Permission denied when adding key protectors during MDT task sequence in Hyper-V VM with vTPM

Jason Wheeler 25 Reputation points
2023-09-20T20:50:56.7566667+00:00

I'm working on getting Windows 2022 server deployment using MDT version 8456 with Win11 ADK version 22H2 (with workarounds detailed here: https://www.deploymentresearch.com/notes-from-the-lab-on-windows-adk-for-windows-11-22h2/ - Thanks @Johan Arwidmark !) and now have the pre-provisioning working. During the next boot the newly deployed OS takes ownership of the vTPM successfully. However, after the deployment is complete, now I see that the protection is still off and the vTPM has not been added as a protector once the task sequence is complete. There is this error in the ZTIBDI log:

    Attempting to enable BitLocker TPM    ZTIBde    9/15/2023 3:02:56 PM    0 (0x0000)
    ZTI ERROR - Unhandled error returned by ZTIBde: Permission denied (70)    ZTIBde    9/15/2023 3:02:56 PM    0 (0x0000)

Here are my BitLocker-related properties:

    SkipBitLocker=YES
    BDEInstallSuppress=NO
    BdeDriveLetter=S:
    BdeDriveSize=2000
    BdeInstall=TPM
    BdeKeyLocation=\\<myhost>\<myshare>
    BdeWaitForEncryption=TRUE

I was able to manually add the vTPM and enable protection with manage-bde afterwards. However, I'd like to get it to do this in the task sequence. I haven't found much online for this error during the BitLocker provisioning process in MDT. How can I get the task sequence to add the key protectors and enable protection? Thanks!


2 answers

  1. Jason Wheeler 25 Reputation points
    2023-10-02T17:07:13.9266667+00:00

    I was using the WinPE ISO to boot. After some trial and error, I found out it was causing the problem so I added a task to automatically eject the ISO from the virtual drive after first booting into the deployed OS.

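The post-deployment state the question describes (volume pre-provisioned, vTPM owned, but no TPM protector and protection still off) and the fix Jason applied (eject the boot ISO, then add the protectors and turn protection on) can be checked and remediated from inside the deployed guest with the script below. This is an added example written for this page; it is not ZTIBde's code or the poster's task sequence step. It assumes it runs elevated in the deployed OS, that the OS volume is `$env:SystemDrive`, that any mounted virtual DVD is the WinPE ISO to eject, and that `$KeyShare` is the `BdeKeyLocation` share from the question (left as the same placeholder).

```powershell
# Added example (not MDT's ZTIBde and not the poster's task): after a pre-provisioned
# deployment, eject the boot ISO, verify the vTPM, then add the TPM and recovery-password
# protectors the task sequence failed to add, and turn protection on.
# Assumptions: run elevated inside the guest; $KeyShare is the BdeKeyLocation share
# (placeholder value from the question); the DVD drive letter comes from WMI.
param(
    [string]$KeyShare = '\\<myhost>\<myshare>'   # placeholder: replace with the real share
)

$osDrive = $env:SystemDrive

# 1. Eject any virtual DVD (the WinPE ISO) so it is not in the picture when protectors are added.
$shell = New-Object -ComObject Shell.Application
Get-CimInstance Win32_CDROMDrive | Where-Object Drive | ForEach-Object {
    Write-Host "Ejecting media in $($_.Drive)"
    $shell.Namespace(17).ParseName($_.Drive).InvokeVerb('Eject')   # 17 = My Computer namespace
}

# 2. The TPM protector can only be added once the vTPM is present, owned and ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady) Owned=$($tpm.TpmOwned))"
}

# 3. Inspect the OS volume: which protectors exist and whether protection is on.
$vol   = Get-BitLockerVolume -MountPoint $osDrive
$types = @($vol.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)
Write-Host ("{0}: VolumeStatus={1} Protection={2} Protectors=[{3}]" -f `
    $osDrive, $vol.VolumeStatus, $vol.ProtectionStatus, ($types -join ','))

# 4. Add what is missing: a TPM protector (BdeInstall=TPM) and a recovery password,
#    and save the recovery password to the key share as BdeKeyLocation would.
if ('Tpm' -notin $types) {
    Add-BitLockerKeyProtector -MountPoint $osDrive -TpmProtector | Out-Null
    Write-Host 'Added TPM protector'
}
if ('RecoveryPassword' -notin $types) {
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    $file = Join-Path $KeyShare ('{0}_{1}.txt' -f $env:COMPUTERNAME, $rp.KeyProtectorId.Trim('{}'))
    $rp.RecoveryPassword | Out-File -FilePath $file -Encoding ascii
    Write-Host "Added recovery password protector, saved to $file"
}

# 5. A pre-provisioned volume stays with protection off until it is resumed.
if ((Get-BitLockerVolume -MountPoint $osDrive).ProtectionStatus -ne 'On') {
    Resume-BitLocker -MountPoint $osDrive | Out-Null
}

# Final state: expect ProtectionStatus=On and both protector types listed.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{n='Protectors'; e={ ($_.KeyProtector.KeyProtectorType) -join ',' }}
```

Running this once by hand on the VM shows which of the two conditions actually blocked ZTIBde: if step 2 throws, the vTPM was not ready at the time the task ran; if step 4 succeeds only after the eject in step 1, the mounted ISO was the cause, which matches the fix above. The same logic can be placed as a "Run PowerShell Script" step after the first boot into the deployed OS, before the BitLocker step.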

  2. AllenLiu-MSFT 44,496 Reputation points Microsoft Vendor
    2023-09-21T06:56:53.91+00:00

    Hi, @Jason Wheeler

    Thank you for posting in Microsoft Q&A forum.

    The error "Permission denied" during the BitLocker provisioning process in MDT could be caused by insufficient permissions for the account running the task sequence.

    Ensure that the account has the necessary permissions to enable BitLocker and add key protectors.

    Additionally, check that the TPM device has sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS) to back up the BitLocker recovery information.

    For your reference:

    https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues#bitlocker-fails-to-enable-with-the-error-access-denied-failed-to-backup-tpm-owner-authorization-information-to-active-directory-domain-services-errorcode-0x80070005-or-insufficient-rights


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Add comment".

