I was using the WinPE ISO to boot. After some trial and error, I found out it was causing the problem so I added a task to automatically eject the ISO from the virtual drive after first booting into the deployed OS.
Permission denied when adding key protectors during MDT task sequence in Hyper-V VM with vTPM
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 50%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJW%3C/text%3E%3C/svg%3E)
Jason Wheeler
25
Reputation points
I'm working on getting Windows 2022 server deployment using MDT version 8456 with Win11 ADK version 22H2 (with workarounds detailed here: https://www.deploymentresearch.com/notes-from-the-lab-on-windows-adk-for-windows-11-22h2/ - Thanks @Johan Arwidmark !) and now have the pre-provisioning working. During the next boot the newly deployed OS takes ownership of the vTPM successfully. However, after the deployment is complete, now I see that the protection is still off and the vTPM has not been added as a protector once the task sequence is complete. There is this error in the ZTIBDI log:
Attempting to enable BitLocker TPM ZTIBde 9/15/2023 3:02:56 PM 0 (0x0000) ZTI ERROR - Unhandled error returned by ZTIBde: Permission denied (70) ZTIBde 9/15/2023 3:02:56 PM 0 (0x0000)
Here is my BitLocker-related properties:
SkipBitLocker=YES
BDEInstallSuppress=NO
BdeDriveLetter=S:
BdeDriveSize=2000
BdeInstall=TPM
BdeKeyLocation=\\<myhost>\<myshare>
BdeWaitForEncryption=TRUE
I was able to manually add the vTPM and enable protection with manage-bde afterwards. However, I'd like to get it to do this in the task sequence. I haven't found much online for this error during the BitLocker provisioning process in MDT. How can I get the task sequence to add the key protectors and enable protection? Thanks!
Windows for business | Windows Client for IT Pros | Devices and deployment | Set up, install, or upgrade
Windows for business | Windows Client for IT Pros | Storage high availability | Virtualization and Hyper-V
Windows for business | Windows Server | User experience | Other
Windows for business | Windows Client for IT Pros | User experience | Other
2 answers
Sort by: Most helpful
-
-
AllenLiu-MSFT 49,436 Reputation points Microsoft External Staff2023-09-21T06:56:53.91+00:00 Hi, @Jason Wheeler
Thank you for posting in Microsoft Q&A forum.
The error "Permission denied" during the BitLocker provisioning process in MDT could be caused by insufficient permissions for the account running the task sequence.
Ensure that the account has the necessary permissions to enable BitLocker and add key protectors.
Additionally, check that the TPM device has sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS) to back up the BitLocker recovery information.
For your reference:
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Add comment".
-
Jason Wheeler 25 Reputation points
2023-09-21T10:59:53.0566667+00:00 This is an MDT task sequence, so I believe it is running under the local admin account by default (I didn't change that in the task sequence template). Also, it is deploying a workgroup computer so there is no Active Directory. I thought if I specified the BdeKeyLocation property to a share that it would not try to store keys in Active Directory. Is there something else I have to configure for a workgroup computer? I'm not sure that it is trying to do anything with Active Directory though because this is the function ZTIBde.wsf that is generating the error:
Function ProtectKeyWithTpm () Dim iRetVal oLogging.CreateEntry "Attempting to enable BitLocker TPM", LogTypeInfo iRetVal = oBdeVol.ProtectKeyWithTPM("TPM Protection",Empty,sVolProtectorId) Do While iRetVal = &H80310030 PromptToRemove iRetVal = oBdeVol.ProtectKeyWithTPM("TPM Protection",Empty,sVolProtectorId) If iRetVal <> &H80310030 then PromptToInsert End if Loop TestAndFail iRetVal, 6711, "ProtectKeyWithTPM " ProtectKeyWithTpm = SuccessIf my understanding it correct, it is only trying to enable the protection with the TPM as a protector in this function. If that's right, it isn't getting permission denied in regards to backing up the recovery key. Do I have that right, and if so, what else could be wrong?
-
AllenLiu-MSFT 49,436 Reputation points Microsoft External Staff
2023-09-27T08:39:14.26+00:00 It may be helpful to review the BitLocker logs on the local computer to see if there are any additional error messages that could provide more information about the issue.
Sign in to comment -