Permission denied when adding key protectors during MDT task sequence in Hyper-V VM with vTPM
I'm working on getting a Windows Server 2022 deployment working using MDT version 8456 with the Windows 11 ADK version 22H2 (with the workarounds detailed here: https://www.deploymentresearch.com/notes-from-the-lab-on-windows-adk-for-windows-11-22h2/ - thanks @Johan Arwidmark!), and I now have pre-provisioning working. During the next boot the newly deployed OS takes ownership of the vTPM successfully. However, after the deployment is complete, I see that protection is still off and the vTPM has not been added as a protector. There is this error in the ZTIBde log:
Attempting to enable BitLocker TPM ZTIBde 9/15/2023 3:02:56 PM 0 (0x0000)
ZTI ERROR - Unhandled error returned by ZTIBde: Permission denied (70) ZTIBde 9/15/2023 3:02:56 PM 0 (0x0000)
Here are my BitLocker-related properties:
SkipBitLocker=YES
BDEInstallSuppress=NO
BdeDriveLetter=S:
BdeDriveSize=2000
BdeInstall=TPM
BdeKeyLocation=\\<myhost>\<myshare>
BdeWaitForEncryption=TRUE
I was able to add the vTPM protector and enable protection manually with manage-bde afterwards. However, I'd like the task sequence to do this. I haven't found much online about this error during the BitLocker provisioning process in MDT. How can I get the task sequence to add the key protectors and enable protection? Thanks!
2 answers
AllenLiu-MSFT 44,496 Reputation points Microsoft Vendor
2023-09-21T06:56:53.91+00:00 Hi, @Jason Wheeler
Thank you for posting in Microsoft Q&A forum.
The error "Permission denied" during the BitLocker provisioning process in MDT could be caused by insufficient permissions for the account running the task sequence.
Ensure that the account has the necessary permissions to enable BitLocker and add key protectors.
Additionally, check that the TPM device has sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS) to back up the BitLocker recovery information.
For your reference:
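The steps the question author applied by hand with manage-bde, written up as an added example of a "Run PowerShell Script" task-sequence step (this is not code from the original post, nor MDT's own ZTIBde.wsf). It uses the BitLocker module equivalents of the manage-bde commands, checks two conditions that commonly produce an access-denied result before touching protectors (a non-elevated token and a TPM that is not yet ready), escrows the recovery password before turning protection on, and then waits for encryption the way BdeWaitForEncryption=TRUE does. It is assumed to run in the deployed OS on the boot after the OS has taken ownership of the vTPM; the share path, log file name and script name are placeholders chosen for this example.

```powershell
<#
  Added example, not from the original post and not MDT's ZTIBde.wsf.
  Assumed to run elevated, in the deployed Windows Server 2022 OS, after the
  reboot in which the OS took ownership of the vTPM. Share path, log path and
  parameter names are placeholders chosen for this example.
#>
param(
    [string]$MountPoint  = 'C:',
    [string]$KeyLocation = '\\<myhost>\<myshare>',   # mirrors BdeKeyLocation; placeholder
    [switch]$BackupToAD                              # also escrow the recovery password in AD DS
)

$ErrorActionPreference = 'Stop'
$LogFile = Join-Path $env:SystemRoot 'Temp\Enable-BdeProtectors.log'   # assumed log location

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

try {
    # 1. Preflight: protector changes need an elevated token, and the TPM must be
    #    owned and ready before a TPM protector can be created.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Not running elevated (user: $($identity.Name)); BitLocker protector changes will be denied."
    }
    $tpm = Get-Tpm
    Write-Log ('TPM present={0} ready={1} owned={2}' -f $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmOwned)
    if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
        throw 'TPM is not present or not ready; retry the TPM protector step on a later boot.'
    }

    # 2. Current volume state. A pre-provisioned volume shows VolumeStatus
    #    FullyEncrypted with ProtectionStatus Off (encrypted under a clear key).
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Log ('{0}: VolumeStatus={1} ProtectionStatus={2} Protectors={3}' -f $MountPoint,
        $vol.VolumeStatus, $vol.ProtectionStatus, ($vol.KeyProtector.KeyProtectorType -join ','))

    # 3. TPM protector (equivalent of: manage-bde -protectors -add C: -tpm)
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            # Not pre-provisioned: Enable-BitLocker adds the protector and starts encryption.
            Enable-BitLocker -MountPoint $MountPoint -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
        } else {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
        }
        Write-Log 'Added TPM protector.'
    }

    # 4. Recovery password protector (equivalent of: manage-bde -protectors -add C: -rp)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
        Write-Log "Added recovery password protector $($rp.KeyProtectorId)."
    }

    # 5. Escrow before protection is turned on, so a failure here cannot leave a
    #    protected volume whose recovery password was never recorded.
    if ($BackupToAD) {
        # Requires the computer account's write rights on its AD object
        # (equivalent of: manage-bde -protectors -adbackup C: -id <GUID>)
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        Write-Log 'Recovery password backed up to AD DS.'
    }
    if ($KeyLocation) {
        # Same idea as MDT's BdeKeyLocation: drop a per-machine key file on the share.
        $keyFile = Join-Path $KeyLocation ('{0}_{1}.txt' -f $env:COMPUTERNAME, ($rp.KeyProtectorId -replace '[{}]', ''))
        Set-Content -Path $keyFile -Value $rp.RecoveryPassword
        Write-Log "Recovery password written to $keyFile."
    }

    # 6. Turn protection on (equivalent of: manage-bde -protectors -enable C:).
    #    This discards the clear key from pre-provisioning, so it runs last.
    if ($vol.ProtectionStatus -ne 'On') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }

    # 7. Equivalent of BdeWaitForEncryption=TRUE: block until encryption completes.
    do {
        Start-Sleep -Seconds 15
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Log ('Encryption {0}% ({1})' -f $vol.EncryptionPercentage, $vol.VolumeStatus)
    } while ($vol.VolumeStatus -eq 'EncryptionInProgress')

    if ($vol.ProtectionStatus -ne 'On') { throw "Protection is still $($vol.ProtectionStatus) on $MountPoint." }
    Write-Log "BitLocker protection is On for $MountPoint."
    exit 0
}
catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1   # non-zero so the task sequence records the step as failed
}
```

Run it as a task-sequence step after the "Enable BitLocker" step, with a non-zero exit code failing the sequence so the condition is visible instead of silently leaving ProtectionStatus Off. The key file on the share holds the recovery password in clear text, exactly as a BdeKeyLocation key file does, so the share ACL should be limited to the deployment account and whoever owns recovery; where the computer account can write to its own AD object, prefer -BackupToAD and skip the share entirely.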