We do the following for the TPM at the start of the build:

1) Ensure that TPM is turned on in the BIOS
2) Disable auto provisioning
   a. Powershell.exe -Command "(gwmi -class win32_tpm -Namespace root\cimv2\security\microsofttpm).DisableAutoprovisioning()"
3) Enable the TPM
   a. Powershell.exe -Command "(gwmi -class win32_tpm -Namespace root\cimv2\security\microsofttpm).SetPhysicalPresenceRequest(1)"
4) Activate the TPM
   a. Powershell.exe -Command "(gwmi -class win32_tpm -Namespace root\cimv2\security\microsofttpm).SetPhysicalPresenceRequest(3)"

Then immediately after the disk is partitioned we use the built-in pre-provision BitLocker action.

Next we apply the image.

Towards the end we install the MBAM client.

Reboot.

Run the "Invoke-MbamClientDeployment.ps1".

This is where we get our failure: "Failed to add Numerical Password protector to device"

From: [email protected] On Behalf Of Denzik, Josh
Sent: Friday, September 23, 2016 8:50 AM
To: [email protected]
Subject: RE: [MDT-OSD] Surface Pro 4 Bitlocker Pre-Provisioning

I am also getting an "already owned" error in the smsts log. Mike, are you doing anything else to the TPM before the pre-provision step?

From: [email protected] On Behalf Of Denzik, Josh
Sent: Friday, September 23, 2016 6:42 AM
To: [email protected]
Subject: Re: [MDT-OSD] Surface Pro 4 Bitlocker Pre-Provisioning

Thanks Mike! Please let me know if you find anything else out.

Sent from my iPhone

On Sep 22, 2016, at 7:03 PM, Marable, Mike <[email protected]> wrote:

Josh,

We are able to successfully pre-provision BitLocker but our MBAM config script fails after installing the MBAM client. If I remember the error message it is something about MBAM being unable to set the numeric password.

We get it pre-provisioned fine. The MBAM client installs successfully, but the MBAM config script (sorry I cannot remember its name) is what fails.

I believe we're using the SCCM+MDT default partitioning for UEFI as well.

I'll VPN in later and get the details. Right now I don't think I'm being much help. :)

Mike

From: <[email protected]> on behalf of "Denzik, Josh" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, September 22, 2016 at 3:39 PM
To: "[email protected]" <[email protected]>
Subject: [MDT-OSD] Surface Pro 4 Bitlocker Pre-Provisioning

All,

Has anyone been successful using the pre-provision step on a Surface Pro 4? We currently use MBAM to turn on BitLocker in the task sequence. We have successfully been able to pre-provision Dell and Lenovo machines with UEFI BIOS. I read that it might have something to do with the size of the Windows RE partition...?

Any insight would be helpful.

-Josh

**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
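A read-only snapshot of the TPM and BitLocker state discussed in this thread, which could be captured just before Invoke-MbamClientDeployment.ps1 runs; this is an added example and not part of any poster's message. It assumes an elevated session in the full OS (not WinPE), that the OS volume is C:, and that the built-in TrustedPlatformModule and BitLocker modules are available; the function name Get-PreMbamState and the output file name are hypothetical.

```powershell
# Added example (not from the thread). Read-only: it changes nothing on the device.
# Assumptions: elevated session, full OS (not WinPE), OS volume is C:.
function Get-PreMbamState {
    param([string]$MountPoint = 'C:')   # assumed OS volume

    # TPM state as Windows reports it (TrustedPlatformModule module).
    $tpm = Get-Tpm

    # Same WMI class the task sequence steps call; the Is* methods only query state.
    $wmi = Get-WmiObject -Class Win32_Tpm -Namespace 'root\cimv2\security\microsofttpm'

    # Volume state and the key protectors present after pre-provisioning.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | Where-Object { $_ } |
               ForEach-Object { [string]$_.KeyProtectorType })

    [pscustomobject]@{
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        TpmEnabled          = $wmi.IsEnabled().IsEnabled
        TpmActivated        = $wmi.IsActivated().IsActivated
        # Relevant to the "already owned" message mentioned in the thread.
        TpmOwned            = $wmi.IsOwned().IsOwned
        AutoProvisioning    = $tpm.AutoProvisioning
        VolumeStatus        = $vol.VolumeStatus
        ProtectionStatus    = $vol.ProtectionStatus
        EncryptionPercent   = $vol.EncryptionPercentage
        EncryptionMethod    = $vol.EncryptionMethod
        KeyProtectors       = $types -join ', '
        # manage-bde's "Numerical Password" is the RecoveryPassword protector type here.
        HasRecoveryPassword = $types -contains 'RecoveryPassword'
        HasTpmProtector     = $types -contains 'Tpm'
    }
}

# Show the snapshot and keep a copy that can be collected with the deployment logs.
$state = Get-PreMbamState
$state | Format-List
$state | ConvertTo-Json | Out-File -FilePath "$env:TEMP\PreMbamState.json" -Encoding utf8
```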
