This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 38%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGH%3C/text%3E%3C/svg%3E)
Hi All,
Since +/- Friday 07-July-2023 we started noticing (so it might have started earlier) that only our HP ProBook 440 G5 laptops no longer automatically enabled BitLocker after it was installed with a new image (and because of that, they will not get compliant, so are of no use to our end users).
It seems the drive is still automatically encrypted, but the TMP protector has not been created and the recovery key is not uploaded to Azure.
(I'm not sure which one should go first, it could be that the TMP protector is not created because the recovery key has not yet been uploaded to Azure, or that the recovery key has not been uploaded to Azure because the TPM protector has not yet been created)
In event viewer we can see that the encryption has successfully finished, but the following error message shows when trying to upload the recovery key to Azure:
Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
Error: Unknown Hresult Error code: 0x80072efe
Id: 846
(and it keeps trying here and there but keeps failing)
If I create the TPM protector via the following PowerShell command:
Add-BitLockerKeyProtector -MountPoint C: -TpmProtector
It is possible to activate BitLocker via the following PowerShell command:
Resume-BitLocker -MountPoint C:
And the laptop becomes compliant, but the recovery key has still not been uploaded to Azure (so this is still not a laptop which we want to provide to the end user).
If I try to upload the recovery key to Azure via the following PowerShell commands:
$bdeallsettings = Get-BitLockerVolume -MountPoint C: | select *
$bdeselectkey = $bdeallsettings.KeyProtector | where {$_.KeyProtectorType -eq 'RecoveryPassword'}
foreach ($key in $bdeselectkey) {
BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtectorId $key.KeyProtectorId
}
I get the following error message:
*BackupToAAD-BitLockerKeyProtector : Uitzondering van HRESULT: 0x80072EFE
+ BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtecto ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,BackupToAAD-BitLockerKeyProtector*
Which is kind of the same as the error in event viewer.
For what I could find, the error message indicates that there would be a connection (and/or DNS) error with Azure (or access issue), but if this would be the case, this would be an issue on all our laptops (and this is not the case, because the issue only occurs with the HP ProBook 440 G5).
When using "dsregcmd.exe /status", I also notice that the laptops with an issue have the following differences with laptops which don't have this issue (but could be a coincidence):
Tenant Details:
Working: JoinSrvVersion : 1.0
Not working: JoinSrvVersion : 2.0
(not sure what this does/means)
Diagnostic Data:
Working: Last HostName Update : SUCCESS
Server Message : The attribute 'hostnames' value(s) were successfully updated
Not Working: Last HostName Update : FAIL
Client ErrorCode : 0x80072ee7
And this error message also indicates connection and/or DNS issues.
Can anyone tell us what has changed and/or what is causing these issues?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 90%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
We have a ticket open for the same exact issue. Sharing this post with our assigned CSM now to hopefully help prioritize the escalation.
I have an update myself. :-)
It looks like it might be an issue with an old TPM firmware (but not confirmed yet, as I did not yet find an TPM firmware update which was new enough).
But there is also a workaround:
This seems to resolve the issue.
But we don't want to roll-out this change yet, as we are not sure yet what implications removing those signature suites from the registry might have on any other part of the laptop and/or communication with our other systems.
So if anyone can help out there, that would be great.
If I know more, I will let you know.
Update from MS:
We have identified this issue where some Windows clients with TPM 2.0 cannot handle some algorithms properly during client TLS when communicating with enterpriseregistration.windows.net.
The Product group is currently investigating and working to resolve this issue.
Unfortunately, no ETA yet.
(but if you can't wait, you can look into the above mentioned workarounds)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 86%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEA%3C/text%3E%3C/svg%3E)
I can confirm that George's workaround works properly.
I'm wondering if I could prevent this issue by not configuring encryption method.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 31%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBJ%3C/text%3E%3C/svg%3E)
Hi George Hollerman, Thanks for your post and workaround provided is working fine.
We have same issue with all HP EliteBook 830 G5 model, Post SCCM TS we can fix this issue by decrypt and enable bitlocker or registry key changes you have provided. We want SCCM task sequence to enable bitlocker protection during image process.
Any update provided by Microsoft?
SMSTS Log says Error: 80072EFE
OSDBitLocker is running on Windows 8 or higher. OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
No reboot count provided. OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Protection is OFF OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Volume is fully encrypted OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Creating key protectors OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Tpm is enabled OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Tpm is activated OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Tpm is owned OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Tpm ownership is allowed OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Tpm has compatible SRK OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Tpm has EK pair OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Initial TPM state: 63 OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
TPM is already owned. OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Creating recovery password and escrowing to Active Directory OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Set FVE group policy registry keys to escrow recovery password OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Set FVE group policy registry key in Windows 7 OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Set FVE OSV group policy registry keys to escrow recovery password OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Using random recovery password OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
uStatus == 0, HRESULT=80072efe (X:\bt\1216594\repo\src\Framework\TSCore\encryptablevolume.cpp,1294) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
'ProtectKeyWithNumericalPassword' failed (2147954430) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
m_pEncryptableVolume->ProtectKeyWithNumericalPassword( sRecoveryPwdId ), HRESULT=80072efe (X:\bt\1216594\repo\src\client\OsDeployment\BitLocker\bitlocker.cpp,653) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
Failed to create recovery password. Ensure that Active Directory is properly configured for use with BitLocker
Unknown error (Error: 80072EFE; Source: Unknown) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
CreateRecoveryPassword(), HRESULT=80072efe (X:\bt\1216594\repo\src\client\OsDeployment\BitLocker\bitlocker.cpp,1353) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
Failed to CreateRecoveryPassword (0x80072EFE) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
hr, HRESULT=80072efe (X:\bt\1216594\repo\src\client\OsDeployment\BitLocker\bitlocker.cpp,1657) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
Failed to configure key protection (0x80072EFE) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
Rolling back ... OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
pBitLocker->Enable( argInfo.keyMode, argInfo.passwordMode, argInfo.sStartupKeyVolume, argInfo.bWait, argInfo.bFull, argInfo.dwEncryptMethod, argInfo.bIgnoreWhenTPMInvalid), HRESULT=80072efe (X:\bt\1216594\repo\src\client\OsDeployment\BitLocker\main.cpp,525) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
Process completed with exit code 2147954430 TSManager 7/27/2023 7:39:28 AM 4692 (0x1254)
!--------------------------------------------------------------------------------------------! TSManager 7/27/2023 7:39:28 AM 4692 (0x1254)
Failed to run the action: Enable BitLocker Spec Version. Error -2147012866 TSManager 7/27/2023 7:39:28 AM 4692 (0x1254)
Event ID 846 says Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
TraceId: {3fff26d9-98da-40ab-a1a3-07224fe424be}
Error: Unknown HResult Error code: 0x80072efe
No update from MS yet, but for me it started working normally yesterday at the end of the day (so no more workaround or updated TPM firmware needed anymore).
Will do some more tests/checks today and ask MS what happened.
Still no confirmation and/or root cause from MS, except te part in which they acknowledged the issue:
We have identified this issue where some Windows clients with TPM 2.0 cannot handle some algorithms properly during client TLS when communicating with enterpriseregistration.windows.net.
The Product group is currently investigating and working to resolve this issue.
But we tested this multiple times on multiple laptops and the issue seems to be resolved from Wednesday 26-07-2023 end of day without any change on our side, so MS must have changed/fixed something by then.
And since I will be leaving for a holiday, we will be closing this issue on our side.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 85%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3END%3C/text%3E%3C/svg%3E)
Do we need to decrypt before applying the workaround? Or simply delete the registry keys and restart the machine?
Workaround:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 52%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EES%3C/text%3E%3C/svg%3E)
We have the same issue on Lenovo L480's and Viglen PC's (these are prob peculiar to the UK)
We have been performing a delete from AD (on prem) then a remove and rejoin to the domain and BitLocker again. this seems to work - our BitLocker will not complete unless it has written the recovery key to AD.
The L480's, if we delete the record from AD first, then they appear to BitLocker without issue as part of the Task Sequence.
@goerge Hollerman - did any one come back to you about any negative issues around removing those registry values?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 46%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKH%3C/text%3E%3C/svg%3E)
We also had a bitlocker activation problem with one hp elitedesk, elitebooks worked fine.
the workaround helped, we imported the correct reg without the following:
now we can stage again, thanks
regards stefan