Consider the following scenario:
- You use Microsoft Deployment Toolkit (MDT) to deploy Windows 10. (This can be any version of MDT that supports Windows 10.)
- You use the "Enable BitLocker (offline)" step (ZTIBDE.wsf script) to pre-provision BitLocker during Windows PE in the "Preinstall" group.
- The deployment is successful.
The TPM is ready for use, with reduced functionality. Information Flags: 0x900
The TPM owner authorization is not properly stored in the registry.
Windows's registry information about the TPM's Storage Root Key does not match the TPM Storage Root Key or is missing.
This issue occurs because the TpmValidate function in the ZTIBDE.wsf script takes ownership of the TPM from Windows PE unnecessarily. Windows should be able to correctly take ownership of the TPM before OOBE to provision it by using the correct parameters.
When this change in ownership of the TPM from Windows PE occurs, the TPM is given parameters that Windows does not understand. Therefore, the key hierarchies in the TPM are disabled and made permanently unavailable to Windows.
To work around this issue for new deployments until a new version of MDT is available, add the following command to the ZTIBDE.wsf script at the start of the "Function Main" section:
reg add hklm\system\currentcontrolset\services\tpm\wmi -v UseNullDerivedOwnerAuth -t REG_DWORD -d 0x01 -f
For devices in which the TPM is already in reduced functionality mode, the TPM must be cleared before you can mitigate this issue. We recommend that you reset the TPM if it's in this state. To do this, follow the recommendations in the "Clear all the keys from the TPM" section of the following TechNet topic:View status, clear, or troubleshoot the TPM