005 when trying to enable bitlocker via the control panel. The build would fail when it tried to enable the bitlocker. When I looked at the event viewer logs, I found the following errors:
I have written two PowerShell scripts, with the help of PowerShell Studio by Sapien Technologies, that bitlocker the systems. The first script uses BitlockerSAK to make sure the TPM is ready to be used. Once it verifies the TPM is turned on, cleared, and activated, the script deletes the FVE and TPM registry keys. The next step is does is to take ownership of the TPM. To take ownership of the TPM, it needs the BIOS password, which is a mandatory parameter upon the execution of the script. The next step is to enable bitlocker. A group policy update is now necessary to repopulate the registry keys the script deleted earlier. Next, the script gets the Bitlocker ID using the function provided by PowerShell District. This is necessary for the next step that pushes the recovery key to active directory. At this point, the script is finished and the system must be rebooted in order for bitlocker to begin encrypting the drive.
There is a second script for the actual encryption process. This script is executed as the next task sequence. It first waits for the fvenotify.exe to begin. The script waits 5 minutes for this to begin. If it does not begin within 5 minutes, the script exits with an error code 1. Once the fvenotify.exe is a process, the script waits until it disappears. This is intended to delay a build until the encryption process is completed.
You can download the scripts from the following links:
At this point, we thought the issue might have been with the build process. We started combing through the build trying to find out what might be wrong. The problem was that all other model systems worked, except for this one. We did the following steps in troubleshooting:
- Verified all other model laptops enable bitlocker with no issues
- The same task sequence is used on all laptops. The only differences are drivers and bios.
- We followed the procedure from this blog that fixed this issue for some users. It did not fix it for our systems.
- We verified the BIOS is updated to the latest version
- Dell replaced the motherboard and HDD
- Windows 7 32-Bit installs and bitlockering on this model had no issues
- We verified that the system will bitlocker if we move it to the computers container in active directory
- We noticed two problems with the BIOS. The first is that it will not activate the TPM on the first try. When you click activate, apply, and exit, the system reboots, but it goes back to deactivate. It takes two times to activate it. The second problem is pxe booting. When we select to boot from the NIC, the system reboots on the first try. These problems are happening to all of our E7440 laptops.
- I laid down a base windows 7 image with no drivers or windows updates. The only driver I installed was the NIC for network connectivity. When I joined it to the domain, it still gave access denied.
- I downgraded the BIOS
- We disabled the Cisco Anywhere Connect VPN software from being installed during the build. I ran across troubleshooting post for the access is denied where they recommended uninstall any VPN software. This did not fix the issue.
- I gave the SELF account full control of the specific computer in active directory with no success
- One more suggestion we found that some said worked was upgrading the firmware to the latest version for the HDD. We were not able to get the firmware to upgrade on our flash HDD.
- We were able to get systems to bitlocker if we joined the system to a local workgroup, changed the name of the system to one that had never been used before, and then joined the domain.
- We were able to get systems to bitlocker if we moved the system in active directory to the computers container where it gets no GPOs.
- We also noticed other problems with the E7440. When you go into the BIOS to turn on, clear, and activate the TPM, it does not behave correctly. Once you have completed the clear process, the TPM is automatically put into deactivated mode. You must then reboot the system for it to take effect. Next, you click to activate the TPM, it shows it is activated, but when you reboot and go back into the BIOS, the TPM is showing as deactivated. The activation step must be done twice. The second issue we found was with PXE booting. Sometimes when we hit F12, select Onboard NIC, the system will reboot when it begins the initializing step of the PXE process.
By this time, we had spent almost 70 hours troubleshooting this, including Dell support trying to help. Finally I decided to find out exactly what the Bitlocker GPO changed on system. I found it pushed two registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE and HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM. I deleted those registry keys out and then tried to enable bitlocker through the control panel. It worked. I knew at this point, it had to be with the system and not the GPO, especially since it worked with all other systems. The next thing that needed to be done was to make sure the recovery key got to active directory. I ran a GPUPDATE.EXE to force the registry keys back down to the system. I then ran manage-bde -protectors -get c: to get the numerical password ID. Finally, I ran manage-bde -protectors -adbackup c: -id {Numerical ID} to push the key to active directory and it worked! My next step was to make sure this same process would work on other model systems so that we could have a single process to work on all instead of having more than one. It does successfully work on the other models.
I have written two PowerShell scripts, with the help of PowerShell Studio by Sapien Technologies, that bitlocker the systems. The first script uses BitlockerSAK to make sure the TPM is ready to be used. Once it verifies the TPM is turned on, cleared, and activated, the script deletes the FVE and TPM registry keys. The next step is does is to take ownership of the TPM. To take ownership of the TPM, it needs the BIOS password, which is a mandatory parameter upon the execution of the script. The next step is to enable bitlocker. A group policy update is now necessary to repopulate the registry keys the script deleted earlier. Next, the script gets the Bitlocker ID using the function provided by PowerShell District. This is necessary for the next step that pushes the recovery key to active directory. At this point, the script is finished and the system must be rebooted in order for bitlocker to begin encrypting the drive.
There is a second script for the actual encryption process. This script is executed as the next task sequence. It first waits for the fvenotify.exe to begin. The script waits 5 minutes for this to begin. If it does not begin within 5 minutes, the script exits with an error code 1. Once the fvenotify.exe is a process, the script waits until it disappears. This is intended to delay a build until the encryption process is completed.
You can download the scripts from the following links:
BitlockerSystem.ps1
<#
.NOTES
===========================================================================
Created with: SAPIEN Technologies, Inc., PowerShell Studio 2015 v4.2.99
Created on: 2/25/2016 4:29 PM
Created by: Mick Pletcher
Organization:
Filename: BitlockerSystem.ps1
===========================================================================
.DESCRIPTION
This script waits for the bitlocker process to begin. If the bitlocker
process does not begin within 5 minutes, the script exits with an error
code 1. If the process does begin, then the script waits until
bitlocker is complete with encrypting the system.
#>
#Declare Variables
Set-Variable -Name CurrentTime -Scope Local -Force
Set-Variable -Name Difference -Scope Local -Force
Set-Variable -Name Output1 -Scope Local -Force
Set-Variable -Name Output2 -Scope Local -Force
Set-Variable -Name Output3 -Scope Local -Force
Set-Variable -Name Process -Value $null -Scope Local -Force
Set-Variable -Name StartTime -Scope Local -Force
Clear-Host
$StartTime = Get-Date
$Output1 = "Waiting for Bitlocker Encryption to begin....."
$Output1
While ($Process -eq $null) {
Start-Sleep -Seconds 5
$Process = Get-Process -Name fvenotify -ErrorAction SilentlyContinue
$CurrentTime = Get-Date
$Difference = (New-TimeSpan -Start $StartTime -End $CurrentTime).minutes
If ($Difference -eq 5) {
Exit 1
}
}
$Output1 = $Output1 + "Completed"
Clear-Host
$Output1
$Output2 = "Bitlockering System....."
$Output2
while ($Process -ne $null) {
$Process = $null
$Process = Get-Process -Name fvenotify -ErrorAction SilentlyContinue
$Output3 = manage-bde -status $env:HOMEDRIVE
Clear-Host
$Output1
$Output2
Write-Host
$Output3[9].TRIM()
Start-Sleep -Seconds 60
}
Write-Host "Complete" -ForegroundColor Yellow
#Cleanup Variables
Remove-Variable -Name CurrentTime -Scope Local -Force
Remove-Variable -Name Difference -Scope Local -Force
Remove-Variable -Name Output1 -Scope Local -Force
Remove-Variable -Name Output2 -Scope Local -Force
Remove-Variable -Name Output3 -Scope Local -Force
Remove-Variable -Name Process -Scope Local -Force
Remove-Variable -Name StartTime -Scope Local -Force
EnableBitlocker.ps1
<#
===========================================================================
Created with: SAPIEN Technologies, Inc., PowerShell Studio 2015 v4.2.99
Created on: 2/26/2016 2:02 PM
Created by: Mick Pletcher
Organization:
Filename: EnableBitlocker.ps1
===========================================================================
.DESCRIPTION
This script will enable bitlocker on a system. It first tests the
system to make sure the TPM is ready for bitlocker. If it passes
the test, then it does the following:
1) Deletes the FVE and TPM registry keys
2) Takes ownership of the TPM
3) Enables bitlocker
4) Performs a gpupdate
5) Gets the bitlocker recovery key ID
6) Backs up the recovery key to active directory
#>
param
(
[Parameter(Mandatory = $true)][string]$BIOSPassword
)
Function BitLockerSAK {
<#
.SYNOPSIS
Get and set Bitlocker related information.
.DESCRIPTION
Based on WMI classes, this function can achiev the following tasks :
--TPM operations---
-TPM activation state.
-If the TPM is enabled or not.
-If a TPM OwnerShip is Allowed.
-If the TPM is currently owned.
-The possibility to take the ownerShip
--Encryption possibilities ---
- Retrieves the current encryption method.
- Get the current protection status.
- The current protection state.
- The possibility to encrypt a Drive.
- The possibility to Resume an encryption that has been paused.
- Possibility to return the current protector ID's.
- Possibility to return the current protector type(s).
- Retrieves the Volume key protector Passwords
.PARAMETER isTPMActivated
Returns activation state of the TPM:
Returns true if activated and false if not.
.PARAMETER isTPMEnabled
Returns the enabled state of the TPM:
Returns true if activated and false if not.
.PARAMETER IsTPMOwnerShipAllowed
Returns if the TPM ownership is allowed.
Returns true if allowed, false if not.
.PARAMETER ResumeEncryption
Will resume an paused encryption.
.PARAMETER GetEncryptionState
Returns the current encurrent state in an object as wolled :
.PARAMETER GetProtectionStatus
Returns the current protection status. It will return "Protected" if the drive is 100% encrypted, and "Unprotected" if anything else then "100% encrypted".
.PARAMETER Encrypt
Will encrypt a drive.
.PARAMETER TakeTPMOwnerShip
Returns true if allowed, false if not
.PARAMETER pin
Is needed in order to take the ownership and to encrypt the drive.
.PARAMETER IsTPMOwned
Returns true if owned, false if not
.PARAMETER GetKeyProtectorIds
Returns all the protector id's available on the machine.
.PARAMETER GetKeyProtectorType
Returns the type of protector that is currently in use.
.PARAMETER GetEncryptionMethod
REturns the current encryption method that is in use.
.PARAMETER GetKeyProtectorNumericalPassword
Returns a given numerical password based on a Protector ID value.
The ProtectorID value is mandatory, and must be passed using the parameter VolumeKeyProtectorID.
.PARAMETER VolumeKeyProtectorID
This parameter will work only in conjunction with GetKeyProtectorNumericalPassword switch.
It must contain the ProtectorID from which the desired Numerical Password will be returned.
.PARAMETER GetKeyProtectorTypeAndID
The GetKeyProtectorTypeAndID switch will return all the existing key protector ID's and their type of the Keys existing on the machine.
.PARAMETER Whatif
Permits to launch this script in "draft" mode. This means it will only show the results without really making generating the files.
.PARAMETER Verbose
Allow to run the script in verbose mode for debbuging purposes.
.EXAMPLE
BitLockerSAK
Returns the current status of the drives.
IsTPMOwned : True
EncryptionMethod : AES_128
IsTPMOwnerShipAllowed : True
IsTPMActivated : True
IsTPMEnabled : True
CurrentEncryptionPercentage : 100
EncryptionState : FullyEncrypted
ProtectorIds : {{FFC19381-6E75-4D1E-94E9-D6E0D3E681FA}, {65AF5A93-9846-47AC-B3B1-D8DE6F06B780}}
KeyProtectorType : {Numerical password, Trusted Platform Module (TPM)}
.EXAMPLE
BitLockerSAK -GetProtectionStatus
Returns the current protection status : Protected or unprotected
.EXAMPLE
BitLockerSAK -GetEncryptionState
CurrentEncryptionProgress is express in percentage.
CurrentEncryptionProgress EncryptionState
------------------------- ---------------
100 FullyEncrypted
.EXAMPLE
Get all the key protectors and their respective ID's and protector types from the current machine.
BitLockerSAK -GetKeyProtectorTypeAndID
KeyProtectorID KeyProtectorType
-------------- ----------------
{AB1535D4-ECB3-49D6-8AB1-E334A4F60579} Numerical password
{B1BDF8CD-55F2-4532-A93F-4B1AF4F22B55} Trusted Platform Module (TPM)
.EXAMPLE
Get the numerical password from a specefic Key using the ID.
BitLockerSAK -GetKeyProtectorNumericalPassword -VolumeKeyProtectorID "{AB1535D4-ECB3-49D6-8AB1-E334A4F60579}"
Message KeyProtectorNumericalPassword VolumeKeyProtectorID
------- ----------------------------- --------------------
The method was successful. 242968-693319-295251-477840-704451-214225-550055-383229 {AB1535D4-ECB3-49D6-8AB1-E334A4F60579}
.NOTES
-Author: Stephane van Gulick
-Email :
-CreationDate: 13-01-2014
-LastModifiedDate: 11.06.2015
-Version: 1.5
-History:
#0.1 : Created function
#1.1 : 20140901 Added GetProtectorIds
#1.2 : 20140909 Rewrote function
Added GetKeyprotectorType
Added EncryptionMethod
#1.3 : 20141003 Added TPM conditions.
#1.4 : Possiblity to select drive letter, added RemoveKeyProtectors.
--> GetKeyProtectorTypeAndID,
--> DeleteKeyProtectors,
--> ProtectorIDs,
--> DeleteKeyProtector,
--> PauseEncryption,
--> PauseDecryption,
--> Decrytp
#1.4.1 --> updated help with GetKeyPRotectedID instead of KeyProtectedID parameter
#1.5 Added GetKeyProtectorNumericalPassword and VolumeKeyProtectorID parameters.
.LINK
www.PowerShellDistrict.com
#>
[cmdletBinding()]
Param (
[Switch]$IsTPMActivated,
[Switch]$IsTPMEnabled,
[Switch]$IsTPMOwnerShipAllowed,
[Switch]$ResumeEncryption,
[Switch]$GetEncryptionState,
[Switch]$GetProtectionStatus,
[switch]$Encrypt,
[Parameter(ParameterSetName = 'OwnerShip')][switch]$TakeTPMOwnerShip,
[Parameter(ParameterSetName = 'OwnerShip')][int]$pin,
[switch]$IsTPMOwned,
[Switch]$GetKeyProtectorIds,
[switch]$GetEncryptionMethod,
[ValidateScript({
if ($_ -match '^[A-Z]{1}[:]') {
return $true
} else {
Write-Warning 'The drive letter parameter has to respect the following case: DriverLetter+Colomn EG: --> C: --> D: --> E: '
return $false
}
})][string]$DriveLetter = 'C:',
[switch]$GetKeyProtectorTypeAndID,
[switch]$DeleteKeyProtectors,
#Acceptvaluefrompipelinebyname
[String[]]$ProtectorIDs,
[switch]$DeleteKeyProtector,
[switch]$PauseEncryption,
[switch]$PauseDecryption,
[switch]$Decrytp,
[Parameter(ParameterSetName = 'NumericalPassword')][Switch]$GetKeyProtectorNumericalPassword,
[Parameter(ParameterSetName = 'NumericalPassword', Mandatory = $true)][String]$VolumeKeyProtectorID
)
Begin {
try {
$Tpm = Get-WmiObject -Namespace ROOT\CIMV2\Security\MicrosoftTpm -Class Win32_Tpm -ErrorAction Stop
} catch [System.Management.ManagementException]{
write-warning 'Could not access the WMI methods. Verify that you run the script with elevated rights and try again.'
continue
}
}
Process {
##Add switch to verify if enough place is present on HD (6gig are need, 10 recommended).
switch ($PSBoundParameters.keys) {
'IsTPMActivated'{ $return = if ($Tpm) { $tpm.IsActivated().isactivated }; break }
'IsTPMEnabled'{ $return = if ($Tpm) { $tpm.IsEnabled().isenabled }; break }
'IsTPMOwnerShipAllowed'{ $return = if ($Tpm) { $tpm.IsOwnerShipAllowed().IsOwnerShipAllowed }; break }
'IsTPMOwned'{ $return = if ($Tpm) { $Tpm.isowned().isowned }; break }
'GetEncryptionState'{
write-verbose "Getting the encryptionstate of drive $($driveletter)"
#http://msdn.microsoft.com/en-us/library/aa376433(VS.85).aspx
#We only want to work on the C: drive.
$EncryptionData = Get-WmiObject -Namespace ROOT\CIMV2\Security\Microsoftvolumeencryption -Class Win32_encryptablevolume -Filter "DriveLetter = '$DriveLetter'"
$protectionState = $EncryptionData.GetConversionStatus()
$CurrentEncryptionProgress = $protectionState.EncryptionPercentage
switch ($ProtectionState.Conversionstatus) {
'0' {
$Properties = @{ 'EncryptionState' = 'FullyDecrypted'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }
$Return = New-Object psobject -Property $Properties
}
'1' {
$Properties = @{ 'EncryptionState' = 'FullyEncrypted'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }
$Return = New-Object psobject -Property $Properties
}
'2' {
$Properties = @{ 'EncryptionState' = 'EncryptionInProgress'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }
$Return = New-Object psobject -Property $Properties
}
'3' {
$Properties = @{ 'EncryptionState' = 'DecryptionInProgress'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }
$Return = New-Object psobject -Property $Properties
}
'4' {
$Properties = @{ 'EncryptionState' = 'EncryptionPaused'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }
$Return = New-Object psobject -Property $Properties
}
'5' {
$Properties = @{ 'EncryptionState' = 'DecryptionPaused'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }
$Return = New-Object psobject -Property $Properties
}
default {
write-verbose "Couldn't retrieve an encryption state."
$Properties = @{ 'EncryptionState' = $false; 'CurrentEncryptionProgress' = $false }
$Return = New-Object psobject -Property $Properties
}
}
}
'ResumeEncryption'{
write-verbose 'Resuming encryption'
$ProtectionState = Get-WmiObject -Namespace ROOT\CIMV2\Security\Microsoftvolumeencryption -Class Win32_encryptablevolume -Filter "DriveLetter = '$DriveLetter'"
$Ret = $protectionState.ResumeConversion()
$ReturnCode = $ret.ReturnValue
switch ($ReturnCode) {
('0') { $Message = 'The Method Resume Conversion was called succesfully.' }
('2150694912') { $message = 'The volume is locked' }
default { $message = 'The resume operation failed with an uknowned return code.' }
}
$Properties = @{ 'ReturnCode' = $ReturnCode; 'ErrorMessage' = $message }
$Return = New-Object psobject -Property $Properties
} #EndResumeEncryption
'GetProtectionStatus'{
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa376448(v=vs.85).aspx
$ProtectionState = Get-WmiObject -Namespace ROOT\CIMV2\Security\Microsoftvolumeencryption -Class Win32_encryptablevolume -Filter "DriveLetter = '$DriveLetter'"
write-verbose 'Gathering BitLocker protection status infos.'
switch ($ProtectionState.GetProtectionStatus().protectionStatus) {
('0') { $return = 'Unprotected' }
('1') { $return = 'Protected' }
('2') { $return = 'Uknowned' }
default { $return = 'NoReturn' }
} #EndSwitch
} #EndGetProtection
'Encrypt'{
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa376432(v=vs.85).aspx
$ProtectionState = Get-WmiObject -Namespace ROOT\CIMV2\Security\Microsoftvolumeencryption -Class Win32_encryptablevolume -Filter "DriveLetter = '$DriveLetter'"
write-verbose 'Launching drive encryption.'
$ProtectorKey = $protectionState.ProtectKeyWithTPMAndPIN('ProtectKeyWithTPMAndPin', '', $pin)
Start-Sleep -Seconds 3
$NumericalPasswordReturn = $protectionState.ProtectKeyWithNumericalPassword()
$Return = $protectionState.Encrypt()
$returnCode = $return.returnvalue
switch ($ReturnCode) {
('0') { $message = 'Operation successfully started.' }
('2147942487') { $message = 'The EncryptionMethod parameter is provided but is not within the known range or does not match the current Group Policy setting.' }
('2150694958') { $message = 'No encryption key exists for the volume' }
('2150694957') { $message = 'The provided encryption method does not match that of the partially or fully encrypted volume.' }
('2150694942') { $message = 'The volume cannot be encrypted because this computer is configured to be part of a server cluster.' }
('2150694956') { $message = 'No key protectors of the type Numerical Password are specified. The Group Policy requires a backup of recovery information to Active Directory Domain Services' }
default {
$message = 'An unknown status was returned by the Encryption action.'
}
}
$Properties = @{ 'ReturnCode' = $ReturnCode; 'ErrorMessage' = $message }
$Return = New-Object psobject -Property $Properties
}
'GetKeyProtectorIds'{
$BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"
$return = $BitLocker.GetKeyProtectors('0').VolumeKeyProtectorID
}
'GetEncryptionMethod'{
$BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"
$EncryptMethod = $BitLocker.GetEncryptionMethod().encryptionmethod
switch ($EncryptMethod) {
'0'{ $Return = 'None'; break }
'1'{ $Return = 'AES_128_WITH_DIFFUSER'; break }
'2'{ $Return = 'AES_256_WITH_DIFFUSER'; break }
'3'{ $Return = 'AES_128'; break }
'4'{ $Return = 'AES_256'; break }
'5'{ $Return = 'HARDWARE_ENCRYPTION'; break }
default { $Return = 'UNKNOWN'; break }
}
}
'GetKeyProtectorTypeAndID'{
$BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"
$ProtectorIds = $BitLocker.GetKeyProtectors('0').volumekeyprotectorID
$return = @()
foreach ($ProtectorID in $ProtectorIds) {
$KeyProtectorType = $BitLocker.GetKeyProtectorType($ProtectorID).KeyProtectorType
$keyType = ''
switch ($KeyProtectorType) {
'0'{ $Keytype = 'Unknown or other protector type'; break }
'1'{ $Keytype = 'Trusted Platform Module (TPM)'; break }
'2'{ $Keytype = 'External key'; break }
'3'{ $Keytype = 'Numerical password'; break }
'4'{ $Keytype = 'TPM And PIN'; break }
'5'{ $Keytype = 'TPM And Startup Key'; break }
'6'{ $Keytype = 'TPM And PIN And Startup Key'; break }
'7'{ $Keytype = 'Public Key'; break }
'8'{ $Keytype = 'Passphrase'; break }
'9'{ $Keytype = 'TPM Certificate'; break }
'10'{ $Keytype = 'CryptoAPI Next Generation (CNG) Protector'; break }
} #endSwitch
$Properties = @{ 'KeyProtectorID' = $ProtectorID; 'KeyProtectorType' = $Keytype }
$Return += New-Object -TypeName psobject -Property $Properties
} #EndForeach
} #EndGetKeyProtectorType
'DeleteKeyProtectors'{
$BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"
$Return = $BitLocker.DeleteKeyProtectors()
}
'TakeTPMOwnerShip'{
$Tpm.takeOwnership()
}
'DeleteKeyProtector'{
if ($PSBoundParameters.ContainsKey('ProtectorIDs')) {
$Return = @()
$BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"
foreach ($ProtID in $ProtectorIDs) {
$Return += $BitLocker.DeleteKeyProtector($ProtID)
}
} else {
write-warning 'Could not delete the key protector. Missing ProtectorID parameter.'
$Return = 'Could not delete the key protector. Missing ProtectorID parameter.'
}
}
'PauseEncryption'{
$BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"
$ReturnCode = $BitLocker.PauseConversion()
switch ($ReturnCode.ReturnValue) {
'0'{ $Return = 'Paused sucessfully.'; break }
'2150694912'{ $Return = 'The volume is locked.'; Break }
default { $Return = 'Uknown return code.'; break }
}
}
'PauseDecryption'{
$BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"
$ReturnCode = $BitLocker.PauseConversion()
switch ($ReturnCode.ReturnValue) {
'0'{ $Return = 'Paused sucessfully.'; break }
'2150694912'{ $Return = 'The volume is locked.'; Break }
default { $Return = 'Uknown return code.'; break }
}
}
'Decrytp'{
$BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"
$ReturnCode = $BitLocker.Decrypt()
switch ($ReturnCode.ReturnValue) {
'0'{ $Return = 'Uncryption started successfully.'; break }
'2150694912'{ $Return = 'The volume is locked.'; Break }
'2150694953' { $Return = 'This volume cannot be decrypted because keys used to automatically unlock data volumes are available.'; Break }
default { $Return = 'Uknown return code.'; break }
}
}
'GetKeyProtectorNumericalPassword'{
$BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"
$Return = @()
$KeyProtectorReturn = $BitLocker.GetKeyProtectorNumericalPassword($VolumeKeyProtectorID)
switch ($KeyProtectorReturn.ReturnValue) {
'0' { $msg = 'The method was successful.' }
'2150694912' { $msg = 'The volume is locked.'; Break }
'2147942487' { $msg = "The VolumeKeyProtectorID parameter does not refer to a key protector of the type 'Numerical Password'."; Break }
'2150694920' { $msg = 'BitLocker is not enabled on the volume. Add a key protector to enable BitLocker.'; Break }
default { $msg = "Unknown return value: $($KeyProtectorReturn.ReturnValue)" }
} #EndSwitch
$Properties = @{ 'KeyProtectorNumericalPassword' = $KeyProtectorReturn.NumericalPassword; 'VolumeKeyProtectorID' = $VolumeKeyProtectorID; 'Message' = $msg }
$Return += New-Object -TypeName psobject -Property $Properties
}
} #endSwitch
if ($PSBoundParameters.Keys.Count -eq 0) {
#Returning info on all drives.
write-verbose 'Returning bitlocker main status'
$Tpm = Get-WmiObject -Namespace ROOT\CIMV2\Security\MicrosoftTpm -Class Win32_Tpm
$BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"
#If no TPM module is present
if ($tpm) {
$TpmActivated = $tpm.IsActivated().isactivated
$TPMEnabled = $tpm.IsEnabled().isenabled
$TPMOwnerShipAllowed = $Tpm.IsOwnershipAllowed().IsOwnerShipAllowed
$TPMOwned = $Tpm.isowned().isowned
}
$ProtectorIds = $BitLocker.GetKeyProtectors('0').volumekeyprotectorID
$CurrentEncryptionState = BitLockerSAK -GetEncryptionState
$EncryptionMethod = BitLockerSAK -GetEncryptionMethod
$KeyProtectorTypeAndID = BitLockerSAK -GetKeyProtectorTypeAndID
$properties = @{
'IsTPMActivated' = $TpmActivated;`
'IsTPMEnabled' = $TPMEnabled;`
'IsTPMOwnerShipAllowed' = $TPMOwnerShipAllowed;`
'IsTPMOwned' = $TPMOwned;`
'CurrentEncryptionPercentage' = $CurrentEncryptionState.CurrentEncryptionProgress;`
'EncryptionState' = $CurrentEncryptionState.encryptionState; `
'EncryptionMethod' = $EncryptionMethod;`
'KeyProtectorTypesAndIDs' = $KeyProtectorTypeAndID
}
$Return = New-Object psobject -Property $Properties
}
}
End {
return $return
}
}
Function Get-Architecture {
#Define Local Variables
Set-Variable -Name Architecture -Scope Local -Force
$Architecture = Get-WmiObject -Class Win32_OperatingSystem | Select-Object OSArchitecture
$Architecture = $Architecture.OSArchitecture
Return $Architecture
#Returns 32-bit or 64-bit
#Cleanup Local Variables
Remove-Variable -Name Architecture -Scope Local -Force
}
function Get-BiosStatus {
param ([String]$Option)
#Declare Local Variables
Set-Variable -Name Architecture -Scope Local -Force
Set-Variable -Name Argument -Scope Local -Force
Set-Variable -Name CCTK -Scope Local -Force
Set-Variable -Name Output -Scope Local -Force
$Architecture = Get-Architecture
If ($Architecture -eq "32-bit") {
$CCTK = $env:ProgramFiles + "\Dell\Command Configure\X86\cctk.exe"
} else {
$CCTK = ${env:ProgramFiles(x86)} + "\Dell\Command Configure\X86_64\cctk.exe"
}
$Argument = "--" + $Option
$Output = [string] (& $CCTK $Argument)
$Output = $Output.Split('=')
Return $Output[1]
#Cleanup Local Variables
Remove-Variable -Name Architecture -Scope Local -Force
Remove-Variable -Name Argument -Scope Local -Force
Remove-Variable -Name CCTK -Scope Local -Force
Remove-Variable -Name Output -Scope Local -Force
}
Function Install-EXE {
Param ([String]$DisplayName,
[String]$Executable,
[String]$Switches)
#Declare Local Variables
Set-Variable -Name ErrCode -Scope Local -Force
Write-Host "Install"$DisplayName"....." -NoNewline
If ((Test-Path $Executable) -eq $true) {
$ErrCode = (Start-Process -FilePath $Executable -ArgumentList $Switches -Wait -Passthru).ExitCode
} else {
$ErrCode = 1
}
If (($ErrCode -eq 0) -or ($ErrCode -eq 3010)) {
Write-Host "Success" -ForegroundColor Yellow
} else {
Write-Host "Failed with error code "$ErrCode -ForegroundColor Red
}
#Cleanup Local Variables
Remove-Variable -Name ErrCode -Scope Local -Force
}
Function Get-BitLockerRecoveryKeyId {
<#
.SYNOPSIS
This returns the Bitlocker key protector id.
.DESCRIPTION
The key protectorID is retrived either according to the protector type, or simply all of them.
.PARAMETER KeyProtectorType
The key protector type can have one of the following values :
*TPM
*ExternalKey
*NumericPassword
*TPMAndPin
*TPMAndStartUpdKey
*TPMAndPinAndStartUpKey
*PublicKey
*PassPhrase
*TpmCertificate
*SID
.EXAMPLE
Get-BitLockerRecoveryKeyId
Returns all the ID's available from all the different protectors.
.EXAMPLE
Get-BitLockerRecoveryKeyId -KeyProtectorType NumericPassword
Returns the ID(s) of type NumericPassword
.NOTES
Version: 1.0
Author: Stephane van Gulick
Creation date:12.08.2014
Last modification date: 12.08.2014
.LINK
www.powershellDistrict.com
.LINK
http://social.technet.microsoft.com/profile/st%C3%A9phane%20vg/
.LINK
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa376441(v=vs.85).aspx
#>
[cmdletBinding()]
Param (
[Parameter(Mandatory = $false, ValueFromPipeLine = $false)][ValidateSet("Alltypes", "TPM", "ExternalKey", "NumericPassword", "TPMAndPin", "TPMAndStartUpdKey", "TPMAndPinAndStartUpKey", "PublicKey", "PassPhrase", "TpmCertificate", "SID")]$KeyProtectorType
)
$BitLocker = Get-WmiObject -Namespace "Root\cimv2\Security\MicrosoftVolumeEncryption" -Class "Win32_EncryptableVolume"
switch ($KeyProtectorType) {
("Alltypes") { $Value = "0" }
("TPM") { $Value = "1" }
("ExternalKey") { $Value = "2" }
("NumericPassword") { $Value = "3" }
("TPMAndPin") { $Value = "4" }
("TPMAndStartUpdKey") { $Value = "5" }
("TPMAndPinAndStartUpKey") { $Value = "6" }
("PublicKey") { $Value = "7" }
("PassPhrase") { $Value = "8" }
("TpmCertificate") { $Value = "9" }
("SID") { $Value = "10" }
default { $Value = "0" }
}
$Ids = $BitLocker.GetKeyProtectors($Value).volumekeyprotectorID
return $ids
}
Function Remove-RegistryKey {
Param ([String]$RegistryKey,
[Boolean]$Recurse)
#Declare Local Variables
Set-Variable -Name i -Scope Local -Force
Set-Variable -Name RegKey -Scope Local -Force
Set-Variable -Name RegistryKey1 -Scope Local -Force
Set-Variable -Name tempdrive -Scope Local -Force
$tempdrive = New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
$RegistryKey1 = $RegistryKey.split("\")
switch ($RegistryKey1[0]) {
"HKEY_CLASSES_ROOT" { $RegistryKey1[0] = "HKCR" }
"HKEY_CURRENT_USER" { $RegistryKey1[0] = "HKCU" }
"HKEY_LOCAL_MACHINE" { $RegistryKey1[0] = "HKLM" }
"HKEY_USERS" { $RegistryKey1[0] = "HKU" }
"HKEY_CURRENT_CONFIG" { $RegistryKey1[0] = "HKCC" }
}
For ($i = 0; $i -lt $RegistryKey1.Count; $i++) {
$RegKey = $RegKey + $RegistryKey1[$i]
If ($i -eq 0) {
$RegKey = $RegKey + ":\"
} elseif ($i -ne $RegistryKey1.Count - 1) {
$RegKey = $RegKey + "\"
} else {
$RegKey = $RegKey
}
}
Write-Host "Delete"$RegKey"....." -NoNewline
If (Test-Path $RegKey) {
If (($Recurse -eq $false) -or ($Recurse -eq $null)) {
Remove-Item -Path $RegKey -Force
} elseIf ($Recurse -eq $true) {
Remove-Item -Path $RegKey -Recurse -Force
}
if ((Test-Path $RegKey) -eq $false) {
Write-Host "Success" -ForegroundColor Yellow
} else {
Write-Host "Failed" -ForegroundColor Yellow
}
} else {
Write-Host "Not Present" -ForegroundColor Green
}
#Cleanup Local Variables
Remove-Variable -Name i -Scope Local -Force
Remove-Variable -Name RegKey -Scope Local -Force
Remove-Variable -Name RegistryKey1 -Scope Local -Force
Remove-Variable -Name tempdrive -Scope Local -Force
}
#Declare Local Variables
Set-Variable -Name BitlockerID -Scope Local -Force
Set-Variable -Name ManageBDE -Value $env:windir"\System32\manage-bde.exe" -Scope Local -Force
Set-Variable -Name Switches -Scope Local -Force
Set-Variable -Name TPMActivated -Scope Local -Force
Set-Variable -Name TPMEnabled -Scope Local -Force
Set-Variable -Name TPMOwnershipAllowed -Scope Local -Force
cls
#Check if TPM is enabled
$TPMEnabled = Get-BiosStatus -Option "tpm"
Write-Host "TPM Enabled:"$TPMEnabled
#Check if TPM is activated
$TPMActivated = Get-BiosStatus -Option "tpmactivation"
Write-Host "TPM Activated:"$TPMActivated
#Check if TPM Ownership is allowed
$TPMOwnershipAllowed = BitLockerSAK -IsTPMOwnerShipAllowed
Write-Host "TPM Ownership Allowed:"$TPMOwnershipAllowed
#Check if TPM is owned
$TPMOwned = BitLockerSAK -IsTPMOwned
Write-Host "TPM Owned:"$TPMOwned
If (($TPMEnabled -eq "on") -and ($TPMActivated -eq "activate") -and ($TPMOwnershipAllowed -eq $true) -and ($TPMOwned -eq $false)) {
#Delete Bitlocker GPO registry keys
Remove-RegistryKey -RegistryKey "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" -Recurse $true
Remove-RegistryKey -RegistryKey "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM" -Recurse $true
#Take ownership of TPM
$Switches = "-tpm -takeownership" + [char]32 + $BIOSPassword
Install-EXE -DisplayName "Take TPM Ownership" -Executable $ManageBDE -Switches $Switches
#Enable Bitlocker
$Switches = "-on" + [char]32 + $env:HOMEDRIVE + [char]32 + "-recoverypassword"
Install-EXE -DisplayName "Enable Bitlocker" -Executable $ManageBDE -Switches $Switches
#Execute GPUpdate to re-apply registry keys
Install-EXE -DisplayName "GPUpdate" -Executable $env:windir"\System32\gpupdate.exe" -Switches " "
#Retrieve numerical password ID
$BitlockerID = Get-BitLockerRecoveryKeyId -KeyProtectorType NumericPassword
#Backup recovery key to active directory
$Switches = "-protectors -adbackup" + [char]32 + $env:HOMEDRIVE + [char]32 + "-id" + [char]32 + $BitlockerID
Install-EXE -DisplayName "Backup Recovery Key to AD" -Executable $ManageBDE -Switches $Switches
}
#Cleanup Local Variables
Remove-Variable -Name BitlockerID -Scope Local -Force
Remove-Variable -Name ManageBDE -Scope Local -Force
Remove-Variable -Name Switches -Scope Local -Force
Remove-Variable -Name TPMActivated -Scope Local -Force
Remove-Variable -Name TPMEnabled -Scope Local -Force
Remove-Variable -Name TPMOwnershipAllowed -Scope Local -Force
I think you may be going the wrong direction here. Based on your event logs, I am guessing that you are running Windows 8 or newer, and that these computers experiencing the problem have been imaged at least once before. the access denied error you're getting is when windows tries to save the TPM key to Active Directory. Your GPO probably requires the TPM key be written to AD, which is why bitlocker works fine when the GPO is not applied. By enabling bitlocker with the GPO not applied, then applying the settings afterwards, you are not getting the info saved to AD.
ReplyDeleteI believe that the root issue may be that the domain accounts for these computers were deleted without removing the TPM info from AD first. Windows 8 changed the location in AD that it saves the TPM to, and if the computer account gets deleted the TPM info will be left behind, orphaned.
When a new computer account is created, and you try to enable the TPM and back up to AD, the object already exists, and the computer doesn't have permission to overwrite it.
You will need to identify and clean up the orphaned entries for the TPM data in AD in order to truly resolve this issue.
This issue came up when we converted from Windows 7 x86 to WIndows 7 x64. The bitlocker process works on 12 of the 13 models of laptops we have in service. The only model it does not work on and requires the above fix is for the Latitude E7440. We have had Dell engineers working on this for the past three weeks and they are still stumped. I have googled this very problem and there are a couple of fixes out there, but those fixes did not work on our systems, along with many other users who also said they did not work. Dell has finally given up and does not know what else to do. The Windows 7 32-bit works great on the E7440. It is just the 64-bit that gives the access denied.
DeleteMick - we are having the same problem. BitLocker encryption works fine on certain Dell models but not on others. For example, models E5570 and E5440 fail while all others model work just fine. The machines failing are brand spanking new from dell - never joined to our domain.
DeleteThanks for this workaround.
Rod
Hmm, I would have thought the blog post you linked to about ad permissions would have worked if you are still on Windows 7.
ReplyDeleteThat error clearly looks like it's an issue writing to AD though. I would suggest you identify the object it is trying to write to in AD, if it's not the TPM device object. If you can do that, I'd bet you will find a permission issue.
If you enable the view in ADUC, do you have a TPM Devices container in AD, and does it have anything in
It?
It seems strange that it would only affect a specific model of computer. What else is different, besides switching to a 64 bit win7? Are you using a different Task sequence to deploy 64bit? Or a different boot image?
We are using the same task sequence and same boot image as we used for the 32-bit. The only differences are the drivers, windows updates, and of course the OS. Dell had us to install an image, pause immediately after the first time bootup, and make sure no drivers or windows updates were applied. We then installed the network driver only. The issue still occurred when we joined it to the domain and moved it into its specified OU where all other laptops resided and imaged fine. We did dig down into AD and researched the object it was trying to write to. The 32-bit win 7 wrote to the same object as the 64-bit, but with success, unlike the 64-bit version. We did notice that if we moved the system to the computers container, it would bitlocker, but of course it could not write the key to AD. We spent more than 70 hours with Dell researching and troubleshooting this. They pointed out that is a 32-bit could write to the same system object (computer name) in AD that the 64-bit image could not write to, then there had to be some other issue. The only other time we were able to get this to work was to do the following: 1) Delete the computer from AD, 2) rename the system that would not bitlocker to a name we never used before while joining a workgroup, 3) reboot the system, 4) Rejoin the domain with the new name, 5)bitlocker the machine. If we did not do those steps for this specific model and OS architecture and version, it would give the access denied error. This has been the most frustrating issue I have ever encountered.
DeleteHere are two more things I noticed with the E7440. The first is that when you go into the BIOS to turn on, clear, and then activate the TPM, it turns on and clears, but does not activate on the first attempt. It stays in deactivated mode. It takes two attempts to activate it. Second is when you try to PXE boot. The moment you select PXE, the system reboots on the first attempt. It takes two attempts to successfully PXE boot.
DeleteI am having the same exact issue on the new line of Lenovo laptops with SKYLAKE processors. I am using the EnableBitLocker.vbs to initiate, take ownership and then encrypt the HDD, and GPO to send recovery key to AD. All previous models of laptops that we support encrypt and backup the key in AD with no issues, however the X1 Carbon 4th Generation and T460s fail to take ownership of the TPM. I've took all the troubleshooting steps mentioned by Mick in his original post but no luck. However when I delete the two Registry keys mentioned I am able to successfully execute the vbs and enable BitLocker. Does this have anything to do with the new Intel processors or BIOS version? Yes the PowerShell scripts provided work fine as a workaround, however I want to find out why it's happening to these specific models.
ReplyDeleteI am glad this helped. Thanks for replying because that shows it is not just a Dell issue. It would be interesting to see if both systems share the same BIOS manufacturer.
DeleteBIOS manufacturer and version is Phoenix Technologies UEFI: 1.11 /ECP: 1:09. Don't think it's the BIOS because I updated the BIOS on my older model laptops and they work just fine. I also tried removing the permissions for the SELF account in AD for ms-TPMOwnerInformation attribute and then adding again but to no avail. The issue appears to be permissions related, but I can't figure out why it's specific to the new models.
ReplyDeleteOne other thing I have noticed is that these laptops do not activate the TPM on the first try. When I go into the BIOS, click activate TPM, and then reboot, the TPM is back to deactivated. I have to activate it a second time before it actually activates. Do you have this same issue?
DeleteOur machines come with the TPM activated from the factory, but if I deactivate and activate again, I only need to do it once. Does the Dell E7440 come with Skylake processors as well?
ReplyDeleteWe have the i5-4300u processor.
Deletewhat if we don't have a BIOS password? does not allow a empty PW field
ReplyDeleteBitlocker cannot be enabled with the bios password
DeleteGreat! We are running into what seems to be this exact same issue as we can't figure out why it won't store the TPM to AD even though we have the schema attributes all there, etc.
ReplyDeleteLet me ask, how exactly do you execute these scripts?...I'm a little confused at what the BitlockerSystem.ps1 script does? I understand I would run that other script to take care of the registry, etc., etc., but then what was BitlockerSystem.ps1 do? Do you kick that off right after the other script and this is what takes care of actually doing the encryption?
Thanks!