MBAM fails to take ownership of TPM

Symptoms
When Microsoft BitLocker Administration and Monitoring (MBAM) tries to initialize the TPM, some machines show the following error message.

Error
BitLocker drive encryption has a problem and must close.
BitLocker will close now. Contact the help desk of your company if you need additional help.

Details
Error taking ownership of the TPM.
Cause
Microsoft BitLocker Administration and Monitoring (MBAM) fails to take ownership of the TPM if the Endorsement Key (EK) pair is missing from the TPM.
The Endorsement Key (EK) is an encryption key that is permanently embedded in the Trusted Platform Module (TPM) security hardware, generally at the time of manufacture.
You may see this error message if the TPM manufacturer did not create the Endorsement Key (EK) pair.

Note: Enabling verbose logging on the Microsoft BitLocker Administration and Monitoring (MBAM) client should show the following error:
TPM_E_NO_ENDORSEMENT - 0x80280023 - The TPM does not have an Endorsement Key (EK) installed.

Resolution
To have us fix this problem for you, go to the "Fix it for me" section. If you prefer to fix this problem yourself, go to the "Let me fix it myself" section.

Fix it for me


To fix this problem automatically, click the Fix it button or link. Then click Run in the File Download dialog box, and follow the steps in the Fix it wizard.

Notes
  • This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
  • If you are not on the computer that has the problem, save the Fix it solution to a flash drive or a CD and then run it on the computer that has the problem.

Then, go to the "Did this fix the problem?" section.

Let me fix it myself

To resolve this issue, follow the steps below:
  1. Copy the script text below into Notepad and save it as "tpm-ek.txt" (without quotes).
  2. Rename the extension of that text file so the file is named "tpm-ek.vbs" (without quotes).
  3. Run the .vbs script on the affected machine to generate the Endorsement Key (EK) pair.
  4. The next time MBAM tries to take ownership of the TPM it will succeed. This happens when the MBAM agent reaches its next client wake-up interval, which is 90 minutes by default.

=============== Script Text ===============

' Connects to the WMI namespace that exposes the TPM (Win32_Tpm) on the local machine.
' Run from an elevated prompt; the script exits 0 on success and -1 if the EK pair could not be created.
strComputer = "."
Set objWMIService = GetObject("WinMgmts:{impersonationLevel=impersonate,AuthenticationLevel=pktprivacy}//" & strComputer & "\root\CIMV2\Security\MicrosoftTpm")
Set objItems = objWMIService.InstancesOf("Win32_Tpm")

For Each objItem In objItems
    ' Optional state checks; uncomment them to print the TPM state before the EK check.
    'rvaluea = objItem.IsEnabled(A)
    'rvalueb = objItem.IsActivated(B)
    'rvaluec = objItem.IsOwned(C)
    'WScript.Echo "TPM Is Enabled: " & A
    'WScript.Echo "TPM Is Activated: " & B
    'WScript.Echo "TPM Is Owned: " & C

    ' D receives True when the TPM already holds an Endorsement Key pair.
    rvalued = objItem.IsEndorsementKeyPairPresent(D)
    'WScript.Echo "TPM Is EndorsementKeyPairPresent: " & D

    If Not D Then
        ' No EK pair: ask the TPM to generate one, which MBAM needs before it can take ownership.
        'WScript.Echo "CreateEndorsementKeyPair... Please Wait"
        rvaluee = objItem.CreateEndorsementKeyPair(E)
        'WScript.Echo "CreateEndorsementKeyPair... Returns:" & rvaluee & " and E=" & E
        If (rvaluee <> 0) Then
            ' A non-zero return value is a TPM/WMI error code; report failure to the caller.
            WScript.Quit -1
        End If
    End If
Next
WScript.Quit 0

=============== Script Text ===============
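The same check in PowerShell, as an added example that is not part of this article's script: it queries the same Win32_Tpm class the VBScript uses, reports the four TPM state flags so you can confirm the cause above applies before changing anything, and only calls CreateEndorsementKeyPair when run with -Fix. The -Fix switch name is this example's own choice; it must run from an elevated PowerShell session.

```powershell
# Added example, not the KB's script. Read-only by default; -Fix creates the EK pair.
# Run elevated: Win32_Tpm methods require administrator rights.
param([switch]$Fix)

$ns  = 'root\cimv2\Security\MicrosoftTpm'
$tpm = Get-CimInstance -Namespace $ns -ClassName Win32_Tpm -ErrorAction Stop
if (-not $tpm) { throw 'No Win32_Tpm instance: no TPM present or the TPM driver is not loaded.' }

# Each state method returns a uint32 HRESULT (ReturnValue) plus a boolean
# out-parameter that carries the same name as the method.
$state = [ordered]@{}
foreach ($m in 'IsEnabled', 'IsActivated', 'IsOwned', 'IsEndorsementKeyPairPresent') {
    $r = Invoke-CimMethod -InputObject $tpm -MethodName $m
    if ($r.ReturnValue -eq 0) { $state[$m] = [bool]$r.$m }
    else                      { $state[$m] = ('error 0x{0:X8}' -f $r.ReturnValue) }
}
$state.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }

if ($state['IsEndorsementKeyPairPresent'] -eq $true) {
    'EK pair present: the TPM_E_NO_ENDORSEMENT (0x80280023) cause does not apply to this machine.'
    return
}
if (-not $Fix) {
    'EK pair missing: re-run with -Fix to call CreateEndorsementKeyPair.'
    return
}

# Same action as the VBScript above; a non-zero ReturnValue is a TPM/WMI error code.
$r = Invoke-CimMethod -InputObject $tpm -MethodName CreateEndorsementKeyPair
if ($r.ReturnValue -ne 0) { throw ('CreateEndorsementKeyPair failed: 0x{0:X8}' -f $r.ReturnValue) }
'EK pair created. MBAM retries TPM ownership at its next client wake-up (90 minutes by default).'
```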


Did this fix the problem?

  • Check whether the problem is fixed. If the problem is fixed, you are finished with this section. If the problem is not fixed, you can contact support.
  • We would appreciate your feedback. To provide feedback or to report any issues with this solution, please leave a comment on the "Fix it for me" blog or send us an email.
Properties

Article ID: 2640178 - Last Review: 03/03/2015 01:49:00 - Revision: 8.0

Microsoft BitLocker Administration and Monitoring 1.0
