MBAM fails to take ownership of TPM

Article ID: 2640178

Symptoms

When Microsoft BitLocker Administration and Monitoring (MBAM) tries to initialize the TPM, some machines display the following error message.

Error
BitLocker drive encryption has a problem and must close.
BitLocker will close now. Contact the help desk of your company if you need additional help.

Details
Error taking ownership of the TPM.


[Image: BitLocker Encrypt Error dialog]


Cause

Microsoft BitLocker Administration and Monitoring (MBAM) fails to take ownership of the TPM if the Endorsement Key (EK) pair is missing from the TPM.
The Endorsement Key (EK) is an encryption key that is permanently embedded in the Trusted Platform Module (TPM) security hardware, generally at the time of manufacture.
You may see this error message if the TPM manufacturer did not create the Endorsement Key (EK) pair.

Note: Enabling verbose logging on the Microsoft BitLocker Administration and Monitoring (MBAM) client should show the error as follows:
TPM_E_NO_ENDORSEMENT - 0x80280023 - The TPM does not have an Endorsement Key (EK) installed.




Resolution

To have us fix this problem for you, go to the "Fix it for me" section. If you prefer to fix this problem yourself, go to the "Let me fix it myself" section.

Fix it for me


To fix this problem automatically, click the Fix it button or link. Then click Run in the File Download dialog box, and follow the steps in the Fix it wizard.
Fix this problem
Microsoft Fix it 50797

Notes
  • This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
  • If you are not on the computer that has the problem, save the Fix it solution to a flash drive or a CD and then run it on the computer that has the problem.

Then, go to the "Did this fix the problem?" section.

Let me fix it myself

To resolve this issue, follow these steps:
  1. Copy the script text below into Notepad and save it as "tpm-ek.txt" (without quotes).
  2. Rename the file's extension from .txt to .vbs so that the file is named "tpm-ek.vbs" (without quotes).
  3. Run the .vbs script on the affected machine to generate the Endorsement Key (EK) pair.
  4. MBAM will then take ownership of the TPM successfully the next time the MBAM agent reaches its client wake-up frequency, which is 90 minutes by default.

=============== Script Text ===============

' Connect to the TPM WMI provider on the local machine (".") with packet-privacy
' authentication; Win32_Tpm lives in the root\CIMV2\Security\MicrosoftTpm namespace.
Set objWMIService = GetObject("WinMgmts:{impersonationLevel=impersonate,AuthenticationLevel=pktprivacy}//" & "." & "\root\CIMV2\Security\MicrosoftTpm")

Set objItems = objWMIService.InstancesOf("Win32_Tpm")

For Each objItem In objItems

    ' Each status method returns an HRESULT (0 = success) and sets a Boolean out-parameter.
    ' The enabled/activated/owned checks are kept for reference but are not needed for the fix.
    'rvaluea = objItem.IsEnabled(A)
    'rvalueb = objItem.IsActivated(B)
    'rvaluec = objItem.IsOwned(C)
    rvalued = objItem.IsEndorsementKeyPairPresent(D)

    'If A Then
    'WScript.Echo "TPM Is Enabled: " & A
    'Else
    'WScript.Echo "TPM Is Enabled: " & A
    'End If

    'If B Then
    'WScript.Echo "TPM Is Activated: " & B
    'Else
    'WScript.Echo "TPM Is Activated: " & B
    'End If

    'If C Then
    'WScript.Echo "TPM Is Owned: " & C
    'Else
    'WScript.Echo "TPM Is Owned: " & C
    'End If

    'If D Then
    'WScript.Echo "TPM Is EndorsementKeyPairPresent: " & D
    'Else

    ' D is False when the TPM has no EK pair, which is the condition that makes
    ' MBAM ownership fail with TPM_E_NO_ENDORSEMENT (0x80280023).
    If Not D Then
        'WScript.Echo "TPM Is EndorsementKeyPairPresent: " & D
        'WScript.Echo "CreateEndorsementKeyPair... Please Wait"

        ' Ask the TPM to generate the EK pair; a non-zero return code means it failed.
        rvaluee = objItem.CreateEndorsementKeyPair(E)

        'WScript.Echo "CreateEndorsementKeyPair... Returns:" & rvaluee & " and E=" & E
        If (rvaluee <> 0) Then
            WScript.Quit -1
        End If
    End If

Next
WScript.Quit 0

=============== Script Text ===============
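As an added example, not the KB's own script, the same pre-check written in PowerShell for an elevated session on the affected client: it reads the Win32_Tpm instance, reports the four status bits the VBScript leaves commented out, and calls CreateEndorsementKeyPair only when the EK pair is missing and the caller passes -Fix. The -Fix switch, the exit codes and the report format are this example's own conventions; the namespace, class, methods and the 0x80280023 code are the ones the article cites.

```powershell
# Added example (not the KB's script): MBAM TPM ownership pre-flight check.
# Run in an elevated Windows PowerShell session on the affected client.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # -Fix: create the EK pair if it is missing (the KB's fix); default is report-only.
    [switch]$Fix
)

# Same WMI namespace and class the KB's VBScript uses.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    Write-Error 'No Win32_Tpm instance: TPM absent, disabled in firmware, or driver not loaded.'
    exit 2
}

# Each Win32_Tpm status method returns an HRESULT plus one Boolean out-parameter;
# with Get-WmiObject the out-parameter is exposed as a property of the result.
$status = [ordered]@{
    Enabled            = $tpm.IsEnabled().IsEnabled
    Activated          = $tpm.IsActivated().IsActivated
    Owned              = $tpm.IsOwned().IsOwned
    EndorsementKeyPair = $tpm.IsEndorsementKeyPairPresent().IsEndorsementKeyPairPresent
}
$status.GetEnumerator() | ForEach-Object { '{0,-20}: {1}' -f $_.Key, $_.Value }

if ($status.EndorsementKeyPair) {
    Write-Host 'EK pair present; MBAM ownership should not fail with TPM_E_NO_ENDORSEMENT.'
    exit 0
}

Write-Warning 'EK pair missing: MBAM logs 0x80280023 (TPM_E_NO_ENDORSEMENT) until one exists.'
if (-not $Fix) { exit 1 }

# ShouldProcess makes the write operation explicit (-WhatIf shows it, -Confirm prompts).
if ($PSCmdlet.ShouldProcess('TPM', 'CreateEndorsementKeyPair')) {
    $ret = $tpm.CreateEndorsementKeyPair().ReturnValue
    if ($ret -ne 0) {
        Write-Error ('CreateEndorsementKeyPair failed with HRESULT 0x{0:X8}' -f $ret)
        exit 1
    }
    Write-Host 'EK pair created; MBAM retries ownership at its next wake-up (90 min by default).'
}
```

Save as a .ps1 and run it first without -Fix to confirm that the EK pair is really what is missing, since an Enabled/Activated value of False points at a firmware setting rather than this article's cause.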


Did this fix the problem?

  • Check whether the problem is fixed. If the problem is fixed, you are finished with this section. If the problem is not fixed, you can contact support.
  • We would appreciate your feedback. To provide feedback or to report any issues with this solution, please leave a comment on the "Fix it for me" blog or send us an email.

More information

Understand the TPM Endorsement Key
http://technet.microsoft.com/en-us/library/cc770443.aspx

BitLocker Sample Deployment Script
http://gallery.technet.microsoft.com/ScriptCenter/780d167f-2d57-4eb7-bd18-84c5293d93e3/

TPM Error Codes
http://msdn.microsoft.com/en-us/library/dd542648(VS.85).aspx

Properties

Article ID: 2640178 - Last Review: September 4, 2013 - Revision: 7.0
Applies to
  • Microsoft BitLocker Administration and Monitoring
Keywords: 
kbfixme kbmsifixme KB2640178
