what systems are you seeing the errors on and have you made sure you are using the latest bios available from support.dell.com ? likewise are you using the latest CCTK from dell ?
On Thu, Jan 22, 2015 at 1:54 PM, Denzik, Josh <[email protected]> wrote: > Niall, > > > > We are in little different situation where we have pre-existing laptops > out in the wild that don’t have this turned on and it would really be nice > if we could at least figure out why this is happening when we run the cctk > commands*(The Required BIOS interfaces cannot be found on this system)*. > I was hoping an engineer from dell would be able to point me in the right > direction on this issue…. > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Niall Brady > *Sent:* Wednesday, January 21, 2015 5:06 PM > *To:* [email protected] > *Subject:* Re: [MDT-OSD] RE: Error Installing MBAM in TS > > > > *CAUTION: *External > > we have an agreement with our hardware vendor to send computers with the > tpm enabled, in the past we used to use bios commands in the task sequence > to enable the tpm and take ownership, > > we do not do either of those things any more, > > during the ts we preprovision bitlocker, install the OS and after > installing apps etc we enable bitlocker late in the task sequence, we do > not wait for encryption to continue, we install the mbam client and do not > see the issue you are referring to, > > if you want to try our the way I do it, look at this task sequence > > > http://www.windows-noob.com/forums/index.php?/topic/11864-the-cm12-uefi-bitlocker-frontend-hta-part-1-the-features/ > > > > On Wed, Jan 21, 2015 at 9:25 PM, Denzik, Josh <[email protected]> wrote: > > I found this post on dells community website this guy had the same > problem no one was able to answer the question….very frustrating issue… > > > > http://en.community.dell.com/techcenter/enterprise-client/f/4448/t/19613208 > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Marcum, John > *Sent:* Wednesday, January 21, 2015 10:32 AM > *To:* [email protected] > *Subject:* RE: [MDT-OSD] RE: Error Installing MBAM in TS > > > > *CAUTION: *External > > xcopy.exe ".\*.*" "x:\CCTK\X64\" /E /C /I /Q /H /R /Y /S > > x:\CCTK\X64\HAPI\hapint -i -k C-C-T-K -p X:\CCTK\X64\HAPI\ > > x:\CCTK\x64\CCTK.exe --setuppwd=password > > X:\CCTK\x64\CCTK.exe --tpm=on --valsetuppwd=password > > xcopy.exe ".\*.*" "x:\CCTK\X64\" /E /C /I /Q /H /R /Y /S > > x:\CCTK\X64\HAPI\hapint -i -k C-C-T-K -p X:\CCTK\X64\HAPI\ > > x:\CCTK\x64\CCTK.exe --tpmactivation=activate --valsetuppwd=password > > x:\CCTK\x64\cctk --setuppwd= --valsetuppwd=password > > REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE /v > EncryptionMethod /t REG_DWORD /d 2 /f > > > > > > > > > > > > > > -----Original Message----- > From: [email protected] [ > mailto:[email protected] <[email protected]>] > On Behalf Of Denzik, Josh > Sent: Wednesday, January 21, 2015 9:16 AM > To: [email protected] > Subject: RE: [MDT-OSD] RE: Error Installing MBAM in TS > > > > Sorry I copied and pasted incorrectly..... > > > > cctk.exe --setuppwd=password > > cctk.exe --tpm=on --valsetuppwd=password Reboot cctk.exe > --tpmactivation=activate --valsetuppwd=password cctk.exe --setuppwd= > --valsetuppwd=password > > > > -----Original Message----- > > From: [email protected] [ > mailto:[email protected] <[email protected]>] > On Behalf Of Denzik, Josh > > Sent: Wednesday, January 21, 2015 10:02 AM > > To: [email protected] > > Subject: RE: [MDT-OSD] RE: Error Installing MBAM in TS > > > > John, > > > > Below are the commands I am running in this order: > > > > cctk.exe --setuppwd=password > > cctk.exe --tpm=on --valsetuppwd=password Reboot cctk.exe > --tpmactivation=activate --valsetuppwd=password > > > > cctk.exe --setuppwd= --valsetuppwd=password > > > > It even gets the error if I just run the commands inside of windows > without trying to image the machine. > > > > -Josh > > > > > > -----Original Message----- > > From: [email protected] [ > mailto:[email protected] <[email protected]>] > On Behalf Of Bain.John > > Sent: Wednesday, January 21, 2015 9:37 AM > > To: [email protected] > > Subject: Re: [MDT-OSD] RE: Error Installing MBAM in TS > > > > CAUTION: External > > > > What's commands are you running and in what order? > > > > John > > > > > > Sent from my BlackBerry 10 smartphone on the Rogers network. > > From: Denzik, Josh > > Sent: Wednesday, January 21, 2015 09:32 > > To: [email protected] > > Reply To: [email protected] > > Subject: RE: [MDT-OSD] RE: Error Installing MBAM in TS > > > > > > I am trying to use the cctk 3.0.0.1 commands to turn on the tpm and set > the bios password. The commands work just fine; then after running the cctk > commands a few times for testing commands I get this error: “The Required > BIOS interfaces cannot be found on this system” This error has happened on > a different models. Has anyone seen this before? Please Help! > > > > Joshua Denzik > > Senior Systems Engineer | Managed Desktop Team | OCIO-IS > > phone: 843-792-0306 | email: [email protected] > > > > > > > > From: [email protected] [ > mailto:[email protected] <[email protected]>] > On Behalf Of [email protected] > > Sent: Monday, December 8, 2014 5:30 PM > > To: [email protected] > > Subject: Re: [MDT-OSD] RE: Error Installing MBAM in TS > > > > > > 2.5 does not solve the TPM owner password not being saved, when using > pre-provisioning. There really isnt a way to do that, unless you set the > same owner password for every device (I do not recommend that.) > > > > If the TPM gets into a state that locks out, just follow the below steps > > > > 1. Boot into windows > > > > 1. Suspend Bitlocker > > > > 1. Clear the TPM (don't need password) > > > > 1. reboot (pressing the key if physical presence is required) > > > > 1. resume BitLocker. > > > > When you resume, it will apply the protectors back to the now cleared TPM, > and MBAM will see the change and rewrite the recovery key. > > > > Sent from Windows Mail > > > > From: Roger Truss<mailto:[email protected] <[email protected]>> > > Sent: Monday, December 8, 2014 12:54 PM > > To: [email protected]<mailto:[email protected]> > > > > As to the name, no it does not change later and techs along with users > have voiced concern over the difference. Essentially I think that the name > should not even show up on that screen as it is essentially useless as you > need to guid to do anything with mbam/bitlocker anyway, as John mentioned. > While yes the encryption keys are getting to the mbam database (using > pre-provisioning) the tpm backup info was not. There are times when tpm > gets out of whack and restoring the system requires a key. We have other > ways to obtain the keys I know, but the fact that it should be stored in > the mbam DB but does not unless MBAM is the true encryption owner is a > showstopper with pre-provisioning. Maybe 2.5 resolves this but we are not > there yet. We are only on the 2.0 server. > > > > Thank You, > > > > > > > > Roger Truss > > [email protected]<mailto:[email protected]> > > h (920) 456-8302 > > c (920) 203-0625 > > > > On Mon, Dec 8, 2014 at 11:29 AM, Krueger, Jeff < > [email protected]<mailto:[email protected]>> wrote: > > We pre-provision here and MBAM is getting all the data correctly. In the > recovery database I can directly query and see the correct computer name > associated to the volume ID and the recovery key. > > > > We wait till MBAM has been installed before enabling bitlocker, the disk > has been pre-provisioned and encrypted but it only has a TPM protector > until BitLocker is enabled at which point a recovery key is set which gets > saved by MBAM. > > > > From: [email protected]<mailto:[email protected]> > [ > mailto:[email protected]<mailto:[email protected]> > <[email protected]%3cmailto:[email protected]%3e>] > On Behalf Of Marcum, John > > Sent: Monday, December 8, 2014 11:06 AM > > To: [email protected]<mailto:[email protected]> > > Subject: RE: [MDT-OSD] RE: Error Installing MBAM in TS > > > > I'm seeing the same issue where MININT is the disk label. Not sure if that > corrects itself later or not. > > > > From: [email protected]<mailto:[email protected]> > [mailto:[email protected] <[email protected]>] > On Behalf Of Roger Truss > > Sent: Monday, December 08, 2014 9:57 AM > > To: [email protected]<mailto:[email protected]> > > Subject: Re: [MDT-OSD] RE: Error Installing MBAM in TS > > > > We stopped using the pre-provisioning step as data would not get reported > to the MBAM server properly once the MBAM client and policies were applied > post OSD. It did work to encrypt the drive but we noticed that there were > things that did not jive. The computer name it was using was MININT based > not the one we designated when prompted for the boot passphrase and > recovery data was not getting to the mbam server completely. I do not > think that pre-provisioning was designed with mbam in mind. > > > > If anyone can tell me if I missed something in the TS that would allow us > to have proper data transfer I may reconsider putting the MBAM based > encryption back in the process. But for now all we do is enable TPM and > then install MBAM and let GPO take over later. > > > > Thank You, > > > > > > > > Roger Truss > > [email protected]<mailto:[email protected]> > > h (920) 456-8302<tel:%28920%29%20456-8302 <%28920%29%20456-8302>> > > c (920) 203-0625<tel:%28920%29%20203-0625 <%28920%29%20203-0625>> > > > > On Tue, Nov 25, 2014 at 12:07 AM, < > [email protected]<mailto:[email protected]>> > wrote: > > As of MBAM v2.5 there are two roles that matter: > > Helpdesk: Need domain + username to be valid against a volume id, then are > able to access the recovery password > > Administrator: only needs volume id, then can access the recovery password. > > Drop your “helpdesk” users into the Administrator group that was specified > when you installed MBAM. > > > > FYI, if you are in the admin group and do specify a domain\user that is > not valid for the key, it will not allow you to access it. > > You will have to specify only the volume key, to gain access. > > > > From: [email protected]<mailto:[email protected]> > [ > mailto:[email protected]<mailto:[email protected]> > <[email protected]%3cmailto:[email protected]%3e>] > On Behalf Of Krueger, Jeff > > Sent: Thursday, November 20, 2014 16:59 > > To: [email protected]<mailto:[email protected]> > > Subject: [MDT-OSD] RE: Error Installing MBAM in TS > > > > Ah that’s due to the helpdesk role requirements, I don’t know off hand the > different roles and settings, but here our techs have to have a user ID to > lookup the key, but admins have a higher level role which can lookup the > password based on the Key ID alone. > > > > From: [email protected]<mailto:[email protected]> > [mailto:[email protected] <[email protected]>] > On Behalf Of Townsend, Robbie > > Sent: Thursday, November 20, 2014 4:43 PM > > To: [email protected]<mailto:[email protected]> > > Subject: [MDT-OSD] RE: Error Installing MBAM in TS > > > > I’ve tried that. I think the root issue with the recovery server is the > key is retrieved by a user or the help desk and they have to enter a domain > and user name of a user who logged into the machine, and since with NDJ > machines a user have never logged in with domain credentials. I was hoping > someone might know of a way around the domain user requirement > > > > From: [email protected]<mailto:[email protected]> > [mailto:[email protected] <[email protected]>] > On Behalf Of Krueger, Jeff > > Sent: Thursday, November 20, 2014 4:36 PM > > To: [email protected]<mailto:[email protected]> > > Subject: [MDT-OSD] RE: Error Installing MBAM in TS > > > > > > Well the GPOs are really just setting reg keys to tell the MBAM client > what server to get policy from and upload compliance info. So you should be > able to do a reg import during your TS > > > > From: [email protected]<mailto:[email protected]> > [mailto:[email protected] <[email protected]>] > On Behalf Of Townsend, Robbie > > Sent: Thursday, November 20, 2014 4:32 PM > > To: [email protected]<mailto:[email protected]> > > Subject: [MDT-OSD] RE: Error Installing MBAM in TS > > > > A little off topic from OSD, but was wondering if anyone knows of a way to > use a Bitlocker key recovery server for non-domain joined machines? I’ve > seen someone’s idea of joining it to the domain, do the encryption, let it > get the GPO’s and upload the key, then disjoin it, but that’s not really > feasible so wanted to see if anyone knew some tricks. > > > > Thanks > > > > From: [email protected]<mailto:[email protected]> > [mailto:[email protected] <[email protected]>] > On Behalf Of Krueger, Jeff > > Sent: Thursday, November 20, 2014 4:25 PM > > To: [email protected]<mailto:[email protected]> > > Subject: [MDT-OSD] RE: Error Installing MBAM in TS > > > > > > Because we’re using cctk in WinPE, that step is just installing the driver > it needs to communicate with the bios. Sometime I’d like to get it > integrated in the boot image itself. > > > > From: [email protected]<mailto:[email protected]> > [mailto:[email protected] <[email protected]>] > On Behalf Of Marcum, John > > Sent: Thursday, November 20, 2014 4:20 PM > > To: [email protected]<mailto:[email protected]> > > Subject: [MDT-OSD] RE: Error Installing MBAM in TS > > > > What is the enable HAPI step doing? > > > > From: [email protected]<mailto:[email protected]> > [mailto:[email protected] <[email protected]>] > On Behalf Of Krueger, Jeff > > Sent: Thursday, November 20, 2014 3:14 PM > > > > To: [email protected]<mailto:[email protected]> > > Subject: [MDT-OSD] RE: Error Installing MBAM in TS > > > > The pre-provisioning step will start encrypting the hard drive during > WinPE, encrypts with used space only, so that as it lays the image down on > the device it’s encrpypted as it goes. The pre-provisioning step takes > less than 10 secs on average. > > > > We then install MBAM later in the TS and don’t enable bitlocker until the > end, which just turns the protectors on. MBAM will set a recovery key and > save to the db after the fact. > > > > This shaved over an hour off the time it takes to image and fully encrypt > > > > [cid:[email protected]] > > > > [cid:[email protected]][cid:[email protected]] > > From: [email protected]<mailto:[email protected]> > [mailto:[email protected] <[email protected]>] > On Behalf Of Marcum, John > > Sent: Thursday, November 20, 2014 3:40 PM > > To: [email protected]<mailto:[email protected]> > > Subject: [MDT-OSD] RE: Error Installing MBAM in TS > > > > I am using CCTK to do deal with the TPM before MBAM installs. What does > the bitlocker pre-provisioning step do? Where do you put it in the TS? > > > > Here's what I am doing. As you can see I've tried a couple of differnet > ways to handle this and none work. The "Encrypt Hard Drive" steps are the > script from TechNet (StartMBAMEncryption.wsf > /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg > /WaitForEncryption:false) now I am trying with the built-in Enable > Bitlocker step. I'll know soon if that one works. > > > > [cid:[email protected]] > > > > > > > > From: [email protected]<mailto:[email protected]> > [mailto:[email protected] <[email protected]>] > On Behalf Of Krueger, Jeff > > Sent: Thursday, November 20, 2014 1:06 PM > > To: [email protected]<mailto:[email protected]> > > Subject: [MDT-OSD] RE: Error Installing MBAM in TS > > > > If the TPM is not already turned on MBAM will turn it on then force a > restart, this breaks the TS cause it can’t recover the TS from an > unexpected shutdown. We’ve found no way to block the reboot that MBAM > causes, so we use the Dell and HP bios config utilities to ensure the TPM > is on and activated at the beginning of the TS process. > > > > Also look into pre-provisioning bitlocker, saves a huge amount of time. > > > > From: [email protected]<mailto:[email protected]> > [mailto:[email protected] <[email protected]>] > On Behalf Of Marcum, John > > Sent: Thursday, November 20, 2014 1:17 PM > > To: [email protected]<mailto:[email protected]> > > Subject: [MDT-OSD] Error Installing MBAM in TS > > > > Has anyone ever had problems installing the MBAM client in a task > sequence? It seems like it's completing the install then rebooting and > that's breaking it. > > > > Next I kick off a script to start encryption (script from TechNet blog) > and that has been for a very long time even though I added the switch > /waitforencryption:false > > > > > > > > > > > > > > > > Running "C:\WINDOWS\System32\msiexec.exe" /i > "C:\_SMSTaskSequence\Packages\PS100156\x64\MBAMClient.msi" /quiet > /norestart /l* "C:\WINDOWS\logs\MBAM x64 2.0 install.log" with > 32bitLauncher execmgr 11/20/2014 11:31:40 AM 1172 > (0x0494) > > Created Process for the passed command line execmgr > 11/20/2014 11:31:41 AM 1172 (0x0494) > > Raising event: > > [SMS_CodePage(437), SMS_LocaleID(1033)] > > instance of SoftDistProgramStartedEvent > > { > > AdvertisementId = "PS1201B9"; > > ClientID = "GUID:F63A2391-347D-484D-BEED-2A00EDDA1429"; > > CommandLine = "\"C:\\WINDOWS\\System32\\msiexec.exe\" /i > \"C:\\_SMSTaskSequence\\Packages\\PS100156\\x64\\MBAMClient.msi\" /quiet > /norestart /l* \"C:\\WINDOWS\\logs\\MBAM x64 2.0 install.log\""; > > DateTime = "20141120173141.014000+000"; > > MachineName = "BHM-L-919JD12"; > > PackageName = "PS100156"; > > ProcessID = 1584; > > ProgramName = "MBAM x64 Client Install"; > > SiteCode = "PS1"; > > ThreadID = 1172; > > UserContext = "NT AUTHORITY\\SYSTEM"; > > WorkingDirectory = > "C:\\_SMSTaskSequence\\Packages\\PS100156\\"; > > }; > > execmgr 11/20/2014 11:31:41 AM > 1172 (0x0494) > > Raised Program Started Event for Ad:PS1201B9, Package:PS100156, Program: > MBAM x64 Client Install execmgr 11/20/2014 11:31:41 > AM 1172 (0x0494) > > Service startup. execmgr 11/20/2014 11:31:49 > AM 2564 (0x0A04) > > Request in running or report status found for program MBAM x64 Client > Install package PS100156 execmgr 11/20/2014 > 11:31:51 AM 2564 (0x0A04) > > Service stopped while program MBAM x64 Client Install is running > execmgr 11/20/2014 11:31:51 AM 2564 (0x0A04) > > OpenProcess failed for process 2828, error 80070057 > execmgr 11/20/2014 11:31:51 AM 2564 (0x0A04) > > Can not continue monitoring the program after service restart because the > process exited. Assume failed execmgr 11/20/2014 > 11:31:51 AM 2564 (0x0A04) > > Looking for MIF file to get program status execmgr > 11/20/2014 11:31:51 AM 2564 (0x0A04) > > Raising event: > > [SMS_CodePage(437), SMS_LocaleID(1033)] > > instance of SoftDistProgramUnexpectedRebootEvent > > { > > AdvertisementId = "PS1201B9"; > > ClientID = "GUID:F63A2391-347D-484D-BEED-2A00EDDA1429"; > > DateTime = "20141120173151.477000+000"; > > MachineName = "BHM-L-919JD12"; > > PackageName = "PS100156"; > > ProcessID = 1512; > > ProgramName = "MBAM x64 Client Install"; > > SiteCode = "PS1"; > > ThreadID = 2564; > > }; > > execmgr 11/20/2014 11:31:51 AM > 2564 (0x0A04) > > Raised Program Unexpected Reboot Event for Ad:PS1201B9, Package:PS100156, > Program: MBAM x64 Client Install execmgr > 11/20/2014 11:31:51 AM 2564 (0x0A04) > > Execution Request for advert PS1201B9 package PS100156 program MBAM x64 > Client Install state change from Running to Completed > execmgr 11/20/2014 11:31:51 AM 2564 (0x0A04) > > Service startup. execmgr 11/20/2014 11:32:40 > AM 2548 (0x09F4) > > > > ________________________________ > > John Marcum > > MCITP, MCTS, MCSA > > Desktop Architect > > Bradley Arant Boult Cummings LLP > > ________________________________ > > > > [cid:[email protected]] > > > > > > ________________________________ > > > > Confidentiality Notice: This e-mail is from a law firm and may be > protected by the attorney-client or work product privileges. If you have > received this message in error, please notify the sender by replying to > this e-mail and then delete it from your computer. > > > > ________________________________ > > > > CONFIDENTIALITY NOTICE: This email contains information from the sender > that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise > protected from disclosure. This email is intended for use only by the > person or entity to whom it is addressed. If you are not the intended > recipient, any use, disclosure, copying, distribution, printing, or any > action taken in reliance on the contents of this email, is strictly > prohibited. If you received this email in error, please contact the sending > party by reply email, delete the email from your computer system and shred > any paper copies. > > > > Note to Patients: There are a number of risks you should consider before > using e-mail to communicate with us. See our Privacy & Security page on > www.henryford.com<http://www.henryford.com > <http://www.henryford.com%3chttp:/www.henryford.com>> for more detailed > information as well as information concerning MyChart, our new patient > portal. If you do not believe that our policy gives you the privacy and > security protection you need, do not send e-mail or Internet communications > to us. > > ________________________________ > > > > Confidentiality Notice: This e-mail is from a law firm and may be > protected by the attorney-client or work product privileges. If you have > received this message in error, please notify the sender by replying to > this e-mail and then delete it from your computer. > > > > ________________________________ > > > > Confidentiality Notice: This e-mail is from a law firm and may be > protected by the attorney-client or work product privileges. If you have > received this message in error, please notify the sender by replying to > this e-mail and then delete it from your computer. > > > > ________________________________ > > > > Confidentiality Notice: This e-mail is from a law firm and may be > protected by the attorney-client or work product privileges. If you have > received this message in error, please notify the sender by replying to > this e-mail and then delete it from your computer. > > > > ________________________________ > > > > Confidentiality Notice: This e-mail is from a law firm and may be > protected by the attorney-client or work product privileges. If you have > received this message in error, please notify the sender by replying to > this e-mail and then delete it from your computer. > > > > > > ________________________________ > > > > Confidentiality Notice: This e-mail is from a law firm and may be > protected by the attorney-client or work product privileges. If you have > received this message in error, please notify the sender by replying to > this e-mail and then delete it from your computer. > > > > ________________________________ > > > > Confidentiality Notice: This e-mail is from a law firm and may be > protected by the attorney-client or work product privileges. If you have > received this message in error, please notify the sender by replying to > this e-mail and then delete it from your computer. > > > > > > ________________________________ > > > > Confidentiality Notice: This e-mail is from a law firm and may be > protected by the attorney-client or work product privileges. If you have > received this message in error, please notify the sender by replying to > this e-mail and then delete it from your computer. > > > ------------------------------ > > > Confidentiality Notice: This e-mail is from a law firm and may be > protected by the attorney-client or work product privileges. If you have > received this message in error, please notify the sender by replying to > this e-mail and then delete it from your computer. > > >
